On Tue, 2022-09-06 at 18:53 +0200, William Edwards wrote:
> Rowland Penny via samba wrote on 2022-09-06 18:05:
> > On Tue, 2022-09-06 at 17:19 +0200, William Edwards via samba wrote:
> > > According to the documentation[1], I'm trying to join a to-be DC to an
> > > existing domain with:
> > >
> > > samba-tool domain join cyberfusion.cloud DC -k yes --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 yes'
> > >
> >
> > What version of Samba are you using ? From 4.15.0 '-k yes' has been
> > replaced with '--use-kerberos=required', though the earlier form should
> > still work.
> > Does /etc/resolv.conf point to an existing AD DC ?
> > What OS is this ?
> >
> > > With debug level 5, this fails with:
> > >
> > > finddcs: searching for a DC by DNS domain cyberfusion.cloud
> > > finddcs: looking for SRV records for _ldap._tcp.cyberfusion.cloud
> > > resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.cyberfusion.cloud<0x0>
> > > startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
> > > dns child failed to find name '_ldap._tcp.cyberfusion.cloud' of type SRV
> > > finddcs: Failed to find SRV record for _ldap._tcp.cyberfusion.cloud
> > > ERROR: Failed to find a writeable DC for domain 'cyberfusion.cloud': The object name is not found.
> > > File "/usr/lib/python3/dist-packages/samba/join.py", line 351, in find_dc
> > > ctx.cldap_ret = ctx.net.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
> > >
> > > However, the lookup actually succeeds. I tcpdumped on the existing DC
> > > that receives the DNS query, and on the to-be new DC. The SRV lookup
> > > succeeds, and Samba looks up the AAAA and A records for the hosts in
> > > the SRV RRSet. That also succeeds: the AAAA lookup returns the IPv6
> > > addresses for the DCs, and the A lookups result in an empty RRSet, as
> > > this is an IPv6-only setup.
> > >
> > > I tried omitting --dns-backend and --option in the join command.
> >
> > You do not need the dns one, it will be used by default and the option
> > makes samba use any uidNumber & gidNumber attributes found in AD
> > instead of the xidNumber attributes found in idmap.ldb.
> >
> > > I also tried using a username & password instead of Kerberos after
> > > kinit. Getting a token with `kinit administrator` succeeds. That does
> > > not help.
> > >
> > > Searching for the error messages "dns child failed to find name" and
> > > "finddcs: Failed to find SRV record for" yielded a former post[2] on
> > > the mailing list, which suggests to set 'interfaces'. That does not
> > > help either.
> > >
> > > I hope someone has some pointers!
> > >
> >
> > It sounds like a dns problem.
>
> As mentioned in my original email, tcpdump proves that the DNS result is
> expected and correct. Something must be going wrong in userland.
>
> > Rowland

Would you please answer the questions that I asked.

Rowland

> On 6 Sep 2022, at 19:04, Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Tue, 2022-09-06 at 18:53 +0200, William Edwards wrote:
>> Rowland Penny via samba wrote on 2022-09-06 18:05:
>>> On Tue, 2022-09-06 at 17:19 +0200, William Edwards via samba wrote:
>>>> According to the documentation[1], I'm trying to join a to-be DC to an
>>>> existing domain with:
>>>>
>>>> samba-tool domain join cyberfusion.cloud DC -k yes --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 yes'
>>>
>>> What version of Samba are you using ? From 4.15.0 '-k yes' has been
>>> replaced with '--use-kerberos=required', though the earlier form should
>>> still work.
>>> Does /etc/resolv.conf point to an existing AD DC ?
>>> What OS is this ?
>>>
>>>> With debug level 5, this fails with:
>>>>
>>>> finddcs: searching for a DC by DNS domain cyberfusion.cloud
>>>> finddcs: looking for SRV records for _ldap._tcp.cyberfusion.cloud
>>>> resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.cyberfusion.cloud<0x0>
>>>> startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
>>>> dns child failed to find name '_ldap._tcp.cyberfusion.cloud' of type SRV
>>>> finddcs: Failed to find SRV record for _ldap._tcp.cyberfusion.cloud
>>>> ERROR: Failed to find a writeable DC for domain 'cyberfusion.cloud': The object name is not found.
>>>> File "/usr/lib/python3/dist-packages/samba/join.py", line 351, in find_dc
>>>> ctx.cldap_ret = ctx.net.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
>>>>
>>>> However, the lookup actually succeeds. I tcpdumped on the existing DC
>>>> that receives the DNS query, and on the to-be new DC. The SRV lookup
>>>> succeeds, and Samba looks up the AAAA and A records for the hosts in
>>>> the SRV RRSet. That also succeeds: the AAAA lookup returns the IPv6
>>>> addresses for the DCs, and the A lookups result in an empty RRSet, as
>>>> this is an IPv6-only setup.
>>>>
>>>> I tried omitting --dns-backend and --option in the join command.
>>>
>>> You do not need the dns one, it will be used by default and the option
>>> makes samba use any uidNumber & gidNumber attributes found in AD
>>> instead of the xidNumber attributes found in idmap.ldb.
>>>
>>>> I also tried using a username & password instead of Kerberos after
>>>> kinit. Getting a token with `kinit administrator` succeeds. That does
>>>> not help.
>>>>
>>>> Searching for the error messages "dns child failed to find name" and
>>>> "finddcs: Failed to find SRV record for" yielded a former post[2] on
>>>> the mailing list, which suggests to set 'interfaces'. That does not
>>>> help either.
>>>>
>>>> I hope someone has some pointers!
>>>
>>> It sounds like a dns problem.
>>
>> As mentioned in my original email, tcpdump proves that the DNS result is
>> expected and correct. Something must be going wrong in userland.
>>
>>> Rowland
>
> Would you please answer the questions that I asked.

I did. I sent two emails in reply to yours. This is the second one. Please see my email from 18:46.

>
> Rowland
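
Added example, not part of either poster's messages: a Python check that applies the questions raised in this thread (does /etc/resolv.conf point at a DC, which address families do the `_ldap._tcp` SRV targets resolve to) to DNS answers that have already been collected. The function names, the `example.test` hosts and all addresses are constructed for illustration, and the script makes no statement about what caused the failure reported above.

```python
import ipaddress

# Constructed sample inputs (not taken from the thread).
RESOLV_CONF = """\
search example.test
nameserver 2001:db8::10
nameserver 192.0.2.53
"""
# `dig +short SRV _ldap._tcp.example.test` style answer: prio weight port target
SRV_ANSWER = """\
0 100 389 dc1.example.test.
0 100 389 dc2.example.test.
"""
# target -> (AAAA answers, A answers)
ADDRESSES = {
    "dc1.example.test.": (["2001:db8::10"], []),
    "dc2.example.test.": ([], []),
}

def nameservers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf text."""
    found = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            found.append(ipaddress.ip_address(fields[1].split("%")[0]))
    return found

def parse_srv(answer):
    """Parse 'priority weight port target' lines into sorted tuples."""
    rows = [line.split() for line in answer.splitlines()]
    return sorted((int(p), int(w), int(port), t) for p, w, port, t in
                  (r for r in rows if len(r) == 4))

def check_join_dns(resolv_conf, srv_answer, addresses):
    """List findings about DC discovery from already collected DNS answers."""
    findings, dc_addrs = [], set()
    for _prio, _weight, _port, target in parse_srv(srv_answer):
        v6, v4 = addresses.get(target, ([], []))
        addrs = {ipaddress.ip_address(a) for a in v6 + v4}
        dc_addrs |= addrs
        if not addrs:
            findings.append(f"{target} has no AAAA or A record")
        elif not v4:
            findings.append(f"{target} resolves over IPv6 only")
    for ns in nameservers(resolv_conf):
        if ns not in dc_addrs:
            findings.append(f"nameserver {ns} is not an address of a DC in the SRV set")
    return findings
```

Feed it the real resolv.conf text and the answers gathered with `dig` on the host being joined; an empty list means every SRV target has an address and every configured resolver is one of those DCs.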