[Samba] Samba unable to find SRV record during join

Rowland Penny rpenny at samba.org
Wed Sep 7 09:35:49 UTC 2022


On Tue, 2022-09-06 at 22:07 +0200, William Edwards wrote:
> Hi Rowland,
> 
> Rowland Penny via samba wrote on 2022-09-06 19:29:
> > On Tue, 2022-09-06 at 19:09 +0200, William Edwards wrote:
> > > > On 6 Sep 2022 at 19:04, Rowland Penny via samba <
> > > > samba at lists.samba.org> wrote the following:
> > > > 
> > > > On Tue, 2022-09-06 at 18:53 +0200, William Edwards wrote:
> > > > > Rowland Penny via samba wrote on 2022-09-06 18:05:
> > > > > > > On Tue, 2022-09-06 at 17:19 +0200, William Edwards via samba wrote:
> > > > > > > > According to the documentation[1], I'm trying to join a to-be DC
> > > > > > > > to an existing domain with:
> > > > > > > >    samba-tool domain join cyberfusion.cloud DC -k yes --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
> > > > > > What version of Samba are you using ? From 4.15.0 '-k yes' has
> > > > > > been replaced with '--use-kerberos=required', though the earlier
> > > > > > form should still work.
> > > > > > Does /etc/resolv.conf point to an existing AD DC ?
> > > > > > What OS is this ?
> > > > > > > With debug level 5, this fails with:
> > > > > > >    finddcs: searching for a DC by DNS domain cyberfusion.cloud
> > > > > > >    finddcs: looking for SRV records for _ldap._tcp.cyberfusion.cloud
> > > > > > >    resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.cyberfusion.cloud<0x0>
> > > > > > >    startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
> > > > > > >    dns child failed to find name '_ldap._tcp.cyberfusion.cloud' of type SRV
> > > > > > >    finddcs: Failed to find SRV record for _ldap._tcp.cyberfusion.cloud
> > > > > > >    ERROR: Failed to find a writeable DC for domain 'cyberfusion.cloud': The object name is not found.
> > > > > > >      File "/usr/lib/python3/dist-packages/samba/join.py", line 351, in find_dc
> > > > > > >        ctx.cldap_ret = ctx.net.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
> > > > > > > However, the lookup actually succeeds. I tcpdumped on the existing
> > > > > > > DC that receives the DNS query, and on the to-be new DC. The SRV
> > > > > > > lookup succeeds, and Samba looks up the AAAA and A records for the
> > > > > > > hosts in the SRV RRSet. That also succeeds: the AAAA lookup returns
> > > > > > > the IPv6 addresses for the DCs, and the A lookups result in an
> > > > > > > empty RRSet, as this is an IPv6-only setup.
> > > > > > > I tried omitting --dns-backend and --option in the join command.
> > > > > > You do not need the dns one, it will be used by default and the
> > > > > > option makes samba use any uidNumber & gidNumber attributes found
> > > > > > in AD instead of the xidNumber attributes found in idmap.ldb.
> > > > > > > I also tried using a username & password instead of Kerberos
> > > > > > > after kinit. Getting a token with `kinit administrator` succeeds.
> > > > > > > That does not help.
> > > > > > > Searching for the error messages "dns child failed to find name"
> > > > > > > and "finddcs: Failed to find SRV record for" yielded a former
> > > > > > > post[2] on the mailing list, which suggests to set 'interfaces'.
> > > > > > > That does not help either.
> > > > > > > I hope someone has some pointers!
> > > > > > It sounds like a dns problem.
> > > > > As mentioned in my original email, tcpdump proves that the DNS
> > > > > result is expected and correct. Something must be going wrong in
> > > > > userland.
> > > > > > Rowland
> > > > 
> > > > Would you please answer the questions that I asked.
> > > 
> > > I did. I sent two emails in reply to yours. This is the second
> > > one.
> > > Please see my email from 18:46.
> > > 
> > 
> > Sorry, yes I know, your second reply arrived after I sent my reply.
> 
> Ah, it arrived here already. Sorry.
> 
> > So, just to understand things, you are using Debian 10 and you are
> > trying to add a Debian 11 machine
> 
> Correct.
> 
> > (this would mean 4.9.5 and 4.13.? if
> > using the standard distro packages)
> 
> No, the existing DCs run 4.15.7. The to-be DC runs 4.16.4.
> 
> > I take it that /etc/resolv.conf points to another Samba AD DC
> 
> It points to one of the existing DCs, yes.
> 
> > and there
> > is nothing else using port 53.
> 
> Yes, i.e. it is Samba that responds to the DNS query. The result of the
> DNS query is also expected.
> 
> > Provided that everything is set up
> > correctly, the join should work, whether IPv4 or IPv6 is used.
> 
> That's what I'd think, but it doesn't. I hope someone has a clue!
> 
> > Rowland

Have you looked in /var/log/syslog ?

Rowland




