MORILLO Jordi
2015-Oct-23 10:23 UTC
[Samba] joining second DC to domain and non creation of DC DNS records
Hi Rowland,

I have a similar problem with the sernet 4.2.4 package: no dns entry created and the logs are showing NOTAUTH for dnsupdate.
Here is my workaround:

New DC joins the domain with:
--dns-backend=BIND9_DLZ and --server=partnerDC.contoso.com

Don't start samba or bind yet !!

After that I have to correct some permission rights on these folders/files (bind can read):
- private
- dns
- dns/*
- sam.ldb
- sam.ldb.d
- sam.ldb.d/*
- dns.keytab

If I start samba + bind, I get dnsupdate failed.
The tip is to restart bind on partnerDC.contoso.com (partner replication on domain joined).
L.P.H. van Belle had similar trouble, see: https://lists.samba.org/archive/samba/2015-April/191143.html

After bind is restarted on partnerDC, you can start samba + bind.
All dns entries are created and replicated :-)

I don't know why I have to restart bind on partnerDC between the second DC domain join and the second DC samba start...

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dirk Laurenz
Sent: Friday 23 October 2015 12:01
To: Rowland Penny <rowlandpenny241155 at gmail.com>; sambalist <samba at lists.samba.org>
Subject: Re: [Samba] joining second DC to domain and non creation of DC DNS records

Hello Rowland,

just had a similar problem with 4.3.0. What fixed my problem was:

stop samba
switch to samba internal backend
remove dns-dc record
switch back to bind backend
afterwards, everything worked for me

On 22.10.2015 at 22:06, Rowland Penny wrote:
> Hi, I am in the middle of creating (or should that be re-creating) my
> test domain, creation of the first DC went without incident, so I
> moved on to the second DC and this is where the problems started.
>
> I downloaded samba 4.3.1 and compiled it, I then set up bind9 etc and
> joined the new DC to the domain, everything seemed ok, so I then
> started testing DNS. This is where I found that my nice new DC did not
> have a DNS record.
>
> I then remembered that there was a problem, so scanned the wiki (well
> somebody has to read it) and found this page:
>
> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>
> This described my problem precisely, so I started to follow it, but it
> didn't fully fix my problem, in fact it changed it to another.
>
> So I went to this page:
> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
>
> and started to follow it, but it all went pear shaped when I deleted
> the bind dns account and then samba flatly refused to recreate it,
> saying it still existed, when plainly it didn't (I later found lower
> down the page that this was another known bug, but I totally missed
> it when I first read the page. Note to Marc, I will be altering that
> page!)
>
> So, having totally missed the next bug, what did I do, well as this
> was a new DC, I stopped bind and samba, removed /usr/local/samba and
> re-ran 'make install' and tried again, this time everything worked.
> The only difference was that this time the new DC's dns record was
> already in AD on the first DC.
>
> I now know how to join any more DCs, pre-create the new DC's dns records
> in AD before joining it.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Rowland Penny
2015-Oct-23 10:44 UTC
[Samba] joining second DC to domain and non creation of DC DNS records
On 23/10/15 11:23, MORILLO Jordi wrote:
> Hi Rowland,
>
> I have a similar problem with the sernet 4.2.4 package: no dns entry created and the logs are showing NOTAUTH for dnsupdate.
> Here is my workaround:
>
> New DC joins the domain with:
> --dns-backend=BIND9_DLZ and --server=partnerDC.contoso.com
>
> Don't start samba or bind yet !!
>
> After that I have to correct some permission rights on these folders/files (bind can read):
> - private
> - dns
> - dns/*
> - sam.ldb
> - sam.ldb.d
> - sam.ldb.d/*
> - dns.keytab
>
> If I start samba + bind, I get dnsupdate failed.
> The tip is to restart bind on partnerDC.contoso.com (partner replication on domain joined).
> L.P.H. van Belle had similar trouble, see: https://lists.samba.org/archive/samba/2015-April/191143.html
>
> After bind is restarted on partnerDC, you can start samba + bind.
> All dns entries are created and replicated :-)
>
> I don't know why I have to restart bind on partnerDC between the second DC domain join and the second DC samba start...
>
> -----Original Message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Dirk Laurenz
> Sent: Friday 23 October 2015 12:01
> To: Rowland Penny <rowlandpenny241155 at gmail.com>; sambalist <samba at lists.samba.org>
> Subject: Re: [Samba] joining second DC to domain and non creation of DC DNS records
>
> Hello Rowland,
>
> just had a similar problem with 4.3.0. What fixed my problem was:
>
> stop samba
> switch to samba internal backend
> remove dns-dc record
> switch back to bind backend
> afterwards, everything worked for me
>
> On 22.10.2015 at 22:06, Rowland Penny wrote:
>> Hi, I am in the middle of creating (or should that be re-creating) my
>> test domain, creation of the first DC went without incident, so I
>> moved on to the second DC and this is where the problems started.
>>
>> I downloaded samba 4.3.1 and compiled it, I then set up bind9 etc and
>> joined the new DC to the domain, everything seemed ok, so I then
>> started testing DNS. This is where I found that my nice new DC did not
>> have a DNS record.
>>
>> I then remembered that there was a problem, so scanned the wiki (well
>> somebody has to read it) and found this page:
>>
>> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>>
>> This described my problem precisely, so I started to follow it, but it
>> didn't fully fix my problem, in fact it changed it to another.
>>
>> So I went to this page:
>> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
>>
>> and started to follow it, but it all went pear shaped when I deleted
>> the bind dns account and then samba flatly refused to recreate it,
>> saying it still existed, when plainly it didn't (I later found lower
>> down the page that this was another known bug, but I totally missed
>> it when I first read the page. Note to Marc, I will be altering that
>> page!)
>>
>> So, having totally missed the next bug, what did I do, well as this
>> was a new DC, I stopped bind and samba, removed /usr/local/samba and
>> re-ran 'make install' and tried again, this time everything worked.
>> The only difference was that this time the new DC's dns record was
>> already in AD on the first DC.
>>
>> I now know how to join any more DCs, pre-create the new DC's dns records
>> in AD before joining it.
>>
>> Rowland

You are missing the point as well, I joined the second DC and the new DC's A record was *not* created. I tried to follow the instructions on the Samba wiki but had problems and missed the fix on the webpage.

I then removed the /usr/local/samba directory and re-ran 'make install' and then joined the DC again, exactly as I did the first time and everything worked as it should, all the CNAME records were created and I didn't need to change anything other than what I would normally do i.e. /etc/resolv.conf

So, until the bug is fixed, I 'think' the cure is, add the new DC's A record to AD before doing the join.

Rowland
L.P.H. van Belle
2015-Oct-23 12:12 UTC
[Samba] joining second DC to domain and non creation of DC DNS records
> You are missing the point as well, I joined the second DC and the new
> DC's A record was *not* created. I tried to follow the instructions on
> the Samba wiki but had problems and missed the fix on the webpage.
>
> I then removed the /usr/local/samba directory and re-ran 'make install'
> and then joined the DC again, exactly as I did the first time and
> everything worked as it should, all the CNAME records were created and I
> didn't need to change anything other than what I would normally do i.e.
> /etc/resolv.conf
>
> So, until the bug is fixed, I 'think' the cure is, add the new DC's A
> record to AD before doing the join.
>
> Rowland

[L.P.H. van Belle]

This is an old bug, which has been handled by my scripts for some time now ;-)

If you take this code and run it after install it's fixed.

################################
#!/bin/bash
SETDNSDOMAIN=`hostname -d`
SETHOSTNAME=`hostname -s`
# hostname -i must give this DC's own address (on Debian it can return 127.0.1.1)
BIND9_IP_ADDC=`hostname -i`
SAMBA_NT_ADMIN="Administrator"
SAMBA_NT_ADMIN_PASS="PUT_YOUR_ADMINISTRATOR_PASSWORD_HERE"

## check if the needed dns entries for kerberos are there.
if [ -z "`host -t SRV _ldap._tcp.${SETDNSDOMAIN}. | grep 'not found'`" ]; then
    echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : ok"
    TEST1=0
else
    echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : FAILED"
    TEST1=1
fi
if [ -z "`host -t SRV _kerberos._udp.${SETDNSDOMAIN}. | grep "not found" `" ]; then
    echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : ok";
    TEST2=0;
else
    echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : FAILED";
    TEST2=1;
fi
## the A record of this DC; add it with samba-tool if it is missing
if [ -z "`host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. | grep "not found" `" ]; then
    echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : ok";
    TEST3=0;
else
    echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : FAILED";
    echo "trying to fix it now: ";
    echo ${SAMBA_NT_ADMIN_PASS}| samba-tool dns add ${SETHOSTNAME}.${SETDNSDOMAIN} ${SETDNSDOMAIN} ${SETHOSTNAME} A ${BIND9_IP_ADDC} -U${SAMBA_NT_ADMIN};
fi

######### Add reverse DNS zone to samba ( a must ! )
# assumes a /24 network: the zone is the first three octets reversed, the PTR label is the last octet
REVERSEZONE=`echo $BIND9_IP_ADDC | awk 'BEGIN { FS = "." } ; { print $3"."$2"."$1}'`
SINGLEDC1IPNUMBER=`echo $BIND9_IP_ADDC | rev | cut -d"." -f1 | rev`
echo "creating reverse zone: ${REVERSEZONE}.in-addr.arpa "
echo ${SAMBA_NT_ADMIN_PASS}| samba-tool dns zonecreate ${SETHOSTNAME}.${SETDNSDOMAIN} ${REVERSEZONE}.in-addr.arpa -U${SAMBA_NT_ADMIN}
sleep 2
echo "adding : ${SETHOSTNAME}.${SETDNSDOMAIN} in reverse zone ( creating PTR ) "
echo -n "PTR of ${SETHOSTNAME}.${SETDNSDOMAIN} : "
echo ${SAMBA_NT_ADMIN_PASS}| samba-tool dns add ${SETHOSTNAME}.${SETDNSDOMAIN} ${REVERSEZONE}.in-addr.arpa ${SINGLEDC1IPNUMBER} PTR ${SETHOSTNAME}.${SETDNSDOMAIN} -U${SAMBA_NT_ADMIN}
################################
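The thread's conclusion is to pre-create the new DC's records in AD on the existing DC before the join. The script below is an added example written for this page, not code from the thread or from Louis's packages: it runs on the existing DC, checks `host` output for both the "not found" and the "has no X record" answers (the script above only greps the first), computes the reverse zone for an 8, 16 or 24 bit prefix instead of assuming a /24, and only then calls `samba-tool dns`. The DC names, domain and addresses are placeholders.

```shell
#!/bin/sh
# Pre-join DNS checklist for a new Samba AD DC: added example, not code from
# the thread. Run on the existing DC (dc1) before joining dc2. Assumes the
# `host` and `samba-tool` commands; names and addresses are placeholders.
# Read `host` output on stdin and succeed only if a usable answer came back.
# `host` prints "not found" (NXDOMAIN) for a missing name but "has no X
# record" for a name that exists without that type, so grepping only for
# "not found" misses the second case.
dns_answer_ok() {   # $1 = record type
    if grep -Eiq "not found|has no ${1} record|timed out|SERVFAIL"; then
        return 1
    fi
    return 0
}

# Reverse zone and PTR label for an IPv4 address on an 8, 16 or 24 bit prefix
# (the script above hard-codes a /24).
reverse_zone() {   # $1 = dotted IPv4, $2 = prefix length
    echo "$1" | awk -F. -v n=$(( $2 / 8 )) \
        '{ s = ""; for (i = n; i >= 1; i--) s = s $i "."; print s "in-addr.arpa" }'
}
ptr_label() {      # $1 = dotted IPv4, $2 = prefix length
    echo "$1" | awk -F. -v n=$(( $2 / 8 )) \
        '{ s = ""; for (i = 4; i > n; i--) s = s (s == "" ? "" : ".") $i; print s }'
}

# Create the new DC's A and PTR records on the existing DC if absent, so the
# join (--dns-backend=BIND9_DLZ --server=dc1...) finds them already in AD.
precreate_dc_records() {   # $1 existing DC FQDN, $2 domain, $3 new DC name, $4 IP, $5 prefix
    zone=$(reverse_zone "$4" "$5")
    label=$(ptr_label "$4" "$5")
    if host -t A "$3.$2." | dns_answer_ok A; then
        echo "A record for $3.$2 already present"
    else
        samba-tool dns add "$1" "$2" "$3" A "$4" -U Administrator || return 1
    fi
    if ! host -t SOA "$zone." | dns_answer_ok SOA; then
        samba-tool dns zonecreate "$1" "$zone" -U Administrator || return 1
    fi
    if ! host -t PTR "$label.$zone." | dns_answer_ok PTR; then
        samba-tool dns add "$1" "$zone" "$label" PTR "$3.$2" -U Administrator || return 1
    fi
    # SRV records the new DC needs in order to locate the domain at all
    for srv in _ldap._tcp _kerberos._udp; do
        host -t SRV "$srv.$2." | dns_answer_ok SRV || echo "WARNING: $srv.$2 has no SRV record"
    done
}

# Usage: sh precreate_dc_dns.sh dc1.samdom.example.com samdom.example.com dc2 192.168.1.2 24
if [ "$#" -eq 5 ]; then precreate_dc_records "$@"; fi
```

samba-tool prompts for the Administrator password rather than reading it from the script, so no credential has to be stored in the file.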
Rowland Penny
2015-Oct-23 12:42 UTC
[Samba] joining second DC to domain and non creation of DC DNS records
On 23/10/15 13:12, L.P.H. van Belle wrote:
>> You are missing the point as well, I joined the second DC and the new
>> DC's A record was *not* created. I tried to follow the instructions on
>> the Samba wiki but had problems and missed the fix on the webpage.
>>
>> I then removed the /usr/local/samba directory and re-ran 'make install'
>> and then joined the DC again, exactly as I did the first time and
>> everything worked as it should, all the CNAME records were created and I
>> didn't need to change anything other than what I would normally do i.e.
>> /etc/resolv.conf
>>
>> So, until the bug is fixed, I 'think' the cure is, add the new DC's A
>> record to AD before doing the join.
>>
>> Rowland
>
> [L.P.H. van Belle]
>
> This is an old bug, which has been handled by my scripts for some time now ;-)
>
> If you take this code and run it after install it's fixed.
>
> ################################
> #!/bin/bash
> SETDNSDOMAIN=`hostname -d`
> SETHOSTNAME=`hostname -s`
> BIND9_IP_ADDC=`hostname -i`
> SAMBA_NT_ADMIN="Administrator"
> SAMBA_NT_ADMIN_PASS="PUT_YOUR_ADMINISTRATOR_PASSWORD_HERE"
>
> ## check if the needed dns entries for kerberos are there.
> if [ -z "`host -t SRV _ldap._tcp.${SETDNSDOMAIN}. | grep 'not found'`" ]; then
>     echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : ok"
>     TEST1=0
> else
>     echo "testing of : host -t SRV _ldap._tcp.${SETDNSDOMAIN}. : FAILED"
>     TEST1=1
> fi
> if [ -z "`host -t SRV _kerberos._udp.${SETDNSDOMAIN}. | grep "not found" `" ]; then
>     echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : ok";
>     TEST2=0;
> else
>     echo "testing of : host -t SRV _kerberos._udp.${SETDNSDOMAIN}. : FAILED";
>     TEST2=1;
> fi
> if [ -z "`host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. | grep "not found" `" ]; then
>     echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : ok";
>     TEST3=0;
> else
>     echo "testing of : host -t A ${SETHOSTNAME}.${SETDNSDOMAIN}. : FAILED";
>     echo "trying to fix it now: ";
>     echo ${SAMBA_NT_ADMIN_PASS}| samba-tool dns add ${SETHOSTNAME}.${SETDNSDOMAIN} ${SETDNSDOMAIN} ${SETHOSTNAME} A ${BIND9_IP_ADDC} -U${SAMBA_NT_ADMIN};
> fi
>
> ######### Add reverse DNS zone to samba ( a must ! )
>
> REVERSEZONE=`echo $BIND9_IP_ADDC | awk 'BEGIN { FS = "." } ; { print $3"."$2"."$1}'`
> SINGLEDC1IPNUMBER=`echo $BIND9_IP_ADDC | rev | cut -d"." -f1 | rev`
> echo "creating reverse zone: ${REVERSEZONE}.in-addr.arpa "
> echo ${SAMBA_NT_ADMIN_PASS}| samba-tool dns zonecreate ${SETHOSTNAME}.${SETDNSDOMAIN} ${REVERSEZONE}.in-addr.arpa -U${SAMBA_NT_ADMIN}
> sleep 2
> echo "adding : ${SETHOSTNAME}.${SETDNSDOMAIN} in reverse zone ( creating PTR ) "
> echo -n "PTR of ${SETHOSTNAME}.${SETDNSDOMAIN} : "
> echo ${SAMBA_NT_ADMIN_PASS}| samba-tool dns add ${SETHOSTNAME}.${SETDNSDOMAIN} ${REVERSEZONE}.in-addr.arpa ${SINGLEDC1IPNUMBER} PTR ${SETHOSTNAME}.${SETDNSDOMAIN} -U${SAMBA_NT_ADMIN}
> ################################

Hi Louis, the first thing I knew of my problem was when I tried to test for 'host -t SRV _ldap._tcp.samdom.example.com.'
It didn't exist, so I tested for the hostname 'host -t A dc2.samdom.example.com.' and this didn't exist, this is where I went looking for help from the wiki.

Tried what it suggested until I couldn't get Samba to re-create 'dns-dc2', *totally missed the wiki cure*. Removed /usr/local/samba and re-ran 'make install' and started again, thinking I had messed up somehow.

So from the old install, all that was left was the DNS A record for 'dc2.samdom.example.com' in AD on dc1, I then re-ran the join, it deleted and recreated some records and when I tested the DNS records again they worked, something that didn't before the join.

I know it worked with 4.1.9 because this was the version I used when I last set up my test domain. So it would seem that somewhere between 4.1.9 and 4.3.1, something changed, but I don't know what.

Rowland
L.P.H. van Belle
2015-Oct-23 13:13 UTC
[Samba] joining second DC to domain and non creation of DC DNS records
Hai Rowland,

Ok, that's good to know, I'll go test also next week on 4.3.1 and see what my scripts tell me.
I'll recreate a deb package for 4.3.1, so I can test the same way as always.
I'll let you know.

Greetz,

Louis

>> ################################
>
> Hi Louis, the first thing I knew of my problem was when I tried to test
> for 'host -t SRV _ldap._tcp.samdom.example.com.'
> It didn't exist, so I tested for the hostname 'host -t A
> dc2.samdom.example.com.' and this didn't exist, this is where I went
> looking for help from the wiki.
>
> Tried what it suggested until I couldn't get Samba to re-create
> 'dns-dc2', *totally missed the wiki cure*. Removed /usr/local/samba and
> re-ran 'make install' and started again, thinking I had messed up somehow.
>
> So from the old install, all that was left was the DNS A record for
> 'dc2.samdom.example.com' in AD on dc1, I then re-ran the join, it
> deleted and recreated some records and when I tested the DNS records
> again they worked, something that didn't before the join.
>
> I know it worked with 4.1.9 because this was the version I used when I
> last set up my test domain. So it would seem that somewhere between 4.1.9
> and 4.3.1, something changed, but I don't know what.
>
> Rowland