[Samba] DNS Update problems
Stephen Brandli
steve at brandli.com
Wed Feb 12 11:40:19 UTC 2025
Rowland, thanks for the reply.
>I think I can explain that, does /etc/hosts contain a line similar to
>this:
>x.x.x.x member.samdom.example.com member
Yes. /etc/hosts:
127.0.0.1 localhost
10.65.187.15 tower.domain.brandli.com tower
::1 localhost ip6-localhost ip6-loopback
Ff02::1 ip6-allnodes
Ff02::2 ip6-allrouters
Where .15 is tower's ip address, and domain.brandli.com is the domain.
Could this be permissions on something? I first tried to join with brandli\steve, a user in the domain administrator's group. This failed. I then tried with administrator and this worked. I've always joined machines with brandli\steve before. Don't know if this is relevant.
Steve
-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Wednesday, February 12, 2025 1:28 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] DNS Update problems
On Wed, 12 Feb 2025 02:37:14 +0000
Stephen Brandli via samba <samba at lists.samba.org> wrote:
> Still having problems with DNS Update:
>
> I have two brand-new dc's running 4.21.3. The first of these was
> newly installed and joined a 4.9.5 domain. Then, the old dc's were
> retired. All seems well with the dc's. Replication, samba_dnsupdate
> checkout, and they both respond to DNS inquiries. Samba-tool dbcheck
> also finds no errors.
>
> Installed a new 4.21.3 member server and joined it. Got:
>
> Using short domain name -- BRANDLI
> Joined 'TOWER' to dns domain 'domain.brandli.com'
> DNS Update for tower.domain.brandli.com failed:
> ERROR_DNS_UPDATE_FAILED DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> No errors in any logs on domain controllers or member server (unless
> I'm looking in the wrong place). The new server is in the domain
> computer list. But, the forward DNS record (A) is not there.
I think I can explain that, does /etc/hosts contain a line similar to
this:
x.x.x.x member.samdom.example.com member
Where 'x.x.x.x' is either '127.0.1.1' if the IP is set by DHCP, or the fixed IP you set manually, and 'member' is the computer's short hostname, 'samdom.example.com' being the computer's DNS domain.
If it isn't there, add it, leave the domain and join again.
>
> I see the wiki page with instructions on what to do in case of this
> error: run samba_dnsupdate. I did that. Still getting the error on
> join.
>
I must check if that is in the wiki and add it if it isn't.
> The resolv.conf on the member server points to the domain controllers.
>
> I have had problems with computers not being able to update their DNS
> records from before this upgrade, especially two laptops that move
> locations and therefore IP addresses. I have had to add DNS
> records manually. So, my guess is that something is missing, maybe a
> DNS record?, that prevents DNS updates in general.
>
> I don't want to add IP addresses manually every time this is
> necessary.
>
> In case it's helpful, here's the smb.conf of the member server:
>
> [global]
> security = ads
> workgroup = BRANDLI
> realm = DOMAIN.BRANDLI.COM
>
> log file = /var/log/samba/tower.log
> log level = 1
>
> idmap config * : backend = tdb
> idmap config * : range = 3000-7999
>
> idmap config BRANDLI:backend = ad
> idmap config BRANDLI:schema_mode = rfc2307
> idmap config BRANDLI:range = 1000-1499
Upgraded old classic NT4-style domain?
That range, unfortunately, precludes any local users, apart from 'root'.
> idmap config BRANDLI:unix_nss_info = no
> idmap config BRANDLI:unix_primary_group = yes
>
> inherit acls = yes
>
> [Personal]
> path = /home/shares/personal
> writeable = yes
> valid users = steve bj
> force user = steve
> force group = steve
Can I suggest you add (to global):
vfs objects = acl_xattr
map acl inherit = Yes
Remove 'valid users', 'force user' and 'force group' from the share and use Extended attrs instead. See here:
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_POSIX_ACLs
https://wiki.samba.org/index.php/Setting_up_a_Share_Using_Windows_ACLs
Rowland
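
The remark above that the BRANDLI range 1000-1499 precludes local users can be checked mechanically. The following is an added example, not part of the original thread and not Samba's own code: it parses the idmap ranges from the quoted smb.conf, reports domains whose ranges intersect, and lists local accounts whose UID falls inside an idmap range. The passwd sample and the account name 'localadmin' are constructed assumptions.

```python
import re

# idmap lines taken from the member server's smb.conf quoted in the thread.
SMB_CONF = """\
[global]
idmap config * : backend = tdb
idmap config * : range = 3000-7999
idmap config BRANDLI:backend = ad
idmap config BRANDLI:range = 1000-1499
"""

# Constructed /etc/passwd sample; 'localadmin' is a hypothetical local account
# with UID 1000, the usual first regular UID on a Linux install.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
localadmin:x:1000:1000::/home/localadmin:/bin/bash
"""

# Lines commented out with '#' or ';' do not start with 'idmap' and never match.
RANGE_RE = re.compile(
    r"^\s*idmap\s+config\s+(\S+?)\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.I)

def idmap_ranges(conf_text):
    """Return [(domain, low, high)] for each 'idmap config X : range' line."""
    found = (RANGE_RE.match(line) for line in conf_text.splitlines())
    return [(m.group(1), int(m.group(2)), int(m.group(3))) for m in found if m]

def domain_overlaps(ranges):
    """Return (domain_a, domain_b) pairs whose idmap ranges intersect."""
    return [(a, b) for i, (a, alo, ahi) in enumerate(ranges)
            for b, blo, bhi in ranges[i + 1:] if alo <= bhi and blo <= ahi]

def local_collisions(ranges, passwd_text):
    """Return (user, uid, domain) for local accounts whose UID lies in an idmap range."""
    hits = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            continue  # skip malformed or comment lines
        uid = int(fields[2])
        hits += [(fields[0], uid, dom) for dom, lo, hi in ranges if lo <= uid <= hi]
    return hits

if __name__ == "__main__":
    r = idmap_ranges(SMB_CONF)
    print(domain_overlaps(r), local_collisions(r, PASSWD))
```

On a real member server, pass the contents of its smb.conf and /etc/passwd instead of the embedded samples.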