samba - Jul 2018 - Can login but can't add a machine to AD.

I'm finally moving to ad, after way way too long. I did the classic 
upgrade, and my existing PC's all can log in fine. I can make new user 
accounts, and log in on those machines fine. My ddns (with bindz) seems 
to be working, and I do see

new ip addresses pop up in there.

The problem is I can't add a new Windows machine to the domain. When I 
trying joining the domain from Windows 10, I get


"The following domain  controllers were identified by the query:

dc1.junglevision.junglevision.com

However no domain controllers could be contacted.


I can telnet to dc1.junglevision.junglevision.com 389 and I see 
something connect. And I'll see samba logs when this happens. When I try 
to join, nothing shows up in log.samba.

I've tried monkeying with firewall settings, but I don't think it's 
that, but maybe I'm missing something? I do notice that 
junglevision.junglevision.com and dc1.junglevision.junglevision.com are 
now resolving to both ip's. Is this bad?



[root at junglevision etc]# cat hosts
127.0.0.1   localhost
192.168.1.145 dc1.junglevision.junglevision.com
50.79.209.145 junglevision.junglevision.com
50.79.209.145 junglevision
[root at junglevision etc]# cat resolv.conf
# Generated by NetworkManager
domain junglevision.junglevision.com
search junglevision.com junglevision.junglevision.com
nameserver 50.79.209.145
nameserver 50.79.209.146
[root at junglevision etc]# cat samba/smb.conf
# Global parameters
[global]
     netbios name = JUNGLEVISION
     realm = JUNGLEVISION.JUNGLEVISION.COM
     server role = active directory domain controller
     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, 
winbindd, ntp_signd, kcc, dnsupdate
     workgroup = JUNGLEVISION
     idmap_ldb:use rfc2307 = yes
     template shell = /bin/bash
     template homedir = /home/%U
     hosts allow = 127.0.0.0/8 50.79.209.144/28 192.168.1.0/24
     hosts deny = 0.0.0.0/0
     interfaces = 50.79.209.145/28 127.0.0.1/8 192.168.1.145/24
     bind interfaces only = yes
     log level = 5


[netlogon]
     path = /var/lib/samba/sysvol/junglevision.junglevision.com/scripts
     read only = No

[sysvol]
     path = /var/lib/samba/sysvol
     read only = No

[root at junglevision etc]# cat krb5.conf
[libdefaults]
     default_realm = JUNGLEVISION.JUNGLEVISION.COM
     dns_lookup_realm = false
     dns_lookup_kdc = true

See inline comments

On Sat, 21 Jul 2018 00:51:51 -0700
Cathryn Mataga via samba <samba at lists.samba.org> wrote:
> I'm finally moving to ad, after way way too long. I did the classic 
> upgrade, and my existing PC's all can log in fine. I can make new
> user accounts, and log in on those machines fine. My ddns (with
> bindz) seems to be working, and I do see
> 
> new ip addresses pop up in there.
> 
> The problem is I can't add a new Windows machine to the domain. When
> I trying joining the domain from Windows 10, I get
> 
> 
> "The following domain  controllers were identified by the query:
> 
> dc1.junglevision.junglevision.com
> 
> However no domain controllers could be contacted.
> 
> 
> I can telnet to dc1.junglevision.junglevision.com 389 and I see 
> something connect. And I'll see samba logs when this happens. When I
> try to join, nothing shows up in log.samba.
> 
> I've tried monkeying with firewall settings, but I don't think
it's
> that, but maybe I'm missing something? I do notice that 
> junglevision.junglevision.com and dc1.junglevision.junglevision.com
> are now resolving to both ip's. Is this bad?
> 
> 
> 
> [root at junglevision etc]# cat hosts
> 127.0.0.1   localhost
> 192.168.1.145 dc1.junglevision.junglevision.com
> 50.79.209.145 junglevision.junglevision.com
> 50.79.209.145 junglevision
What the heck is that all about ?
What is '50.79.209.145' and why is it pointing to your dns domain and
your workgroup ?
Or to put it another way, remove them.
> [root at junglevision etc]# cat resolv.conf
> # Generated by NetworkManager
> domain junglevision.junglevision.com
> search junglevision.com junglevision.junglevision.com
> nameserver 50.79.209.145
> nameserver 50.79.209.146
This is a DC, so it should be:

search junglevision.junglevision.com
nameserver 192.168.0.145
> [root at junglevision etc]# cat samba/smb.conf
> # Global parameters
> [global]
>      netbios name = JUNGLEVISION
>      realm = JUNGLEVISION.JUNGLEVISION.COM
>      server role = active directory domain controller
>      server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>      workgroup = JUNGLEVISION
And there is a BIG problem, if the short hostname is
'dc1' (see /etc/hosts), why is the 'netbios name' JUNGLEVISION ?
also
it is the same as the 'workgroup' name, this is not allowed.

Rowland