[Samba] Joining a new Samba AD DC

Rowland Penny rpenny at samba.org
Wed Aug 2 08:14:41 UTC 2023



On 01/08/2023 22:40, Mark Foley via samba wrote:
> Is not being able to run 'host -t A' a show stopper here? The wiki 'host -t CNAME'
> gave, as expected:
> 
> # host -t CNAME 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local.
> Host 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local. not found: 3(NXDOMAIN)
> 
> and when trying to add with 'samba-tool' I got:
> 
> # samba-tool dns add MAIL _msdcs.hprs.local 0d2a3ba9-4ade-45de-85c7-321ba69caee0 CNAME DC1.hprs.local -Uadministrator
> [deleted]
> Password for [HPRS\administrator]:
> gensec_update_send: gssapi_krb5[0xd83f00]: subreq: 0xd85680
> gensec_update_send: spnego[0xd831e0]: subreq: 0xd83820
> gensec_update_done: gssapi_krb5[0xd83f00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0xd85680/../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state (0xd85810)] timer[(nil)] finish[../source4/auth/gensec/gensec_gssapi.c:1064]
> gensec_update_done: spnego[0xd831e0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0xd83820/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0xd839b0)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
> gensec_update_send: gssapi_krb5[0xd83f00]: subreq: 0xd85680
> gensec_update_send: spnego[0xd831e0]: subreq: 0xd834f0
> gensec_update_done: gssapi_krb5[0xd83f00]: NT_STATUS_OK tevent_req[0xd85680/../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state (0xd85810)] timer[(nil)] finish[../source4/auth/gensec/gensec_gssapi.c:1071]
> gensec_update_done: spnego[0xd831e0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0xd834f0/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0xd83680)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
> gensec_update_send: spnego[0xd831e0]: subreq: 0xd85350
> gensec_update_done: spnego[0xd831e0]: NT_STATUS_OK tevent_req[0xd85350/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0xd854e0)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
> ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
>    File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>      return self.run(*args, **kwargs)
>    File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
>      raise e
> 
> which you seemed to think was a bogus error with WERR_DNS_ERROR_RECORD_ALREADY_EXISTS.
> Nevertheless the objectGUID CNAME record was not added.
> 
> So, is there another way to add this record? Perhaps ldbedit'ing some .ldb file?
> 
> Was your 'host -t A' suggestion intended to be another way to get this done? If
> so, I can update my BIND package to a newer version which does not have the
> "prohibited character" issue. I have it on good authority from the "father" of
> Slackware himself that I should be able to upgrade this package w/o too much
> difficulty.
> 
> --Mark
> 

If I find the GUID for a DC, then use it in searches, I get results like these:

adminuser@rpidc1:~ $ host -t CNAME fb453823-737c-4a8b-93e1-dc197e236d50
fb453823-737c-4a8b-93e1-dc197e236d50 has no CNAME record

Doing an 'A' record search using the GUID's FQDN gets me this:

adminuser@rpidc1:~ $ host -t A fb453823-737c-4a8b-93e1-dc197e236d50._msdcs.samdom.example.com.
fb453823-737c-4a8b-93e1-dc197e236d50._msdcs.samdom.example.com is an alias for rpidc1.samdom.example.com.
rpidc1.samdom.example.com has address 192.168.1.2

Doing a similar search, but for a CNAME, gets me this:

adminuser@rpidc1:~ $ host -t CNAME fb453823-737c-4a8b-93e1-dc197e236d50._msdcs.samdom.example.com.
fb453823-737c-4a8b-93e1-dc197e236d50._msdcs.samdom.example.com is an alias for rpidc1.samdom.example.com.

I suggest you start Samba, wait a short while and then try again.

Rowland
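
The three 'host' outcomes seen in this thread (bare GUID, NXDOMAIN, alias found) can be told apart in a script. The following is an added example, not part of the original post or of Samba; the function names are hypothetical and the sample outputs are constructed from the formats shown above.

```shell
#!/bin/sh
# Added example (not from the original post). Names are hypothetical helpers.

# Build the name that is looked up: <objectGUID>._msdcs.<AD DNS domain>.
guid_cname_fqdn() {            # $1 = DC objectGUID, $2 = AD DNS domain
    printf '%s._msdcs.%s.\n' "$1" "${2%.}"
}

# Classify `host` output ($1) against the expected DC FQDN ($2).
# Prints: ok | wrong-target | nxdomain | no-cname | unknown
classify_host_output() {
    out=$1
    want=$(printf '%s' "${2%.}" | tr '[:upper:]' '[:lower:]')
    case $out in
        *" is an alias for "*)
            target=$(printf '%s\n' "$out" |
                sed -n 's/^.* is an alias for \(.*\)$/\1/p' | head -n 1)
            target=$(printf '%s' "${target%.}" | tr '[:upper:]' '[:lower:]')
            if [ "$target" = "$want" ]; then echo ok; else echo wrong-target; fi ;;
        *NXDOMAIN*)              echo nxdomain ;;
        *"has no CNAME record"*) echo no-cname ;;
        *)                       echo unknown ;;
    esac
}

# Live check; needs the `host` utility and a reachable DNS server.
check_dc_guid_cname() {        # $1 = GUID, $2 = domain, $3 = expected DC FQDN
    out=$(host -t CNAME "$(guid_cname_fqdn "$1" "$2")" 2>&1) || true
    classify_host_output "$out" "$3"
}

# Constructed sample outputs in the formats shown in this thread.
demo() {
    g=fb453823-737c-4a8b-93e1-dc197e236d50
    classify_host_output "$g has no CNAME record" rpidc1.samdom.example.com
    classify_host_output "Host $g._msdcs.samdom.example.com. not found: 3(NXDOMAIN)" \
        rpidc1.samdom.example.com
    classify_host_output "$g._msdcs.samdom.example.com is an alias for rpidc1.samdom.example.com." \
        rpidc1.samdom.example.com
}
demo
```

A "no-cname" result for a bare GUID only means the name was queried without its _msdcs suffix; "nxdomain" for the full name means the record is not being served.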


