[Samba] Macs can't join domain when 2nd DC is online

Alex peter.alexander99 at gmail.com
Thu Jan 25 17:25:02 UTC 2024


Hi, I am looking for advice troubleshooting this issue.


I have 2x Samba 4 DCs:
- dc1, Samba 4.7.6 (with FSMO roles) on Ubuntu 18.04
- dc2, Samba 4.15.13 on Ubuntu 20.04

dbcheck finds no issues, same with samba_dnsupdate.

DHCP hands out dc1 and dc2 as DNS servers.

Currently domain-joined Mac and Win10 computers can login fine.

When both dc1 and dc2 are running, unbound Macs can't join the domain.
If I turn off dc1, still can't join the domain.
If I turn dc1 back on, and turn off dc2, those Macs can now join the domain
just fine.
If I turn dc2 back on, Macs can't join the domain anymore.

This only seems to affect macOS 13 and 14. Tested a Mac running macOS 11
and the issue was not reproducible. Have not tried on v12.

DC1 smb.conf
[global]
        netbios name = DC1
        realm = SAMDOM.TLD
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes
        disable netbios = yes
        eventlog list = Application Security System
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        disable netbios = yes
        min protocol = SMB3
        time server = yes
        log file = /var/log/samba/log.%m
[netlogon]
        path = /var/lib/samba/sysvol/samdom.tld/scripts
        read only = No
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

DC1 /etc/krb5.conf (copied from /var/lib/samba/private...)
[libdefaults]
        default_realm = SAMDOM.TLD
        dns_lookup_realm = false
        dns_lookup_kdc = true

DC2 smb.conf
[global]
        netbios name = DC2
        realm = SAMDOM.TLD
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = SAMDOM
        idmap_ldb:use rfc2307 = yes
        disable netbios = yes
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        disable netbios = yes
        min protocol = SMB3
        time server = yes
        log file = /var/log/samba/log.%m
[netlogon]
        path = /var/lib/samba/sysvol/samdom.tld/scripts
        read only = No
[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

DC2 /etc/krb5.conf
[libdefaults]
        default_realm = SAMDOM.TLD
        dns_lookup_realm = false
        dns_lookup_kdc = true

The configuration above has been unchanged for ~3 years.

Any advice would be appreciated!

Peter
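Both krb5.conf files above set dns_lookup_kdc = true, so a joining client finds its KDC and LDAP servers through the realm's SRV records rather than through a fixed server list. A first check when a second DC changes join behaviour is therefore whether every DC is advertised consistently for every discovery name, and whether dc1 and dc2 give the same answers. The script below is an added example, not part of the post or of Samba: the realm SAMDOM.TLD and the host labels dc1/dc2 are taken from the post, the SRV names are the standard AD discovery records, and the dig output embedded in SAMPLE_ANSWERS is constructed sample data (it deliberately leaves dc2 out of two records) rather than anything captured from the poster's domain.

```python
#!/usr/bin/env python3
"""Check that every DC of an AD realm is advertised consistently in the
SRV records a Kerberos/LDAP client uses for discovery.

Added example, not from the original post. Realm SAMDOM.TLD and the
hostnames dc1/dc2 come from the post; the dig output in SAMPLE_ANSWERS
is constructed sample data, not captured from a real domain."""
import subprocess

# Discovery names an AD client resolves (krb5 with dns_lookup_kdc = true,
# LDAP, and the _msdcs names used for DC location) before it can join.
SRV_NAMES = (
    "_kerberos._tcp.{realm}",
    "_kerberos._udp.{realm}",
    "_kpasswd._tcp.{realm}",
    "_ldap._tcp.{realm}",
    "_ldap._tcp.dc._msdcs.{realm}",
    "_kerberos._tcp.dc._msdcs.{realm}",
)


def parse_srv(dig_short_output):
    """Parse `dig +short SRV` lines ("prio weight port target.") into a
    list of (priority, weight, port, target), target lower-cased and
    stripped of its trailing dot. Non-SRV lines are skipped."""
    records = []
    for line in dig_short_output.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank line, or an answer that is not an SRV RR
        prio, weight, port, target = parts
        records.append((int(prio), int(weight), int(port),
                        target.rstrip(".").lower()))
    return records


def dc_shortnames(records):
    """Set of host labels (dc1, dc2, ...) advertised in a record list."""
    return {target.split(".")[0] for _, _, _, target in records}


def find_gaps(answers, expected_dcs):
    """answers: {srv_name: dig +short output}. Returns
    {srv_name: sorted list of expected DCs NOT advertised under it}.
    An empty dict means every DC is advertised for every name."""
    gaps = {}
    for name, text in answers.items():
        missing = set(expected_dcs) - dc_shortnames(parse_srv(text))
        if missing:
            gaps[name] = sorted(missing)
    return gaps


def query_live(realm, resolver):
    """Ask one resolver (run this once per DC) for every SRV name.
    Needs dig on the PATH; the offline demonstration below does not use it."""
    answers = {}
    for tmpl in SRV_NAMES:
        name = tmpl.format(realm=realm)
        out = subprocess.run(["dig", "+short", "@" + resolver, "SRV", name],
                             capture_output=True, text=True, check=False)
        answers[name] = out.stdout
    return answers


# Constructed sample: dc2 is missing from the Kerberos UDP and kpasswd
# records, the kind of asymmetry that only bites a client that happens to
# pick that record.
SAMPLE_ANSWERS = {
    "_kerberos._tcp.samdom.tld": "0 100 88 dc1.samdom.tld.\n0 100 88 dc2.samdom.tld.\n",
    "_kerberos._udp.samdom.tld": "0 100 88 dc1.samdom.tld.\n",
    "_kpasswd._tcp.samdom.tld": "0 100 464 dc1.samdom.tld.\n",
    "_ldap._tcp.samdom.tld": "0 100 389 dc1.samdom.tld.\n0 100 389 dc2.samdom.tld.\n",
    "_ldap._tcp.dc._msdcs.samdom.tld": "0 100 389 dc2.samdom.tld.\n0 100 389 dc1.samdom.tld.\n",
    "_kerberos._tcp.dc._msdcs.samdom.tld": "0 100 88 dc1.samdom.tld.\n0 100 88 dc2.samdom.tld.\n",
}

if __name__ == "__main__":
    # Offline demonstration on the constructed sample. For a real check,
    # call query_live("samdom.tld", "<ip of dc1>") and again with dc2's
    # address, then run find_gaps on each and compare the two answer sets.
    for name, missing in sorted(find_gaps(SAMPLE_ANSWERS, ["dc1", "dc2"]).items()):
        print(f"{name}: not advertised for {', '.join(missing)}")
```

Run it once against each DC as the resolver (the script compares nothing between resolvers itself; do that by eye or with a second find_gaps call), since DHCP hands both out and a client may use either. If the record sets differ, the next things worth capturing on the failing client are the SRV lookups and the KDC it actually talks to, which a packet capture filtered on ports 53 and 88 will show.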