Rowland Penny
2015-Dec-01 16:27 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
On 01/12/15 16:02, Jonathan S. Fisher wrote:> Well I got one step farther... > > hostname -d and hostname -f now work correctly if I add this line to > /etc/hosts > > /etc/hosts > 127.0.0.1 localhost > 127.0.1.1 freeradius.windows.corp.springventuregroup.com > <http://freeradius.windows.corp.springventuregroup.com> freeradius > > But same error on the rpc command. It's still asking DNS for > "_ldap._tcp.pdc._msdcs.WINDOWS" not > "_ldap._tcp.pdc._msdcs.WINDOWS.CORP.XXX.COM > <http://msdcs.WINDOWS.CORP.XXX.COM>" > > Can you do a tcpdump on yours and see what the desired behavior is? I > used this command: "sudo tcpdump-vvv -s 0 -l -n port 53 -w dns.pcap". > Start the dump, then run "sudo net rpc info -Uadministrator" > >If you are using 127.0.1.1 in etc/hosts on Ubuntu, then you are using dnsmasq. If you are using dnsmasq, then it is unlikely your dns setup will find the DC Just a thought, is there a DNS server running on the AD DC ? There should be and your client should be using this as its DNS server, AD lives and dies on DNS. There shouldn't be a dns server running on your domain member, it should be using the AD dns server. Rowland
Jonathan S. Fisher
2015-Dec-01 16:36 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
Checked with the network guy... yes, the main DNS is indeed dnsmasq. He has a delegation though, so any query for WINDOWS.corp.XXX.com winds up going to the correct place:

domain=/windows.corp.XXX.com/192.168.127.141
domain=/windows.corp.XXX.com/192.168.112.4

The DCs (192.168.127.141, 192.168.112.4) are indeed running DNS (I can dig at them). Would it just be easier to make this host have a static IP? If so, what settings does samba need for DNS?

Here's the other files as requested:

/etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 192.168.127.129
search windows.corp.xxx.com

/etc/krb5.conf
[libdefaults]
default_realm = WINDOWS.CORP.XXX.COM

/etc/samba/smb.conf
[global]
netbios name=freeradius
security=ADS
workgroup=WINDOWS
realm=WINDOWS.CORP.XXX.COM
local master=no

log file=/var/log/samba/%m.log
log level=3

dedicated keytab file=/etc/krb5.keytab
kerberos method=secrets and keytab
winbind refresh tickets=yes

winbind trusted domains only=no
winbind enum users=yes
winbind enum groups=yes
winbind nested groups=yes

load printers=no
template shell=/bin/false

idmap config WINDOWS:backend=autorid
idmap config WINDOWS:range=10000-99999

--
Email Confidentiality Notice: The information contained in this transmission is confidential, proprietary or privileged and may be subject to protection under the law, including the Health Insurance Portability and Accountability Act (HIPAA). The message is intended for the sole use of the individual or entity to whom it is addressed. If you are not the intended recipient, you are notified that any use, distribution or copying of the message is strictly prohibited and may subject you to criminal or civil penalties. If you received this transmission in error, please contact the sender immediately by replying to this email and delete the material from any computer.
Jonathan S. Fisher
2015-Dec-01 16:45 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
Rowland, any chance you could do the packet capture I described? It's really bothering me. Thank you!
Rowland Penny
2015-Dec-01 16:46 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
On 01/12/15 16:36, Jonathan S. Fisher wrote:
> Checked with the network guy... yes, the main DNS is indeed dnsmasq.
> He has a delegation though, so any query for WINDOWS.corp.XXX.com
> winds up going to the correct place:

Why, in your deity's name, why?????

> domain=/windows.corp.XXX.com/192.168.127.141
> domain=/windows.corp.XXX.com/192.168.112.4
>
> The DCs (192.168.127.141, 192.168.112.4) are indeed running DNS (I
> can dig at them). Would it just be easier to make this host have a
> static IP? If so, what settings does samba need for DNS?
>
> Here's the other files as requested:
>
> /etc/resolv.conf
> # Dynamic resolv.conf(5) file for glibc resolver(3) generated by
> resolvconf(8)
> # DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
> nameserver 192.168.127.129

Replace '192.168.127.129' with '192.168.127.141' # i.e. one of your DCs

Mind you, until you get 'hostname -f' to return your FQDN, it will not work correctly.

Rowland
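The checks Rowland is walking through by hand (resolver must point at an AD DC, the search domain and hostname -f must be inside the realm, and the SRV names `net` then has to resolve are built from the realm, not the workgroup) can be scripted. The following is an added example written for this thread, not code from the Samba project or from either poster. The function names, the constructed sample files and the DC address list are assumptions; the addresses and config values are taken from the files Jonathan posted above, with the FQDN adjusted to the same redacted realm. It only parses configuration; it does not talk to any DNS server.

```python
"""Offline sanity check of a Samba AD domain member's name-resolution setup.

Added example for this thread (not Samba's own code). It checks smb.conf and
resolv.conf against the rules given in the thread and derives the SRV names a
member must be able to resolve. Constructed inputs live at the bottom.
"""
import re


def parse_smb_global(text):
    """Return the [global] key/value pairs of an smb.conf, keys lower-cased."""
    section, out = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            out[" ".join(key.split()).lower()] = value.strip()
    return out


def parse_resolv_conf(text):
    """Return (nameservers, search_domains) from a resolv.conf body."""
    nameservers, search = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "nameserver":
            nameservers.extend(parts[1:])
        elif parts[0] in ("search", "domain"):
            search.extend(p.lower() for p in parts[1:])
    return nameservers, search


def expected_srv_names(realm):
    """SRV records a member queries to locate the PDC emulator, any DC and a KDC.

    They are built from the realm (the DNS domain), which is why a client that
    asks for _ldap._tcp.pdc._msdcs.<WORKGROUP> will never get an answer.
    """
    r = realm.lower()
    return [f"_ldap._tcp.pdc._msdcs.{r}", f"_ldap._tcp.dc._msdcs.{r}",
            f"_kerberos._tcp.{r}"]


def check_member(smb_conf, resolv_conf, fqdn, dc_addresses):
    """Return a list of problems found; an empty list means the setup looks sane."""
    g = parse_smb_global(smb_conf)
    problems = []
    realm = g.get("realm", "").lower()
    workgroup = g.get("workgroup", "").lower()
    if not realm:
        problems.append("smb.conf: no 'realm' in [global]")
    if g.get("security", "").lower() != "ads":
        problems.append("smb.conf: security is not ADS")
    if realm and workgroup == realm:
        problems.append("smb.conf: workgroup should be the short domain name, not the realm")
    nameservers, search = parse_resolv_conf(resolv_conf)
    if not nameservers:
        problems.append("resolv.conf: no nameserver")
    for ns in nameservers:  # every resolver the member uses must be an AD DC
        if ns not in dc_addresses:
            problems.append(f"resolv.conf: nameserver {ns} is not an AD DC")
    if realm and realm not in search:
        problems.append(f"resolv.conf: search list does not contain {realm}")
    _host, _, domain = fqdn.lower().partition(".")
    if not domain:  # what 'hostname -f' returns must be a real FQDN
        problems.append(f"hostname -f returned short name '{fqdn}', not an FQDN")
    elif realm and domain != realm:
        problems.append(f"FQDN domain '{domain}' does not match realm '{realm}'")
    return problems


# Constructed sample inputs, values taken from the files posted in the thread.
SMB_CONF = """[global]
netbios name=freeradius
security=ADS
workgroup=WINDOWS
realm=WINDOWS.CORP.XXX.COM
idmap config WINDOWS:backend=autorid
idmap config WINDOWS:range=10000-99999
"""
RESOLV_CONF_AS_POSTED = "nameserver 192.168.127.129\nsearch windows.corp.xxx.com\n"
RESOLV_CONF_FIXED = "nameserver 192.168.127.141\nsearch windows.corp.xxx.com\n"
DC_ADDRESSES = ["192.168.127.141", "192.168.112.4"]  # the two DCs from the thread
FQDN = "freeradius.windows.corp.xxx.com"  # assumed output of 'hostname -f'

if __name__ == "__main__":
    for name, conf in (("as posted", RESOLV_CONF_AS_POSTED), ("fixed", RESOLV_CONF_FIXED)):
        print(name, check_member(SMB_CONF, conf, FQDN, DC_ADDRESSES) or "OK")
    print("SRV names to test with dig:", expected_srv_names("WINDOWS.CORP.XXX.COM"))
```

Run against the posted files it reports only the nameserver problem Rowland points out; with 192.168.127.141 as nameserver it reports nothing. The printed SRV names are the ones to query with `dig @<DC>` once the resolver points at a DC.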
Jonathan S. Fisher
2015-Dec-01 17:27 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
> It isn't running, one of the first things I do when setting up a new DC is
> to remove nscd if it is installed.

Ah ok... well this isn't a DC, just a member... is NSCD ok to run as a member? Otherwise I can remove it.

> you get a caching dnsmasq server as standard

Not on ubuntu server... There is no dnsmasq package installed nor is it in ps -ef

> If you have to have that 127.0.1.1 line in /etc/hosts, you have dns
> problems.

I'll try to figure out how to get the client to have a FQDN without the line in /etc/hosts

I really am starting to hate Active Directory...

On Tue, Dec 1, 2015 at 11:22 AM, Rowland Penny <rowlandpenny241155 at gmail.com> wrote:
> On 01/12/15 17:09, Jonathan S. Fisher wrote:
>> So your client did no DNS lookups?? That's crazy. Could they be cached?
>> (Can you disable nscd if you have it running and try again?)
>
> It isn't running, one of the first things I do when setting up a new DC is
> to remove nscd if it is installed.
>
>>> Why, in your deity's name, why?????
>> I'm starting my own caliphate. Seems to be all the rage these days.
>>
>> Dnsmasq isn't running locally... it's the main DNS server at
>> 192.168.127.129. At one time I guess we were running Bind, but he switched
>> to dnsmasq for simplicity. If there's a legit reason why Windows needs to
>> handle 100% of the DNS and DHCP for the network... well that's a little
>> scary of a thought. Are these things in no way interoperable?
>
> On Ubuntu, you get a caching dnsmasq server as standard, this is
> controlled by Network Manager, this shouldn't be running on an AD client
> (note this is only from my experience, it seems to interfere with AD dns).
>
> DHCP doesn't need to be running on the DC, but it needs to give your
> client the required info, see my previous post for what mine sends.
> Your AD clients need to use your AD DCs as their DNS servers, anything
> your DCs don't know about i.e. google should be forwarded to a DNS server
> that does i.e. your dnsmasq machine
>
> Your problem isn't that net is using the workgroup name, it is that your
> machine doesn't seem to know who it is and where the DCs are :-)
>
>>> Mind you, until you get 'hostname -f' to return your FQDN, it will not
>>> work correctly.
>> Well this "works" right now with what I put into /etc/hosts. Are you
>> saying it has to work purely from dhcp?
>
> If you have to have that 127.0.1.1 line in /etc/hosts, you have dns
> problems.
>
> Rowland
Rowland Penny
2015-Dec-01 18:12 UTC
[Samba] After joining domain, Samba uses the workgroup name, not the FQDN when running the net ads command
On 01/12/15 17:27, Jonathan S. Fisher wrote:
>> It isn't running, one of the first things I do when setting up a new DC is
>> to remove nscd if it is installed.
> Ah ok... well this isn't a DC, just a member... is NSCD ok to run as a
> member? Otherwise I can remove it.

I would remove it, everything dns wise should come from an AD DC

>> you get a caching dnsmasq server as standard
> Not on ubuntu server... There is no dnsmasq package installed nor is it in
> ps -ef

Ah, so no GUI then, ok in this case you probably won't have Network Manager installed either.

>> If you have to have that 127.0.1.1 line in /etc/hosts, you have dns
>> problems.
> I'll try to figure out how to get the client to have a FQDN without the
> line in /etc/hosts

If this machine is going to be a fileserver, you would probably be better using a fixed ip, but if you are going to have other Unix domain members using dhcp, you need to sort this problem.

> I really am starting to hate Active Directory...

I just hate microsoft, it cuts out the middle man :-D

Rowland