samba - Mar 2015 - "failed to lookup DC info for domain over rpc" when joining samba4 domain

On 09/03/2015 22:36, Rowland Penny wrote:
> Hmm, everything looks ok and it shouldn't matter whether you use the 
> standard 3.6 from debian or 4.1.17 from backports except for the fact 
> that 3.6 isn't just old, it is EOL , so you may have to rely on debian 
> backporting any security updates themselves.
>
> I take it that the three nameservers in the clients resolv.conf are 
> all DC's, if not, I suggest you remove any that aren't, could you
also
> have a look here:
>
>  https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> Rowland
Hi Rowland,

I'm aware of 3.6's security status. I'm planning to count on debian 
backporting fixes for now and move to 4.1 (or 4.2) if and when required.
I have just tried, as an experiment, upgrading this failing client to 
4.1.17 to no avail.

The nameservers in resolv.conf are just forwarders. They forward to my 
DCs for anything under ads.connon.me.uk.
As an experiment I tried changing the resolv.conf on both the DC and the 
client to contain just the DC for this site rather than my normal 
recursive servers. Again, this didn't change the behaviour.

I'm not familiar with the RPC protocol very much. Are there some tools I 
can use to perform some test queries against this DC?

Regards,
Richard

Hey Richard,

first of all I personally think it is better to post logfiles in plain text on
the list so that it keeps readable for later users. Just my two cents :-)

What I first saw in your smb.conf is that the netlogon share is named netlogin.

Beside this, I will send you a list of DNS entries I have under _msdcs later.
Perhaps it is worth to compare.

Am 10. M?rz 2015 00:19:53 MEZ, schrieb Richard Connon <richard at
connon.me.uk>:
>On 09/03/2015 22:36, Rowland Penny wrote:
>> Hmm, everything looks ok and it shouldn't matter whether you use
the
>> standard 3.6 from debian or 4.1.17 from backports except for the fact
>
>> that 3.6 isn't just old, it is EOL , so you may have to rely on
>debian 
>> backporting any security updates themselves.
>>
>> I take it that the three nameservers in the clients resolv.conf are 
>> all DC's, if not, I suggest you remove any that aren't, could
you
>also 
>> have a look here:
>>
>>  https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> Rowland
>
>Hi Rowland,
>
>I'm aware of 3.6's security status. I'm planning to count on
debian
>backporting fixes for now and move to 4.1 (or 4.2) if and when
>required.
>I have just tried, as an experiment, upgrading this failing client to 
>4.1.17 to no avail.
>
>The nameservers in resolv.conf are just forwarders. They forward to my 
>DCs for anything under ads.connon.me.uk.
>As an experiment I tried changing the resolv.conf on both the DC and
>the 
>client to contain just the DC for this site rather than my normal 
>recursive servers. Again, this didn't change the behaviour.
>
>I'm not familiar with the RPC protocol very much. Are there some tools
>I 
>can use to perform some test queries against this DC?
>
>Regards,
>Richard
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba

On 09/03/15 23:19, Richard Connon wrote:
> On 09/03/2015 22:36, Rowland Penny wrote:
>> Hmm, everything looks ok and it shouldn't matter whether you use
the
>> standard 3.6 from debian or 4.1.17 from backports except for the fact 
>> that 3.6 isn't just old, it is EOL , so you may have to rely on 
>> debian backporting any security updates themselves.
>>
>> I take it that the three nameservers in the clients resolv.conf are 
>> all DC's, if not, I suggest you remove any that aren't, could
you
>> also have a look here:
>>
>>  https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> Rowland
>
> Hi Rowland,
>
> I'm aware of 3.6's security status. I'm planning to count on
debian
> backporting fixes for now and move to 4.1 (or 4.2) if and when required.
> I have just tried, as an experiment, upgrading this failing client to 
> 4.1.17 to no avail.
>
> The nameservers in resolv.conf are just forwarders. They forward to my 
> DCs for anything under ads.connon.me.uk.
> As an experiment I tried changing the resolv.conf on both the DC and 
> the client to contain just the DC for this site rather than my normal 
> recursive servers. Again, this didn't change the behaviour.
>
> I'm not familiar with the RPC protocol very much. Are there some tools 
> I can use to perform some test queries against this DC?
>
> Regards,
> Richard
Your DC's must point to themselves for DNS and your domain clients must 
point to the DC's, anything outside the domain the DC's will be obtain 
from the forwarders set on them.

What I think is happening: your client is asking for the DC from your 
forwarders, they do not know, so they ask the DC, who asks the 
forwarder, who does not know and so on.

The resolv.conf on my DCs is simply this:

search example.com
nameserver 127.0.0.1

I use Bind and this is setup to forward to my router, so when a client 
wants the DC, it contacts a DC (set in resolv.conf on client) which 
knows all about the domain and replies with the correct info. You can do 
this with the internal DC DNS server.

