I'm trying to join a Windows 2008 to a Samba4 domain.

I'm able to ping Samba4 or browse its network shares.

Unfortunately, I can't join Windows 2008 to this Samba4 domain - I'm not even asked for Administrator password.

Windows 2008 errors with the below message, which roughly translates to:

DNS-query for domain "samba4.my.domain" was successful.
The query was for _ldap._tcp.dc._msdcs.samba4.my.domain SRV-entry.

The following AD controller was identified:

contact-samba4.samba4.my.domain

The most frequent errors for this error are:

- missing A-entry
- AD has no network connection

Below, the original text (in German):

Die DNS-Abfrage über den Ressourceneintrag der Dienstidentifizierung (SRV), der zur Suche eines Active Directory-Domänencontrollers für die Domäne "samba4.my.domain" verwendet wird, wurde erfolgreich abgeschlossen:

Die Abfrage war für den SRV-Eintrag für _ldap._tcp.dc._msdcs.samba4.my.domain

Die folgenden Active Directory-Domänencontroller wurde von der Abfrage identifiziert:

contact-samba4.samba4.my.domain

Die häufigsten Ursachen dieses Fehlers sind:

- Host (A)-Einträge, die den Namen des Active Directory-Domänencontroller dessen IP-Adressen zuordnen, fehlen oder enthalten nicht die richtigen Adressen.

- Die in DNS registrierten Active Directory-Domänencontroller verfügen nicht über eine Netzwerkverbindung oder werden nicht ausgeführt.

--
Tomasz Chmielewski
http://wpkg.org
Try adding these SRV entries to your DNS server:
---
_ldap._tcp.samba4.my.domain. IN SRV 0 0 389 ldapserver.samba4.my.domain.
_ldap._tcp.dc._msdcs.samba4.my.domain. IN SRV 0 0 389 ldapserver.samba4.my.domain.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samba4.my.domain. IN SRV 0 0 389 ldapserver.samba4.my.domain.
_kerberos._tcp.samba4.my.domain. IN SRV 0 0 88 kerberosserver.samba4.my.domain.
_kerberos._tcp.dc._msdcs.samba4.my.domain. IN SRV 0 0 88 kerberosserver.samba4.my.domain.
---
Where ldapserver.samba4.my.domain is the FQDN of the LDAP server in your domain (samba4 domain controller?), and kerberosserver.samba4.my.domain. is the FQDN of your kerberos server (also your samba4 domain controller?)

If you have multiple domain controllers, you will need to have the full set of SRV records point to each of the DCs.

Good luck.

T

--
------------------------------------------------------------------------
Tony Hoover, Network Administrator
KSU - Salina, College of Technology and Aviation
(785) 826-2660

"Don't Blend in..."
------------------------------------------------------------------------

On Thu, 2010-05-20 at 09:00 -0500, Tomasz Chmielewski wrote:
> I'm trying to join a Windows 2008 to a Samba4 domain.
>
> I'm able to ping Samba4 or browse its network shares.
>
> Unfortunately, I can't join Windows 2008 to this Samba4 domain - I'm not
> even asked for Administrator password.
>
> Windows 2008 errors with the below message, which roughly translates to:
>
> DNS-query for domain "samba4.my.domain" was successful.
> The query was for _ldap._tcp.dc._msdcs.samba4.my.domain SRV-entry.
On 20/05/2010 15:26, Hoover, Tony wrote:
> Try adding these SRV entries to your DNS server:
> ---
> _ldap._tcp.samba4.my.domain. IN SRV 0 0 389 ldapserver.samba4.my.domain.
> _ldap._tcp.dc._msdcs.samba4.my.domain. IN SRV 0 0 389 ldapserver.samba4.my.domain.
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samba4.my.domain. IN SRV 0 0 389 ldapserver.samba4.my.domain.
> _kerberos._tcp.samba4.my.domain. IN SRV 0 0 88 kerberosserver.samba4.my.domain.
> _kerberos._tcp.dc._msdcs.samba4.my.domain. IN SRV 0 0 88 kerberosserver.samba4.my.domain.
> ---
> Where ldapserver.samba4.my.domain is the FQDN of the LDAP server in your
> domain (samba4 domain controller?), and kerberosserver.samba4.my.domain.
> is the FQDN of your kerberos server (also your samba4 domain
> controller?)
>
> If you have multiple domain controllers, you will need to have the full
> set of SRV records point to each of the DCs.
>
> Good luck.
>
> T

When you provisioned samba4 it generated sample bind and zone config for that dc, have a look at samba_install_dir/private/dns/samba4.my.domain.zone which includes all of the dns records for that zone and see which ones you are missing

Regards

Luk
On Thu, 2010-05-20 at 19:21 +0100, Lukasz Zalewski wrote:
> On 20/05/2010 15:26, Hoover, Tony wrote:
> > Try adding these SRV entries to your DNS server:
> > ---
> > _ldap._tcp.samba4.my.domain. IN SRV 0 0 389 ldapserver.samba4.my.domain.
> > _ldap._tcp.dc._msdcs.samba4.my.domain. IN SRV 0 0 389 ldapserver.samba4.my.domain.
> > _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samba4.my.domain. IN SRV 0 0 389 ldapserver.samba4.my.domain.
> > _kerberos._tcp.samba4.my.domain. IN SRV 0 0 88 kerberosserver.samba4.my.domain.
> > _kerberos._tcp.dc._msdcs.samba4.my.domain. IN SRV 0 0 88 kerberosserver.samba4.my.domain.
> > ---
> > Where ldapserver.samba4.my.domain is the FQDN of the LDAP server in your
> > domain (samba4 domain controller?), and kerberosserver.samba4.my.domain.
> > is the FQDN of your kerberos server (also your samba4 domain
> > controller?)
> >
> > If you have multiple domain controllers, you will need to have the full
> > set of SRV records point to each of the DCs.
> >
> > Good luck.
> >
> > T
>
> When you provisioned samba4 it generated sample bind and zone config for
> that dc,
> have a look at samba_install_dir/private/dns/samba4.my.domain.zone
> which includes all of the dns records for that zone and see which ones
> you are missing

Indeed, if you used a zone file other than the one we generated, then you are asking for trouble. Please use the one we generate.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
SNIP

>> When you provisioned samba4 it generated sample bind and zone config
>> for that dc,
>> have a look at samba_install_dir/private/dns/samba4.my.domain.zone
>> which includes all of the dns records for that zone and see which ones
>> you are missing
>
> Indeed, if you used a zone file other than the one we generated, then
> you are asking for trouble. Please use the one we generate.

If I might chime in...but as long as dynamic updates are configured properly, within like 15 minutes the samba 4 server will write the necessary entries to DNS...so the static zone file isn't exactly necessary...

Just my 2 cents...

TMS III

> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Cisco Inc.
On 25.05.2010 14:50, Tomasz Chmielewski wrote:
> On 25.05.2010 13:58, Lukasz Zalewski wrote:
>
>>> What more info should I provide?
>>
>> The only way I can replicate your problem and get similar message, is
>> by blocking access to port 389 both TCP and UDP on the samba4 host - it
>> seems like enabling either (i.e. TCP or UDP) produces enter credentials
>> dialog. Note that I have used Windows 7 rather than Srv2008
>
> The only packets exchanged, from the moment I press "OK" button to when the error is shown, are:
>
> - DNS queries
> - LDAP queries
>
> (192.168.128.11 - Samba4; 192.168.128.12 - Windows 2008)
>
> So, nothing blocked on Samba4 side (and LDAP queries add some data to Samba debug log).

If I block LDAP on UDP, Windows does not send queries to LDAP on TCP.

Is it the same for you?

And indeed, the error message is the same whether 389/UDP is blocked or not.

--
Tomasz Chmielewski
http://wpkg.org
On 25.05.2010 15:08, Tomasz Chmielewski wrote:
> And indeed, the error message is the same whether 389/UDP is blocked or
> not.

This is what I see produced by Samba4 when I try to join:

# samba -i -M single -d 9
(...)
dreplsrv_notify_schedule(5) scheduled for: Tue May 25 15:15:26 2010 CEST
dreplsrv_notify_schedule(5) scheduled for: Tue May 25 15:15:31 2010 CEST
cldap netlogon query domain=samba4.contact-web.de host=WIN2008 user=(null) version=22 guid=(null)
gendb_search_v: CN=Sites,CN=Configuration,DC=samba4,DC=contact-web,DC=de (objectClass=site) -> 1
added interface ip=192.168.128.11 nmask=255.255.255.0
dreplsrv_notify_schedule(5) scheduled for: Tue May 25 15:15:36 2010 CEST
cldap netlogon query domain=samba4.contact-web.de host=WIN2008 user=(null) version=22 guid=(null)
gendb_search_v: CN=Sites,CN=Configuration,DC=samba4,DC=contact-web,DC=de (objectClass=site) -> 1
added interface ip=192.168.128.11 nmask=255.255.255.0
dreplsrv_notify_schedule(5) scheduled for: Tue May 25 15:15:41 2010 CEST

Should I expect something else?

--
Tomasz Chmielewski
http://wpkg.org
On 29/05/2010 19:17, Tomasz Chmielewski wrote:
> On 29.05.2010 20:15, Lukasz Zalewski wrote:
>
>>> Unfortunately, Windows XP SP3 fails to join a Samba4 domain as well.
>>>
>>> How can I troubleshoot it?
>
>> Are both the samba4 and client machine on the same subnet? If not are
>> there any firewalls, or routers in the way?
>
> Same subnet, no firewalls or routers on the way.
>
>> Is your client dns configuration pointing explicitly at samba4
>
> Yes.

Hmm this is mostly odd, are you using FQDN to join the domain?
Can you resolve all of the samba4 generated dns records externally (http://wiki.samba.org/index.php/Samba4/HOWTO Configure DNS section), such as

host -t SRV _ldap._tcp.samdom.example.com.
.
.
.

Luk
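
An offline version of the check the thread keeps returning to, added here as an example and not part of any poster's message: it compares zone text against the five SRV names Tony listed and confirms that every SRV target also has the A record the Windows error complains about. It assumes BIND-style zone text with one record per line and $ORIGIN equal to the domain; `check_zone`, `sample_zone` and the sample records are constructed for illustration.

```shell
# Added example, not from the thread. Assumes BIND-style zone text on stdin,
# one record per line, $ORIGIN equal to the domain, and no $INCLUDE.
# check_zone DOMAIN < zonefile
# Prints "MISSING SRV <name>" for each SRV owner listed in the thread that is
# absent, and "MISSING A <host>" for each SRV target without an A record.
check_zone() {
    awk -v dom="$1" '
        function fq(n) {        # lower-case and qualify against the origin
            if (n == "@") n = dom "."
            else if (n !~ /\.$/) n = n "." dom "."
            return tolower(n)
        }
        { sub(/;.*/, "") }                  # drop comments
        NF == 0 || /^\$/ { next }           # blanks, $ORIGIN, $TTL
        {
            if ($0 ~ /^[ \t]/) first = 1    # owner inherited from previous line
            else { owner = fq($1); first = 2 }
            for (i = first; i <= NF; i++) {
                t = toupper($i)
                if (t == "IN" || t ~ /^[0-9]+[SMHDW]?$/) continue   # class, TTL
                if (t == "SRV") { have[owner] = 1; target[fq($(i + 4))] = 1 }
                else if (t == "A") addr[owner] = 1
                break
            }
        }
        END {
            site = "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs"
            n = split("_ldap._tcp _ldap._tcp.dc._msdcs _kerberos._tcp _kerberos._tcp.dc._msdcs " site, want, " ")
            for (k = 1; k <= n; k++)
                if (!(fq(want[k]) in have)) print "MISSING SRV " fq(want[k])
            for (h in target)
                if (!(h in addr)) print "MISSING A " h
        }
    ' | LC_ALL=C sort
}

# Constructed sample: the DC name comes from the thread, the records do not.
sample_zone() {
    cat <<'EOF'
$ORIGIN samba4.my.domain.
$TTL 1W
@                     IN SOA contact-samba4 hostmaster ( 1 2D 4H 6W 1W )
fileserver            IN A   192.168.128.20
_ldap._tcp            IN SRV 0 0 389 contact-samba4
_ldap._tcp.dc._msdcs  IN SRV 0 0 389 contact-samba4
_kerberos._tcp        IN SRV 0 0 88  contact-samba4.samba4.my.domain.
EOF
}
sample_zone | check_zone samba4.my.domain
```

Against a live server the same comparison can be made by feeding the zone file actually loaded by the DNS server to `check_zone` on stdin; an empty result means all five SRV names and their target A records are present.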