thr3ads.net - samba - [Samba] samba dc dns issue [Mar 2020]

If this information is useful, please help other people find it:
Share via:

Alex

2020-Mar-13 15:44 UTC

[Samba] samba dc dns issue

Hi,

After  joining samba DC (vm-dc4) to MS AD, I've discovered that most DNS
entries
were not populated. Below are the only entries in the AD for the new DC:

domain.com:VM-DC4                  900  A       172.26.1.84
_msdcs.domain.com:d14c4206-79e3-441f-868a-6c693415256a 900      CNAME  
vm-dc4.domain.com.

Please, help me figure out what's going on.

Here is the excerpt from log.samba:
# grep dnsup log.samba
  prefork_fork_master: Forking [dnsupdate] pre-fork master process
  prefork_fork_master: Forking [dnsupdate] pre-fork master process
[2020/03/13 17:48:19.938956,  3]
../../source4/dsdb/dns/dns_update.c:126(dnsupdate_check_names)
[2020/03/13 17:48:19.981617,  3]
../../source4/dsdb/dns/dns_update.c:141(dnsupdate_check_names)
  ...
    /usr/local/samba/sbin/samba_dnsupdate: Processing section
"[sysvol]"
  /usr/local/samba/sbin/samba_dnsupdate: Processing section
"[netlogon]"
  /usr/local/samba/sbin/samba_dnsupdate: pm_process() returned Yes
  /usr/local/samba/sbin/samba_dnsupdate: added interface ens18 ip=172.26.1.84
bcast=172.26.255.255 netmask=255.255.0.0
  /usr/local/samba/sbin/samba_dnsupdate: schema_fsmo_init: we are master[no]
updates allowed[no]
  /usr/local/samba/sbin/samba_dnsupdate: schema_fsmo_init: we are master[no]
updates allowed[no]
  /usr/local/samba/sbin/samba_dnsupdate: ldb_wrap open of secrets.ldb
[2020/03/13 17:48:22.992929,  3]
../../source4/dsdb/dns/dns_update.c:111(dnsupdate_spnupdate_done)
  /usr/local/samba/sbin/samba_dnsupdate: Received smb_krb5 packet of length 199
  /usr/local/samba/sbin/samba_dnsupdate: Received smb_krb5 packet of length 1449
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'gssapi_spnego'
registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'gssapi_krb5'
registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend
'gssapi_krb5_sasl' registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'spnego'
registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'schannel'
registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend
'naclrpc_as_system' registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'sasl-EXTERNAL'
registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'ntlmssp'
registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend
'ntlmssp_resume_ccache' registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'http_basic'
registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'http_ntlm'
registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'http_negotiate'
registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend 'krb5'
registered
  /usr/local/samba/sbin/samba_dnsupdate: GENSEC backend
'fake_gssapi_krb5' registered
  /usr/local/samba/sbin/samba_dnsupdate: Starting GENSEC mechanism
gssapi_krb5_sasl
  /usr/local/samba/sbin/samba_dnsupdate: Ticket in credentials cache for
VM-DC4$@DOMAIN.COM will expire in 35998 secs
  /usr/local/samba/sbin/samba_dnsupdate: Starting GENSEC mechanism
gssapi_krb5_sasl
  /usr/local/samba/sbin/samba_dnsupdate: GSSAPI credentials for
VM-DC4$@DOMAIN.COM will expire in 35999 secs
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify
failure
  /usr/local/samba/sbin/samba_dnsupdate: update failed: SERVFAIL
...
  /usr/local/samba/sbin/samba_dnsupdate: Failed update of 25 entries
  samba_runcmd_io_handler: Child /usr/local/samba/sbin/samba_dnsupdate exited 25
[2020/03/13 17:58:24.726240,  0]
../../source4/dsdb/dns/dns_update.c:86(dnsupdate_nameupdate_done)
  dnsupdate_nameupdate_done: Failed DNS update with exit code 25

Join command was:
samba-tool domain join domain.com DC -k yes --server=vm-dc1.domain.com
--dns-backend SAMBA_INTERNAL -v -d 5 2>&1 | tee join.txt

# cat smb.conf
[global]
        netbios name = VM-DC4
        realm = DOMAIN.COM
        server role = active directory domain controller
        workgroup = DOMAIN
        dns forwarder = 172.26.1.1
        ntlm auth = mschapv2-and-ntlmv2-only
        ldap server require strong auth = allow_sasl_over_tls
        log level = 5
        max log size = 5000

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

[netlogon]
        path = /usr/local/samba/var/locks/sysvol/domain.com/scripts
        read only = No

# cat /etc/resolv.conf
# Generated by NetworkManager
search domain.com
nameserver 172.26.1.84
nameserver 172.26.1.81
nameserver 172.26.1.82

# samba -V
Version 4.12.0

# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
172.26.1.84     vm-dc4.domain.com      vm-dc4

-- 
Best regards,
Alex

Rowland penny

2020-Mar-13 15:56 UTC

head link

[Samba] samba dc dns issue

On 13/03/2020 15:44, Alex via samba wrote:> Hi,
>
> After  joining samba DC (vm-dc4) to MS AD, I've discovered that most
DNS entries
> were not populated. Below are the only entries in the AD for the new DC:
>
> domain.com:VM-DC4                  900  A       172.26.1.84
> _msdcs.domain.com:d14c4206-79e3-441f-868a-6c693415256a 900      CNAME  
vm-dc4.domain.com.
>
> Please, help me figure out what's going on.
Try either setting:

ldap server require strong auth = no

Or:

dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

in smb.conf

Rowland

Kris Lou

2020-Mar-13 16:04 UTC

head link

[Samba] samba dc dns issue

>
>
> Join command was:
> samba-tool domain join domain.com DC -k yes --server=vm-dc1.domain.com
--dns-backend
> SAMBA_INTERNAL -v -d 5 2>&1 | tee join.txt

Here, you have "--dns-backend SAMBA_INTERNAL" where perhaps you meant
"--dns-backend=SAMBA_INTERNAL" ?

 I'm guessing that it was interpreted as "--dns-backend=NONE"


Kris Lou
klou at themusiclink.net


On Fri, Mar 13, 2020 at 8:57 AM Rowland penny via samba <
samba at lists.samba.org> wrote:
> On 13/03/2020 15:44, Alex via samba wrote:
> > Hi,
> >
> > After  joining samba DC (vm-dc4) to MS AD, I've discovered that
most DNS
> entries
> > were not populated. Below are the only entries in the AD for the new
DC:
> >
> > domain.com:VM-DC4                  900  A       172.26.1.84
> > _msdcs.domain.com:d14c4206-79e3-441f-868a-6c693415256a 900      CNAME
> vm-dc4.domain.com.
> >
> > Please, help me figure out what's going on.
>
> Try either setting:
>
> ldap server require strong auth = no
>
> Or:
>
> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>
> in smb.conf
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Maybe Matching Threads

Search for more maybe matching threads

samba - Mar 2020 - samba dc dns issue

[Samba] samba dc dns issue

[Samba] samba dc dns issue

[Samba] samba dc dns issue

Maybe Matching Threads