While awaiting feedback on the error results of my "samba-tool ntacl sysvolreset" (ref. my message, same thread, of Fri, 28 Jul 2023 17:04:21), I'm going to look at this problem with the DNS ...
On Tue Jul 25 01:54:45 2023 Mark Foley via samba <samba at lists.samba.org> wrote:
> On Jul 24 13:30:11 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On 24/07/2023 17:46, Mark Foley via samba wrote:
[deleted]
> > > Note that I did not specify any --dns-backend [when joining the new DC]. I hope that's OK as I provisioned with --dns-backend=BIND9_FLATFILE on the original/current DC. I do have LAN members not part of the domain that need to have DNS service, so I may have to redo this later.
> >
> > If you didn't specify a dns backend, then the default internal dns
> > server will be used.
> >
> > > Under "Verifying the DNS Entries" I did change the 1st IP in resolv.conf to be this new host's IP, but that didn't work -- couldn't see any other host, so I reverted back to the original DC's IP.
> >
> > The dns problem is probably because there are no records in AD, you need to either transfer the records from the flat files (you will probably have to create the reverse zone) or let your Windows computers create them in AD.
>
> OK, I'll look at that after the Sysvol sync. On the original DC, that machine was already the DNS w/o Samba with all the named.conf, zones, etc. configured. It was easy to adapt that to the then supported --dns-backend=BIND9_FLATFILE. I think I can research this a bit and sort it out.
[deleted]
Prior to provisioning the current DC, that host was running as the LAN nameserver and I had created the named.conf containing zones and other options. As mentioned, I provisioned with --dns-backend=BIND9_FLATFILE and it was a relatively simple matter to add include "/var/lib/samba/private/named.conf"; to /etc/named.conf, and put the needed zone into that file.
So now I'm going step-by-step on this DNS thing. In the wiki, after doing the join, I am following the instructions under "Verifying the DNS Entries". That section says, "If you join a Samba DC that runs Samba 4.7 and later, samba-tool created all required DNS entries automatically. To manually create the records on an earlier version, see Verifying and Creating a DC DNS Record."
The current DC is version 4.8.2, but I thought I should go ahead and do the verify steps in https://wiki.samba.org/index.php/Verifying_and_Creating_a_DC_DNS_Record.
Note that the current DC is host MAIL, IP 192.168.0.2, and the new DC is host DC1, IP 192.168.0.7. Wiki test results - all these commands are run on the current AD DC, MAIL:
(Domain Controller A Record - good!)
> host -t A DC1.hprs.local.
DC1.hprs.local has address 192.168.0.7
(Determining a DC's objectGUID)
> ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
:
# record 1
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
objectGUID: 0d2a3ba9-4ade-45de-85c7-321ba69caee0
# record 2
dn: CN=NTDS Settings,CN=MAIL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
objectGUID: 48c0208f-0646-42f6-89bf-dc9b81b3442c
# returned 2 records
# 2 entries
# 0 referrals
(objectGUID for DC1 is 0d2a3ba9-4ade-45de-85c7-321ba69caee0)
(Verifying and Creating the objectGUID Record. Note that the objectGUID for MAIL is found, not shown here)
> host -t CNAME 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local.
Host 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local. not found: 3(NXDOMAIN)
(manually add the objectGUID)
> samba-tool dns add MAIL _msdcs.hprs.local 0d2a3ba9-4ade-45de-85c7-321ba69caee0 CNAME DC1.hprs.local -Uadministrator
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism spnego
Starting GENSEC submechanism gssapi_krb5
Password for [HPRS\administrator]:
gensec_update_send: gssapi_krb5[0xeeaf00]: subreq: 0xeec680
gensec_update_send: spnego[0xeea1e0]: subreq: 0xeea820
gensec_update_done: gssapi_krb5[0xeeaf00]: NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0xeec680/../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0xeec810)] timer[(nil)] finish[../source4/auth/gensec/gensec_gssapi.c:1064]
gensec_update_done: spnego[0xeea1e0]: NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0xeea820/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0xeea9b0)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
gensec_update_send: gssapi_krb5[0xeeaf00]: subreq: 0xeec680
gensec_update_send: spnego[0xeea1e0]: subreq: 0xeea4f0
gensec_update_done: gssapi_krb5[0xeeaf00]: NT_STATUS_OK
tevent_req[0xeec680/../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0xeec810)] timer[(nil)] finish[../source4/auth/gensec/gensec_gssapi.c:1071]
gensec_update_done: spnego[0xeea1e0]: NT_STATUS_MORE_PROCESSING_REQUIRED
tevent_req[0xeea4f0/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0xeea680)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
gensec_update_send: spnego[0xeea1e0]: subreq: 0xeec350
gensec_update_done: spnego[0xeea1e0]: NT_STATUS_OK
tevent_req[0xeec350/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0xeec4e0)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e
This didn't work as the 'host -t CNAME' command still says not found.
What am I doing wrong?
THX --Mark
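The post shows the two answers a practitioner has to reconcile: samba-tool reports WERR_DNS_ERROR_RECORD_ALREADY_EXISTS for the DC1 objectGUID CNAME (so AD holds a record), while the resolver the host command uses answers NXDOMAIN. The script below is an added example, not code from the thread or from the Samba project. It walks every DC found in sam.ldb, asks one DC's DNS RPC (samba-tool dns query) what AD records for that GUID, asks a chosen resolver (host) what it actually serves, and prints a verdict per DC. It assumes the names from the thread (domain hprs.local, DCs MAIL and DC1), assumes the usual "    CNAME: target (flags=..., serial=..., ttl=...)" line shape of samba-tool dns query output, and embeds constructed ldbsearch output (with the GUIDs shown in the post) so the parsing runs where no Samba is installed.

```shell
#!/bin/sh
# Added example: compare the DC objectGUID CNAME records AD holds against what
# a resolver serves. Names assumed from the thread: domain hprs.local, DCs MAIL
# (192.168.0.2) and DC1 (192.168.0.7). Not part of Samba.

DOMAIN="${DOMAIN:-hprs.local}"

# Turn ldbsearch LDIF output into "DCNAME GUID" lines. LDIF folds long
# attributes onto continuation lines that start with a space; unfold them first.
parse_dc_guids() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { emit(); buf = $0 }
        END { emit() }
        function emit() {
            if (buf ~ /^dn: /) {
                # dn: CN=NTDS Settings,CN=<DC>,CN=Servers,... -> take the 2nd component
                split(buf, parts, ",")
                dc = parts[2]; sub(/^CN=/, "", dc)
            } else if (buf ~ /^objectGUID: /) {
                guid = buf; sub(/^objectGUID: /, "", guid)
                print dc, guid
            }
            buf = ""
        }'
}

# CNAME target from "samba-tool dns query ... CNAME" output
# (assumed line shape: "    CNAME: DC1.hprs.local. (flags=f0, serial=110, ttl=900)").
ad_cname_target() {
    sed -n 's/^ *CNAME: \([^ ]*\) .*$/\1/p' | head -n 1
}

# CNAME target from "host -t CNAME" output; an NXDOMAIN answer yields nothing.
dns_cname_target() {
    sed -n 's/^.* is an alias for \(.*\)$/\1/p' | head -n 1
}

# Lower-case and drop the trailing dot so "DC1.hprs.local." equals "dc1.hprs.local".
norm() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//'; }

# $1 = target recorded in AD (empty if none), $2 = target the resolver returned
# (empty on NXDOMAIN). Prints a verdict; exit status 0 only when the two agree.
classify() {
    ad=$(norm "$1"); dns=$(norm "$2")
    if [ -z "$ad" ] && [ -z "$dns" ]; then echo "absent: not in AD, not served"; return 1; fi
    if [ -n "$ad" ] && [ -z "$dns" ]; then echo "stale: in AD but the queried resolver does not serve it"; return 1; fi
    if [ -z "$ad" ]; then echo "served-only: resolver answers $dns but AD has no record"; return 1; fi
    if [ "$ad" = "$dns" ]; then echo "ok: $ad"; return 0; fi
    echo "mismatch: AD says $ad, resolver says $dns"; return 1
}

# Live run on a DC. $1 = DC whose DNS RPC to query (e.g. MAIL), $2 = resolver IP
# to test (run once with 192.168.0.2 and once with 192.168.0.7 to compare them).
check_live() {
    ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid \
    | parse_dc_guids | while read -r dc guid; do
        ad=$(samba-tool dns query "$1" "_msdcs.$DOMAIN" "$guid" CNAME -Uadministrator | ad_cname_target)
        dns=$(host -t CNAME "$guid._msdcs.$DOMAIN." "$2" | dns_cname_target)
        printf '%s (%s): ' "$dc" "$guid"; classify "$ad" "$dns" || true
    done
}

# Constructed sample ldbsearch output (GUIDs are the two shown in the post), so
# the parsing can be exercised offline. Not captured from a live system.
SAMPLE_LDB='# record 1
dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configu
 ration,DC=hprs,DC=local
objectGUID: 0d2a3ba9-4ade-45de-85c7-321ba69caee0

# record 2
dn: CN=NTDS Settings,CN=MAIL,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
objectGUID: 48c0208f-0646-42f6-89bf-dc9b81b3442c

# returned 2 records'

if command -v samba-tool >/dev/null 2>&1 && [ $# -eq 2 ]; then
    check_live "$1" "$2"
else
    printf '%s\n' "$SAMPLE_LDB" | parse_dc_guids
    classify "DC1.hprs.local." "" || true            # the situation in the post
    classify "DC1.hprs.local." "dc1.hprs.local." || true
fi
```

Run it on a DC as `sh check_guid_cname.sh MAIL 192.168.0.2` and again with `192.168.0.7`: a "stale" verdict for the resolver that the host command was using, alongside "ok" from the other, separates "the record is missing from AD" from "the record is in AD but this nameserver is not serving it", which is exactly the distinction the ALREADY_EXISTS error and the NXDOMAIN answer leave open.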