Richard Connon
2015-Mar-09 22:16 UTC
[Samba] "failed to lookup DC info for domain over rpc" when joining samba4 domain
On 09/03/2015 22:07, Rowland Penny wrote:
> On 09/03/15 21:59, Richard Connon wrote:
>> On 09/03/2015 21:59, Rowland Penny wrote:
>>> How did you try to join the machine to the domain ? I think I know,
>>> but I would like you to confirm my suspicions.
>>
>> Hi Rowland,
>>
>> This output was generated with `net ads join
>> -Uprovisioning%<password> -d10
>>
>> Regards,
>> Richard
>
> OK, well it isn't what I thought, moving on, what is in smb.conf
> (please do not post any commented lines), /etc/resolv.conf,
> /etc/krb5.conf, what OS etc
>
> Rowland
>

Hi Rowland,

On all hosts of site CCPG-UK:

resolv.conf contains:

    domain ads.connon.me.uk
    nameserver 10.10.0.250
    nameserver 10.10.0.252
    nameserver 10.10.0.251

krb5.conf contains:

    [libdefaults]
        default_realm = ADS.CONNON.ME.UK
        dns_lookup_realm = false
        dns_lookup_kdc = true
        rdns = false

The DC smb.conf contains:

    [global]
        netbios name = DC01
        realm = ADS.CONNON.ME.UK
        workgroup = CONNON
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = dedicated keytab
        dsdb:schema update allowed = Yes

    [netlogin]
        path = /var/lib/samba/sysvol/ads.connon.me.uk/scripts
        read only = No
    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No

The client smb.conf contains:

    [global]
        security = ads
        netbios name = SHELL01
        realm = ADS.CONNON.ME.UK
        workgroup = CONNON
        dedicated keytab file = /etc/krb5.keytab
        kerberos method = dedicated keytab

The OS for all machines is debian 7. The DC is using samba 4.1.17+dfsg-1~bpo70+1 from backports while the client is using 3.6.6-6+deb7u5.

I appreciate that samba 3.6 is now very old but I'd like to avoid deviating from the standard install for clients. I'm reasonably sure this should be fixable with a 3.6 client since it has worked so well in the past.

It is possible that the DC has received a minor (4.1.x) upgrade since domain join last worked.

Regards,
Richard
Rowland Penny
2015-Mar-09 22:36 UTC
[Samba] "failed to lookup DC info for domain over rpc" when joining samba4 domain
On 09/03/15 22:16, Richard Connon wrote:
> On 09/03/2015 22:07, Rowland Penny wrote:
>> On 09/03/15 21:59, Richard Connon wrote:
>>> On 09/03/2015 21:59, Rowland Penny wrote:
>>>> How did you try to join the machine to the domain ? I think I know,
>>>> but I would like you to confirm my suspicions.
>>>
>>> Hi Rowland,
>>>
>>> This output was generated with `net ads join
>>> -Uprovisioning%<password> -d10
>>>
>>> Regards,
>>> Richard
>>
>> OK, well it isn't what I thought, moving on, what is in smb.conf
>> (please do not post any commented lines), /etc/resolv.conf,
>> /etc/krb5.conf, what OS etc
>>
>> Rowland
>>
> Hi Rowland,
>
> On all hosts of site CCPG-UK:
> resolv.conf contains:
>     domain ads.connon.me.uk
>     nameserver 10.10.0.250
>     nameserver 10.10.0.252
>     nameserver 10.10.0.251
>
> krb5.conf contains:
>     [libdefaults]
>         default_realm = ADS.CONNON.ME.UK
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>         rdns = false
>
> The DC smb.conf contains:
>     [global]
>         netbios name = DC01
>         realm = ADS.CONNON.ME.UK
>         workgroup = CONNON
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbind, ntp_signd, kcc, dnsupdate
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = dedicated keytab
>         dsdb:schema update allowed = Yes
>
>     [netlogin]
>         path = /var/lib/samba/sysvol/ads.connon.me.uk/scripts
>         read only = No
>     [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> The client smb.conf contains:
>     [global]
>         security = ads
>         netbios name = SHELL01
>         realm = ADS.CONNON.ME.UK
>         workgroup = CONNON
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = dedicated keytab
>
> The OS for all machines is debian 7. The DC is using samba
> 4.1.17+dfsg-1~bpo70+1 from backports while the client is using
> 3.6.6-6+deb7u5.
> I appreciate that samba 3.6 is now very old but I'd like to avoid
> deviating from the standard install for clients. I'm reasonably sure
> this should be fixable with a 3.6 client since it has worked so well
> in the past.
>
> It is possible that the DC has received a minor (4.1.x) upgrade since
> domain join last worked.
>
> Regards,
> Richard

Hmm, everything looks ok and it shouldn't matter whether you use the standard 3.6 from debian or 4.1.17 from backports except for the fact that 3.6 isn't just old, it is EOL, so you may have to rely on debian backporting any security updates themselves.

I take it that the three nameservers in the client's resolv.conf are all DCs, if not, I suggest you remove any that aren't, could you also have a look here:

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Rowland
Richard Connon
2015-Mar-09 23:19 UTC
[Samba] "failed to lookup DC info for domain over rpc" when joining samba4 domain
On 09/03/2015 22:36, Rowland Penny wrote:
> Hmm, everything looks ok and it shouldn't matter whether you use the
> standard 3.6 from debian or 4.1.17 from backports except for the fact
> that 3.6 isn't just old, it is EOL, so you may have to rely on debian
> backporting any security updates themselves.
>
> I take it that the three nameservers in the client's resolv.conf are
> all DCs, if not, I suggest you remove any that aren't, could you also
> have a look here:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> Rowland

Hi Rowland,

I'm aware of 3.6's security status. I'm planning to count on debian backporting fixes for now and move to 4.1 (or 4.2) if and when required. I have just tried, as an experiment, upgrading this failing client to 4.1.17 to no avail.

The nameservers in resolv.conf are just forwarders. They forward to my DCs for anything under ads.connon.me.uk. As an experiment I tried changing the resolv.conf on both the DC and the client to contain just the DC for this site rather than my normal recursive servers. Again, this didn't change the behaviour.

I'm not familiar with the RPC protocol very much. Are there some tools I can use to perform some test queries against this DC?

Regards,
Richard
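The resolver question raised in this thread can be checked offline before any RPC debugging. The following is an added example, not code from either poster or from the Samba project: it cross-checks the client files quoted above and lists the standard AD DC-locator and Kerberos SRV names that every listed nameserver has to answer. It assumes a flat krb5.conf like the one posted (no nested `{ }` blocks); the function names are hypothetical.

```python
import configparser

# Constructed sample input: the client-side files as quoted in the thread.
RESOLV_CONF = """domain ads.connon.me.uk
nameserver 10.10.0.250
nameserver 10.10.0.252
nameserver 10.10.0.251
"""
KRB5_CONF = """[libdefaults]
default_realm = ADS.CONNON.ME.UK
dns_lookup_realm = false
dns_lookup_kdc = true
rdns = false
"""
SMB_CONF = """[global]
security = ads
netbios name = SHELL01
realm = ADS.CONNON.ME.UK
workgroup = CONNON
"""

def _ini(text):
    # '=' only: smb.conf keys such as "dsdb:schema update allowed" contain ':'.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def _resolv(text):
    rows = [l.split() for l in text.splitlines() if len(l.split()) >= 2]
    domain = next((r[1].lower() for r in rows if r[0] == "domain"), None)
    return domain, [r[1] for r in rows if r[0] == "nameserver"]

def preflight(resolv_text, krb5_text, smb_text):
    """Return (problems, srv_names, nameservers) for a 'net ads join' client."""
    domain, nameservers = _resolv(resolv_text)
    krb5, smb = _ini(krb5_text), _ini(smb_text)
    realm = smb.get("global", "realm", fallback="")
    problems = []
    if smb.get("global", "security", fallback="").lower() != "ads":
        problems.append("smb.conf: security is not 'ads'")
    if krb5.get("libdefaults", "default_realm", fallback="") != realm:
        problems.append("krb5.conf default_realm differs from smb.conf realm")
    if domain != realm.lower():
        problems.append("resolv.conf domain differs from the realm's DNS name")
    srv = ["_ldap._tcp.dc._msdcs." + realm.lower()]
    if krb5.getboolean("libdefaults", "dns_lookup_kdc", fallback=False):
        srv += ["_kerberos._tcp." + realm.lower(), "_kerberos._udp." + realm.lower()]
    return problems, srv, nameservers

if __name__ == "__main__":
    problems, srv, servers = preflight(RESOLV_CONF, KRB5_CONF, SMB_CONF)
    print(problems or "config consistent")
    for ns in servers:              # each listed resolver must answer these
        for name in srv:
            print(f"host -t SRV {name} {ns}")
```

Run as a script, it prints one `host -t SRV` query per record and nameserver; a resolver that does not return the DCs for any of them is a candidate for removal from resolv.conf.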