samba - Dec 2015 - After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command

On 03/12/15 20:54, Jonathan S. Fisher wrote:
> >unless you explicitly set your site name when you provision
> I guess we didn't. Is that an issue? I still wonder why that says 
> "null" when, even if we used the default, our sitename is not
null.
>
No it isn't an issue, why are you now worrying about something that has 
nothing to do with your problem.
> > well it obviously isn't working your way
> To be sure, I took a packet capture. It shows the DNS is going 
> straight to the DCs, so in reality it is working the way you are 
> describing: It is ignoring the main DNS server. Here, check this out:
>
> jonathan.fisher at freeradius:~$ nslookup whiskey.windows.corp.XXX.com 
> <http://whiskey.windows.corp.XXX.com>
> *Server:192.168.127.131*
> Address:192.168.127.131#53
>
> Name:whiskey.windows.corp.XXX.com
<http://whiskey.windows.corp.XXX.com>
> Address: 192.168.127.131
>
>
>
Look, I will say it again, a bit more forcefully this time, *DO NOT USE 
ANYTHING BUT YOUR DCs AS NAMESERVERS ON YOUR AD CLIENTS*

Rowland

Rowland, I hear and understand you loud and clear. If you could point out
below what is the problem, because the client seems to be configured
correctly as you have asked:


root at freeradius:~# nslookup 192.168.127.131
Server: 192.168.127.131
Address: 192.168.127.131#53

Non-authoritative answer:
131.127.168.192.in-addr.arpa name = whiskey.windows.corp.XXX.com.

Authoritative answers can be found from:

root at freeradius:~# nslookup 192.168.112.4
Server: 192.168.127.131
Address: 192.168.127.131#53

Non-authoritative answer:
4.112.168.192.in-addr.arpa name = wine.windows.corp.XXX.com.

Authoritative answers can be found from:

root at freeradius:~# cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by
resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.127.131
nameserver 192.168.112.4
search windows.corp.XXX.com

Both of those are DCs, both of them resolve correctly forward and reverse,
and both of them are in resolv.conf... is this incorrect yes/no?



*Jonathan S. Fisher*
*VP - Information Technology*
*Spring Venture Group*

On Thu, Dec 3, 2015 at 3:06 PM, Rowland penny <rpenny at samba.org> wrote:
> On 03/12/15 20:54, Jonathan S. Fisher wrote:
>
>> >unless you explicitly set your site name when you provision
>> I guess we didn't. Is that an issue? I still wonder why that says
"null"
>> when, even if we used the default, our sitename is not null.
>>
>>
> No it isn't an issue, why are you now worrying about something that has
> nothing to do with your problem.
>
> > well it obviously isn't working your way
>> To be sure, I took a packet capture. It shows the DNS is going straight
>> to the DCs, so in reality it is working the way you are describing: It
is
>> ignoring the main DNS server. Here, check this out:
>>
>> jonathan.fisher at freeradius:~$ nslookup whiskey.windows.corp.XXX.com
<
>> http://whiskey.windows.corp.XXX.com>
>> *Server:192.168.127.131*
>> Address:192.168.127.131#53
>>
>> Name:whiskey.windows.corp.XXX.com
<http://whiskey.windows.corp.XXX.com>
>> Address: 192.168.127.131
>>
>>
>>
>>
> Look, I will say it again, a bit more forcefully this time, *DO NOT USE
> ANYTHING BUT YOUR DCs AS NAMESERVERS ON YOUR AD CLIENTS*
>
>
> Rowland
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
-- 
Email Confidentiality Notice: The information contained in this 
transmission is confidential, proprietary or privileged and may be subject 
to protection under the law, including the Health Insurance Portability and 
Accountability Act (HIPAA). The message is intended for the sole use of the 
individual or entity to whom it is addressed. If you are not the intended 
recipient, you are notified that any use, distribution or copying of the 
message is strictly prohibited and may subject you to criminal or civil 
penalties. If you received this transmission in error, please contact the 
sender immediately by replying to this email and delete the material from 
any computer.

On 03/12/15 21:12, Jonathan S. Fisher wrote:
> Rowland, I hear and understand you loud and clear. If you could point 
> out below what is the problem, because the client seems to be 
> configured correctly as you have asked:
>
>
> root at freeradius:~# nslookup 192.168.127.131
> Server:192.168.127.131
> Address:192.168.127.131#53
>
> Non-authoritative answer:
> 131.127.168.192.in-addr.arpaname = whiskey.windows.corp.XXX.com 
> <http://whiskey.windows.corp.XXX.com>.
>
> Authoritative answers can be found from:
>
> root at freeradius:~# nslookup 192.168.112.4
> Server:192.168.127.131
> Address:192.168.127.131#53
>
> Non-authoritative answer:
> 4.112.168.192.in-addr.arpaname = wine.windows.corp.XXX.com 
> <http://wine.windows.corp.XXX.com>.
>
> Authoritative answers can be found from:
>
> root at freeradius:~# cat /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by 
> resolvconf(8)
> #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.127.131
> nameserver 192.168.112.4
> search windows.corp.XXX.com <http://windows.corp.XXX.com>
>
> Both of those are DCs, both of them resolve correctly forward and 
> reverse, and both of them are in resolv.conf... is this incorrect yes/no?
>
>
This is what I would expect to see and the net command should now work.
What you seem to be mixing up, is the NETBios name 'WINDOWS' with the 
dns domain/realm name 'windows.corps.xxx.com' , Samba uses the first in 
searches but also uses the second in its dns/realm searches.
Your problem (as far as I can see) is being caused by Samba not being 
able to find any DCs due to a DNS problem. Active Directory is based 
heavily around DNS, if you get this wrong, then everything fails, this 
is why it is recommended to use a separate dns domain for the AD domain 
i.e. if your registered domain is 'example.com' use 
'internal.example.com' instead.

Rowland