[Samba] Joining a new Samba AD DC

Mark Foley mfoley at novatec-inc.com
Sun Jul 30 16:17:32 UTC 2023


While awaiting feedback on the error results of my "samba-tool ntacl
sysvolreset" (ref. my message, same thread, of Fri, 28 Jul 2023 17:04:21), I'm
going to look at this problem with the DNS ...

On Tue Jul 25 01:54:45 2023 Mark Foley via samba <samba at lists.samba.org> wrote:

> On Jul 24 13:30:11 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On 24/07/2023 17:46, Mark Foley via samba wrote:

[deleted]

> > > Note that I did not specify any --dns-backend [when joining the new DC].  I hope that's OK as I
> > > provisioned with --dns-backend=BIND9_FLATFILE on the original/current DC.  I do
> > > have LAN members not part of the domain that need to have DNS service, so I may
> > > have to redo this later.
> >
> > If you didn't specify a dns backend, then the default internal dns 
> > server will be used.
> >
> > > Under "Verifying the DNS Entries" I did change the 1st IP in resolv.conf to be this new host's
> > > IP, but that didn't work -- couldn't see any other host, so I reverted back to
> > > the original DC's IP.
> >
> > The dns problem is probably because there are no records in AD, you need 
> > to either transfer the records from the flat files (you will probably 
> > have to create the reverse zone) or let your Windows computers create 
> > them in AD.
>
> OK, I'll look at that after the sync Sysvol. On the original DC, that machine
> was already the DNS w/o Samba with all the named.conf, zones, etc. configured.
> It was easy to adapt that to the then supported --dns-backend=BIND9_FLATFILE. I
> think I can research this a bit and sort it out.

[deleted]

Prior to provisioning the current DC, that host was running as the LAN
nameserver and I had created the named.conf containing zones and other options. As
mentioned, I provisioned with --dns-backend=BIND9_FLATFILE and it was a
relatively simple matter to add include "/var/lib/samba/private/named.conf"; to
/etc/named.conf, and put the needed zone into that file.

So now I'm going step-by-step on this DNS thing. In the wiki, after doing the
join, I am following the instructions under "Verifying the DNS Entries". That
section says, "If you join a Samba DC that runs Samba 4.7 and later, samba-tool
created all required DNS entries automatically. To manually create the records
on an earlier version, see Verifying and Creating a DC DNS Record."

The current DC is version 4.8.2, but I thought I should go ahead and do the
verify steps in https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record.

Note that the current DC is host MAIL, IP 192.168.0.2, and the new DC is host
DC1, IP 192.168.0.7. Wiki test results - all these commands are run on the current AD MAIL:

(Domain Controller A Record - good!)

> host -t A DC1.hprs.local.
DC1.hprs.local has address 192.168.0.7

(Determining a DCs objectGUID)

> ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
:
# record 1
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
objectGUID: 0d2a3ba9-4ade-45de-85c7-321ba69caee0

# record 2
dn: CN=NTDS Settings,CN=MAIL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
objectGUID: 48c0208f-0646-42f6-89bf-dc9b81b3442c

# returned 2 records
# 2 entries
# 0 referrals

(objectGUID for DC1 is 0d2a3ba9-4ade-45de-85c7-321ba69caee0)

(Verifying and Creating the objectGUID Record. Note that the objectGUID for MAIL is found, not shown here)

> host -t CNAME 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local.
Host 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local. not found: 3(NXDOMAIN)

(manually add the objectGUID)

> samba-tool dns add MAIL _msdcs.hprs.local 0d2a3ba9-4ade-45de-85c7-321ba69caee0 CNAME DC1.hprs.local -Uadministrator
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [HPRS\administrator]:
gensec_update_send: gssapi_krb5[0xeeaf00]: subreq: 0xeec680
gensec_update_send: spnego[0xeea1e0]: subreq: 0xeea820
gensec_update_done: gssapi_krb5[0xeeaf00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0xeec680/../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state (0xeec810)] timer[(nil)] finish[../source4/auth/gensec/gensec_gssapi.c:1064]
gensec_update_done: spnego[0xeea1e0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0xeea820/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0xeea9b0)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
gensec_update_send: gssapi_krb5[0xeeaf00]: subreq: 0xeec680
gensec_update_send: spnego[0xeea1e0]: subreq: 0xeea4f0
gensec_update_done: gssapi_krb5[0xeeaf00]: NT_STATUS_OK tevent_req[0xeec680/../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)]  state[struct gensec_gssapi_update_state (0xeec810)] timer[(nil)] finish[../source4/auth/gensec/gensec_gssapi.c:1071]
gensec_update_done: spnego[0xeea1e0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0xeea4f0/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0xeea680)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
gensec_update_send: spnego[0xeea1e0]: subreq: 0xeec350
gensec_update_done: spnego[0xeea1e0]: NT_STATUS_OK tevent_req[0xeec350/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)]  state[struct gensec_spnego_update_state (0xeec4e0)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e

This didn't work as the 'host -t CNAME' command still says not found.

What am I doing wrong?

THX --Mark
