[Samba] Joining a new Samba AD DC

Mark Foley mfoley at novatec-inc.com
Wed Aug 2 21:38:59 UTC 2023 

On Wed Aug  2 10:25:00 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On 02/08/2023 15:04, Mark Foley via samba wrote:
>
> > Yeah, those command on my system simply return the 'help' syntax info for the host command.

Actually, I must correct this a bit. Running those commands on my current dc
give the "prohibited character found" error.

> >> I suggest you start Samba, wait a short while and then try again.
> > 
> > Do you mean to start Samba on the new DC (which I haven't done yet) or [re]start
> > Samba on the current DC?
>
> When you 'join' a new DC to the domain, only minimal critical DNS 
> records are created annd the GUID records are not amongst them. When 
> Samba on the new DC is started, a script <samba_dnsupdate> is run (it 
> then runs every 10 minutes after that). This script uses a file 
> <dns_update_list> to check if various DNS records for the DC exist, if 
> they do not exist, they are created, amongst these DNS records is:
>
> ${IF_DC}CNAME          ${NTDSGUID}._msdcs.${DNSFOREST}  ${HOSTNAME}
>
> So the GUID record possibly doesn't exist on your new DC because you 
> haven't started it.
>
> Rowland

Per the wiki, I ran 'samba' on the new DC, then tried the 'samba-tool drs showrepl'
on the new DC. No go:

# samba-tool drs showrepl
Failed to connect host 127.0.0.1 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 127.0.0.1 (dc1.hprs.local) on port 135 - NT_STATUS_CONNECTION_REFUSED.
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to dc1.hprs.local failed - drsException: DRS connection to dc1.hprs.local failed: (3221226038, 'The transport-connection attempt was refused by the remote system.')
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/drs.py", line 55, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib64/python3.9/site-packages/samba/drs_utils.py", line 71, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))

I then tried 'samba-tool drs showrepl' on the current DC and got:

# samba-tool drs showrepl
:
: (bunch of gensec stuff)
:
Default-First-Site-Name\MAIL
DSA Options: 0x00000001
DSA object GUID: 48c0208f-0646-42f6-89bf-dc9b81b3442c
DSA invocationId: efd15371-9645-4a1a-b9eb-f4db28add590

==== INBOUND NEIGHBORS ====

Sealed 64 bytes, and got 76 bytes header/signature.
Unsealed 2816 bytes, with 76 bytes header/signature.
CN=Schema,CN=Configuration,DC=hprs,DC=local
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 0d2a3ba9-4ade-45de-85c7-321ba69caee0
                Last attempt @ Wed Aug  2 16:31:57 2023 EDT failed, result 2 (WERR_FILE_NOT_FOUND)
                2678 consecutive failure(s).
                Last success @ NTTIME(0)

The above starting with "Default-First-Site-Name\DC1 via RPC" was be repeated
4 more times, but note the failure which occured in each repeat. After that:

==== OUTBOUND NEIGHBORS ====

Sealed 64 bytes, and got 76 bytes header/signature.
Unsealed 32 bytes, with 76 bytes header/signature.
==== KCC CONNECTION OBJECTS ====

Connection --
        Connection name: 34b6cbf3-f021-4922-9b55-6dc26cb833be
        Enabled        : TRUE
        Server DNS name : dc1.hprs.local
        Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!

Kerberos commands still not working:

# kinit administrator
Password for administrator at hprs.local: 
kinit: KDC reply did not match expectations while getting initial credentials

# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)

/etc/resolv.conf still not working with the new DC's IP.

All these failures are likely because samba failed, /var/log/syslog:

Aug  2 16:53:14 DC1 samba[16433]: [2023/08/02 16:53:14.573450,  0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler) 
Aug  2 16:53:14 DC1 samba[16433]:   /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
:
: (another 26 errors like this)
:
Aug  2 16:53:15 DC1 samba[16433]: [2023/08/02 16:53:15.236106,  0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done) 
Aug  2 16:53:15 DC1 samba[16433]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 27

As it stands, samba doesn't run, kerberos doesn't run, DNS not working.

Note that the 1st place I'm failing per the wiki procedure is with:

# host -t CNAME 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local.
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')

I'm about ready to give up and start from scratch, maybe going back and attempting to
upgrade the existing Samba 4.8.2 if you think the current course is irredeemable
and out of control.

I started down the "upgrade" line of thinking in thread "Upgrading from Samba 4.8.2 to 4.15.5"
from January 28th, but advice from you and others was to try adding a DC and
"promoting" it. Is that still viable?

I could also give this 2nd DC another clean retry by removing it from the
domain, wiping the drive and starting over. Perhaps joining with a
specified backend so DNS works right away -- or getting that to work before
moving on. At the same time I could put the latest BIND package on the current
4.8.2 DC and get away from the "prohibited character found" error.

--Mark :(

More information about the samba mailing list