samba - Feb 2024 - Samba as an AD server problem

Hi,

I'm having a problem with my samba install, more specifically to use it as
one of my AD servers.

To setup the server, I used a fresh Debian 12, and followed
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory,
using BIND9_DLZ as the DNS backend.

I did manage to make everything work and the tests indicated in the page itself
work fine. But, to make sure everything was working, I made a quick serch and
found that it would be interesting to test the setup from my windows server.

First (in a windows cli), 'Repadmin /replsummary' indicated everything
as ok.

Then 'dcdiag /s:ad2' (where ad2 is the Debian/Samba server) also gave me
an all Ok result.

Finally, I ran 'dcdiag /Test:DNS /e /v', and here the Samba server
failed.

At the end of the command, it returned me the following(AD and WSUS are my
current Windows AD's):
         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: xxx.xxx.xxx.xxx
               WSUS                         PASS WARN PASS FAIL PASS PASS n/a
               ad2                          PASS FAIL n/a  n/a  n/a  n/a  n/a
               AD                           PASS WARN PASS FAIL PASS WARN n/a

         ......................... xxx.xxxxx.xxxx.xxx failed test DNS
      Test omitted by user request: LocatorCheck
      Test omitted by user request: Intersite


In more detail, the server failed the DNS tests (dcdiag output):

      Test omitted by user request: VerifyReplicas

            Starting test: DNS

                  Starting test: DNS

                     DNS Tests are running and not hung. Please wait a few
minutes...

                        Starting test: DNS
                           See DNS test in enterprise tests section for results
                           ......................... AD2 failed test DNS
                  See DNS test in enterprise tests section for results
                  ......................... AD passed test DNS
         See DNS test in enterprise tests section for results
         ......................... WSUS passed test DNS


Then at the authentication tests part, dcdiag accused a failure again:

               TEST: Authentication (Auth)
                  Authentication test: Successfully completed

               TEST: Basic (Basc)
                  Error: No WMI connectivity
                  [Error details: 0x800706ba (Type: HRESULT - Facility: Win32,
Description: The RPC server is unavailabl
e.) - Connection to WMI server failed]
                  No host records (A or AAAA) were found for this DC

The 'No host records' did puzzle me, as 'ad2' does appear when I
open the windows DNS manager, and running DNS queries against ad2 does work
fine. The two windows servers did complete this test. To make sure it wasn't
a connectivity problem, I ran all tests on ad2 with iptables disabled.

Any idea of where I should look to make samba pass those tests, or if it even is
necessary/important for it to pass?

Thank you,

Roberto

PS:
system details:
OS Debian 12
1 GB RAM
9 GB Disk
Xen-Citrix virtualization
samba version: 2:4.17.12+dfsg-0+deb12u1 (installed via packet manager)

On Wed, 7 Feb 2024 12:06:52 +0000
Roberto Greiner via samba <samba at lists.samba.org> wrote:
> Hi,
> 
> I'm having a problem with my samba install, more specifically to use
> it as one of my AD servers.
> 
> To setup the server, I used a fresh Debian 12, and followed
>
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory,
> using BIND9_DLZ as the DNS backend.
> 
> I did manage to make everything work and the tests indicated in the
> page itself work fine. But, to make sure everything was working, I
> made a quick serch and found that it would be interesting to test the
> setup from my windows server.
> 
> First (in a windows cli), 'Repadmin /replsummary' indicated
> everything as ok.
> 
> Then 'dcdiag /s:ad2' (where ad2 is the Debian/Samba server) also
gave
> me an all Ok result.
> 
> Finally, I ran 'dcdiag /Test:DNS /e /v', and here the Samba server
> failed.
> 
> At the end of the command, it returned me the following(AD and WSUS
> are my current Windows AD's):
What are the Windows Servers ?
What is their functional level ?
> Summary of DNS test results:
> 
>                                             Auth Basc Forw Del  Dyn
> RReg Ext
> _________________________________________________________________
> Domain: xxx.xxx.xxx.xxx WSUS                         PASS WARN PASS
> FAIL PASS PASS n/a ad2                          PASS FAIL n/a  n/a
> n/a  n/a  n/a AD                           PASS WARN PASS FAIL PASS
> WARN n/a
> 
>          ......................... xxx.xxxxx.xxxx.xxx failed test DNS
>       Test omitted by user request: LocatorCheck
>       Test omitted by user request: Intersite
> 
> 
> In more detail, the server failed the DNS tests (dcdiag output):
> 
>       Test omitted by user request: VerifyReplicas
> 
>             Starting test: DNS
> 
>                   Starting test: DNS
> 
>                      DNS Tests are running and not hung. Please wait
> a few minutes...
> 
>                         Starting test: DNS
>                            See DNS test in enterprise tests section
> for results ......................... AD2 failed test DNS
>                   See DNS test in enterprise tests section for results
>                   ......................... AD passed test DNS
>          See DNS test in enterprise tests section for results
>          ......................... WSUS passed test DNS
> 
> 
> Then at the authentication tests part, dcdiag accused a failure again:
> 
>                TEST: Authentication (Auth)
>                   Authentication test: Successfully completed
> 
>                TEST: Basic (Basc)
>                   Error: No WMI connectivity
Not surprising the 'W' in 'WMI' stands for 'Windows', I
do not think
that it works on Linux.
>                   [Error details: 0x800706ba (Type: HRESULT -
> Facility: Win32, Description: The RPC server is unavailabl e.) -
> Connection to WMI server failed] No host records (A or AAAA) were
> found for this DC
> 
> The 'No host records' did puzzle me, as 'ad2' does appear
when I open
> the windows DNS manager, and running DNS queries against ad2 does
> work fine. The two windows servers did complete this test. To make
> sure it wasn't a connectivity problem, I ran all tests on ad2 with
> iptables disabled.
> 
> Any idea of where I should look to make samba pass those tests, or if
> it even is necessary/important for it to pass?
> 
> Thank you,
> 
> Roberto
> 
> PS:
> system details:
> OS Debian 12
> 1 GB RAM
> 9 GB Disk
> Xen-Citrix virtualization
> samba version: 2:4.17.12+dfsg-0+deb12u1 (installed via packet manager)
If you use Samba from backports, you will get 4.19.4

To be honest, providing everything else is working (replication, dns,
etc), I wouldn't worry about it.

Rowland