Doing some more digging I followed the error links
https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#DNS_Update_failed:_ERROR_DNS_UPDATE_FAILED
-> https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End#Troubleshooting .

Samba is started and running and is the only thing listening on port 53. I
did check the log.samba and found this

[2021/10/12 23:23:44.674248, 0] ../../source4/dns_server/dns_update.c:418(handle_one_update)
  Can't handle updates of type 255 yet
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.
On Tue, Oct 12, 2021 at 10:15 PM Rob Campbell <robcampbell08105 at gmail.com> wrote:
> > Are the winbind links set up correctly and is 'winbind' set on the
> > 'passwd' & 'group' lines in /etc/nsswitch.conf ?
>
> I didn't compile winbind so I didn't think I needed to do any symlinks but
> this is what it is:
> la /usr/lib64/libnss_winbind.so /usr/lib64/libnss_winbind.so.2
> lrwxrwxrwx. 1 root root 19 Aug 25 11:35 /usr/lib64/libnss_winbind.so -> libnss_winbind.so.2
> -rwxr-xr-x. 1 root root 16K Aug 25 11:35 /usr/lib64/libnss_winbind.so.2
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In all things, Be Intentional.
>
>
> On Tue, Oct 12, 2021 at 5:25 PM Rob Campbell <robcampbell08105 at gmail.com> wrote:
>
>> >> 10.0.0.13 dc01.internal.test-server dc01
>>
>> > I hope that is a typo, the fqdn has lost the '.lan' from the end
>>
>> It was. It was just a copy and paste but maybe when I was editing the
>> email I removed it by accident. It is correct in the actual file.
>>
>> >> search dc01.internal.test-server.lan
>>
>> > No, your dns domain is 'internal.test-server.lan' so the line should be:
>> > search internal.test-server.lan
>>
>> I did make this change during my troubleshooting while waiting for a
>> response. Previously, DC01 was the subdomain [incorrectly] and I didn't
>> remove it when I made the changes.
>>
>> >> winbind enum users = yes
>> >> winbind enum groups = yes
>>
>> > I would remove the two lines above, you do not need them and they just
>> > slow things down.
>>
>> Yes. It said that in the wiki but I thought it would provide some info if
>> there were a problem since it said only use for testing purposes.
>>
>> >> krb5.conf:
>> >> [libdefaults]
>> >> default_realm = INTERNAL.TEST-SERVER.LAN
>> >> dns_lookup_realm = true
>> >> dns_lookup_kdc = true
>>
>> > As the DC, you only need the lines above
>>
>> This is on the FS (file server, the one I'm joining as a member). Should
>> it still only be these lines?
>>
>> >> net ads join -U administrator
>> >> Enter administrator's password:
>> >> Using short domain name -- INTERNAL
>> >> Joined 'FS01' to dns domain 'internal.test-server.lan'
>> >> DNS Update for fs01.internal.test-server.lan failed:
>> >> ERROR_DNS_UPDATE_FAILED
>>
>> > How did that succeed if your dns domain is now
>> > 'internal.test-server.lan' ?
>>
>> Not sure but maybe because fs01.internal.test-server.lan and
>> internal.test-server.lan resolves to the same IP?
>>
>> > Are the winbind links set up correctly and is 'winbind' set on the
>> > 'passwd' & 'group' lines in /etc/nsswitch.conf ?
>>
>> passwd: files winbind #systemd
>> group: files winbind #systemd
>>
>> I just commented out systemd and now I get a response
>>
>> getent group "INTERNAL\\Domain Users"
>> domain users:x:110513:
>>
>> Still something is wrong with dns. I'm not able to resolve from DC01 to
>> FS01 but I can the other way.
>>
>> net ads join -U administrator
>> Enter administrator's password:
>> Using short domain name -- INTERNAL
>> Joined 'FS01' to dns domain 'internal.test-server.lan'
>> DNS Update for fs01.internal.test-server.lan failed:
>> ERROR_DNS_UPDATE_FAILED
>> DNS update failed: NT_STATUS_UNSUCCESSFUL
>>
>> On DC01 I had to do this to get reverse lookups to work:
>> samba-tool dns add internal.test-server.lan 0.0.10.in-addr.arpa 13 PTR internal.test-server.lan
>>
>> If I try something similar on FS01, it complains about port 135
>> refusing. Samba isn't running on FS01 as it is on DC01.
>>
>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>> In all things, Be Intentional.
>>
>>
>> On Tue, Oct 12, 2021 at 2:18 PM Rowland Penny via samba <
>> samba at lists.samba.org> wrote:
>>
>>> On Tue, 2021-10-12 at 13:38 -0400, Rob Campbell via samba wrote:
>>> > *Debian server first DC: DC01*
>>> >
>>> > hostname: DC01
>>> >
>>> > /etc/hosts:
>>> > 127.0.0.1 localhost
>>> > 10.0.0.13 dc01.internal.test-server dc01
>>>
>>> I hope that is a typo, the fqdn has lost the '.lan' from the end
>>>
>>> >
>>> >
>>> >
>>> >
>>> > krb5.conf:
>>> > [libdefaults]
>>> > default_realm = INTERNAL.TEST-SERVER.LAN
>>> > dns_lookup_realm = false
>>> > dns_lookup_kdc = true
>>> >
>>> > [realms]
>>> > INTERNAL.TEST-SERVER.LAN = {
>>> > default_domain = internal.test-server.lan
>>> > }
>>> >
>>> > [domain_realm]
>>> > DC01 = INTERNAL.TEST-SERVER.LAN
>>> >
>>>
>>> You only need the first four lines and the '[domain_realm]' is totally
>>> wrong anyway.
>>>
>>> > =======================================
>>> > *Fedora first file server: FS01*
>>> >
>>> > smb.conf:
>>> > [global]
>>> > workgroup = INTERNAL
>>> > security = ADS
>>> > realm = INTERNAL.TEST-SERVER.LAN
>>> >
>>> > winbind refresh tickets = Yes
>>> > vfs objects = acl_xattr
>>> > map acl inherit = Yes
>>> > store dos attributes = Yes
>>> > idmap config * : backend = autorid
>>> > idmap config * : range = 10000-24999999
>>> >
>>> > dedicated keytab file = /etc/krb5.keytab
>>> > kerberos method = secrets and keytab
>>> > winbind use default domain = yes
>>> > winbind enum users = yes
>>> > winbind enum groups = yes
>>>
>>> I would remove the two lines above, you do not need them and they just
>>> slow things down.
>>>
>>> > winbind separator = +
>>> >
>>> > load printers = no
>>> > printing = bsd
>>> > printcap name = /dev/null
>>> > disable spoolss = yes
>>> >
>>> > username map = /etc/samba/usermap.txt
>>> >
>>> > krb5.conf:
>>> > [libdefaults]
>>> > default_realm = INTERNAL.TEST-SERVER.LAN
>>> > dns_lookup_realm = true
>>> > dns_lookup_kdc = true
>>>
>>> As the DC, you only need the lines above
>>>
>>> >
>>> > /etc/hosts:
>>> > 127.0.0.1 localhost
>>> > ::1 localhost
>>> > 10.0.0.10 fs01.internal.test-server.lan fs01
>>> >
>>> > hostname: FS01
>>> >
>>> > resolv.conf:
>>> > # Generated by NetworkManager
>>> > nameserver 10.0.0.13
>>> > search dc01.internal.test-server.lan
>>>
>>> No, your dns domain is 'internal.test-server.lan' so the line should
>>> be:
>>> search internal.test-server.lan
>>>
>>> >
>>> > I'm sure there may be some things not quite right with smb.conf but
>>> > I've been trying things online since the default didn't work. I get the
>>> > same reply when trying to join the domain:
>>> > net ads join -U administrator
>>> > Enter administrator's password:
>>> > Using short domain name -- INTERNAL
>>> > Joined 'FS01' to dns domain 'internal.test-server.lan'
>>> > DNS Update for fs01.internal.test-server.lan failed:
>>> > ERROR_DNS_UPDATE_FAILED
>>>
>>> That is because you still have problems in your dns
>>>
>>> > DNS update failed: NT_STATUS_UNSUCCESSFUL
>>> >
>>> > netstat -tulpn | egrep 'samba|nmb|smb|bind'
>>> > tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 5585/smbd
>>> > tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 5585/smbd
>>> > tcp6 0 0 :::445 :::* LISTEN 5585/smbd
>>> > tcp6 0 0 :::139 :::* LISTEN 5585/smbd
>>> > udp 0 0 10.0.0.255:137 0.0.0.0:* 5586/nmbd
>>> > udp 0 0 10.0.0.10:137 0.0.0.0:* 5586/nmbd
>>> > udp 0 0 0.0.0.0:137 0.0.0.0:* 5586/nmbd
>>> > udp 0 0 10.0.0.255:138 0.0.0.0:* 5586/nmbd
>>> > udp 0 0 10.0.0.10:138 0.0.0.0:* 5586/nmbd
>>> > udp 0 0 0.0.0.0:138 0.0.0.0:* 5586/nmbd
>>> >
>>> > wbinfo --ping-dc
>>> > checking the NETLOGON for domain[INTERNAL] dc connection to
>>> > "dc01.internal.test-server.lan" succeeded
>>>
>>> How did that succeed if your dns domain is now
>>> 'internal.test-server.lan' ?
>>>
>>> >
>>> > getent passwd INTERNAL\\username (Nothing)
>>> > getent group "INTERNAL\\Domain Users" (Nothing)
>>>
>>> Are the winbind links set up correctly and is 'winbind' set on the
>>> 'passwd' & 'group' lines in /etc/nsswitch.conf ?
>>>
>>> Rowland
>>>
>>>
>>>
>>
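
The name-resolution points raised in this thread (the FQDN in /etc/hosts, the 'search' line in resolv.conf, 'winbind' on the passwd and group lines of nsswitch.conf) can be checked with a script before running 'net ads join'. The following is an added example, not part of the original e-mails or of Samba; the function names check_member and sample_dir are hypothetical, the sample files are constructed from the values quoted above, and requiring a non-loopback address for the FQDN is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread): consistency checks for a Samba domain
# member, run against copies of the files so nothing on the host is changed.

# check_member DNS_DOMAIN SHORT_NAME HOSTS RESOLV NSSWITCH
# Prints one line per problem; returns 0 if clean, 1 otherwise.
check_member() {
    domain=$1; short=$2; hosts=$3; resolv=$4; nss=$5; bad=0

    # hosts: the FQDN must be the first name on a non-loopback address.
    awk -v fqdn="$short.$domain" '
        $1 !~ /^(#|127\.|::1$)/ && tolower($2) == tolower(fqdn) { ok = 1 }
        END { exit !ok }' "$hosts" ||
        { echo "hosts: no LAN entry for $short.$domain"; bad=1; }

    # resolv.conf: the search list must contain the DNS domain itself,
    # not the DC's FQDN.
    awk -v d="$domain" '
        $1 == "search" { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) ok = 1 }
        END { exit !ok }' "$resolv" ||
        { echo "resolv.conf: search list lacks $domain"; bad=1; }

    # nsswitch.conf: winbind must be listed for passwd and group
    # (text after '#' is a comment and does not count).
    for db in passwd group; do
        sed 's/#.*//' "$nss" | awk -v db="$db:" '
            $1 == db { for (i = 2; i <= NF; i++) if ($i == "winbind") ok = 1 }
            END { exit !ok }' ||
            { echo "nsswitch.conf: winbind missing on $db"; bad=1; }
    done
    return "$bad"
}

# Constructed sample: FS01's files, with the search domain given as $1.
sample_dir() {
    d=$(mktemp -d)
    printf '127.0.0.1 localhost\n10.0.0.10 fs01.internal.test-server.lan fs01\n' > "$d/hosts"
    printf 'nameserver 10.0.0.13\nsearch %s\n' "$1" > "$d/resolv.conf"
    printf 'passwd: files winbind #systemd\ngroup: files winbind #systemd\n' > "$d/nsswitch.conf"
    echo "$d"
}

# The search line as first posted in the thread is reported as a problem.
d=$(sample_dir dc01.internal.test-server.lan)
check_member internal.test-server.lan fs01 "$d/hosts" "$d/resolv.conf" "$d/nsswitch.conf" || true
rm -rf "$d"
```

On a real member, pass /etc/hosts, /etc/resolv.conf and /etc/nsswitch.conf as the three file arguments.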