[Samba] Samba unable to find SRV record during join

Patrick Goetz pgoetz at math.utexas.edu
Tue Sep 6 19:12:15 UTC 2022



On 9/6/22 12:29, Rowland Penny via samba wrote:
> On Tue, 2022-09-06 at 19:09 +0200, William Edwards wrote:
>>> On 6 Sep 2022, at 19:04, Rowland Penny via samba <
>>> samba at lists.samba.org> wrote:
>>>
>>> On Tue, 2022-09-06 at 18:53 +0200, William Edwards wrote:
>>>> Rowland Penny via samba wrote on 2022-09-06 18:05:
>>>>>> On Tue, 2022-09-06 at 17:19 +0200, William Edwards via samba wrote:
>>>>>>> According to the documentation[1], I'm trying to join a to-be DC to an
>>>>>>> existing domain with:
>>>>>>>     samba-tool domain join cyberfusion.cloud DC -k yes --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
>>>>> What version of Samba are you using ? From 4.15.0 '-k yes' has been
>>>>> replaced with '--use-kerberos=required', though the earlier form should
>>>>> still work.
>>>>> Does /etc/resolv.conf point to an existing AD DC ?
>>>>> What OS is this ?
>>>>>> With debug level 5, this fails with:
>>>>>>     finddcs: searching for a DC by DNS domain cyberfusion.cloud
>>>>>>     finddcs: looking for SRV records for _ldap._tcp.cyberfusion.cloud
>>>>>>     resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.cyberfusion.cloud<0x0>
>>>>>>     startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
>>>>>>     dns child failed to find name '_ldap._tcp.cyberfusion.cloud' of type SRV
>>>>>>     finddcs: Failed to find SRV record for _ldap._tcp.cyberfusion.cloud
>>>>>>     ERROR: Failed to find a writeable DC for domain 'cyberfusion.cloud': The object name is not found.
>>>>>>       File "/usr/lib/python3/dist-packages/samba/join.py", line 351, in find_dc
>>>>>>         ctx.cldap_ret = ctx.net.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
>>>>>> However, the lookup actually succeeds. I tcpdumped on the existing DC
>>>>>> that receives the DNS query, and on the to-be new DC. The SRV lookup
>>>>>> succeeds, and Samba looks up the AAAA and A records for the hosts in the
>>>>>> SRV RRSet. That also succeeds: the AAAA lookup returns the IPv6
>>>>>> addresses for the DCs, and the A lookups result in an empty RRSet, as
>>>>>> this is an IPv6-only setup.
>>>>>> I tried omitting --dns-backend and --option in the join command.
>>>>> You do not need the dns one, it will be used by default and the option
>>>>> makes samba use any uidNumber & gidNumber attributes found in AD
>>>>> instead of the xidNumber attributes found in idmap.ldb.
>>>>>> I also tried using a username & password instead of Kerberos after kinit.
>>>>>> Getting a token with `kinit administrator` succeeds. That does not help.
>>>>>> Searching for the error messages "dns child failed to find name" and
>>>>>> "finddcs: Failed to find SRV record for" yielded a former post[2] on the
>>>>>> mailing list, which suggests to set 'interfaces'. That does not help
>>>>>> either.
>>>>>> I hope someone has some pointers!
>>>>> It sounds like a dns problem.
>>>> As mentioned in my original email, tcpdump proves that the DNS result is
>>>> expected and correct. Something must be going wrong in userland.
>>>>> Rowland
>>>
>>> Would you please answer the questions that I asked.
>>
>> I did. I sent two emails in reply to yours. This is the second one.
>> Please see my email from 18:46.
>>
> 
> Sorry, yes I know, your second reply arrived after I sent my reply.
> 
> So, just to understand things, you are using Debian 10 and you are
> trying to add a Debian 11 machine (this would mean 4.9.5 and 4.13.? if
> using the standard distro packages)


He mentioned that he's not using the standard distro packages; likely 
using Louis' repo:

 > What version of Samba are you using ?

The existing DCs run 4.15.7. The to-be DC runs 4.16.4.


> I take it that /etc/resolv.conf points to another Samba AD DC and there
> is nothing else using port 53. Provided that everything is set up
> correctly, the join should work, whether IPv4 or IPv6 is used.
> 
> Rowland
> 
> 
> 


