On 01/08/2023 22:40, Mark Foley via samba wrote:
> Is not being able to run 'host -t A' a show stopper here? The wiki 'host -t CNAME'
> gave, as expected:
>
> # host -t CNAME 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local.
> Host 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local. not found: 3(NXDOMAIN)
>
> and when trying to add with 'samba-tool' I got:
>
> # samba-tool dns add MAIL _msdcs.hprs.local 0d2a3ba9-4ade-45de-85c7-321ba69caee0 CNAME DC1.hprs.local -Uadministrator
> [deleted]
> Password for [HPRS\administrator]:
> gensec_update_send: gssapi_krb5[0xd83f00]: subreq: 0xd85680
> gensec_update_send: spnego[0xd831e0]: subreq: 0xd83820
> gensec_update_done: gssapi_krb5[0xd83f00]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0xd85680/../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0xd85810)] timer[(nil)] finish[../source4/auth/gensec/gensec_gssapi.c:1064]
> gensec_update_done: spnego[0xd831e0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0xd83820/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0xd839b0)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
> gensec_update_send: gssapi_krb5[0xd83f00]: subreq: 0xd85680
> gensec_update_send: spnego[0xd831e0]: subreq: 0xd834f0
> gensec_update_done: gssapi_krb5[0xd83f00]: NT_STATUS_OK tevent_req[0xd85680/../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0xd85810)] timer[(nil)] finish[../source4/auth/gensec/gensec_gssapi.c:1071]
> gensec_update_done: spnego[0xd831e0]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0xd834f0/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0xd83680)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
> gensec_update_send: spnego[0xd831e0]: subreq: 0xd85350
> gensec_update_done: spnego[0xd831e0]: NT_STATUS_OK tevent_req[0xd85350/../auth/gensec/spnego.c:1601]: state[2] error[0 (0x0)] state[struct gensec_spnego_update_state (0xd854e0)] timer[(nil)] finish[../auth/gensec/spnego.c:2070]
> ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
>     raise e
>
> which you seemed to think was a bogus error with WERR_DNS_ERROR_RECORD_ALREADY_EXISTS.
> Nevertheless the objectGUID CNAME record was not added.
>
> So, is there another way to add this record? Perhaps ldbedit'ing some .ldb file?
>
> Was your 'host -t A' suggestion intended to be another way to get this done? If
> so, I can update my BIND package to a newer version which does not have the
> "prohibited character" issue. I have it on good authority from the "father" of
> Slackware himself that I should be able to upgrade this package w/o too much
> difficulty.
>
> --Mark
>

If I find the GUID for a DC, then use it in searches, I get results like these:

adminuser at rpidc1:~ $ host -t CNAME fb453823-737c-4a8b-93e1-dc197e236d50
fb453823-737c-4a8b-93e1-dc197e236d50 has no CNAME record

Doing an 'A' record search using the GUID's FQDN gets me this:

adminuser at rpidc1:~ $ host -t A fb453823-737c-4a8b-93e1-dc197e236d50._msdcs.samdom.example.com.
fb453823-737c-4a8b-93e1-dc197e236d50._msdcs.samdom.example.com is an alias for rpidc1.samdom.example.com.
rpidc1.samdom.example.com has address 192.168.1.2

Doing a similar search, but for a CNAME, gets me this:

adminuser at rpidc1:~ $ host -t CNAME fb453823-737c-4a8b-93e1-dc197e236d50._msdcs.samdom.example.com.
fb453823-737c-4a8b-93e1-dc197e236d50._msdcs.samdom.example.com is an alias for rpidc1.samdom.example.com.

I suggest you start Samba, wait a short while and then try again.

Rowland

On Wed Aug 2 04:15:23 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:
> On 01/08/2023 22:40, Mark Foley via samba wrote:
> > Is not being able to run 'host -t A' a show stopper here? The wiki 'host -t CNAME'
> > gave, as expected:
> >
> > # host -t CNAME 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local.
> > Host 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local. not found: 3(NXDOMAIN)
> >
> > and when trying to add with 'samba-tool' I got:
> >
> > # samba-tool dns add MAIL _msdcs.hprs.local 0d2a3ba9-4ade-45de-85c7-321ba69caee0 CNAME DC1.hprs.local -Uadministrator
> > [deleted]
> > Password for [HPRS\administrator]:

[deleted]

> > ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
> >   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
> >     raise e
> >
> > which you seemed to think was a bogus error with WERR_DNS_ERROR_RECORD_ALREADY_EXISTS.
> > Nevertheless the objectGUID CNAME record was not added.
> >
> > So, is there another way to add this record? Perhaps ldbedit'ing some .ldb file?
> >
> > Was your 'host -t A' suggestion intended to be another way to get this done? If
> > so, I can update my BIND package to a newer version which does not have the
> > "prohibited character" issue. I have it on good authority from the "father" of
> > Slackware himself that I should be able to upgrade this package w/o too much
> > difficulty.
> >
> > --Mark
> >
>
> If I find the GUID for a DC, then use it in searches, I get results like
> these:
>
> adminuser at rpidc1:~ $ host -t CNAME fb453823-737c-4a8b-93e1-dc197e236d50
> fb453823-737c-4a8b-93e1-dc197e236d50 has no CNAME record
>
> Doing an 'A' record search using the GUID's FQDN gets me this:
>
> adminuser at rpidc1:~ $ host -t A
> fb453823-737c-4a8b-93e1-dc197e236d50._msdcs.samdom.example.com.
> fb453823-737c-4a8b-93e1-dc197e236d50._msdcs.samdom.example.com is an
> alias for rpidc1.samdom.example.com.
> rpidc1.samdom.example.com has address 192.168.1.2
>
> Doing a similar search, but for a CNAME, gets me this:
>
> adminuser at rpidc1:~ $ host -t CNAME
> fb453823-737c-4a8b-93e1-dc197e236d50._msdcs.samdom.example.com.
> fb453823-737c-4a8b-93e1-dc197e236d50._msdcs.samdom.example.com is an
> alias for rpidc1.samdom.example.com.

Yeah, those commands on my system simply return the 'help' syntax info for the host command.

> I suggest you start Samba, wait a short while and then try again.
>
> Rowland

Do you mean to start Samba on the new DC (which I haven't done yet) or [re]start Samba on the current DC?

Thanks --Mark