On 2023-04-05 09:56, Gary Dale via samba wrote:
> On 2023-04-04 19:36, Gary Dale via samba wrote:
>> On 2023-04-02 02:49, Rowland Penny via samba wrote:
>>>
>>>
>>> On 02/04/2023 04:54, Gary Dale via samba wrote:
>>>
>>>> I could, but that seems like overkill. A complete second (virtually
>>>> identical) system to administer and update just to hive off the
>>>> authentication task.
>>>>
>>>
>>> To be honest, I would run two DC's just for authentication and other
>>> Samba machines as Unix domain members.
>>>
>>> However, I cannot force you to do anything; all I can do is advise
>>> you of best practices. Neither Samba nor Microsoft recommends using a
>>> DC for anything other than authentication.
>>>
>>> Rowland
>>>
>> I've set up a Debian/Stable VM with the backports in a minimal
>> install. Then I added an ssh server and connected to it (so I can cut
>> & paste to the Konsole session), and did the Debian
>> distribution-specific installation. I removed the installer's
>> smb.conf and ran the interactive provisioning. TheLibrarian is
>> already a
>>
>> I then figured I'd try the Create a reverse zone but that failed:
>>
>> # samba-tool dns zonecreate DC1 1.168.192.in-addr.arpa -U Administrator
>> Failed to connect host 192.168.1.13 on port 135 -
>> NT_STATUS_CONNECTION_REFUSED
>> Failed to connect host 192.168.1.13 (DC1) on port 135 -
>> NT_STATUS_CONNECTION_REFUSED.
>> ERROR: Connecting to DNS RPC server DC1 failed with (3221226038, 'The
>> transport-connection attempt was refused by the remote system.')
>>
>> The message shows that the DC1 name resolved properly. I'm not aware
>> of anything blocking port 135 - this is a clean install to a new VM.
>> Any ideas on what's going on?
>>
> Never mind. I redid the entire process and got it to work this time.
>
So now I've got a separate DC and file server working - except that the
domain controller seems hard to contact. I keep getting error messages
such as "The specified domain either does not exist or cannot be
contacted". This is when I'm trying to do things in Windows - and apart
from being able to connect to a Samba share as Administrator (but not
see the files), I can't do anything.
I'm looking around in the DNS backend for why.
> # samba-tool dns zonelist DC1 -U administrator
> Password for [HOME\administrator]:
>   4 zone(s) found
>
>   pszZoneName                 : 1.168.192,in-addr.rapa
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.home.rahim-dale.org
>
>   pszZoneName                 : 1.168.192.in-addr.arpa
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.home.rahim-dale.org
>
>   pszZoneName                 : home.rahim-dale.org
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.home.rahim-dale.org
>
>   pszZoneName                 : _msdcs.home.rahim-dale.org
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : ForestDnsZones.home.rahim-dale.org
> # samba-tool dns zonelist DC1 --secondary -U administrator
> Password for [HOME\administrator]:
>   0 zone(s) found
> # samba-tool dns zoneinfo DC1 home.rahim-dale.org -U administrator
> Password for [HOME\administrator]:
>   pszZoneName                 : home.rahim-dale.org
>   dwZoneType                  : DNS_ZONE_TYPE_PRIMARY
>   fReverse                    : FALSE
>   fAllowUpdate                : DNS_ZONE_UPDATE_SECURE
>   fPaused                     : FALSE
>   fShutdown                   : FALSE
>   fAutoCreated                : FALSE
>   fUseDatabase                : TRUE
>   pszDataFile                 : None
>   aipMasters                  : []
>   fSecureSecondaries          : DNS_ZONE_SECSECURE_NO_XFER
>   fNotifyLevel                : DNS_ZONE_NOTIFY_LIST_ONLY
>   aipSecondaries              : []
>   aipNotify                   : []
>   fUseWins                    : FALSE
>   fUseNbstat                  : FALSE
>   fAging                      : FALSE
>   dwNoRefreshInterval         : 168
>   dwRefreshInterval           : 168
>   dwAvailForScavengeTime      : 0
>   aipScavengeServers          : []
>   dwRpcStructureVersion       : 0x2
>   dwForwarderTimeout          : 0
>   fForwarderSlave             : 0
>   aipLocalMasters             : []
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.home.rahim-dale.org
>   pwszZoneDn                  : DC=home.rahim-dale.org,CN=MicrosoftDNS,DC=DomainDnsZones,DC=home,DC=rahim-dale,DC=org
>   dwLastSuccessfulSoaCheck    : 0
>   dwLastSuccessfulXfr         : 0
>   fQueuedForBackgroundLoad    : FALSE
>   fBackgroundLoadInProgress   : FALSE
>   fReadOnlyZone               : FALSE
>   dwLastXfrAttempt            : 0
>   dwLastXfrResult             : 0
>
> # samba-tool dns query DC1 home.rahim-dale.org @ ALL -U administrator
> Password for [HOME\administrator]:
>   Name=, Records=3, Children=0
>     SOA: serial=131, refresh=900, retry=600, expire=86400, minttl=3600, ns=dc1.home.rahim-dale.org., email=hostmaster.home.rahim-dale.org. (flags=600000f0, serial=131, ttl=3600)
>     NS: dc1.home.rahim-dale.org. (flags=600000f0, serial=1, ttl=900)
>     A: 192.168.1.13 (flags=600000f0, serial=1, ttl=900)
>   Name=_msdcs, Records=0, Children=0
>   Name=_sites, Records=0, Children=1
>   Name=_tcp, Records=0, Children=4
>   Name=_udp, Records=0, Children=2
>   Name=dc1, Records=4, Children=0
>     A: 192.168.1.13 (flags=f0, serial=1, ttl=900)
>     SRV: dc1.home.rahim-dale.org. (8080, 0, 100) (flags=f0, serial=129, ttl=900)
>     SRV: dc1.home.rahim-dale.org. (389, 0, 100) (flags=f0, serial=130, ttl=900)
>     SRV: home.rahim-dale.org. (389, 0, 100) (flags=f0, serial=131, ttl=900)
>   Name=DomainDnsZones, Records=0, Children=2
>   Name=ForestDnsZones, Records=0, Children=2
>   Name=thelibrarian, Records=1, Children=0
>     A: 192.168.1.14 (flags=f0, serial=110, ttl=3600)
>
The various A and SRV records in the query segment are (probably) from
me trying (clumsily) to add the correct record into the backend via
samba-tool. I think the serial=130 and 131 should have been close, but I
still get:
> # host -t SRV _ldap,_tcp.home.rahim-dale-org
> _ldap,_tcp.home.rahim-dale-org has no SRV record
>
when I run the DNS test in the AD DC setup wiki.
> # cat /etc/resolv.conf
> search home.rahim-dale.org
> nameserver 192.168.1.13
>
> cat /etc/hosts
> 127.0.0.1       localhost
> 192.168.1.13    DC1.home.rahim-dale.org DC1
>
> # The following lines are desirable for IPv6 capable hosts
> ::1     localhost ip6-localhost ip6-loopback
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
>
Having the dc1 listed in the Windows hosts file and as a SRV in the
lmhosts file doesn't seem to have helped either.
Any ideas on what is going wrong or how I can fix it?
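As an added example (not from this thread, and not Samba's own tooling), the script below parses the `samba-tool dns query <server> <zone> <name> SRV` output format shown above for each service record a domain member needs, reports which are missing or advertise the wrong port, and checks that a lookup name is built from dot-separated labels, as in `_ldap._tcp.home.rahim-dale.org`. The sample outputs are constructed, and it is my assumption that a query for a name that does not exist produces no `SRV:` line.

```python
import re
from typing import Dict, List, Tuple

# Service records a domain member looks up under the domain zone, with the
# port each must advertise (LDAP 389, Kerberos 88, kpasswd 464).
REQUIRED_SRV = {"_ldap._tcp": 389, "_kerberos._tcp": 88, "_kerberos._udp": 88,
                "_kpasswd._tcp": 464, "_kpasswd._udp": 464}
# samba-tool prints a SRV record as "SRV: <target> (<port>, <priority>, <weight>) (...)".
SRV_LINE = re.compile(r"^\s*SRV:\s+(?P<target>\S+)\s+\((?P<port>\d+), (?P<prio>\d+), (?P<weight>\d+)\)")
# A lookup name is dot-separated labels: _service._proto, then the domain labels.
SRV_NAME = re.compile(r"^_[a-z0-9-]+\._(?:tcp|udp)(?:\.[a-z0-9-]+)+\.?$", re.I)

def valid_srv_name(name: str) -> bool:
    """True only for a well-formed _service._proto.domain name (a comma or hyphen in place of a dot fails)."""
    return SRV_NAME.match(name) is not None

def parse_srv(output: str) -> List[Tuple[str, int]]:
    """Extract (target, port) pairs from one 'samba-tool dns query ... SRV' output."""
    hits = []
    for line in output.splitlines():
        m = SRV_LINE.match(line)
        if m:
            hits.append((m.group("target").rstrip(".").lower(), int(m.group("port"))))
    return hits

def check_dc_srv(outputs: Dict[str, str], domain: str) -> Dict[str, str]:
    """outputs maps each relative name in REQUIRED_SRV to its query output;
    returns 'ok', 'missing' or 'wrong port <n>' keyed by the full lookup name."""
    report = {}
    for rel, port in REQUIRED_SRV.items():
        fqdn = f"{rel}.{domain}"
        assert valid_srv_name(fqdn), f"malformed lookup name {fqdn}"
        found = parse_srv(outputs.get(rel, ""))  # assumption: absent name => no SRV: line
        if not found:
            report[fqdn] = "missing"
        elif not any(p == port for _, p in found):
            report[fqdn] = f"wrong port {found[0][1]}"
        else:
            report[fqdn] = "ok"
    return report

# Constructed sample outputs in the samba-tool format (not captured from a real DC);
# _kerberos._udp and _kpasswd._udp are deliberately absent so they report as missing.
SAMPLE = {
    "_ldap._tcp": "  Name=, Records=1, Children=0\n"
                  "    SRV: dc1.home.rahim-dale.org. (389, 0, 100) (flags=f0, serial=130, ttl=900)",
    "_kerberos._tcp": "  Name=, Records=1, Children=0\n"
                      "    SRV: dc1.home.rahim-dale.org. (88, 0, 100) (flags=f0, serial=131, ttl=900)",
    "_kpasswd._tcp": "  Name=, Records=1, Children=0\n"
                     "    SRV: dc1.home.rahim-dale.org. (8080, 0, 100) (flags=f0, serial=129, ttl=900)",
}
```

Run `check_dc_srv(SAMPLE, "home.rahim-dale.org")` after pasting each real query's output into the dict; a Windows client that cannot find any of these names reports the domain as not existing or not contactable.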