[Samba] Joining a new Samba AD DC

Mark Foley mfoley at novatec-inc.com
Tue Aug 1 21:40:23 UTC 2023


On Mon Jul 31 11:17:57 2023 Mark Foley via samba <samba at lists.samba.org> wrote:

> On Jul 31 03:00:37 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On 30/07/2023 22:24, Mark Foley via samba wrote:
> > > That gave me:
> > > 
> > > # host -t A 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local
> > > host: idnkit idn_encodename to idn failed: prohibited character found
> >
> > That is strange; if I obtain the GUIDs on my DCs and run a similar 
> > command, I get this:
> >
> > adminuser at rpidc1:~ $ host -t A 
> > fb453823-737c-4a8b-93e1-dc197e236d50._msdcs.samdom.example.com
> > fb453823-737c-4a8b-93e1-dc197e236d50._msdcs.samdom.example.com is an 
> > alias for rpidc1.samdom.example.com.
> > rpidc1.samdom.example.com has address 192.168.1.2
> >
> > Rowland
>
> It could be a difference in host command versions (I have version 9.11.37), as
> well as the fact that my version of Samba on the current DC is very old (4.8.2). 
[deleted]
>
> My results when running 'host -t A':
>
> # host -t A 
> Usage: host [-aCdilrTvVw] [-c class] [-N ndots] [-t type] [-W time]
>             [-R number] [-m flag] hostname [server]
[deleted]
>
> It looks like a hostname is required.
>
> The "prohibited character" error seems really odd. I found this: 
> https://bind-users.isc.narkive.com/9nA0Aqea/idn-dig-and-underscore which is a
> very similar problem related to the underscore. However, unlike for that author,
> 'dig' works for me, although it does give a warning about the .local. Perhaps this
> is part of the problem?
>
> # dig 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local 
>
> ; <<>> DiG 9.11.37 <<>> 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local
> ;; global options: +cmd
> ;; Got answer:
> ;; WARNING: .local is reserved for Multicast DNS
[deleted]
>
> ;; AUTHORITY SECTION:
> hprs.local.             3600    IN      SOA     mail.hprs.local. hostmaster.hprs.local. 2014159838 10800 3600 28800 3600
>
> If I remove the underscore from '0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local',
> the 'host -t A 0d2...' command does not give the "prohibited character found"
> error, but of course doesn't find the host.
>
> > Off the top of my head, is the locale set up correctly?
>
> My locale is en_US.UTF-8 and TZ is EDT -0400.
>
> # locale
> LANG=en_US.UTF-8
[deleted]

Is not being able to run 'host -t A' a show-stopper here? The wiki's 'host -t CNAME'
gave, as expected:

# host -t CNAME 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local.
Host 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local. not found: 3(NXDOMAIN)

and when trying to add with 'samba-tool' I got:

# samba-tool dns add MAIL _msdcs.hprs.local 0d2a3ba9-4ade-45de-85c7-321ba69caee0 CNAME DC1.hprs.local -Uadministrator
[deleted]
Password for [HPRS\administrator]:
gensec_update_send: gssapi_krb5[0xd83f00]: subreq: 0xd85680
gensec_update_send: spnego[0xd831e0]: subreq: 0xd83820
gensec_update_done: gssapi_krb5[0xd83f00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0xd85680/../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state (0xd85810)] timer[(nil)] finish[../source4/auth/gensec/gensec_gssapi.c:1064]
gensec_update_done: spnego[0xd831e0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0xd83820/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0xd839b0)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
gensec_update_send: gssapi_krb5[0xd83f00]: subreq: 0xd85680
gensec_update_send: spnego[0xd831e0]: subreq: 0xd834f0
gensec_update_done: gssapi_krb5[0xd83f00]: NT_STATUS_OK tevent_req[0xd85680/../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state (0xd85810)] timer[(nil)] finish[../source4/auth/gensec/gensec_gssapi.c:1071]
gensec_update_done: spnego[0xd831e0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0xd834f0/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0xd83680)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
gensec_update_send: spnego[0xd831e0]: subreq: 0xd85350
gensec_update_done: spnego[0xd831e0]: NT_STATUS_OK tevent_req[0xd85350/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0xd854e0)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e

which you seemed to think was a bogus error with WERR_DNS_ERROR_RECORD_ALREADY_EXISTS.
Nevertheless, the objectGUID CNAME record was not added.

So, is there another way to add this record? Perhaps ldbedit'ing some .ldb file? 

Was your 'host -t A' suggestion intended to be another way to get this done? If
so, I can update my BIND package to a newer version which does not have the
"prohibited character" issue. I have it on good authority from the "father" of
Slackware himself that I should be able to upgrade this package w/o too much
difficulty.

--Mark
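The check Mark is trying to do by hand above (does the objectGUID CNAME under _msdcs exist, and if not, add it with samba-tool) can be scripted so that the lookup is done with dig instead of host, and samba-tool is only invoked when the record is genuinely absent. The following is an added example, not code from the Samba project or from anyone in this thread. It assumes Python 3.7+, a BIND-built dig whose idnkit IDN handling honours the IDN_DISABLE environment variable, and samba-tool on PATH; the GUID, realm, host names and dig transcripts are constructed sample values, not captured from a real DC.

```python
"""Verify the objectGUID CNAME record for a Samba AD DC and create it only if
it is really missing.

Added example, not code from the Samba project or from the thread. Assumes
Python 3.7+, a BIND-built 'dig' (IDN via idnkit, which honours IDN_DISABLE)
and 'samba-tool' on PATH. All GUIDs, names and transcripts below are made up.
"""
import os
import re
import subprocess
from typing import List, Optional, Tuple

# Shape of an objectGUID as it appears in the _msdcs zone (8-4-4-4-12 hex).
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def msdcs_cname_name(guid: str, realm: str) -> str:
    """Build the fully qualified '<guid>._msdcs.<realm>.' name.

    The GUID is validated first: a mistyped GUID yields NXDOMAIN exactly like
    a genuinely missing record, which is how an operator ends up trying to
    'add' a record that already exists under the correct name.
    """
    guid = guid.strip().lower()
    if not GUID_RE.match(guid):
        raise ValueError("not an objectGUID: %r" % guid)
    realm = realm.strip().rstrip(".").lower()
    return "%s._msdcs.%s." % (guid, realm)


def parse_dig_cname(output: str) -> Optional[str]:
    """Return the CNAME target from plain 'dig <name> CNAME' output, or None.

    A reply whose only record is the zone SOA in the AUTHORITY SECTION (as in
    the thread) means the name does not exist; a CNAME line in the ANSWER
    SECTION means it does.
    """
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";"):          # any other dig header/comment line
            in_answer = False
            continue
        if in_answer and line.strip():
            fields = line.split()         # <name> <ttl> IN CNAME <target>
            if len(fields) >= 5 and fields[2] == "IN" and fields[3] == "CNAME":
                return fields[4].rstrip(".")
    return None


def samba_tool_add_argv(dns_server: str, realm: str, guid: str,
                        dc_fqdn: str, admin: str = "administrator") -> List[str]:
    """The samba-tool invocation from the thread, as an argv list."""
    return ["samba-tool", "dns", "add", dns_server,
            "_msdcs." + realm.rstrip("."), guid.lower(), "CNAME", dc_fqdn,
            "-U" + admin]


def lookup_cname(name: str, run=subprocess.run) -> Optional[str]:
    """Query with dig rather than host; IDN_DISABLE stops idnkit from
    rejecting the underscore in the _msdcs label."""
    env = dict(os.environ, IDN_DISABLE="1")
    result = run(["dig", name, "CNAME"], env=env,
                 capture_output=True, text=True)
    return parse_dig_cname(result.stdout)


def ensure_cname(guid: str, realm: str, dc_fqdn: str, dns_server: str,
                 run=subprocess.run) -> Tuple[str, str]:
    """Look the record up first and call samba-tool only when it is absent, so
    WERR_DNS_ERROR_RECORD_ALREADY_EXISTS is never mistaken for a failed add.

    'run' defaults to subprocess.run; it is a parameter only so the flow can
    be exercised without a DC.
    """
    name = msdcs_cname_name(guid, realm)
    target = lookup_cname(name, run)
    if target is not None:
        return ("present", target)
    run(samba_tool_add_argv(dns_server, realm, guid, dc_fqdn), check=True)
    return ("added", dc_fqdn.rstrip("."))


# Constructed dig transcripts (not captured from a real DC) for a dry run.
SAMPLE_FOUND = """\
; <<>> DiG 9.11.37 <<>> 1b2c3d4e-5f60-4a7b-8c9d-0e1f2a3b4c5d._msdcs.example.test. CNAME
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711

;; ANSWER SECTION:
1b2c3d4e-5f60-4a7b-8c9d-0e1f2a3b4c5d._msdcs.example.test. 900 IN CNAME dc1.example.test.

;; Query time: 1 msec
"""

SAMPLE_MISSING = """\
; <<>> DiG 9.11.37 <<>> 1b2c3d4e-5f60-4a7b-8c9d-0e1f2a3b4c5d._msdcs.example.test. CNAME
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4712

;; AUTHORITY SECTION:
example.test. 3600 IN SOA dc1.example.test. hostmaster.example.test. 1 10800 3600 28800 3600
"""

if __name__ == "__main__":
    print(parse_dig_cname(SAMPLE_FOUND))    # dc1.example.test
    print(parse_dig_cname(SAMPLE_MISSING))  # None
```

Run as a script it only parses the embedded transcripts; calling `ensure_cname(guid, realm, dc_fqdn, dns_server)` on a host that can reach the DC performs the real lookup and, when needed, the real add. The GUID validation is deliberate: a wrong or truncated GUID produces the same NXDOMAIN as a missing record, so it is worth ruling out before concluding that the wiki step failed.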


