[Samba] Samba unable to find SRV record during join

William Edwards wedwards at cyberfusion.nl
Wed Sep 7 10:16:17 UTC 2022


> On 7 Sep 2022 at 11:39, Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> On Tue, 2022-09-06 at 22:07 +0200, William Edwards wrote:
>> Hi Rowland,
>> 
>> Rowland Penny via samba wrote on 2022-09-06 19:29:
>>> On Tue, 2022-09-06 at 19:09 +0200, William Edwards wrote:
>>>>> On 6 Sep 2022 at 19:04, Rowland Penny via samba <samba at lists.samba.org> wrote:
>>>>> 
>>>>> On Tue, 2022-09-06 at 18:53 +0200, William Edwards wrote:
>>>>>> Rowland Penny via samba wrote on 2022-09-06 18:05:
>>>>>>>> On Tue, 2022-09-06 at 17:19 +0200, William Edwards via samba wrote:
>>>>>>>>> According to the documentation[1], I'm trying to join a to-be DC to an existing domain with:
>>>>>>>>>   samba-tool domain join cyberfusion.cloud DC -k yes --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
>>>>>>> What version of Samba are you using ? From 4.15.0 '-k yes' has been replaced with '--use-kerberos=required', though the earlier form should still work.
>>>>>>> Does /etc/resolv.conf point to an existing AD DC ?
>>>>>>> What OS is this ?
>>>>>>>> With debug level 5, this fails with:
>>>>>>>>   finddcs: searching for a DC by DNS domain cyberfusion.cloud
>>>>>>>>   finddcs: looking for SRV records for _ldap._tcp.cyberfusion.cloud
>>>>>>>>   resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.cyberfusion.cloud<0x0>
>>>>>>>>   startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
>>>>>>>>   dns child failed to find name '_ldap._tcp.cyberfusion.cloud' of type SRV
>>>>>>>>   finddcs: Failed to find SRV record for _ldap._tcp.cyberfusion.cloud
>>>>>>>>   ERROR: Failed to find a writeable DC for domain 'cyberfusion.cloud': The object name is not found.
>>>>>>>>     File "/usr/lib/python3/dist-packages/samba/join.py", line 351, in find_dc
>>>>>>>>       ctx.cldap_ret = ctx.net.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
>>>>>>>> However, the lookup actually succeeds. I tcpdumped on the existing DC that receives the DNS query, and on the to-be new DC. The SRV lookup succeeds, and Samba looks up the AAAA and A records for the hosts in the SRV RRSet. That also succeeds: the AAAA lookup returns the IPv6 addresses for the DCs, and the A lookups result in an empty RRSet, as this is an IPv6-only setup.
>>>>>>>> I tried omitting --dns-backend and --option in the join command.
>>>>>>> You do not need the dns one, it will be used by default and the option makes samba use any uidNumber & gidNumber attributes found in AD instead of the xidNumber attributes found in idmap.ldb.
>>>>>>>> I also tried using a username & password instead of Kerberos after kinit. Getting a token with `kinit administrator` succeeds. That does not help.
>>>>>>>> Searching for the error messages "dns child failed to find name" and "finddcs: Failed to find SRV record for" yielded a former post[2] on the mailing list, which suggests to set 'interfaces'. That does not help either.
>>>>>>>> I hope someone has some pointers!
>>>>>>> It sounds like a dns problem.
>>>>>> As mentioned in my original email, tcpdump proves that the DNS result is expected and correct. Something must be going wrong in userland.
>>>>>>> Rowland
>>>>> 
>>>>> Would you please answer the questions that I asked.
>>>> 
>>>> I did. I sent two emails in reply to yours. This is the second one.
>>>> Please see my email from 18:46.
>>>> 
>>> 
>>> Sorry, yes I know, your second reply arrived after I sent my reply.
>> 
>> Ah, it arrived here already. Sorry.
>> 
>>> So, just to understand things, you are using Debian 10 and you are
>>> trying to add a Debian 11 machine
>> 
>> Correct.
>> 
>>> (this would mean 4.9.5 and 4.13.? if
>>> using the standard distro packages)
>> 
>> No, the existing DCs run 4.15.7. The to-be DC runs 4.16.4.
>> 
>>> I take it that /etc/resolv.conf points to another Samba AD DC
>> 
>> It points to one of the existing DCs, yes.
>> 
>>> and there
>>> is nothing else using port 53.
>> 
>> Yes, i.e. it is Samba that responds to the DNS query. The result of the DNS query is also expected.
>> 
>>> Provided that everything is set up
>>> correctly, the join should work, whether IPv4 or IPv6 is used.
>> 
>> That's what I'd think, but it doesn't. I hope someone has a clue!
>> 
>>> Rowland
> 
> Have you looked in /var/log/syslog ?

Samba hasn’t logged anything to the journal and to syslog.

> 
> Rowland