[Samba] Samba unable to find SRV record during join

William Edwards wedwards at cyberfusion.nl
Tue Sep 6 20:07:50 UTC 2022


Hi Rowland,

Rowland Penny via samba wrote on 2022-09-06 19:29:
> On Tue, 2022-09-06 at 19:09 +0200, William Edwards wrote:
>> > On 6 Sep 2022 at 19:04, Rowland Penny via samba <samba at lists.samba.org> wrote:
>> >
>> > On Tue, 2022-09-06 at 18:53 +0200, William Edwards wrote:
>> > > Rowland Penny via samba wrote on 2022-09-06 18:05:
>> > > > > On Tue, 2022-09-06 at 17:19 +0200, William Edwards via samba wrote:
>> > > > > > According to the documentation[1], I'm trying to join a to-be DC to an existing domain with:
>> > > > > >    samba-tool domain join cyberfusion.cloud DC -k yes --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
>> > > > What version of Samba are you using ? From 4.15.0 '-k yes' has been replaced with '--use-kerberos=required', though the earlier form should still work.
>> > > > Does /etc/resolv.conf point to an existing AD DC ?
>> > > > What OS is this ?
>> > > > > With debug level 5, this fails with:
>> > > > >    finddcs: searching for a DC by DNS domain cyberfusion.cloud
>> > > > >    finddcs: looking for SRV records for _ldap._tcp.cyberfusion.cloud
>> > > > >    resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.cyberfusion.cloud<0x0>
>> > > > >    startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
>> > > > >    dns child failed to find name '_ldap._tcp.cyberfusion.cloud' of type SRV
>> > > > >    finddcs: Failed to find SRV record for _ldap._tcp.cyberfusion.cloud
>> > > > >    ERROR: Failed to find a writeable DC for domain 'cyberfusion.cloud': The object name is not found.
>> > > > >      File "/usr/lib/python3/dist-packages/samba/join.py", line 351, in find_dc
>> > > > >        ctx.cldap_ret = ctx.net.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
>> > > > > However, the lookup actually succeeds. I tcpdumped on the existing DC that receives the DNS query, and on the to-be new DC. The SRV lookup succeeds, and Samba looks up the AAAA and A records for the hosts in the SRV RRSet. That also succeeds: the AAAA lookup returns the IPv6 addresses for the DCs, and the A lookups result in an empty RRSet, as this is an IPv6-only setup.
>> > > > > I tried omitting --dns-backend and --option in the join command.
>> > > > You do not need the dns one, it will be used by default and the option makes samba use any uidNumber & gidNumber attributes found in AD instead of the xidNumber attributes found in idmap.ldb.
>> > > > > I also tried using a username & password instead of Kerberos after kinit. Getting a token with `kinit administrator` succeeds. That does not help.
>> > > > > Searching for the error messages "dns child failed to find name" and "finddcs: Failed to find SRV record for" yielded a former post[2] on the mailing list, which suggests to set 'interfaces'. That does not help either.
>> > > > > I hope someone has some pointers!
>> > > > It sounds like a dns problem.
>> > > As mentioned in my original email, tcpdump proves that the DNS result is expected and correct. Something must be going wrong in userland.
>> > > > Rowland
>> >
>> > Would you please answer the questions that I asked.
>> 
>> I did. I sent two emails in reply to yours. This is the second one.
>> Please see my email from 18:46.
>> 
> 
> Sorry, yes I know, your second reply arrived after I sent my reply.

Ah, it arrived here already. Sorry.

> 
> So, just to understand things, you are using Debian 10 and you are
> trying to add a Debian 11 machine

Correct.

> (this would mean 4.9.5 and 4.13.? if
> using the standard distro packages)

No, the existing DCs run 4.15.7. The to-be DC runs 4.16.4.

> I take it that /etc/resolv.conf points to another Samba AD DC

It points to one of the existing DCs, yes.

> and there
> is nothing else using port 53.

Yes, i.e. it is Samba that responds to the DNS query. The result of the 
DNS query is also expected.

> Provided that everything is set up
> correctly, the join should work, whether IPv4 or IPv6 is used.

That's what I'd think, but it doesn't. I hope someone has a clue!

> 
> Rowland

-- 
With kind regards,

William Edwards
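
Added example, not part of the original post or of Samba's code: an independent check of the lookup sequence described in the message above (SRV for `_ldap._tcp.<domain>`, then AAAA and A for each target), for comparing what a resolver returns with what the join reports. The host names `dc1`/`dc2`, the 2001:db8:: addresses and `stub_resolve` are constructed; in practice `resolve` would wrap a real DNS client.

```python
# Added example: DC locator check over an injected resolver.
# Host names, addresses and the zone below are constructed sample data.
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str, str], List[str]]  # (name, rtype) -> rdata strings, [] if empty


def parse_srv(rdata: str) -> Tuple[int, int, int, str]:
    """Parse SRV presentation format: 'priority weight port target.'"""
    prio, weight, port, target = rdata.split()
    return int(prio), int(weight), int(port), target.rstrip(".").lower()


def check_dc_locator(domain: str, resolve: Resolver) -> Dict[str, object]:
    """Resolve the LDAP SRV RRSet, then AAAA and A for every target."""
    srv_name = f"_ldap._tcp.{domain}"
    records = sorted(parse_srv(r) for r in resolve(srv_name, "SRV"))  # lowest priority first
    report: Dict[str, object] = {"srv_name": srv_name, "targets": [], "unreachable": []}
    for _prio, _weight, port, target in records:
        v6 = resolve(target, "AAAA")
        v4 = resolve(target, "A")
        # An empty A RRSet is expected on an IPv6-only network; it only
        # matters when the AAAA RRSet is empty as well.
        families = [name for name, rrset in (("IPv6", v6), ("IPv4", v4)) if rrset]
        report["targets"].append(
            {"host": target, "port": port, "families": families, "addresses": v6 + v4}
        )
        if not families:
            report["unreachable"].append(target)
    report["ok"] = bool(records) and not report["unreachable"]
    return report


# Constructed IPv6-only zone: AAAA records exist, A lookups return nothing.
ZONE = {
    ("_ldap._tcp.cyberfusion.cloud", "SRV"): [
        "0 100 389 dc1.cyberfusion.cloud.",
        "0 100 389 dc2.cyberfusion.cloud.",
    ],
    ("dc1.cyberfusion.cloud", "AAAA"): ["2001:db8::10"],
    ("dc2.cyberfusion.cloud", "AAAA"): ["2001:db8::11"],
}


def stub_resolve(name: str, rtype: str) -> List[str]:
    return ZONE.get((name.rstrip(".").lower(), rtype), [])


if __name__ == "__main__":
    print(check_dc_locator("cyberfusion.cloud", stub_resolve))
```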



