[Samba] Join linux-client trixie not working no dns update
Rowland Penny
rpenny at samba.org
Mon Nov 3 19:57:47 UTC 2025
On Mon, 3 Nov 2025 20:30:53 +0100
Stefan Kania via samba <samba at lists.samba.org> wrote:
> Hello to everyone,
>
> I just set up a new domain for testing Samba 4.22 with debian trixie.
> All packages are direct from the distribution repository no backport
> no nothing special.
>
> I have two DCs who replicate everything that is working fine. Then I
> try to join a linux client, also with trixie and packages from the
> debian trixie repository. Here is my smb.conf of the client:
> ---------
> [global]
> workgroup = example
> realm = EXAMPLE.NET
> security = ADS
> winbind refresh tickets = Yes
> winbind use default domain = yes
> template shell = /bin/bash
> idmap config * : range = 10000 - 19999
> idmap config EXAMPLE : backend = rid
> idmap config EXAMPLE : range = 1000000 - 1999999
> interfaces = 192.168.56.33
> bind interfaces only = yes
> ---------
>
> Both DCs are added as "nameserver" to resolv.conf. The krb5.conf is
> ---------
> [libdefaults]
> default_realm = EXAMPLE.NET
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> EXAMPLE.NET = {
> default_domain = example.net
> }
> ---------
>
> I can get a ticket with "kinit administrator" and "host -t srv
> _kerberos._tcp.example.net" gives me the two DCs
>
> then I join:
> ----------
> root@client01:~# net ads join -U administrator
> Password for [EXAMPLE\administrator]:
> Using short domain name -- EXAMPLE
> Joined 'CLIENT01' to dns domain 'example.net'
> gse_get_client_auth_token: gss_init_sec_context failed with [A parameter was malformed Miscellaneous failure (see text): Success]
> DNS Update for client01.example.net failed: ERROR_DNS_INVALID_MESSAGE
> DNS update failed: NT_STATUS_UNSUCCESSFUL
> ----------
>
> As you can see, the join is working, the account will be created:
> -----------
> root@dc01:~# samba-tool computer list
> DC02$
> DC01$
> CLIENT01$
> -----------
> The object is replicated to the other DC
> On the DC I see:
> ------------
> Nov 03 20:13:59 dc01 named[821]: samba_dlz: starting transaction on zone example.net
> Nov 03 20:13:59 dc01 named[821]: client @0x7f3e52b31000 192.168.56.33#38638: updating zone 'example.net/NONE': update unsuccessful: client01.example.net/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
> Nov 03 20:13:59 dc01 named[821]: samba_dlz: cancelling transaction on zone example.net
> Nov 03 20:13:59 dc01 named[821]: samba_dlz: spnego update failed
> Nov 03 20:13:59 dc01 named[821]: client @0x7f3e52b31000 192.168.56.33#38638: updating zone 'example.net/NONE': update failed: rejected by secure update (REFUSED)
> ------------
>
> If I try a "net ads dns register -U administrator" the same result
> _:-(
>
> Any idea ?
>
>
> Stefan
>
First thoughts, what is in /etc/hosts ?
Rowland