[Samba] Samba unable to find SRV record during join

William Edwards wedwards at cyberfusion.nl
Tue Sep 6 16:43:03 UTC 2022


Hi Rowland,

Rowland Penny via samba schreef op 2022-09-06 18:05:
> On Tue, 2022-09-06 at 17:19 +0200, William Edwards via samba wrote:
>> According to the documentation[1], I'm trying to join a to-be DC to
>> an
>> existing domain with:
>> 
>>      samba-tool domain join cyberfusion.cloud DC -k yes
>> --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
>> 
> 
> What version of Samba are you using ?

The existing DCs run 4.15.7. The to-be DC runs 4.16.4.

> From 4.15.0 '-k yes' has been
> replaced with '--use-kerberos=required', though the earlier form should
> still work.

Thanks for this information. Perhaps the documentation I mentioned 
earlier should be updated to reflect this.

> Does /etc/resolv.conf point to an existing AD DC ?

Yes.

> What OS is this ?

The existing DCs run Debian 10. The to-be DC runs Debian 11.

> 
> 
>> With debug level 5, this fails with:
>> 
>>      finddcs: searching for a DC by DNS domain cyberfusion.cloud
>>      finddcs: looking for SRV records for
>> _ldap._tcp.cyberfusion.cloud
>>      resolve_lmhosts: Attempting lmhosts lookup for name
>> _ldap._tcp.cyberfusion.cloud<0x0>
>>      startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error
>> was
>> No such file or directory
>>      dns child failed to find name '_ldap._tcp.cyberfusion.cloud' of
>> type
>> SRV
>>      finddcs: Failed to find SRV record for
>> _ldap._tcp.cyberfusion.cloud
>>      ERROR: Failed to find a writeable DC for domain
>> 'cyberfusion.cloud':
>> The object name is not found.
>>        File "/usr/lib/python3/dist-packages/samba/join.py", line 351,
>> in
>> find_dc
>>          ctx.cldap_ret = ctx.net.finddc(domain=domain,
>> flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS |
>> nbt.NBT_SERVER_WRITABLE)
>> 
>> However, the lookup actually succeeds. I tcpdumped on the existing
>> DC
>> that receives the DNS query, and on the to-be new DC. The SRV lookup
>> succeeds, and Samba looks up the AAAA and A records for the hosts in
>> the
>> SRV RRSet. That also succeeds: the AAAA lookup returns the IPv6
>> addresses for the DCs, and the A lookups result in an empty RRSet,
>> as
>> this is an IPv6-only setup.
>> 
>> I tried omitting --dns-backend and --option in the join command.
> 
> You do not need the dns one, it will used by default and the option
> makes samba use any uidNumber & gidNumber attributes found in AD
> instead of the xidNumber attributes found in idmap.ldb.
> 
>>  I also
>> tried using a username & password instead of Kerberos after kinit.
>> Getting a token with `kinit administrator` succeeds. That does not
>> help.
>> 
>> Searching for the error messages "dns child failed to find name" and
>> "finddcs: Failed to find SRV record for" yielded a former post[2] on
>> the
>> mailing list, which suggests to set 'interfaces'. That does not help
>> either.
>> 
>> I hope someone has some pointers!
>> 
> 
> It sounds like a dns problem.
> 
> Rowland

-- 
With kind regards,

William Edwards




More information about the samba mailing list