[Samba] Joining Linux Domain Member to Samba DC, issues

Rowland Penny rpenny at samba.org
Sun Apr 28 07:42:11 UTC 2024


On Sat, 27 Apr 2024 20:38:34 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> I've successfully joined two Linux Domain Members to two different
> Domains. Now, I'm joining a second Linux host as a Domain Member to a
> Samba4 (4.18.9) Domain. I'm having some possible issues this time.
> 
> Issue #1 Reverse Zone
> 
> On the SambaWiki:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member,
> under 2.5 Forward Lookup, no problem:
> 
> # host mail
> mail.hprs.local has address 192.168.0.2
> 
> 2.6 Reverse Lookup is not working:
> 
> # host 192.168.0.2
> Host 2.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
> 
> This is true for the other Linux domain member as well. I did create
> the reverse zone when provisioning the DC, and when I get a zonelist
> on the DC it does show the reverse zone (I think):
> 
> # samba-tool dns zonelist mail
> 
>   pszZoneName                 : 0.168.192.in-addr.arpa   <----
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE 
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED 
>   pszDpFqdn                   : DomainDnsZones.hprs.local
> 
> What's up here and is this a problem?

Linux dhcp has no direct method to add/update a computer's reverse
record in AD, you either need to use a script called by your dhcp
server, or add them manually.

> 
> 
> Issue #2: "DNS Update failed"
> 
> When joining the domain member, it joins (I think), but I get "DNS
> update failed" messages:
> 
> # net ads join -U Administrator   
> Using short domain name -- HPRS
> Joined 'WEBSERVER' to dns domain 'hprs.local'
> DNS Update for webserver.hprs.local failed: ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
> 
> I'm hoping this is just because I had added an A record for this host
> back when I provisioned the domain (and this host was not a domain
> member).  In fact, at the time I added A records for all the
> non-Domain-Member Linux hosts and other devices (like network
> printers).  I'm hoping this is not a real error, but is basically
> saying the A record already exists and it can't "update" the DNS.  If
> so, a less scary message would be nice.  Please advise.
> 

This is probably down to a dns problem, I usually give my servers a
fixed IP and then add the machine's dns info to /etc/hosts:

IPADDRESS FQDN SHORT_HOSTNAME

I never have the problem you are having.

If you do not want to set a fixed ip, then ensure that your dhcp server
is supplying all the required dns data and that your server knows it.

I also hope that '.local' is a placeholder for the real TLD.

> 
> Issue #3: getent not working
> 
> After joining this Domain Member I ran the getent test:
> 
> # getent passwd HPRS\\mark
> 
> Nothing came back. I do get results if I run it on the other Domain
> Member:
> 
> # getent passwd HPRS\\mark
> HPRS\mark:*:11105:10513:Mark Foley:/home/mark:/bin/bash
> 
> winbindd is running and the /etc/nsswitch.conf file has been
> appropriately modified. The only config difference I know of between
> this member and the one where getent works is that in
> /etc/samba/smb.conf I added:
> 
> username map = /var/lib/samba/etc/user.map
> 
> and in /var/lib/samba/etc/user.map I have:
> 
> !root = hprs\Administrator
> uid = 0
> 
> wbinfo -u and wbinfo -g do work. Any idea why my getent doesn't work?

If smb.conf is set up correctly and winbind is running (which it seems
it is), then, have you set up the libnss winbind links?
 
Rowland
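The reply points at three things an admin would check on the new domain member before digging further: that nsswitch.conf actually names winbind on its passwd: and group: lines, that the /etc/hosts line has the IPADDRESS FQDN SHORT_HOSTNAME shape, and that glibc can find libnss_winbind.so.2 (wbinfo talks to winbindd directly, getent goes through NSS, which is why one can work while the other returns nothing). The script below is an added example written for this page, not code from the thread or from the Samba project; the library directory in NSS_LIB_DIR and the sample hostnames in the self-check are assumptions.

```shell
#!/bin/sh
# Added example, not code from the mailing list thread or the Samba project.
# Offline checks for the three things the reply points at:
#   1. winbind named on the passwd: and group: lines of nsswitch.conf
#   2. an /etc/hosts line in the "IPADDRESS FQDN SHORT_HOSTNAME" shape
#   3. a usable libnss_winbind.so.2 in the library directory
# NSS_LIB_DIR is an assumption; the real directory differs between distros.
NSS_LIB_DIR=${NSS_LIB_DIR:-/usr/lib}

# 1. Return 0 when both the passwd: and group: lines of the file list winbind.
nsswitch_has_winbind() {
    grep -Eq '^passwd:.*[[:space:]]winbind([[:space:]]|$)' "$1" &&
    grep -Eq '^group:.*[[:space:]]winbind([[:space:]]|$)' "$1"
}

# 2. Return 0 when a hosts(5) line is "IPv4 FQDN SHORT" with the FQDN first
#    (the first name on the line is what resolvers return as canonical).
hosts_line_ok() {
    want_fqdn=$2
    want_short=$3
    set -- $1                       # split the line into its fields
    [ "$#" -ge 3 ] || return 1
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    [ "$2" = "$want_fqdn" ] && [ "$3" = "$want_short" ]
}

# 3. Return 0 when libnss_winbind.so.2 exists in the directory and, if it is a
#    symlink, resolves ([ -e ] follows links, so a dangling link fails).
nss_winbind_link_ok() {
    [ -e "$1/libnss_winbind.so.2" ] && [ -r "$1/libnss_winbind.so.2" ]
}

# Runs the three checks against constructed inputs (sample names and a stand-in
# library file, not a real system) so the script works offline.
# Returns the number of checks that behaved unexpectedly (0 = all good).
self_check() {
    tmp=$(mktemp -d)
    fails=0
    printf 'passwd: files winbind\ngroup:  files winbind\n' > "$tmp/good.conf"
    printf 'passwd: files\ngroup:  files\n' > "$tmp/bad.conf"
    nsswitch_has_winbind "$tmp/good.conf" || fails=$((fails + 1))
    nsswitch_has_winbind "$tmp/bad.conf" && fails=$((fails + 1))
    hosts_line_ok '192.168.0.10 webserver.hprs.local webserver' \
        webserver.hprs.local webserver || fails=$((fails + 1))
    hosts_line_ok '192.168.0.10 webserver webserver.hprs.local' \
        webserver.hprs.local webserver && fails=$((fails + 1))
    : > "$tmp/libnss_winbind.so"                   # stand-in for the real library
    ln -s "$tmp/libnss_winbind.so" "$tmp/libnss_winbind.so.2"
    nss_winbind_link_ok "$tmp" || fails=$((fails + 1))
    rm "$tmp/libnss_winbind.so"                    # now the .so.2 link dangles
    nss_winbind_link_ok "$tmp" && fails=$((fails + 1))
    rm -rf "$tmp"
    return "$fails"
}

# With --live, look at this host instead of the constructed inputs.
if [ "${1:-}" = "--live" ]; then
    nsswitch_has_winbind /etc/nsswitch.conf \
        && echo "nsswitch.conf: winbind present on passwd: and group:" \
        || echo "nsswitch.conf: winbind missing on passwd: or group:"
    nss_winbind_link_ok "$NSS_LIB_DIR" \
        && echo "libnss_winbind.so.2: found in $NSS_LIB_DIR" \
        || echo "libnss_winbind.so.2: missing or dangling in $NSS_LIB_DIR"
else
    self_check && echo "self-check passed" || echo "self-check: $? unexpected result(s)"
fi
```

Run it with --live on the member that fails the getent test; if NSS_LIB_DIR is wrong for the distro, set it to wherever libnss_files.so.2 lives, since libnss_winbind.so.2 must sit beside it for the loader to find it.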



More information about the samba mailing list