Hi,
After joining a Samba DC (vm-dc4) to an MS AD domain, I discovered that most of
its DNS entries were not populated. Below are the only entries in AD for the new DC:
domain.com:VM-DC4 900 A 172.26.1.84
_msdcs.domain.com:d14c4206-79e3-441f-868a-6c693415256a 900 CNAME
vm-dc4.domain.com.
Please help me figure out what's going on.
Here is an excerpt from log.samba:
# grep dnsup log.samba
prefork_fork_master: Forking [dnsupdate] pre-fork master process
prefork_fork_master: Forking [dnsupdate] pre-fork master process
[2020/03/13 17:48:19.938956, 3]
../../source4/dsdb/dns/dns_update.c:126(dnsupdate_check_names)
[2020/03/13 17:48:19.981617, 3]
../../source4/dsdb/dns/dns_update.c:141(dnsupdate_check_names)
...
/usr/local/samba/sbin/samba_dnsupdate: Processing section
"[sysvol]"
/usr/local/samba/sbin/samba_dnsupdate: Processing section
"[netlogon]"
/usr/local/samba/sbin/samba_dnsupdate: pm_process() returned Yes
/usr/local/samba/sbin/samba_dnsupdate: added interface ens18 ip=172.26.1.84
bcast=172.26.255.255 netmask=255.255.0.0
/usr/local/samba/sbin/samba_dnsupdate: schema_fsmo_init: we are master[no]
updates allowed[no]
/usr/local/samba/sbin/samba_dnsupdate: schema_fsmo_init: we are master[no]
updates allowed[no]
/usr/local/samba/sbin/samba_dnsupdate: ldb_wrap open of secrets.ldb
[2020/03/13 17:48:22.992929, 3]
../../source4/dsdb/dns/dns_update.c:111(dnsupdate_spnupdate_done)
/usr/local/samba/sbin/samba_dnsupdate: Received smb_krb5 packet of length 199
/usr/local/samba/sbin/samba_dnsupdate: Received smb_krb5 packet of length 1449
/usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'gssapi_spnego'
registered
/usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'gssapi_krb5'
registered
/usr/local/samba/sbin/samba_dnsupdate: GENSEC backend
'gssapi_krb5_sasl' registered
/usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'spnego'
registered
/usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'schannel'
registered
/usr/local/samba/sbin/samba_dnsupdate: GENSEC backend
'naclrpc_as_system' registered
/usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'sasl-EXTERNAL'
registered
/usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'ntlmssp'
registered
/usr/local/samba/sbin/samba_dnsupdate: GENSEC backend
'ntlmssp_resume_ccache' registered
/usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'http_basic'
registered
/usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'http_ntlm'
registered
/usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'http_negotiate'
registered
/usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'krb5'
registered
/usr/local/samba/sbin/samba_dnsupdate: GENSEC backend
'fake_gssapi_krb5' registered
/usr/local/samba/sbin/samba_dnsupdate: Starting GENSEC mechanism
gssapi_krb5_sasl
/usr/local/samba/sbin/samba_dnsupdate: Ticket in credentials cache for
VM-DC4$@DOMAIN.COM will expire in 35998 secs
/usr/local/samba/sbin/samba_dnsupdate: Starting GENSEC mechanism
gssapi_krb5_sasl
/usr/local/samba/sbin/samba_dnsupdate: GSSAPI credentials for
VM-DC4$@DOMAIN.COM will expire in 35999 secs
/usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify
failure
/usr/local/samba/sbin/samba_dnsupdate: update failed: SERVFAIL
...
/usr/local/samba/sbin/samba_dnsupdate: Failed update of 25 entries
samba_runcmd_io_handler: Child /usr/local/samba/sbin/samba_dnsupdate exited 25
[2020/03/13 17:58:24.726240, 0]
../../source4/dsdb/dns/dns_update.c:86(dnsupdate_nameupdate_done)
dnsupdate_nameupdate_done: Failed DNS update with exit code 25
The join command was:
samba-tool domain join domain.com DC -k yes --server=vm-dc1.domain.com
--dns-backend SAMBA_INTERNAL -v -d 5 2>&1 | tee join.txt
# cat smb.conf
[global]
netbios name = VM-DC4
realm = DOMAIN.COM
server role = active directory domain controller
workgroup = DOMAIN
dns forwarder = 172.26.1.1
ntlm auth = mschapv2-and-ntlmv2-only
ldap server require strong auth = allow_sasl_over_tls
log level = 5
max log size = 5000
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
[netlogon]
path = /usr/local/samba/var/locks/sysvol/domain.com/scripts
read only = No
# cat /etc/resolv.conf
# Generated by NetworkManager
search domain.com
nameserver 172.26.1.84
nameserver 172.26.1.81
nameserver 172.26.1.82
# samba -V
Version 4.12.0
# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.26.1.84 vm-dc4.domain.com vm-dc4
--
Best regards,
Alex