samba - Aug 2019 - Problems joining Samba 4 in the domain

Hi,

I have restarted, but it didn't solve the problem.

/etc/init.d/samba-ad-dc status
  samba-ad-dc.service - Samba AD Daemon
   Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled; vendor
preset: enabled)
   Active: active (running) since Mon 2019-08-12 15:32:18 -03; 9s ago
     Docs: man:samba(8)
           man:samba(7)
           man:smb.conf(5)
 Main PID: 575 (samba)
   Status: "smbd: ready to serve connections..."
    Tasks: 22 (limit: 4915)
   CGroup: /system.slice/samba-ad-dc.service
           ??575 /usr/sbin/samba
           ??634 /usr/sbin/samba
           ??635 /usr/sbin/samba
           ??636 /usr/sbin/samba
           ??637 /usr/sbin/smbd -D --option=server role check:inhibit=yes
--foreground
           ??638 /usr/sbin/samba
           ??639 /usr/sbin/samba
           ??640 /usr/sbin/samba
           ??641 /usr/sbin/samba
           ??642 /usr/sbin/samba
           ??643 /usr/sbin/samba
           ??644 /usr/sbin/samba
           ??645 /usr/sbin/samba
           ??646 /usr/sbin/samba
           ??647 /usr/sbin/winbindd -D --option=server role
check:inhibit=yes --foreground
           ??648 /usr/sbin/samba
           ??653 /usr/sbin/winbindd -D --option=server role
check:inhibit=yes --foreground
           ??654 /usr/sbin/smbd -D --option=server role check:inhibit=yes
--foreground
           ??655 /usr/sbin/smbd -D --option=server role check:inhibit=yes
--foreground
           ??658 /usr/sbin/winbindd -D --option=server role
check:inhibit=yes --foreground
           ??659 /usr/sbin/winbindd -D --option=server role
check:inhibit=yes --foreground
           ??660 /usr/sbin/smbd -D --option=server role check:inhibit=yes
--foreground

ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.359025,  0]
../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
ago 12 15:32:21 samba4-new-dc samba[646]:   /usr/sbin/samba_dnsupdate:
NTLMSSP Sign/Seal - Initialising with flags:
ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.359054,  0]
../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
ago 12 15:32:21 samba4-new-dc samba[646]:   /usr/sbin/samba_dnsupdate: Got
NTLMSSP neg_flags=0x62088215
ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.362538,  0]
../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
ago 12 15:32:21 samba4-new-dc samba[646]:   /usr/sbin/samba_dnsupdate:
NTLMSSP Sign/Seal - Initialising with flags:
ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.362590,  0]
../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
ago 12 15:32:21 samba4-new-dc samba[646]:   /usr/sbin/samba_dnsupdate: Got
NTLMSSP neg_flags=0x62088215
ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.390860,  0]
../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
ago 12 15:32:21 samba4-new-dc samba[646]:   /usr/sbin/samba_dnsupdate:
ERROR: Record already exists


Follows my smb.conf:

cat /etc/samba/smb.conf
# Global parameters
[global]
netbios name = SAMBA4-NEW-DC
realm = EMPRESA.COM.BR
workgroup = EMPRESA
log level = 3
server role = active directory domain controller
    dns forwarder = 192.168.1.1 192.168.1.2
    dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool

[netlogon]
path = /var/lib/samba/sysvol/empresa.com.br/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No


Regards,

M?rcio Bacci

Em seg, 12 de ago de 2019 ?s 15:11, Rowland penny via samba <
samba at lists.samba.org> escreveu:
> On 12/08/2019 18:56, Marcio Demetrio Bacci wrote:
> > Hi,
> >
> > I have downgraded samba 4.7 (van-belle repository) to 4.5.16 from the
> > Debian 9 repository and was able to put it in the domain.
> >
> > root at samba4-new-dc:/etc/samba# samba -V
> > Version 4.5.16-Debian
> >
> > samba-tool domain join empresa.com.br <http://empresa.com.br> DC
-k
> > yes -d 3 --server=samba4-dc1.empresa.com.br
> > <http://samba4-dc1.empresa.com.br>
> >
> >
>
####################################################################################
>
> >
> >
> > However, I verified that the DNS records msdcs.empresa.com.br
> > <http://msdcs.empresa.com.br> and empresa.com.br
> > <http://empresa.com.br> (ldap, kerberos, gc, tcp, udp) were not
> > updated with the information of the new DC.
>
> Try restarting Samba, this should force samba_dnsupdate to run and
> hopefully fill in the gaps, if all else fails, reboot.
>
> Rowland
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Hi

As described in (
https://wiki.samba.org/index.php/Distribution-specific_Package_Installation)
I haven't installed the follows packages: libpam-winbind libnss-winbind
libpam-krb5

Can this be the problem?

