samba - Sep 2022 - Samba unable to find SRV record during join

Rowland Penny via samba schreef op 2022-09-07 16:42:
> On Wed, 2022-09-07 at 16:30 +0200, William Edwards via samba wrote:
>> I just found out about the --server parameter to `samba-tool domain
>> join`. I set it to the DNS name of one of the existing DCs, and the
>> join
>> succeeded.
> 
> I said it was dns.
That was not disputed.
> 
>> 
>> I'd like to make sure that I understand the option description,
>> though,
>> which is:
>> 
>>      DC to join
>> 
>> Does this mean the DC to join is hardcoded instead of looked up with
>> DNS? That would explain why the join succeeds now, but not why the
>> original issue occurred.
> 
> The join is supposed to find the best DC to use during the join and it
> looks like your new DC couldn't find a DC to join to. Using
'--server'
> tells the join to use that DC, so the question has to be, did your
> /etc/resolv.conf look like this:
> 
> search <YOUR_DNS_DOMAIN>
> nameserver <AN_AD_DC_IP>
Yes.
> 
> Does your new DC have a fixed IP ?
Yes.
> Is its IP info in /etc/hosts ?
Yes.
> 
> Have you updated your new DC's /etc/resolv.conf to now use its
> ipaddress as its nameserver ?
No, the resolver of the new DC is still set to one of the original DCs.
> 
> Rowland
-- 
With kind regards,

William Edwards

Although the join succeeded, no replication happens. Also, on the 
existing DCs, the following errors are logged when using several 
`samba-tool` commands such as `dns zonelist`:

     Cannot reach a KDC we require to contact (null) : kinit for 
Administrator at CYBERFUSION failed (Cannot contact any KDC for requested 
realm)
     gensec_spnego_create_negTokenInit_step: gssapi_krb5: creating 
NEG_TOKEN_INIT for host/DC1.CYBERFUSION.CLOUD failed (next[ntlmssp]): 
NT_STATUS_NO_LOGON_SERVERS

Getting a ticket with `kinit` works though.

I'm not sure if these messages are unexpected. If so, it looks like I 
have some fixing to do for the existing DCs. For now, I demoted the new 
DC using the offline demotion procedure.

I'm going to upgrade the existing DCs from 4.15.7 to 4.16.4 tomorrow to 
see if that helps.

William Edwards via samba schreef op 2022-09-07 16:46:
> Rowland Penny via samba schreef op 2022-09-07 16:42:
>> On Wed, 2022-09-07 at 16:30 +0200, William Edwards via samba wrote:
>>> I just found out about the --server parameter to `samba-tool domain
>>> join`. I set it to the DNS name of one of the existing DCs, and the
>>> join
>>> succeeded.
>> 
>> I said it was dns.
> 
> That was not disputed.
> 
>> 
>>> 
>>> I'd like to make sure that I understand the option description,
>>> though,
>>> which is:
>>> 
>>>      DC to join
>>> 
>>> Does this mean the DC to join is hardcoded instead of looked up
with
>>> DNS? That would explain why the join succeeds now, but not why the
>>> original issue occurred.
>> 
>> The join is supposed to find the best DC to use during the join and it
>> looks like your new DC couldn't find a DC to join to. Using
'--server'
>> tells the join to use that DC, so the question has to be, did your
>> /etc/resolv.conf look like this:
>> 
>> search <YOUR_DNS_DOMAIN>
>> nameserver <AN_AD_DC_IP>
> 
> Yes.
> 
>> 
>> Does your new DC have a fixed IP ?
> 
> Yes.
> 
>> Is its IP info in /etc/hosts ?
> 
> Yes.
> 
>> 
>> Have you updated your new DC's /etc/resolv.conf to now use its
>> ipaddress as its nameserver ?
> 
> No, the resolver of the new DC is still set to one of the original DCs.
> 
>> 
>> Rowland
> 
> --
> With kind regards,
> 
> William Edwards
-- 
With kind regards,

William Edwards