[Samba] Fwd: No DNS/Kerberos after DC OS upgrade

Nicolas Canonne me at electronico.nc
Sun Mar 30 06:35:12 UTC 2025


Hi again,

Had to remove log as email was too big (more than 128K) and rejected

Nicolas

-------- Forwarded Message --------
Subject: 	Re: No DNS/Kerberos after DC OS upgrade
Date: 	Sun, 30 Mar 2025 16:00:57 +1100
From: 	Nicolas Canonne <me at electronico.nc>
To: 	samba at lists.samba.org



Hi again,

More info:

DC1

> sudo systemctl status samba-ad-dc.service
-> at end

> mars 30 15:54:03 dc1 winbindd[876]: [2025/03/30 15:54:03.528964,  0] 
> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> mars 30 15:54:03 dc1 winbindd[876]: /usr/sbin/samba-gpupdate:     
> cldap_ret = net.finddc(domain=lp.get('realm'), 
> flags=(nbt.NBT_SERVER_LDAP |
> mars 30 15:54:03 dc1 winbindd[876]: [2025/03/30 15:54:03.529100,  0] 
> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> mars 30 15:54:03 dc1 winbindd[876]: /usr/sbin/samba-gpupdate: 
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> mars 30 15:54:03 dc1 winbindd[876]: [2025/03/30 15:54:03.529161,  0] 
> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> mars 30 15:54:03 dc1 winbindd[876]:   /usr/sbin/samba-gpupdate: 
> samba.NTSTATUSError: (3221225524, 'The object name is not found.')
> mars 30 15:54:03 dc1 winbindd[876]: [2025/03/30 15:54:03.858605,  0] 
> source3/winbindd/winbindd_gpupdate.c:182(gpupdate_cmd_done)
> mars 30 15:54:03 dc1 winbindd[876]:   gpupdate_cmd_done: gpupdate 
> failed with exit status 1
> mars 30 15:54:08 dc1 samba[894]: [2025/03/30 15:54:08.762553, 0] 
> source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
> mars 30 15:54:08 dc1 samba[894]:   dnsupdate_nameupdate_done: Failed 
> DNS update with exit code 110


DC2

> sudo systemctl status samba-ad-dc.service

-> at end

> mars 30 15:54:40 dc2 samba[1014]: [2025/03/30 15:54:40.032763,  0] 
> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> mars 30 15:54:40 dc2 samba[1014]:   /usr/sbin/samba_dnsupdate: 
> ERROR(runtime): Record already exists; record could not be added. zone[>
> mars 30 15:54:40 dc2 samba[1014]: [2025/03/30 15:54:40.057604, 0] 
> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> mars 30 15:54:40 dc2 samba[1014]:   /usr/sbin/samba_dnsupdate: 
> ERROR(runtime): Record already exists; record could not be added. zone[>
> mars 30 15:54:40 dc2 samba[1014]: [2025/03/30 15:54:40.083504, 0] 
> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> mars 30 15:54:40 dc2 samba[1014]:   /usr/sbin/samba_dnsupdate: 
> ERROR(runtime): Record already exists; record could not be added. zone[>
> mars 30 15:54:40 dc2 samba[1014]: [2025/03/30 15:54:40.112796, 0] 
> lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
> mars 30 15:54:40 dc2 samba[1014]:   /usr/sbin/samba_dnsupdate: 
> ERROR(runtime): Record already exists; record could not be added. zone[>
> mars 30 15:54:40 dc2 samba[1014]: [2025/03/30 15:54:40.190527, 0] 
> source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
> mars 30 15:54:40 dc2 samba[1014]:   dnsupdate_nameupdate_done: Failed 
> DNS update with exit code 27


We are all down ... Thanks in advance for any help

Nicolas Canonne

Electronico
NEW-CALEDONIA (South Pacific)

