[Samba] DNS Update problems

Rowland Penny rpenny at samba.org
Wed Feb 12 09:28:24 UTC 2025


On Wed, 12 Feb 2025 02:37:14 +0000
Stephen Brandli via samba <samba at lists.samba.org> wrote:

> Still having problems with DNS Update:
> 
> I have two brand-new dc's running 4.21.3.  The first of these was
> newly installed and joined a 4.9.5 domain.  Then, the old dc's were
> retired.  All seems well with the dc's.  Replication, samba_dnsupdate
> checkout, and they both respond to DNS inquiries.  Samba-tool dbcheck
> also finds no errors.
> 
> Installed a new 4.21.3 member server and joined it.  Got:
> 
> Using short domain name -- BRANDLI
> Joined 'TOWER' to dns domain 'domain.brandli.com'
> DNS Update for tower.domain.brandli.com failed:
> ERROR_DNS_UPDATE_FAILED DNS update failed: NT_STATUS_UNSUCCESSFUL
> 
> No errors in any logs on domain controllers or member server (unless
> I'm looking in the wrong place).  The new server is in the domain
> computer list.  But, the forward DNS record (A) is not there.

I think I can explain that. Does /etc/hosts contain a line similar to
this:
x.x.x.x member.samdom.example.com member

Where 'x.x.x.x' is either '127.0.1.1' if the IP is set by DHCP, or the
fixed IP you set manually, and 'member' is the computer's short hostname,
'samdom.example.com' being the computer's DNS domain.

If it isn't there, add it, leave the domain and join again.

> 
> I see the wiki page with instructions on what to do in case of this
> error: run samba_dnsupdate.  I did that.  Still getting the error on
> join.
> 

I must check if that is in the wiki and add it if it isn't.
 
> The resolv.conf on the member server points to the domain controllers.
> 
> I have had problems with computers not being able to update their DNS
> records from before this upgrade, especially two laptops that move
> locations and therefore IP addresses.  I have had to add DNS
> records manually.  So, my guess is that something is missing, maybe a
> DNS record?, that prevents DNS updates in general.
> 
> I don't want to add IP addresses manually every time this is
> necessary.
> 
> In case it's helpful, here's the smb.conf of the member server:
> 
> [global]
> security = ads
> workgroup = BRANDLI
> realm = DOMAIN.BRANDLI.COM
> 
> log file = /var/log/samba/tower.log
> log level = 1
> 
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
> 
> idmap config BRANDLI:backend = ad
> idmap config BRANDLI:schema_mode = rfc2307
> idmap config BRANDLI:range = 1000-1499

Upgraded old classic NT4-style domain?
That range, unfortunately, precludes any local users, apart from 'root'.

> idmap config BRANDLI:unix_nss_info = no
> idmap config BRANDLI:unix_primary_group = yes
> 
> inherit acls = yes
> 
> [Personal]
> path = /home/shares/personal
> writeable = yes
> valid users = steve bj
> force user = steve
> force group = steve

Can I suggest you add (to global):

  vfs objects = acl_xattr
  map acl inherit = Yes

Remove 'valid users', 'force user' and 'force group' from the share and
use Extended attrs instead. See here:

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs

https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs

Rowland
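
The /etc/hosts check suggested in the reply above, as an added example that is not part of the original message: it looks for a line of the form "IP FQDN shortname" before a join is retried. The function name, its return codes and the sample file contents are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: verify a hosts file has the "IP FQDN shortname" line format
# quoted in the reply. check_hosts_entry is a hypothetical helper.
# Usage: check_hosts_entry FILE SHORTNAME DNSDOMAIN
#   returns 0: a line lists the FQDN first and the short name as an alias
#   returns 1: the host is mentioned, but not in that form
#   returns 2: no line mentions the host at all
check_hosts_entry() {
    awk -v short="$2" -v fqdn="$2.$3" '
        BEGIN { short = tolower(short); fqdn = tolower(fqdn); rc = 2 }
        {
            sub(/#.*/, "")            # drop comments
            if (NF < 2) next          # need an address and at least one name
            seen = 0; alias = 0
            for (i = 2; i <= NF; i++) {
                n = tolower($i)
                if (n == short || n == fqdn) seen = 1
                if (i > 2 && n == short) alias = 1
            }
            if (!seen) next
            if (tolower($2) == fqdn && alias) { rc = 0; exit }
            rc = 1                    # mentioned, but wrong order or no alias
        }
        END { exit rc }
    ' "$1"
}

# Constructed sample using the placeholder names from the message;
# here the short name comes before the FQDN, so the check reports code 1.
sample=$(mktemp)
printf '%s\n' '127.0.0.1 localhost' \
    '127.0.1.1 member member.samdom.example.com' > "$sample"
if check_hosts_entry "$sample" member samdom.example.com; then
    echo "hosts entry OK"
else
    echo "hosts entry needs fixing (code $?)"
fi
rm -f "$sample"
```

On a real member server the call would be `check_hosts_entry /etc/hosts "$(hostname -s)" samdom.example.com`, with the DNS domain replaced by your own.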



