On Tue, 2022-09-06 at 17:19 +0200, William Edwards via samba wrote:
> According to the documentation[1], I'm trying to join a to-be DC to an
> existing domain with:
>
>     samba-tool domain join cyberfusion.cloud DC -k yes --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
>

What version of Samba are you using ? From 4.15.0 '-k yes' has been
replaced with '--use-kerberos=required', though the earlier form should
still work.
Does /etc/resolv.conf point to an existing AD DC ?
What OS is this ?

> With debug level 5, this fails with:
>
>     finddcs: searching for a DC by DNS domain cyberfusion.cloud
>     finddcs: looking for SRV records for _ldap._tcp.cyberfusion.cloud
>     resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.cyberfusion.cloud<0x0>
>     startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
>     dns child failed to find name '_ldap._tcp.cyberfusion.cloud' of type SRV
>     finddcs: Failed to find SRV record for _ldap._tcp.cyberfusion.cloud
>     ERROR: Failed to find a writeable DC for domain 'cyberfusion.cloud': The object name is not found.
>       File "/usr/lib/python3/dist-packages/samba/join.py", line 351, in find_dc
>         ctx.cldap_ret = ctx.net.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
>
> However, the lookup actually succeeds. I tcpdumped on the existing DC
> that receives the DNS query, and on the to-be new DC. The SRV lookup
> succeeds, and Samba looks up the AAAA and A records for the hosts in the
> SRV RRSet. That also succeeds: the AAAA lookup returns the IPv6
> addresses for the DCs, and the A lookups result in an empty RRSet, as
> this is an IPv6-only setup.
>
> I tried omitting --dns-backend and --option in the join command.

You do not need the dns one, it will be used by default and the option
makes samba use any uidNumber & gidNumber attributes found in AD
instead of the xidNumber attributes found in idmap.ldb.

> I also tried using a username & password instead of Kerberos after kinit.
> Getting a token with `kinit administrator` succeeds. That does not help.
>
> Searching for the error messages "dns child failed to find name" and
> "finddcs: Failed to find SRV record for" yielded a former post[2] on the
> mailing list, which suggests to set 'interfaces'. That does not help
> either.
>
> I hope someone has some pointers!
>

It sounds like a dns problem.

Rowland

Hi Rowland,

Rowland Penny via samba wrote on 2022-09-06 18:05:
> On Tue, 2022-09-06 at 17:19 +0200, William Edwards via samba wrote:
>> According to the documentation[1], I'm trying to join a to-be DC to an
>> existing domain with:
>>
>>     samba-tool domain join cyberfusion.cloud DC -k yes --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
>>
>
> What version of Samba are you using ?

The existing DCs run 4.15.7. The to-be DC runs 4.16.4.

> From 4.15.0 '-k yes' has been
> replaced with '--use-kerberos=required', though the earlier form should
> still work.

Thanks for this information. Perhaps the documentation I mentioned
earlier should be updated to reflect this.

> Does /etc/resolv.conf point to an existing AD DC ?

Yes.

> What OS is this ?

The existing DCs run Debian 10. The to-be DC runs Debian 11.

>
>> With debug level 5, this fails with:
>>
>>     finddcs: searching for a DC by DNS domain cyberfusion.cloud
>>     finddcs: looking for SRV records for _ldap._tcp.cyberfusion.cloud
>>     resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.cyberfusion.cloud<0x0>
>>     startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
>>     dns child failed to find name '_ldap._tcp.cyberfusion.cloud' of type SRV
>>     finddcs: Failed to find SRV record for _ldap._tcp.cyberfusion.cloud
>>     ERROR: Failed to find a writeable DC for domain 'cyberfusion.cloud': The object name is not found.
>>       File "/usr/lib/python3/dist-packages/samba/join.py", line 351, in find_dc
>>         ctx.cldap_ret = ctx.net.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
>>
>> However, the lookup actually succeeds. I tcpdumped on the existing DC
>> that receives the DNS query, and on the to-be new DC. The SRV lookup
>> succeeds, and Samba looks up the AAAA and A records for the hosts in the
>> SRV RRSet. That also succeeds: the AAAA lookup returns the IPv6
>> addresses for the DCs, and the A lookups result in an empty RRSet, as
>> this is an IPv6-only setup.
>>
>> I tried omitting --dns-backend and --option in the join command.
>
> You do not need the dns one, it will be used by default and the option
> makes samba use any uidNumber & gidNumber attributes found in AD
> instead of the xidNumber attributes found in idmap.ldb.
>
>> I also tried using a username & password instead of Kerberos after kinit.
>> Getting a token with `kinit administrator` succeeds. That does not help.
>>
>> Searching for the error messages "dns child failed to find name" and
>> "finddcs: Failed to find SRV record for" yielded a former post[2] on the
>> mailing list, which suggests to set 'interfaces'. That does not help
>> either.
>>
>> I hope someone has some pointers!
>>
>
> It sounds like a dns problem.
>
> Rowland

-- 
With kind regards,

William Edwards

Rowland Penny via samba wrote on 2022-09-06 18:05:
> On Tue, 2022-09-06 at 17:19 +0200, William Edwards via samba wrote:
>> According to the documentation[1], I'm trying to join a to-be DC to an
>> existing domain with:
>>
>>     samba-tool domain join cyberfusion.cloud DC -k yes --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
>>
>
> What version of Samba are you using ? From 4.15.0 '-k yes' has been
> replaced with '--use-kerberos=required', though the earlier form should
> still work.
> Does /etc/resolv.conf point to an existing AD DC ?
> What OS is this ?
>
>
>> With debug level 5, this fails with:
>>
>>     finddcs: searching for a DC by DNS domain cyberfusion.cloud
>>     finddcs: looking for SRV records for _ldap._tcp.cyberfusion.cloud
>>     resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.cyberfusion.cloud<0x0>
>>     startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
>>     dns child failed to find name '_ldap._tcp.cyberfusion.cloud' of type SRV
>>     finddcs: Failed to find SRV record for _ldap._tcp.cyberfusion.cloud
>>     ERROR: Failed to find a writeable DC for domain 'cyberfusion.cloud': The object name is not found.
>>       File "/usr/lib/python3/dist-packages/samba/join.py", line 351, in find_dc
>>         ctx.cldap_ret = ctx.net.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
>>
>> However, the lookup actually succeeds. I tcpdumped on the existing DC
>> that receives the DNS query, and on the to-be new DC. The SRV lookup
>> succeeds, and Samba looks up the AAAA and A records for the hosts in the
>> SRV RRSet. That also succeeds: the AAAA lookup returns the IPv6
>> addresses for the DCs, and the A lookups result in an empty RRSet, as
>> this is an IPv6-only setup.
>>
>> I tried omitting --dns-backend and --option in the join command.
>
> You do not need the dns one, it will be used by default and the option
> makes samba use any uidNumber & gidNumber attributes found in AD
> instead of the xidNumber attributes found in idmap.ldb.
>
>> I also tried using a username & password instead of Kerberos after kinit.
>> Getting a token with `kinit administrator` succeeds. That does not help.
>>
>> Searching for the error messages "dns child failed to find name" and
>> "finddcs: Failed to find SRV record for" yielded a former post[2] on the
>> mailing list, which suggests to set 'interfaces'. That does not help
>> either.
>>
>> I hope someone has some pointers!
>>
>
> It sounds like a dns problem.

As mentioned in my original email, tcpdump proves that the DNS result is
expected and correct. Something must be going wrong in userland.

>
> Rowland

-- 
With kind regards,

William Edwards
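
Added example, not part of the thread and not Samba code: one way to repeat, from a shell on the to-be DC, the lookup chain the thread describes (SRV for _ldap._tcp.<domain>, then AAAA and A for each SRV target) and report the address family of every DC found, for comparison with the tcpdump capture. It assumes `dig` is installed; the function names are hypothetical and any host names fed to it in testing are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). dig uses its own resolver code, so a
# correct result here confirms what the servers in /etc/resolv.conf answer to
# this host; it does not exercise Samba's own resolver path.

# Read `dig +short -t SRV` output ("priority weight port target.") on stdin
# and print each target without its trailing dot.
srv_targets() {
    awk 'NF == 4 && $3 ~ /^[0-9]+$/ { sub(/\.$/, "", $4); print $4 }'
}

# Count address lines on stdin: "6" counts IPv6, "4" counts IPv4.
# Non-address lines (e.g. a CNAME printed by `dig +short`) are ignored.
count_addrs() {
    case "$1" in
        6) awk '/:/ { n++ } END { print n + 0 }' ;;
        4) awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n++ } END { print n + 0 }' ;;
    esac
}

# Classify a host from its AAAA count ($1) and A count ($2).
family() {
    if   [ "$1" -gt 0 ] && [ "$2" -gt 0 ]; then echo dual-stack
    elif [ "$1" -gt 0 ]; then echo ipv6-only
    elif [ "$2" -gt 0 ]; then echo ipv4-only
    else echo unresolvable
    fi
}

# Live check: SRV lookup, then AAAA and A for every target.
check_domain() {
    targets=$(dig +short -t SRV "_ldap._tcp.$1" | srv_targets)
    if [ -z "$targets" ]; then
        echo "no SRV targets for _ldap._tcp.$1"
        return 1
    fi
    for host in $targets; do
        n6=$(dig +short -t AAAA "$host" | count_addrs 6)
        n4=$(dig +short -t A "$host" | count_addrs 4)
        echo "$host AAAA=$n6 A=$n4 $(family "$n6" "$n4")"
    done
}

# Runs only when a domain is given, e.g.: sh check-dc-dns.sh cyberfusion.cloud
if [ $# -gt 0 ]; then check_domain "$1"; fi
```

In the IPv6-only setup described in the thread, every DC line would be expected to end in `ipv6-only`; `unresolvable` or a missing SRV line points back at DNS as seen from this host.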