It's a hard one, I don't see directly what's going on here but I did notice a few
things.
> Can't open PID file /usr/local/samba/var/run/samba.pid (yet?) after start: No such file or directory
You can set in the systemd service file:
[Service]
RuntimeDirectory= /usr/local/samba/var/run/
As a test you can remove the STUB part and point to the DNS server directly.
> dns_lookup_send_next: Sending DNS request #0 to 127.0.0.53
> ldap server require strong auth = Yes
You can remove that one. Only works with backend ldap. *(as far as I know).
> gpo_parse_gplink: link: LDAP://CN={72498053-0691-419F-B60A-BD15DCE34E45},CN=Policies,CN=System,DC=ad2,DC=DOMAIN,DC=eu
> gpo_parse_gplink: opt: 0
> skipping nonenforced GPO link because GPOPTIONS_BLOCK_INHERITANCE has been set
> ads_get_gpo_list: query SITE: [CN=TRISTSNP,CN=Sites,CN=Configuration,DC=ad2,DC=DOMAIN,DC=eu] for GPOs
> ads_get_gpo_link: no 'gPLink' attribute found
I don't know but, looks like there the AD-DC is, has a GPO deny set.
Last I see:
> parse_gpt_ini: no name in /var/cache/samba/gpo_cache/AD2.DOMAIN.EU/POLICIES/{1445968E-23F9-4D5B-8B7C-4D42B68D26BC}/GPT.INI
parse_gpt_ini: no name, same here I don't know if it's good or wrong.
> /usr/sbin/samba-gpupdate: Search for (objectclass=*) in <CN=TRISTSNPA43,OU=Linux,OU=AOA,OU=Domain Controllers,DC=ad2,DC=DOMAIN,DC=eu> gave 1 replies
> /usr/sbin/samba-gpupdate: add_local_groups: SID S-1-5-21-4081981426-3436066561-3860847288-1000 -> getpwuid(3000016) failed, is nsswitch configured?
> /usr/sbin/samba-gpupdate: RuntimeError: Failed to get machine token for 'TRISTSNPA43$'(CN=TRISTSNPA43,OU=Linux,OU=AOA,OU=Domain Controllers,DC=ad2,DC=DOMAIN,DC=eu): The specified account does not exist.
So it's found but not found.
Did you remove and rejoin it? And if you removed it, did you make sure you
removed all parts, like AD and DNS records?
Maybe Rowland can see more here.
but don't see it, at least, besides above I don't see strange things.
Louis
> -----Original message-----
> From: samba <samba-bounces at lists.samba.org> On behalf of Dale Renton via
> samba
> Sent: Friday 24 June 2022 16:06
> To: samba at lists.samba.org
> Subject: Re: [Samba] BIND9 DLZ DNS Back End Timeout on Boot
>
> > How did you provision Samba ?
>
> I joined this to an already existing 4.13 domain.
>
> samba-tool domain join ad.example.com DC -U"AD\administrator"
> --dns-backend=BIND9_DLZ --site=SampleSite --option='idmap_ldb:use
> rfc2307 = yes'
>
> If I run "samba_dnsupdate --verbose" (after systemctl restart named) it tells
> me "No DNS updates needed".
>
> Thanks