On 2/7/22 16:29, Rowland Penny via samba wrote:
> On Mon, 2022-02-07 at 15:59 -0600, Patrick Goetz via samba wrote:
>>
>> On 2/7/22 15:04, Rowland Penny via samba wrote:
>>> On Mon, 2022-02-07 at 12:45 -0600, Patrick Goetz via samba wrote:
>>>> BTW, I can't find anything in the log files to help me with debugging
>>>> this. At what log level do DNS errors start showing up in the log
>>>> files?
>>>
>>> OK, I have set up Arch in a VM and installed Samba and I got the same
>>> error, no DNS update.
>>>
>>> I checked /etc/hostname and it only has the short hostname in it, I
>>> then checked /etc/hosts and it had three lines:
>>>
>>> 127.0.0.1 localhost
>>> ::1 localhost
>>> 127.0.1.1 archmem.samdom.example.com archmem
>>>
>>> As a test I commented out the last line, left the domain and then
>>> rejoined the domain, this time it worked without the DNS error.
>>>
>>
>> Thanks for testing this. But now it seems more obvious that there's
>> something about my setup which is triggering this behavior and I'm dying
>> to know what it is.
>>
>> You installed exactly these additional packages for Samba?
>> # pacman -Syu samba smbclient krb5 pam-krb5 dnsutils
>
> No, I just wanted to test the join and to be honest, this is the first
> time I have installed Samba on Arch (and probably the last).
>
>>
>> (acl, attr, ldb, and cifs-utils are installed as dependencies)
>>
>>
>> Presumably using `net ads join`? Did you run a samba-tool dns query to
>> make sure the Arch VM was actually in DNS?
>
> No, I just checked in sam.ldb on a DC, and the dns record is there.

How does one look into sam.ldb? Is there a list command for this I'm
not aware of?

>
>>
>> I've now tried every variation. My original /etc/hosts file looked like
>> this:
>>
>> ------------
>> # Static table lookup for hostnames.
>> # See hosts(5) for details.
>>
>> 192.168.1.84 erap-gnome.ea.linuxcs.com erap-gnome
>
> Are you using dhcp or is it a fixed IP ?
> I used dhcp.
>

I'm using a fixed IP. I need this because people also ssh into this
system from outside the AD network and there's a firewall which does
port redirection based on a fixed IP.

>> ------------
>>
>> I tried adding the loopback interface:
>>
>> ------------
>> # Static table lookup for hostnames.
>> # See hosts(5) for details.
>>
>> 127.0.0.1 localhost
>> ::1 localhost
>>
>> 192.168.1.84 erap-gnome.ea.linuxcs.com erap-gnome
>> ------------
>>
>> commenting out the host IP address, using a FQDN in /etc/hostname and
>> all combinations of the above and I still get the DNS error every time.
>>
>> Rowland, from your description, how does `net ads join -U administrator`
>> even know what domain you're trying to join? Does it use the
>> /etc/krb5.conf file? If so, why does the Samba Wiki sternly warn you to
>> remove any 127.0.1.1 entry in /etc/hosts and add the system IP address
>> as shown above instead?
>
> The /etc/krb5.conf on my test machine (thinking about it, krb5 must
> have been installed, even though I didn't install it) just contained
> two lines
>
> [libdefaults]
> default_realm = SAMDOM.EXAMPLE.COM
>
> The wiki may need updating, but the 127.0.1.1 shouldn't point to a DC's
> fqdn and short hostname, but then a DC should have a fixed IP. One of
> the problems is that different OS's require different DNS settings, as
> I said, red-hat OS's seem to require the fqdn in /etc/hostname

In my case the Samba internal DNS is running on Ubuntu 20.04, which is
where all the action occurs? Not sure why the client /etc/hostname
configuration should matter here.

Regarding your /etc/krb5.conf file, I'm not sure where this came from.
When I install the Arch krb5 package, the default /etc/krb5.conf file is
some generic boilerplate referencing, e.g. athena.mit.edu

Also, you mention "127.0.1.1 shouldn't point to a DC's fqdn and short
hostname" but I think you must mean the client, not the DC?

I don't have any mention of samba-dc in /etc/hosts -- samba-dc is the
name server in /etc/resolv.conf, so this wouldn't be unnecessary.

So, it seems like it must be the case that when you run `net ads join`
the net command peeks at either /etc/krb5.conf or /etc/samba/smb.conf
to figure out what domain you're trying to connect to, as this
information isn't included anywhere else AFAIK.

>>
>>
>>> I could get to like Arch, except for one thing, the install procedure
>>> is archaic (is that what 'arch' is short for ?), the last time I used
>>> such an install procedure was over 20 years ago :-D
>>>
>>
>> I'm guessing you used the installer included with the ISO only recently
>> after much gnashing of teeth, hand wringing, and push back. Arch doesn't
>> have a good installer (and didn't have one at all until recently) by
>> design; i.e. on purpose. What you're supposed to do is go to
>> https://archlinux.org and use the Installation Guide referenced under
>> Documentation in the right side panel and get your hands dirty
>> assembling the system from scratch. Kind of like how I made my kid help
>> me build his first computer from parts. This way you have hands on
>> knowledge of how your system is set up.
>>
>> There are some advantages to this. Installing Arch on somewhat
>> non-standard hardware is so much easier than installing, say, Ubuntu
>> precisely because you're not locked into an installation regime and can
>> twiddle with more knobs. I've had to give up on installing Ubuntu on
>> some systems after hours of frustration followed by a quick, easy, and
>> deterministic 30 minute installation of Arch. Even the most recent
>> version of the Ubuntu installer (for example) won't let you configure
>> the EFI partition as an md RAID1, which you kind of need if you're going
>> to have truly redundant OS disks, which I do by default on nearly every
>> machine these days, as SSDs are cheap and my labor expensive, not to
>> mention that users don't appreciate downtime as much as they should.
>>
>> For people who want an Arch system which can be installed by a novice
>> with a slick and modern installer, take a look at EndeavourOS, Manjaro,
>> or Garuda (among others). Garuda linux is somewhat new, but they shot
>> for the moon at all levels; i.e. not just eye candy, which I studiously
>> avoid because I'd rather not waste CPU cycles on stuff like this when
>> running multiple VMs all the time; this is some next level stuff:
>> https://www.youtube.com/watch?v=KK280Y0cNmQ
>
> Yes, installing Arch may make it easier to set up on some systems, but
> for the majority of users, it is over the top. I think I will stick to
> Debian based distro's, though not Ubuntu, that distro seems to have
> lost its way.
>
> Rowland
>
>
>
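
The /etc/hosts condition Rowland tested in the message above (the machine's own FQDN and short name on a 127.0.1.1 line, which the Samba Wiki warning Patrick mentions also concerns) can be checked before running `net ads join`. This is an added example, not code from the thread or from Samba; the function names are hypothetical and the sample input is constructed from the lines quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): list hosts-file entries that map the
# machine's own name to a loopback address such as 127.0.1.1.
# usage: loopback_name_entries HOSTS_FILE FQDN SHORTNAME   ("-" reads stdin)
loopback_name_entries() {
    awk -v fqdn="$2" -v short="$3" '
        {
            sub(/#.*/, "")                  # strip comments, fields are re-split
            if (NF < 2) next                # blank line or address with no names
            addr = $1
            if (addr !~ /^127\./ && addr != "::1") next   # not loopback
            for (i = 2; i <= NF; i++) {
                name = tolower($i)
                if (name == tolower(fqdn) || name == tolower(short))
                    print addr " " $i       # own name bound to loopback
            }
        }' "$1"
}

# Constructed sample: the three /etc/hosts lines Rowland lists in the thread.
sample_hosts() {
    cat <<'EOF'
127.0.0.1 localhost
::1 localhost
127.0.1.1 archmem.samdom.example.com archmem
EOF
}

# Prints one line per offending name; prints nothing when the file is clean.
sample_hosts | loopback_name_entries - archmem.samdom.example.com archmem
```

On a real client the call would be `loopback_name_entries /etc/hosts "$(hostname -f)" "$(hostname -s)"`; empty output means neither name is bound to a loopback address.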