[Samba] Joining Linux Domain Member to Samba DC, issues

Mark Foley mfoley at novatec-inc.com
Sun Apr 28 16:53:32 UTC 2024


On Sun Apr 28 03:42:51 2024 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Sat, 27 Apr 2024 20:38:34 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > I've successfully joined two Linux Domain Members to two different
> > Domains. Now, I'm joining a second Linux host as a Domain Member to a
> > Samba4 (4.18.9) Domain. I'm having some possible issues this time.
> > 
> > Issue #1 Reverse Zone
> > 
> > On the SambaWiki:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member,
> > under 2.5 Forward Lookup, no problem:
> > 
> > # host mail
> > mail.hprs.local has address 192.168.0.2
> > 
> > 2.6 Reverse Lookup is not working:
> > 
> > # host 192.168.0.2
> > Host 2.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
> > 
> > This is true for the other Linux domain member as well. I did create
> > the reverse zone when provisioning the DC, and when I get a zonelist
> > on the DC it does show the reverse zone (I think):
> > 
> > # samba-tool dns zonelist mail
> > 
> >   pszZoneName                 : 0.168.192.in-addr.arpa   <----
> >   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
> >   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
> >   Version                     : 50
> >   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> >   pszDpFqdn                   : DomainDnsZones.hprs.local
> > 
> > What's up here and is this a problem?
>
> Linux dhcp has no direct method to add/update a computers reverse
> record in AD, you either need to use a script called by your dhcp
> server, or add them manually.

So creating the reverse zone: 

samba-tool dns zonecreate mail  0.168.192.in-addr.arpa

Per the Wiki https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Create_a_reverse_zone
has no effect on subdomain members? I would have to create individual rDNS
records for each host:

samba-tool dns zonecreate mail  3.168.192.in-addr.arpa

right? What then is the point of creating the reverse zone for 192.168.0.0/24?


> > Issue #2: "DNS Update failed"
> > 
> > When joining the domain member, it joins (I think), but I get "DNS
> > update failed" messages:
> > 
> > # net ads join -U Administrator   
> > Using short domain name -- HPRS
> > Joined 'WEBSERVER' to dns domain 'hprs.local'
> > DNS Update for webserver.hprs.local failed: ERROR_DNS_UPDATE_FAILED
> > DNS update failed: NT_STATUS_UNSUCCESSFUL
> > 
> > I'm hoping this is just because I had added an A record for this host
> > back when I provisioned the domain (and this host was not a domain
> > member).  In fact, at the time I added A records for all the
> > non-Domain-Member Linux hosts and other devices (like network
> > printers).  I'm hoping this is not a real error, but is basically
> > saying the A record already exists and it can't "update" the DNS.  If
> > so, a less scary message would be nice.  Please advise. 
> > 
>
> This is probably down to a dns problem, I usually give my servers a
> fixed IP and then add the machines dns info to /etc/hosts:
>
> IPADDRESS FQDN SHORT_HOSTNAME
>
> I never have the problem you are having.
>
> If you do not want to set a fixed ip, then ensure that your dhcp server
> is supplying all the required dns data and that your server knows it.

I've never had this problem either. I've joined Linux members in the past
to both Samba DCs and Windows DCs. I've tried unjoining and re-joining with:

# samba-tool domain join hprs.local MEMBER -U administrator

DNS Update for webserver.hprs.local failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
Joined domain hprs.local (S-1-5-21-1179323223-1906255692-291620936)

but still get that update failed message, even though it says, "Joined domain."

This host is set up for a fixed IP address.

> I also hope that '.local' is a placeholder for the real TLD.

Nope. No choice in that. This domain started originally as a Windows SBS domain
and that hprs.local was the way it was configured, long before I arrived on the
scene. I have posts on this list describing my efforts to change the domain when
I re-provisioned from scratch, but the hprs.local is scatter-shotted throughout
all the Windows domain members' registries and attempts to change that failed.

> > 
> > Issue #3: getent not working
> > 
> > After joining this Domain Member I ran the getent test:
> > 
> > # getent passwd HPRS\\mark
> > 
> > Nothing came back. I do get results if I run it on the other Domain
> > Member:
> > 
> > # getent passwd HPRS\\mark
> > HPRS\mark:*:11105:10513:Mark Foley:/home/mark:/bin/bash
> > 
> > winbindd is running and the /etc/nsswitch.conf file has been
> > appropriately modified. The only config difference I know of between
> > this member and the one where getent works is that in
> > /etc/samba/smb.conf I added:
> > 
> > username map = /var/lib/samba/etc/user.map
> > 
> > and in /var/lib/samba/etc/user.map I have:
> > 
> > !root = hprs\Administrator
> > uid = 0
> > 
> > wbinfo -u and wbinfo -g do work. Any idea why my getent doesn't work?
>
> If smb.conf is set up correctly and winbind is running (which it seems
> it is), then, have you set up the libnss winbind links ?
>  
> Rowland

I've previously joined several Linux domain members and I've never had to
manually set libnss links. The wiki https://wiki.samba.org/index.php/Libnss_winbind_Links
says, "You only need to do this if you compiled Samba yourself, otherwise your
distro will provide packages to do this for you." 

I did not compile samba myself. I am using the Slackware 15.0 distro of Samba
4.18.9. The lib /usr/lib64/libnss_winbind.so.2 is the only winbind.so* that
exists on any of these computers and getent works on the DC and the other domain
member. I don't think there is anything else I can link.

# smbd -b | grep LIBDIR
   LIBDIR: /usr/lib64

getent still doesn't work.

In addition, the share I've created in smb.conf isn't working and I think it is
related to this problem.  Basically I moved another share definition from
another domain member to this new member (which was the point of creating this
new member).  With the share hosted on the original member, there was no
problem.  The map-drive function used the user's domain credentials without
asking and the drive mapped.  On this new domain member, Windows users mapping
this drive are asked to enter credentials.  And, once having done so the
credentials are invalid -- even though they are valid domain user credentials.
The Windows computer says,

"The mapped network drive could not be created because the following error has
occurred: The network login failed."

I don't know what's going wrong. I joined this domain member exactly like the
others as far as I can tell.
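
Editor's added example, not code from this thread or from the Samba project: a small POSIX shell helper that derives the /24 reverse zone name and the PTR label from an IPv4 address and emits the samba-tool commands that create that zone on the DC and add one PTR record per host inside it, plus a check that the passwd and group lines of a given nsswitch.conf actually list winbind (the NSS prerequisite behind the getent test). The DC name "mail", the zone 0.168.192.in-addr.arpa and mail at 192.168.0.2 are taken from the thread; the webserver address 192.168.0.3 and the function names are constructed for illustration. The commands are only printed, never run.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): reverse-zone naming and
# NSS checks for a Samba domain member.  Commands are printed, not executed.

# rev_zone ADDRESS -> name of the /24 reverse zone holding ADDRESS
# e.g. 192.168.0.2 -> 0.168.192.in-addr.arpa
rev_zone() (
    IFS=.
    set -- $1
    printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1"
)

# ptr_label ADDRESS -> record name inside that zone (the last octet)
ptr_label() (
    IFS=.
    set -- $1
    printf '%s\n' "$4"
)

# is_ipv4 ADDRESS -> 0 if ADDRESS is a dotted quad of octets 0..255
is_ipv4() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) exit 1 ;; esac
        [ "$o" -le 255 ] || exit 1
    done
)

# zonecreate_cmd DC ADDRESS -> samba-tool command creating the /24 zone
zonecreate_cmd() {
    printf 'samba-tool dns zonecreate %s %s -U Administrator\n' \
        "$1" "$(rev_zone "$2")"
}

# ptr_add_cmd DC ADDRESS FQDN -> samba-tool command adding one PTR record
ptr_add_cmd() {
    printf 'samba-tool dns add %s %s %s PTR %s -U Administrator\n' \
        "$1" "$(rev_zone "$2")" "$(ptr_label "$2")" "$3"
}

# ptr_check ADDRESS FQDN -> 0 if host(1) resolves ADDRESS back to FQDN,
# 2 if host(1) is not installed (check skipped)
ptr_check() {
    command -v host >/dev/null 2>&1 || return 2
    host "$1" 2>/dev/null | grep -q "domain name pointer $2"
}

# nsswitch_has_winbind FILE DB -> 0 if the "DB:" line in FILE lists winbind
nsswitch_has_winbind() {
    grep -E "^[[:space:]]*$2:.*[[:space:]]winbind([[:space:]]|$)" "$1" \
        >/dev/null 2>&1
}

# Demonstration with a constructed host list (mail is from the thread,
# webserver's address is made up).
DC=mail
zonecreate_cmd "$DC" 192.168.0.2
for entry in mail=192.168.0.2 webserver=192.168.0.3; do
    name=${entry%%=*}
    ip=${entry#*=}
    is_ipv4 "$ip" || { echo "bad address: $ip" >&2; continue; }
    ptr_add_cmd "$DC" "$ip" "$name.hprs.local"
done
for db in passwd group; do
    if nsswitch_has_winbind /etc/nsswitch.conf "$db"; then
        echo "nsswitch: $db lists winbind"
    else
        echo "nsswitch: $db does NOT list winbind"
    fi
done
```

The zone is created once per /24 and every host in that subnet gets a single-label PTR record (its last octet) inside it, so the PTR data for the hosts is what `host 192.168.0.2` would return once the record exists; `ptr_check` runs that lookup when host(1) is available and is the thing to re-run after adding a record.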
