[Samba] Joining a new Samba AD DC
mfoley at novatec-inc.com
Sun Jul 30 16:17:32 UTC 2023
While awaiting feedback on the error results of my "samba-tool ntacl
sysvolreset" (ref. my message, same thread, of Fri, 28 Jul 2023 17:04:21), I'm
going to look at this problem with the DNS ...
On Tue Jul 25 01:54:45 2023 Mark Foley via samba <samba at lists.samba.org> wrote:
> On Jul 24 13:30:11 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
> > On 24/07/2023 17:46, Mark Foley via samba wrote:
> > > Note that I did not specify any --dns-backend [when joining the new DC]. I hope that's OK as I
> > > provisioned with --dns-backend=BIND9_FLATFILE on the original/current DC. I do
> > > have LAN members not part of the domain that need to have DNS service, so I may
> > > have to redo this later.
> > If you didn't specify a dns backend, then the default internal dns
> > server will be used.
> > > Under "Verifying the DNS Entries" I did change the 1st IP in resolv.conf to be this new host's
> > > IP, but that didn't work -- couldn't see any other host, so I reverted back to
> > > the original DC's IP.
> > The dns problem is probably because there are no records in AD, you need
> > to either transfer the records from the flat files (you will probably
> > have to create the reverse zone) or let your Windows computers create
> > them in AD.
> OK, I'll look at that after the sync Sysvol. On the original DC, that machine
> was already the DNS w/o Samba with all the named.conf, zones, etc. configured.
> It was easy to adapt that to the then supported --dns-backend=BIND9_FLATFILE. I
> think I can research this a bit and sort it out.
Prior to provisioning the current DC, that host was running as the LAN
nameserver and I had created the named.conf containing zones and other options. As
mentioned, I provisioned with --dns-backend=BIND9_FLATFILE and it was a
relatively simple matter to add include "/var/lib/samba/private/named.conf"; to
/etc/named.conf, and put the needed zone into that file.
So now I'm going step-by-step on this DNS thing. In the wiki, after doing the
join, I am following the instructions under "Verifying the DNS Entries". That
section says, "If you join a Samba DC that runs Samba 4.7 and later, samba-tool
created all required DNS entries automatically. To manually create the records
on an earlier version, see Verifying and Creating a DC DNS Record."
The current DC is version 4.8.2, but I thought I should go ahead and do the
verify steps in https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record.
Note that the current DC is host MAIL, IP 192.168.0.2, and the new DC is host
DC1, IP 192.168.0.7. Wiki test results - all these commands are run on the current AD MAIL:
(Domain Controller A Record - good!)
> host -t A DC1.hprs.local.
DC1.hprs.local has address 192.168.0.7
(Determining a DCs objectGUID)
> ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
# record 1
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
# record 2
dn: CN=NTDS Settings,CN=MAIL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
# returned 2 records
# 2 entries
# 0 referrals
(objectGUID for DC1 is 0d2a3ba9-4ade-45de-85c7-321ba69caee0)
(Verifying and Creating the objectGUID Record. Note that the objectGUID for MAIL is found, not shown here)
> host -t CNAME 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local.
Host 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local. not found: 3(NXDOMAIN)
(manually add the objectGUID)
> samba-tool dns add MAIL _msdcs.hprs.local 0d2a3ba9-4ade-45de-85c7-321ba69caee0 CNAME DC1.hprs.local -Uadministrator
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [HPRS\administrator]:
gensec_update_send: gssapi_krb5[0xeeaf00]: subreq: 0xeec680
gensec_update_send: spnego[0xeea1e0]: subreq: 0xeea820
gensec_update_done: gssapi_krb5[0xeeaf00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0xeec680/../source4/auth/gensec/gensec_gssapi.c:1054]: state error[0 (0x0)] state[struct gensec_gssapi_update_state (0xeec810)] timer[(nil)] finish[../source4/auth/gensec/gensec_gssapi.c:1064]
gensec_update_done: spnego[0xeea1e0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0xeea820/../auth/gensec/spnego.c:1601]: state error[0 (0x0)] state[struct gensec_spnego_update_state (0xeea9b0)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
gensec_update_send: gssapi_krb5[0xeeaf00]: subreq: 0xeec680
gensec_update_send: spnego[0xeea1e0]: subreq: 0xeea4f0
gensec_update_done: gssapi_krb5[0xeeaf00]: NT_STATUS_OK tevent_req[0xeec680/../source4/auth/gensec/gensec_gssapi.c:1054]: state error[0 (0x0)] state[struct gensec_gssapi_update_state (0xeec810)] timer[(nil)] finish[../source4/auth/gensec/gensec_gssapi.c:1071]
gensec_update_done: spnego[0xeea1e0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0xeea4f0/../auth/gensec/spnego.c:1601]: state error[0 (0x0)] state[struct gensec_spnego_update_state (0xeea680)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
gensec_update_send: spnego[0xeea1e0]: subreq: 0xeec350
gensec_update_done: spnego[0xeea1e0]: NT_STATUS_OK tevent_req[0xeec350/../auth/gensec/spnego.c:1601]: state error[0 (0x0)] state[struct gensec_spnego_update_state (0xeec4e0)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
This didn't work as the 'host -t CNAME' command still says not found.
What am I doing wrong?
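The wiki checks walked through above, as an added example rather than code from this post or from Samba: shell functions that pull a DC's objectGUID out of the ldbsearch output, build the <objectGUID>._msdcs.<domain> name, compare what the resolver returns with the expected DC, and print the samba-tool dns add command when the record is missing. Assumed: ldbsearch output on stdin, the host command (overridable through HOST_CMD for testing), and a constructed SAMPLE_LDIF whose MAIL GUID is a placeholder.

```shell
# Added example, not code from the post or from Samba: the wiki's
# "Verifying and Creating a DC DNS Record" checks as shell functions.
# Assumes ldbsearch LDIF on stdin and the 'host' command (HOST_CMD overrides it).

# guid_for_dc DCNAME (ldbsearch output on stdin): prints the objectGUID of
# "CN=NTDS Settings,CN=DCNAME,..." or nothing if that DC is absent.
guid_for_dc() {
    awk -v want="dn: cn=ntds settings,cn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')," '
        function flush() {
            if (index(tolower(buf), "dn: ") == 1) hit = (index(tolower(buf), want) == 1)
            else if (hit && tolower(substr(buf, 1, 11)) == "objectguid:") {
                sub(/^[^ ]* */, "", buf); print buf; found = 1; exit
            }
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }   # LDIF continuation line
        { flush(); buf = $0 }
        END { if (!found) flush() }'
}

# msdcs_cname GUID DOMAIN -> the name the wiki says must exist as a CNAME
msdcs_cname() { printf '%s._msdcs.%s\n' "$1" "$2"; }

# cname_target NAME -> CNAME target as the resolver sees it (no trailing dot),
# empty on NXDOMAIN. Same "host -t CNAME" query as the wiki check.
cname_target() {
    "${HOST_CMD:-host}" -t CNAME "$1." 2>/dev/null |
        awk '/is an alias for/ { sub(/\.$/, "", $NF); print $NF; exit }'
}

# check_dc DCNAME DOMAIN (ldbsearch output on stdin): 0 when
# <objectGUID>._msdcs.DOMAIN resolves to DCNAME.DOMAIN, else 1 plus the fix.
check_dc() {
    guid=$(guid_for_dc "$1")
    [ -n "$guid" ] || { echo "$1: no objectGUID in ldbsearch output" >&2; return 1; }
    name=$(msdcs_cname "$guid" "$2")
    target=$(cname_target "$name" | tr 'A-Z' 'a-z')
    expected=$(printf '%s.%s' "$1" "$2" | tr 'A-Z' 'a-z')
    if [ "$target" = "$expected" ]; then
        echo "OK: $name -> $target"; return 0
    fi
    echo "MISSING: $name resolves to '${target:-NXDOMAIN}', expected $expected" >&2
    echo "samba-tool dns add <dns-server> _msdcs.$2 $guid CNAME $1.$2 -Uadministrator"
    return 1
}

# Constructed ldbsearch output in the shape shown in the post: the DC1 GUID is
# the one from the post, the MAIL GUID is a placeholder.
SAMPLE_LDIF='dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
objectGUID: 0d2a3ba9-4ade-45de-85c7-321ba69caee0

dn: CN=NTDS Settings,CN=MAIL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
objectGUID: 00000000-0000-0000-0000-000000000000
'
```

On the DC itself the input is the real query: `ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectGUID | check_dc DC1 hprs.local`. Keep in mind that samba-tool dns add writes the record into AD, while a BIND9_FLATFILE setup answers from the flat zone files, so the resolver's view and AD's view can disagree.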