[Samba] Member join to Active Directory -> DNS-Update fails
Bestattungen Vitt - Thomas Reitelbach
t.reitelbach at bestattungen-vitt.de
Sat Oct 28 09:05:11 UTC 2023
>> >> I guess this is because this specific machine has an old samba
>> >> version (4.6.4) which lacks the necessary functions.
>> >> What are my options now?
>> >> a) update Samba on the old machine to a current version? (not
>> >> preferred)
>> > Excellent idea. Try:
>> Unfortunately this is complicated. Current samba configure scripts
>> need python3 which is unavailable for this old server. I would have
>> to compile python and all its dependencies as well. I'll try not to
>> do this ;-)
>> Well, I COULD do this, but this is my last choice...
> I wouldn't bother, just transfer any FSMO roles to another DC, then
> demote this old DC and then, if required, create a new one.
This DC is also my main Fileserver as well (I know, bad decision 12
What will happen to the file service if I demote the DC? If I understand
the docs I should turn off the server after demoting it which means shut
down file and print services as well. This is not possible at the time
being because it holds the users home directories, folder redirection
share and so on.
>> >> b) let the joining Fileserver choose a different AD-Server
>> >> preferred for
>> >> DNS-Updates? (how would I do that?? the other AD servers are
>> >> running on
>> >> debian 11 with samba 4.17.9) All FSMO-Roles are at the other AD
>> >> servers.
> I suggest you upgrade Bullseye to Bookworm and then use Samba from
Upgrade to Bookworm is planned. But what's the exact reason to use samba
from backports with bookworm? Is there a known problem with the samba
version packaged with bookworm? (besides that it is not always the
>> > I don’t think you can do that unless you stop samba in the old
>> > server. Worth trying.
>> I'll test when the old server is unused. At the working hours this is
>> not possible.
Tried it today.
Stopped samba service on the old server. Now the new fileserver can be
joined without the errors about failed DNS updates because it chooses
one of the newer DCs for its DNS update. Fine :)
>> > Review your member server config, just in case you're missing
>> > something:
>> The config at time of the Join is very basic:
>> ### Basic configuration ###
>> security = ADS
>> workgroup = ADVITT
>> realm = ADVITT.SITE
>> log file = /var/log/samba/%m.log
>> log level = 1
>> idmap config * : backend = autorid
>> idmap config * : range = 10000-9999999
>> vfs objects = acl_xattr
>> map acl inherit = yes
> Using the 'autorid' idmap backend is quite okay, but it has a
> limitation, you cannot set 'winbind use default domain = yes' in your
> smb.conf and then just use '$USERNAME' to logon, instead of
> There are quite a few extra lines I would add, 'winbind refresh tickets =
> yes' for one.
Thank you for your input, I'll read the docs regarding those options :)
>> Time Synchronization is pulled via NTP from the AD-DC Servers.
>> Name resolution is set to the three AD-DC servers and Name resolution
>> tests are OK.
> When you move to Bookworm, use Chrony instead, ntpsec has replaced ntp
> and ntpsec isn't working with Samba at the present.
With "pulled via NTP" I referred to NTP as a network protocol, not the
daemon with that name. Actually I'm using chrony on the DCs right now
and systemd-timesyncd on the new File server (Member server) which
should be fine I guess.
> How is /etc/hosts set up ?
> If you run 'hostname -f' in a terminal, does it return the computer's
> FQDN ?
Yes, it does.
The hosts file is straightforward:
root@fs1:~# cat /etc/hosts
192.168.3.246 fs1.advitt.site fs1
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
Thank you all on this list for helping me.
Stopping the old samba server was the easiest solution to join the new
member. After being successful I restarted the old samba server.
Now I can migrate file- and print-services from the old to the new
server and finally shut down the ancient one :)
Bestattungen Vitt oHG
Inhaber Willi & Thomas Reitelbach
Registergericht: Amtsgericht Bonn, HRA 7958
Telefon: 0228 - 62 68 68
Fax: 0228 - 978 30 36
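
The /etc/hosts and 'hostname -f' check asked about in the thread, as an added example that is not part of the original message and not Samba's own code: a shell function that flags a host name mapped to a loopback address or listed before its FQDN on the line. The function name check_hosts and the sample files are constructed for illustration.

```shell
#!/bin/sh
# check_hosts FILE FQDN (hypothetical helper, not a Samba tool)
# Prints one finding and returns 0 when the hosts entry is usable, 1 otherwise.
check_hosts() {
    awk -v fqdn="$2" '
        BEGIN { fqdn = tolower(fqdn); short = fqdn; sub(/\..*/, "", short) }
        { sub(/#.*/, "") }                 # strip comments
        NF < 2 { next }                    # blank or address-only line
        {
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name != fqdn && name != short) continue
                seen = 1
                if ($1 ~ /^127\./ || $1 == "::1") {
                    print "FAIL: " name " maps to loopback address " $1; bad = 1
                } else if (tolower($2) != fqdn) {
                    # hostname -f reports the first name on the matching line
                    print "FAIL: " $1 " lists " $2 " before the FQDN"; bad = 1
                }
                break
            }
        }
        END {
            if (!seen) { print "FAIL: no entry for " fqdn; bad = 1 }
            if (!bad) print "OK: " fqdn " maps to a non-loopback address"
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample input: the layout shown in the post, and a variant that
# points the host name at 127.0.1.1.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '192.168.3.246 fs1.advitt.site fs1' \
        '# The following lines are desirable for IPv6 capable hosts' \
        '::1 localhost ip6-localhost ip6-loopback' > "$dir/good"
    printf '%s\n' '127.0.0.1 localhost' \
        '127.0.1.1 fs1.advitt.site fs1' > "$dir/loopback"
    check_hosts "$dir/good" fs1.advitt.site
    check_hosts "$dir/loopback" fs1.advitt.site || echo "exit status $?"
    rm -rf "$dir"
}
demo
```

On a live member server the call would be `check_hosts /etc/hosts "$(hostname -f)"`.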