On 30/03/2025 at 14:44, Nicolas Canonne wrote:
> Hi all,
>
>
> It was a well running Domain, with 2 DC, 1 File Server and around 20 
> Windows clients until I started DC OS upgrades
>
>
> The 2 DC have been upgraded from Ubuntu20 with samba 4.15.13 to 
> Ubuntu22, so they are now running samba 4.19.5
>
> (internal DNS used)
>
> DC1 was the Primary DC, DC2 was added later and sysvolsync configured 
> with TranquilIT script 
> (https://samba.tranquil.it/doc/fr/samba_advanced_methods/samba_tis_sysvolsync.html)
>
> OS upgrade has been started by DC2 (no error), then DC1
>
> During the upgrade process on DC1, I've been asked for DNS servers so 
> I entered:
>
> DC1 DC2
>
> Then for the Kerberos server, I entered:
>
> DC1
>
>
> Now no client can connect to AD, neither Windows clients nor Linux (File Server)
>
>
> Thanks in advance if you could help, as I have tried all I could think 
> of without any result ...
>
> Nicolas Canonne
>
>
> FS1
>
>> host -t A dc1.smb.rdk.nc
>> ;; communications error to 10.10.20.3#53: connection refused
>> ;; communications error to 10.10.20.3#53: connection refused
>> ;; no servers could be reached
>
>
> FS1
>
>> host -t A dc2.smb.rdk.nc
>> ;; communications error to 10.10.20.3#53: connection refused
>> ;; communications error to 10.10.20.3#53: timed out
>> ;; no servers could be reached
>
>
> DC1 /etc/samba/smb.conf
>
>> # Global parameters
>> [global]
>>     dns forwarder = 8.8.8.8
>>     netbios name = DC1
>>     realm = SMB.RDK.NC
>>     server role = active directory domain controller
>>     workgroup = SMB
>>     idmap_ldb:use rfc2307 = yes
>>     apply group policies = yes
>>     #tls enabled = yes
>>     #tls keyfile = tls/key.pem
>>     #tls certfile = tls/cert.pem
>>     #tls cafile =
>>     #tls priority = NORMAL
>> [sysvol]
>>     path = /var/lib/samba/sysvol
>>     read only = No
>>
>> [netlogon]
>>     path = /var/lib/samba/sysvol/smb.rdk.nc/scripts
>>     read only = No
>
> DC2 /etc/samba/smb.conf
>
>> # Global parameters
>> [global]
>>     netbios name = DC2
>>     realm = SMB.RDK.NC
>>     server role = active directory domain controller
>>     workgroup = SMB
>>     idmap_ldb:use rfc2307  = yes
>>
>> [sysvol]
>>     path = /var/lib/samba/sysvol
>>     read only = No
>>
>> [netlogon]
>>     path = /var/lib/samba/sysvol/smb.rdk.nc/scripts
>>     read only = No
>
> FS1 /etc/samba/smb.conf
>
>> [global]
>>     security = ADS
>>     workgroup = SMB
>>     realm = SMB.RDK.NC
>>
>>     log file = /var/log/samba/%m.log
>>     log level = 1
>>
>>     # Default ID mapping configuration using the autorid
>>     # idmap backend. This will work out of the box for simple setups
>>     # as well as complex setups with trusted domains.
>>     idmap config * : backend = autorid
>>     idmap config * : range = 10000-9999999
>>     min domain uid = 0
>>     vfs objects = acl_xattr
>>     map acl inherit = yes
>>     # the next line is only required on Samba versions less than 4.9.0
>>     # store dos attributes = yes
>>
>>     bind interfaces only = yes
>>     interfaces = lo br0
>>
>>     winbind enum users = yes
>>     winbind enum groups = yes
>>
>>     # prohibits SMB\Administrator to be mapped as root on Member Server
>>     username map = /etc/samba/user.map
>>     # /etc/samba/user.map =
>>     # !root = SMB\Administrator
>>     #
>>
>>     # CUPS
>>     #printing = CUPS
>>     #spoolss: architecture = Windows x64
>>     #load printers = yes
>>
>> [Profiles]
>>     path = /media/data/Profiles/
>>     read only = no
>>     #browseable = No
>>     read only = No
>>     csc policy = disable
>>
>>
>> [home]
>> #        commment = dossiers utilisateurs
>>         path = /media/data/home
>>         read only = No
>>
>> [journal]
>> #        comment = journal
>>         path = /media/data/journal
>>         read only = No
>>         vfs objects = recycle
>> recycle:directory_mode = 0770
>> recycle:subdir_mode = 0700
>> recycle:versions = Yes
>> recycle:keeptree = Yes
>> recycle:touch = Yes
>> recycle:repository = .recycle
>
>
>

