[Samba] Member join to Active Directory -> DNS-Update fails
rpenny at samba.org
Fri Oct 27 16:45:00 UTC 2023
On Fri, 27 Oct 2023 16:22:54 +0200
Bestattungen Vitt - Thomas Reitelbach via samba <samba at lists.samba.org>
> Hello Luis,
> answering between the comments...
> >> And this is the debug log on the machine where the DNS-Update is
> >> tried upon:
> >> Oct 27 14:58:21 vmads.vitt.site samba: [2023/10/27
> >> 14:58:21.679662, 0]
> >> ../source4/dns_server/dns_update.c:407(handle_one_update)
> >> Oct 27 14:58:21 vmads.vitt.site samba: Can't handle updates
> >> of type 255 yet
> > I assume your record does not exist already.
> Correct, it does not exist already. Neither the A nor the PTR record
> do exist at this moment.
But there is nothing stopping you creating them.
> >> I guess this is because this specific machine has an old samba
> >> version (4.6.4) which lacks the necessary functions.
> >> What are my options now?
> >> a) update Samba on the old machine to a current version? (not
> >> preferred)
> > Excellent idea. Try:
> Unfortunately this is complicated. Current samba configure scripts
> need python3 which is unavailable for this old server. I would have
> to compile python and all its dependencies as well. I'll try not to
> do this ;-)
> Well, I COULD do this, but this is my last choice...
I wouldn't bother, just transfer any FSMO roles to another DC, then
demote this old DC and then, if required, create a new one.
> >> b) let the joining Fileserver choose a different AD-Server
> >> preferred for
> >> DNS-Updates? (how would I do that?? the other AD servers are
> >> running on
> >> debian 11 with samba 4.17.9) All FSMO-Roles are at the other AD
> >> servers.
I suggest you upgrade Bullseye to Bookworm and then use Samba from
> > I don't think you can do that unless you stop samba in the old
> > server. Worth trying.
> I'll test when the old server is unused. At the working hours this is
> not possible.
> >> c) create the necessary DNS-Entry manually (tried that already
> >> with the
> >> Windows DNS Client, this works)
> Do I have to expect any problems when I join the new Fileserver and
> create the DNS entries manually? If I do so, the DNS-Records are
> immediately being synced between the three samba-internal dns
> servers as expected. Is there anything more to take care of?
> >> The server with the old samba version is my old File server and AD
> >> server in one machine
> > You probably refer to a DC server, not an AD server.
> The old server has always been used as Active Directory Domain
> Controller (this is what I called an AD server), first installed
> samba version was 4.0.5, self-compiled, one of the first versions
> with support for it. It is NOT an old NT-style PDC, if you mean this.
> > Review your member server config, just in case you're missing
> > something:
> The config at time of the Join is very basic:
> ### Basic configuration ###
> security = ADS
> workgroup = ADVITT
> realm = ADVITT.SITE
> log file = /var/log/samba/%m.log
> log level = 1
> idmap config * : backend = autorid
> idmap config * : range = 10000-9999999
> vfs objects = acl_xattr
> map acl inherit = yes
Using the 'autorid' idmap backend is quite okay, but it has a
limitation, you cannot set 'winbind use default domain = yes' in your
smb.conf and then just use '$USERNAME' to logon, instead of
There are quite few extra lines I would add, 'winbind refresh tickets =
yes' for one.
> -> true, no shares at this point.
> Kerberos config:
> default_realm = ADVITT.SITE
> dns_lookup_realm = false
> dns_lookup_kdc = true
> Time Synchronization is pulled via NTP from the AD-DC Servers.
> Name resolution is set to the three AD-DC servers and Name resolution
> tests are OK.
When you move to Bookworm, use Chrony instead, ntpsec has replaced ntp
and ntpsec isn't working with Samba at the present.
> I don't think I'm missing something important so far.
How is /etc/hosts set up ?
If you run 'hostname -f' in a terminal, does it return the computers
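On the point that nothing stops you creating the A and PTR records by hand (option c above): as an added example, not code from the thread, here is a POSIX shell script that derives the reverse zone and PTR owner name from the member's IPv4 address and emits the samba-tool dns commands to add and then verify both records on a DC. The DC name dc1.advitt.site, the member name fileserver and the address 192.168.10.25 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build the samba-tool commands that
# create the A and PTR records for a new member server on a Samba AD DC.
# Placeholders (not from the thread): DC dc1.advitt.site, member "fileserver",
# constructed address 192.168.10.25 in a /24 reverse zone.
set -eu

# Reverse lookup zone for a dotted IPv4 address and a /8, /16 or /24 prefix,
# e.g. ptr_zone 192.168.10.25 24 -> 10.168.192.in-addr.arpa
ptr_zone() {
    ip=$1; prefix=$2
    a=${ip%%.*}; rest=${ip#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}
    case $prefix in
        8)  echo "$a.in-addr.arpa" ;;
        16) echo "$b.$a.in-addr.arpa" ;;
        24) echo "$c.$b.$a.in-addr.arpa" ;;
        *)  echo "unsupported prefix /$prefix" >&2; return 1 ;;
    esac
}

# Owner name of the PTR record inside that zone (remaining octets, reversed),
# e.g. ptr_name 192.168.10.25 24 -> 25 ; ptr_name 10.1.2.3 16 -> 3.2
ptr_name() {
    ip=$1; prefix=$2
    a=${ip%%.*}; rest=${ip#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    case $prefix in
        8)  echo "$d.$c.$b" ;;
        16) echo "$d.$c" ;;
        24) echo "$d" ;;
        *)  return 1 ;;
    esac
}

# Print the samba-tool commands; set DO_RUN=1 on a DC to execute them as well.
dns_register() {
    dc=$1; zone=$2; host=$3; ip=$4; prefix=$5
    rzone=$(ptr_zone "$ip" "$prefix"); rname=$(ptr_name "$ip" "$prefix")
    for cmd in \
        "samba-tool dns add $dc $zone $host A $ip -U Administrator" \
        "samba-tool dns add $dc $rzone $rname PTR $host.$zone -U Administrator" \
        "samba-tool dns query $dc $zone $host A -U Administrator" \
        "samba-tool dns query $dc $rzone $rname PTR -U Administrator"
    do
        echo "$cmd"
        if [ "${DO_RUN:-0}" = 1 ]; then $cmd; fi
    done
}

dns_register dc1.advitt.site advitt.site fileserver 192.168.10.25 24
```

If the reverse zone does not exist yet on the DC, create it first with `samba-tool dns zonecreate <dc> <zone>`; the two query commands at the end confirm the records are present before you join the member.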