On Tue, 2022-09-06 at 19:09 +0200, William Edwards wrote:
> > On 6 Sep 2022 at 19:04, Rowland Penny via samba
> > <samba at lists.samba.org> wrote the following:
> >
> > On Tue, 2022-09-06 at 18:53 +0200, William Edwards wrote:
> > > Rowland Penny via samba wrote on 2022-09-06 18:05:
> > > > > On Tue, 2022-09-06 at 17:19 +0200, William Edwards via samba wrote:
> > > > > > According to the documentation[1], I'm trying to join a to-be DC
> > > > > > to an existing domain with:
> > > > > > samba-tool domain join cyberfusion.cloud DC -k yes --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
> > > > What version of Samba are you using? From 4.15.0 '-k yes' has been
> > > > replaced with '--use-kerberos=required', though the earlier form
> > > > should still work.
> > > > Does /etc/resolv.conf point to an existing AD DC?
> > > > What OS is this?
> > > > > With debug level 5, this fails with:
> > > > > finddcs: searching for a DC by DNS domain cyberfusion.cloud
> > > > > finddcs: looking for SRV records for _ldap._tcp.cyberfusion.cloud
> > > > > resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.cyberfusion.cloud<0x0>
> > > > > startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
> > > > > dns child failed to find name '_ldap._tcp.cyberfusion.cloud' of type SRV
> > > > > finddcs: Failed to find SRV record for _ldap._tcp.cyberfusion.cloud
> > > > > ERROR: Failed to find a writeable DC for domain 'cyberfusion.cloud': The object name is not found.
> > > > > File "/usr/lib/python3/dist-packages/samba/join.py", line 351, in find_dc
> > > > > ctx.cldap_ret = ctx.net.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
> > > > > However, the lookup actually succeeds. I tcpdumped on the existing
> > > > > DC that receives the DNS query, and on the to-be new DC. The SRV
> > > > > lookup succeeds, and Samba looks up the AAAA and A records for the
> > > > > hosts in the SRV RRSet. That also succeeds: the AAAA lookup returns
> > > > > the IPv6 addresses for the DCs, and the A lookups result in an
> > > > > empty RRSet, as this is an IPv6-only setup.
> > > > > I tried omitting --dns-backend and --option in the join command.
> > > > You do not need the dns one, it will be used by default, and the
> > > > option makes samba use any uidNumber & gidNumber attributes found in
> > > > AD instead of the xidNumber attributes found in idmap.ldb.
> > > > > I also tried using a username & password instead of Kerberos after
> > > > > kinit. Getting a token with `kinit administrator` succeeds. That
> > > > > does not help.
> > > > > Searching for the error messages "dns child failed to find name"
> > > > > and "finddcs: Failed to find SRV record for" yielded a former
> > > > > post[2] on the mailing list, which suggests to set 'interfaces'.
> > > > > That does not help either.
> > > > > I hope someone has some pointers!
> > > > It sounds like a dns problem.
> > > As mentioned in my original email, tcpdump proves that the DNS result
> > > is expected and correct. Something must be going wrong in userland.
> > > > Rowland
> >
> > Would you please answer the questions that I asked.
>
> I did. I sent two emails in reply to yours. This is the second one.
> Please see my email from 18:46.
>
Sorry, yes I know, your second reply arrived after I sent my reply.
So, just to understand things, you are using Debian 10 and you are
trying to add a Debian 11 machine (this would mean 4.9.5 and 4.13.? if
using the standard distro packages)
I take it that /etc/resolv.conf points to another Samba AD DC and there
is nothing else using port 53. Provided that everything is set up
correctly, the join should work, whether IPv4 or IPv6 is used.
Rowland