samba - Mar 2015 - "failed to lookup DC info for domain over rpc" when joining samba4 domain

On 09/03/2015 22:07, Rowland Penny wrote:
> On 09/03/15 21:59, Richard Connon wrote:
>> On 09/03/2015 21:59, Rowland Penny wrote:
>>> How did you try to join the machine to the domain ? I think I know,
>>> but it would like you to confirm my suspicions.
>>
>> Hi Rowland,
>>
>> This output was generated with `net ads join 
>> -Uprovisioning%<password> -d10
>>
>> Regards,
>> Richard
>
> OK, well it isn't what I thought, moving on, what is in smb.conf 
> (please do not post any commented lines), /etc/resolv.conf, 
> /etc/krb5.conf, what OS etc
>
> Rowland
>
Hi Rowland,

On all hosts of site CCPG-UK:
resolv.conf contains:
domain ads.connon.me.uk
nameserver 10.10.0.250
nameserver 10.10.0.252
nameserver 10.10.0.251

krb5.conf contains:
[libdefaults]
         default_realm = ADS.CONNON.ME.UK
         dns_lookup_realm = false
         dns_lookup_kdc = true
         rdns = false

The DC smb.conf contains:
[global]
         netbios name = DC01
         realm = ADS.CONNON.ME.UK
         workgroup = CONNON
         server role = active directory domain controller
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
drepl, winbind, ntp_signd, kcc, dnsupdate
         dedicated keytab file = /etc/krb5.keytab
         kerberos method = dedicated keytab
         dsdb:schema update allowed = Yes

[netlogin]
         path = /var/lib/samba/sysvol/ads.connon.me.uk/scripts
         read only = No
[sysvol]
         path = /var/lib/samba/sysvol
         read only = No

The client smb.conf contains:
[global]
         security = ads
         netbios name = SHELL01
         realm = ADS.CONNON.ME.UK
         workgroup = CONNON
         dedicated keytab file = /etc/krb5.keytab
         kerberos method = dedicated keytab

The OS for all machines is debian 7. The DC is using samba 
4.1.17+dfsg-1~bpo70+1 from backports while the client is using 
3.6.6-6+deb7u5.
I appreciate that samba 3.6 is now very old but I'd like to avoid 
deviating from the standard install for clients. I'm reasonably sure 
this should be fixable with a 3.6 client since it has worked so well in 
the past.

It is possible that the DC has received a minor (4.1.x) upgrade since 
domain join last worked.

Regards,
Richard

On 09/03/15 22:16, Richard Connon wrote:
> On 09/03/2015 22:07, Rowland Penny wrote:
>> On 09/03/15 21:59, Richard Connon wrote:
>>> On 09/03/2015 21:59, Rowland Penny wrote:
>>>> How did you try to join the machine to the domain ? I think I
know,
>>>> but it would like you to confirm my suspicions.
>>>
>>> Hi Rowland,
>>>
>>> This output was generated with `net ads join 
>>> -Uprovisioning%<password> -d10
>>>
>>> Regards,
>>> Richard
>>
>> OK, well it isn't what I thought, moving on, what is in smb.conf 
>> (please do not post any commented lines), /etc/resolv.conf, 
>> /etc/krb5.conf, what OS etc
>>
>> Rowland
>>
> Hi Rowland,
>
> On all hosts of site CCPG-UK:
> resolv.conf contains:
> domain ads.connon.me.uk
> nameserver 10.10.0.250
> nameserver 10.10.0.252
> nameserver 10.10.0.251
>
> krb5.conf contains:
> [libdefaults]
>         default_realm = ADS.CONNON.ME.UK
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>         rdns = false
>
> The DC smb.conf contains:
> [global]
>         netbios name = DC01
>         realm = ADS.CONNON.ME.UK
>         workgroup = CONNON
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> drepl, winbind, ntp_signd, kcc, dnsupdate
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = dedicated keytab
>         dsdb:schema update allowed = Yes
>
> [netlogin]
>         path = /var/lib/samba/sysvol/ads.connon.me.uk/scripts
>         read only = No
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> The client smb.conf contains:
> [global]
>         security = ads
>         netbios name = SHELL01
>         realm = ADS.CONNON.ME.UK
>         workgroup = CONNON
>         dedicated keytab file = /etc/krb5.keytab
>         kerberos method = dedicated keytab
>
> The OS for all machines is debian 7. The DC is using samba 
> 4.1.17+dfsg-1~bpo70+1 from backports while the client is using 
> 3.6.6-6+deb7u5.
> I appreciate that samba 3.6 is now very old but I'd like to avoid 
> deviating from the standard install for clients. I'm reasonably sure 
> this should be fixable with a 3.6 client since it has worked so well 
> in the past.
>
> It is possible that the DC has received a minor (4.1.x) upgrade since 
> domain join last worked.
>
> Regards,
> Richard
Hmm, everything looks ok and it shouldn't matter whether you use the 
standard 3.6 from debian or 4.1.17 from backports except for the fact 
that 3.6 isn't just old, it is EOL , so you may have to rely on debian 
backporting any security updates themselves.

I take it that the three nameservers in the clients resolv.conf are all 
DC's, if not, I suggest you remove any that aren't, could you also have 
a look here:

  https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

Rowland

On 09/03/2015 22:36, Rowland Penny wrote:
> Hmm, everything looks ok and it shouldn't matter whether you use the 
> standard 3.6 from debian or 4.1.17 from backports except for the fact 
> that 3.6 isn't just old, it is EOL , so you may have to rely on debian 
> backporting any security updates themselves.
>
> I take it that the three nameservers in the clients resolv.conf are 
> all DC's, if not, I suggest you remove any that aren't, could you
also
> have a look here:
>
>  https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> Rowland
Hi Rowland,

I'm aware of 3.6's security status. I'm planning to count on debian 
backporting fixes for now and move to 4.1 (or 4.2) if and when required.
I have just tried, as an experiment, upgrading this failing client to 
4.1.17 to no avail.

The nameservers in resolv.conf are just forwarders. They forward to my 
DCs for anything under ads.connon.me.uk.
As an experiment I tried changing the resolv.conf on both the DC and the 
client to contain just the DC for this site rather than my normal 
recursive servers. Again, this didn't change the behaviour.

I'm not familiar with the RPC protocol very much. Are there some tools I 
can use to perform some test queries against this DC?

Regards,
Richard