Richard Connon
2015-Mar-09 23:19 UTC
[Samba] "failed to lookup DC info for domain over rpc" when joining samba4 domain
On 09/03/2015 22:36, Rowland Penny wrote:
> Hmm, everything looks ok and it shouldn't matter whether you use the
> standard 3.6 from debian or 4.1.17 from backports except for the fact
> that 3.6 isn't just old, it is EOL, so you may have to rely on debian
> backporting any security updates themselves.
>
> I take it that the three nameservers in the clients resolv.conf are
> all DC's, if not, I suggest you remove any that aren't, could you also
> have a look here:
>
> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>
> Rowland

Hi Rowland,

I'm aware of 3.6's security status. I'm planning to count on debian backporting fixes for now and move to 4.1 (or 4.2) if and when required. I have just tried, as an experiment, upgrading this failing client to 4.1.17 to no avail.

The nameservers in resolv.conf are just forwarders. They forward to my DCs for anything under ads.connon.me.uk. As an experiment I tried changing the resolv.conf on both the DC and the client to contain just the DC for this site rather than my normal recursive servers. Again, this didn't change the behaviour.

I'm not familiar with the RPC protocol very much. Are there some tools I can use to perform some test queries against this DC?

Regards,
Richard
Tim
2015-Mar-10 07:18 UTC
[Samba] "failed to lookup DC info for domain over rpc" when joining samba4 domain
Hey Richard,

first of all, I personally think it is better to post logfiles in plain text on the list so that it stays readable for later users. Just my two cents :-)

What I first saw in your smb.conf is that the netlogon share is named netlogin.

Besides this, I will send you a list of DNS entries I have under _msdcs later. Perhaps it is worth comparing.

On 10 March 2015 00:19:53 CET, Richard Connon <richard at connon.me.uk> wrote:
> On 09/03/2015 22:36, Rowland Penny wrote:
>> Hmm, everything looks ok and it shouldn't matter whether you use the
>> standard 3.6 from debian or 4.1.17 from backports except for the fact
>> that 3.6 isn't just old, it is EOL, so you may have to rely on debian
>> backporting any security updates themselves.
>>
>> I take it that the three nameservers in the clients resolv.conf are
>> all DC's, if not, I suggest you remove any that aren't, could you also
>> have a look here:
>>
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> Rowland
>
> Hi Rowland,
>
> I'm aware of 3.6's security status. I'm planning to count on debian
> backporting fixes for now and move to 4.1 (or 4.2) if and when required.
> I have just tried, as an experiment, upgrading this failing client to
> 4.1.17 to no avail.
>
> The nameservers in resolv.conf are just forwarders. They forward to my
> DCs for anything under ads.connon.me.uk.
> As an experiment I tried changing the resolv.conf on both the DC and the
> client to contain just the DC for this site rather than my normal
> recursive servers. Again, this didn't change the behaviour.
>
> I'm not familiar with the RPC protocol very much. Are there some tools I
> can use to perform some test queries against this DC?
>
> Regards,
> Richard
Rowland Penny
2015-Mar-10 08:51 UTC
[Samba] "failed to lookup DC info for domain over rpc" when joining samba4 domain
On 09/03/15 23:19, Richard Connon wrote:
> On 09/03/2015 22:36, Rowland Penny wrote:
>> Hmm, everything looks ok and it shouldn't matter whether you use the
>> standard 3.6 from debian or 4.1.17 from backports except for the fact
>> that 3.6 isn't just old, it is EOL, so you may have to rely on
>> debian backporting any security updates themselves.
>>
>> I take it that the three nameservers in the clients resolv.conf are
>> all DC's, if not, I suggest you remove any that aren't, could you
>> also have a look here:
>>
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> Rowland
>
> Hi Rowland,
>
> I'm aware of 3.6's security status. I'm planning to count on debian
> backporting fixes for now and move to 4.1 (or 4.2) if and when required.
> I have just tried, as an experiment, upgrading this failing client to
> 4.1.17 to no avail.
>
> The nameservers in resolv.conf are just forwarders. They forward to my
> DCs for anything under ads.connon.me.uk.
> As an experiment I tried changing the resolv.conf on both the DC and
> the client to contain just the DC for this site rather than my normal
> recursive servers. Again, this didn't change the behaviour.
>
> I'm not familiar with the RPC protocol very much. Are there some tools
> I can use to perform some test queries against this DC?
>
> Regards,
> Richard

Your DC's must point to themselves for DNS and your domain clients must point to the DC's, anything outside the domain the DC's will obtain from the forwarders set on them.

What I think is happening: your client is asking for the DC from your forwarders, they do not know, so they ask the DC, who asks the forwarder, who does not know and so on.

The resolv.conf on my DCs is simply this:

    search example.com
    nameserver 127.0.0.1

I use Bind and this is set up to forward to my router, so when a client wants the DC, it contacts a DC (set in resolv.conf on client) which knows all about the domain and replies with the correct info.

You can do this with the internal DC DNS server.

Rowland
Tim
2015-Mar-10 12:16 UTC
[Samba] "failed to lookup DC info for domain over rpc" when joining samba4 domain
Hey Richard,

here is my _msdcs-dns-zone. I only have two dcs. I hope the text structure will be readable at your side.

    Name                             Type                            Data
    dc
    +- _sites
       +- Default-First-Site-Name
          +- _tcp
             _kerberos               Service Identification (SRV)    [0][100][88] DC1.example.samdom.com.
             _kerberos               Service Identification (SRV)    [0][100][88] DC2.example.samdom.com.
             _ldap                   Service Identification (SRV)    [0][100][389] DC1.example.samdom.com.
             _ldap                   Service Identification (SRV)    [0][100][389] DC2.example.samdom.com.
    +- _tcp
       _kerberos                     Service Identification (SRV)    [0][100][88] DC1.example.samdom.com.
       _kerberos                     Service Identification (SRV)    [0][100][88] DC2.example.samdom.com.
       _ldap                         Service Identification (SRV)    [0][100][389] DC1.example.samdom.com.
       _ldap                         Service Identification (SRV)    [0][100][389] DC2.example.samdom.com.
    domains
    +- <Domain-ID>
       _tcp
       +- _ldap
          (identical with folder above)  Service Identification (SRV)  [0][100][389] DC1.example.samdom.com.
          (identical with folder above)  Service Identification (SRV)  [0][100][389] DC2.example.samdom.com.
       _ldap                         Service Identification (SRV)    [0][100][389] DC1.example.samdom.com.
       _ldap                         Service Identification (SRV)    [0][100][389] DC2.example.samdom.com.
    gc
    +- _sites
       +- Default-First-Site-Name
          +- _tcp
             _ldap                   Service Identification (SRV)    [0][100][389] DC1.example.samdom.com.
             _ldap                   Service Identification (SRV)    [0][100][389] DC2.example.samdom.com.
    +- _tcp
       _ldap                         Service Identification (SRV)    [0][100][389] DC1.example.samdom.com.
       _ldap                         Service Identification (SRV)    [0][100][389] DC2.example.samdom.com.
    (identical with folder above)    Host (A)                        <IP Address DC1>
    (identical with folder above)    Host (A)                        <IP Address DC2>
    pdc
    +- _tcp
       _ldap                         Service Identification (SRV)    [0][100][389] DC1.example.samdom.com.
    <Unique ID of DC1>               Alias (CNAME)                   DC1.example.samdom.com.
    <Unique ID of DC2>               Alias (CNAME)                   DC2.example.samdom.com.
    (identical with folder above)    Authority Source (SOA)          [12], DC1.example.samdom.com., hostmaster.example.samdom.com.
    (identical with folder above)    Nameserver (NS)                 DC1.example.samdom.com.
    (identical with folder above)    Nameserver (NS)                 DC2.example.samdom.com.

Regards
Tim

On 10.03.2015 00:19, Richard Connon wrote:
> On 09/03/2015 22:36, Rowland Penny wrote:
>> Hmm, everything looks ok and it shouldn't matter whether you use the
>> standard 3.6 from debian or 4.1.17 from backports except for the fact
>> that 3.6 isn't just old, it is EOL, so you may have to rely on debian
>> backporting any security updates themselves.
>>
>> I take it that the three nameservers in the clients resolv.conf are
>> all DC's, if not, I suggest you remove any that aren't, could you also
>> have a look here:
>>
>> https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server
>>
>> Rowland
>
> Hi Rowland,
>
> I'm aware of 3.6's security status. I'm planning to count on debian
> backporting fixes for now and move to 4.1 (or 4.2) if and when required.
> I have just tried, as an experiment, upgrading this failing client to
> 4.1.17 to no avail.
>
> The nameservers in resolv.conf are just forwarders. They forward to my
> DCs for anything under ads.connon.me.uk.
> As an experiment I tried changing the resolv.conf on both the DC and the
> client to contain just the DC for this site rather than my normal
> recursive servers. Again, this didn't change the behaviour.
>
> I'm not familiar with the RPC protocol very much. Are there some tools I
> can use to perform some test queries against this DC?
>
> Regards,
> Richard
Richard Connon
2015-Mar-10 14:11 UTC
[Samba] "failed to lookup DC info for domain over rpc" when joining samba4 domain
Hi Rowland,

Please see comments inline.

On 10/03/15 08:51, Rowland Penny wrote:
> Your DC's must point to themselves for DNS and your domain clients must
> point to the DC's, anything outside the domain the DC's will obtain
> from the forwarders set on them.

This is contrary to what the wiki says.

https://wiki.samba.org/index.php/Setup_a_Samba_AD_Member_Server

This page indicates that as long as the client can resolve names in the domain DNS zone (in my case ads.connon.me.uk) they should be fine.

> What I think is happening: your client is asking for the DC from your
> forwarders, they do not know, so they ask the DC, who asks the
> forwarder, who does not know and so on.

I can confirm this isn't happening since I can resolve (for example) the SRV records on _ldap._tcp.ads.connon.me.uk through my forwarders, you can even test this yourself with `dig -t SRV _ldap._tcp.ads.connon.me.uk` or similar.

I'm currently looking into whether there are any records missing.

Regards,
Richard
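
Added example, not part of any post in this thread: a Python check for the "are any records missing" step, comparing collected `dig -t SRV` answer lines against the SRV owner names in Tim's _msdcs listing. The domain samdom.example.com, the DC host names and the sample answers are constructed; GUID-based entries are omitted and ports are not checked.

```python
import re

# Owner names follow Tim's _msdcs listing (GUID entries omitted); True = every DC expected.
TEMPLATES = [
    ("_kerberos._tcp.dc._msdcs.{d}", True),
    ("_ldap._tcp.dc._msdcs.{d}", True),
    ("_kerberos._tcp.{s}._sites.dc._msdcs.{d}", True),
    ("_ldap._tcp.{s}._sites.dc._msdcs.{d}", True),
    ("_ldap._tcp.gc._msdcs.{d}", True),
    ("_ldap._tcp.{s}._sites.gc._msdcs.{d}", True),
    ("_ldap._tcp.pdc._msdcs.{d}", False),  # one DC only in the listing
]
SRV_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+\d+\s+\d+\s+\d+\s+(\S+)$", re.I)

def parse_srv(answers):
    """Map lower-cased owner name -> set of lower-cased SRV targets.
    Expects dig answer lines: owner TTL IN SRV priority weight port target."""
    found = {}
    for line in answers.splitlines():
        m = SRV_LINE.match(line.strip())
        if m:
            owner, target = (g.lower().rstrip(".") for g in m.groups())
            found.setdefault(owner, set()).add(target)
    return found

def missing_records(answers, domain, site, dcs):
    """Return (owner, dc) gaps; dc is None when the owner has no SRV at all."""
    found, gaps = parse_srv(answers), []
    for template, every_dc in TEMPLATES:
        owner = template.format(d=domain, s=site).lower()
        targets = found.get(owner, set())
        if not targets:
            gaps.append((owner, None))
        elif every_dc:
            gaps += [(owner, dc) for dc in dcs if dc.lower() not in targets]
    return gaps

# Constructed sample (not from the thread): collected `dig -t SRV` answer lines.
D, S = "samdom.example.com", "Default-First-Site-Name"
DCS = [f"dc1.{D}", f"dc2.{D}"]
SAMPLE = f"""
_kerberos._tcp.dc._msdcs.{D}. 900 IN SRV 0 100 88 dc1.{D}.
_kerberos._tcp.dc._msdcs.{D}. 900 IN SRV 0 100 88 dc2.{D}.
_ldap._tcp.dc._msdcs.{D}. 900 IN SRV 0 100 389 dc1.{D}.
_ldap._tcp.dc._msdcs.{D}. 900 IN SRV 0 100 389 dc2.{D}.
_kerberos._tcp.{S}._sites.dc._msdcs.{D}. 900 IN SRV 0 100 88 dc1.{D}.
_kerberos._tcp.{S}._sites.dc._msdcs.{D}. 900 IN SRV 0 100 88 dc2.{D}.
_ldap._tcp.{S}._sites.dc._msdcs.{D}. 900 IN SRV 0 100 389 dc1.{D}.
_ldap._tcp.pdc._msdcs.{D}. 900 IN SRV 0 100 389 dc1.{D}.
"""
```

Calling `missing_records(SAMPLE, D, S, DCS)` reports the site-level `_ldap` record that lacks dc2 and the two `gc` owner names that have no SRV record at all.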