Rowland

Hey Richard,

here you are my _msdcs-dns-zone. I only have two dcs. I hope the text structure
will be readable at your side.

Name									Type				Data
dc
+- _sites
	+- Default-First-Site-Name
		+- _tcp
			_kerberos					Service Identification (SRV)	[0][100][88]
DC1.example.samdom.com.
			_kerberos					Service Identification (SRV)	[0][100][88]
DC2.example.samdom.com.
			_ldap						Service Identification (SRV)	[0][100][389] DC1.example.samdom.com.
			_ldap						Service Identification (SRV)	[0][100][389] DC2.example.samdom.com.
+- _tcp
	_kerberos							Service Identification (SRV)	[0][100][88]
DC1.example.samdom.com.
	_kerberos							Service Identification (SRV)	[0][100][88]
DC2.example.samdom.com.
	_ldap								Service Identification (SRV)	[0][100][389] DC1.example.samdom.com.
	_ldap								Service Identification (SRV)	[0][100][389] DC2.example.samdom.com.
domains
+- <Domain-ID>
	_tcp
	+- 	_ldap
		 (identical with folder above)				Service Identification (SRV) 	[0][100][389]
DC1.example.samdom.com.
		 (identical with folder above)				Service Identification (SRV) 	[0][100][389]
DC2.example.samdom.com.
	_ldap								Service Identification (SRV)	[0][100][389] DC1.example.samdom.com.
	_ldap								Service Identification (SRV)	[0][100][389] DC2.example.samdom.com.
	
gc
+- _sites
	+- Default-First-Site-Name
		+- _tcp
			_ldap						Service Identification (SRV)	[0][100][389] DC1.example.samdom.com.
			_ldap						Service Identification (SRV)	[0][100][389] DC2.example.samdom.com.
+- _tcp
	_ldap								Service Identification (SRV)	[0][100][389] DC1.example.samdom.com.
	_ldap								Service Identification (SRV)	[0][100][389] DC2.example.samdom.com.
(identical with folder above)						Host (A)			<IP Adress DC1>
(identical with folder above)						Host (A)			<IP Adress DC2>

pdc
+- _tcp
	_ldap								Service Identification (SRV)	[0][100][389] DC1.example.samdom.com.
		
<Unique ID of DC1>						Alias (CNAME)				DC1.example.samdom.com.
<Unique ID of DC2>						Alias (CNAME)				DC2.example.samdom.com.
(identical with folder above)					Authority Source (SOA)			[12],
DC1.example.samdom.com., hostmaster.example.samdom.com.
(identical with folder above)					Nameserver (NS)				DC1.example.samdom.com.
(identical with folder above)					Nameserver (NS)				DC2.example.samdom.com.



Regards
Tim



Am 10.03.2015 00:19, schrieb Richard Connon:
> On 09/03/2015 22:36, Rowland Penny wrote:
>> Hmm, everything looks ok and it shouldn't matter whether you use
the
>> standard 3.6 from debian or 4.1.17 from backports except for the fact
>> that 3.6 isn't just old, it is EOL , so you may have to rely on
debian
>> backporting any security updates themselves.
>>
>> I take it that the three nameservers in the clients resolv.conf are
>> all DC's, if not, I suggest you remove any that aren't, could
you also
>> have a look here:
>>
>>  https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> Rowland
>
> Hi Rowland,
>
> I'm aware of 3.6's security status. I'm planning to count on
debian
> backporting fixes for now and move to 4.1 (or 4.2) if and when required.
> I have just tried, as an experiment, upgrading this failing client to
> 4.1.17 to no avail.
>
> The nameservers in resolv.conf are just forwarders. They forward to my
> DCs for anything under ads.connon.me.uk.
> As an experiment I tried changing the resolv.conf on both the DC and the
> client to contain just the DC for this site rather than my normal
> recursive servers. Again, this didn't change the behaviour.
>
> I'm not familiar with the RPC protocol very much. Are there some tools
I
> can use to perform some test queries against this DC?
>
> Regards,
> Richard

Hi Rowland,

Please see comments inline.

On 10/03/15 08:51, Rowland Penny wrote:
> Your DC's must point to themselves for DNS and your domain clients must
> point to the DC's, anything outside the domain the DC's will be
obtain
> from the forwarders set on them.
This is contrary to what the wiki says.
https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
This page indicates that as long as the client can resolve names in the 
domain DNS zone (in my case ads.connon.me.uk) they should be fine.
> What I think is happening: your client is asking for the DC from your
> forwarders, they do not know, so they ask the DC, who asks the
> forwarder, who does not know and so on.
I can confirm this isn't happening since I can resolve (for example) the 
SRV records on _ldap._tcp.ads.connon.me.uk through my forwarders, you 
can even test this yourself with `dig -t SRV 
_ldap._tcp.ads.connon.me.uk` or similar.

I'm currently looking into whether there are any records missing.

Regards,
Richard