M?rcio Bacci

Em seg, 12 de ago de 2019 ?s 15:42, Marcio Demetrio Bacci <
marciobacci at gmail.com> escreveu:
> Hi,
>
> I have restarted, but it didn't solve the problem.
>
> /etc/init.d/samba-ad-dc status
>   samba-ad-dc.service - Samba AD Daemon
>    Loaded: loaded (/lib/systemd/system/samba-ad-dc.service; enabled;
> vendor preset: enabled)
>    Active: active (running) since Mon 2019-08-12 15:32:18 -03; 9s ago
>      Docs: man:samba(8)
>            man:samba(7)
>            man:smb.conf(5)
>  Main PID: 575 (samba)
>    Status: "smbd: ready to serve connections..."
>     Tasks: 22 (limit: 4915)
>    CGroup: /system.slice/samba-ad-dc.service
>            ??575 /usr/sbin/samba
>            ??634 /usr/sbin/samba
>            ??635 /usr/sbin/samba
>            ??636 /usr/sbin/samba
>            ??637 /usr/sbin/smbd -D --option=server role check:inhibit=yes
> --foreground
>            ??638 /usr/sbin/samba
>            ??639 /usr/sbin/samba
>            ??640 /usr/sbin/samba
>            ??641 /usr/sbin/samba
>            ??642 /usr/sbin/samba
>            ??643 /usr/sbin/samba
>            ??644 /usr/sbin/samba
>            ??645 /usr/sbin/samba
>            ??646 /usr/sbin/samba
>            ??647 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>            ??648 /usr/sbin/samba
>            ??653 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>            ??654 /usr/sbin/smbd -D --option=server role check:inhibit=yes
> --foreground
>            ??655 /usr/sbin/smbd -D --option=server role check:inhibit=yes
> --foreground
>            ??658 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>            ??659 /usr/sbin/winbindd -D --option=server role
> check:inhibit=yes --foreground
>            ??660 /usr/sbin/smbd -D --option=server role check:inhibit=yes
> --foreground
>
> ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.359025,  0]
> ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> ago 12 15:32:21 samba4-new-dc samba[646]:   /usr/sbin/samba_dnsupdate:
> NTLMSSP Sign/Seal - Initialising with flags:
> ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.359054,  0]
> ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> ago 12 15:32:21 samba4-new-dc samba[646]:   /usr/sbin/samba_dnsupdate: Got
> NTLMSSP neg_flags=0x62088215
> ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.362538,  0]
> ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> ago 12 15:32:21 samba4-new-dc samba[646]:   /usr/sbin/samba_dnsupdate:
> NTLMSSP Sign/Seal - Initialising with flags:
> ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.362590,  0]
> ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> ago 12 15:32:21 samba4-new-dc samba[646]:   /usr/sbin/samba_dnsupdate: Got
> NTLMSSP neg_flags=0x62088215
> ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.390860,  0]
> ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> ago 12 15:32:21 samba4-new-dc samba[646]:   /usr/sbin/samba_dnsupdate:
> ERROR: Record already exists
>
>
> Follows my smb.conf:
>
> cat /etc/samba/smb.conf
> # Global parameters
> [global]
> netbios name = SAMBA4-NEW-DC
> realm = EMPRESA.COM.BR
> workgroup = EMPRESA
> log level = 3
> server role = active directory domain controller
>     dns forwarder = 192.168.1.1 192.168.1.2
>     dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>
> [netlogon]
> path = /var/lib/samba/sysvol/empresa.com.br/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
> Regards,
>
> M?rcio Bacci
>
> Em seg, 12 de ago de 2019 ?s 15:11, Rowland penny via samba <
> samba at lists.samba.org> escreveu:
>
>> On 12/08/2019 18:56, Marcio Demetrio Bacci wrote:
>> > Hi,
>> >
>> > I have downgraded samba 4.7 (van-belle repository) to 4.5.16 from
the
>> > Debian 9 repository and was able to put it in the domain.
>> >
>> > root at samba4-new-dc:/etc/samba# samba -V
>> > Version 4.5.16-Debian
>> >
>> > samba-tool domain join empresa.com.br
<http://empresa.com.br> DC -k
>> > yes -d 3 --server=samba4-dc1.empresa.com.br
>> > <http://samba4-dc1.empresa.com.br>
>> >
>> >
>>
####################################################################################
>>
>> >
>> >
>> > However, I verified that the DNS records msdcs.empresa.com.br
>> > <http://msdcs.empresa.com.br> and empresa.com.br
>> > <http://empresa.com.br> (ldap, kerberos, gc, tcp, udp) were
not
>> > updated with the information of the new DC.
>>
>> Try restarting Samba, this should force samba_dnsupdate to run and
>> hopefully fill in the gaps, if all else fails, reboot.
>>
>> Rowland
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>

On 12/08/2019 19:42, Marcio Demetrio Bacci wrote:
> Hi,
>
> I have restarted, but it didn't solve the problem.
>
>
> ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.359025, 
> ?0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> ago 12 15:32:21 samba4-new-dc samba[646]: /usr/sbin/samba_dnsupdate: 
> NTLMSSP Sign/Seal - Initialising with flags:
> ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.359054, 
> ?0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> ago 12 15:32:21 samba4-new-dc samba[646]: /usr/sbin/samba_dnsupdate: 
> Got NTLMSSP neg_flags=0x62088215
> ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.362538, 
> ?0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> ago 12 15:32:21 samba4-new-dc samba[646]: /usr/sbin/samba_dnsupdate: 
> NTLMSSP Sign/Seal - Initialising with flags:
> ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.362590, 
> ?0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> ago 12 15:32:21 samba4-new-dc samba[646]: /usr/sbin/samba_dnsupdate: 
> Got NTLMSSP neg_flags=0x62088215
> ago 12 15:32:21 samba4-new-dc samba[646]: [2019/08/12 15:32:21.390860, 
> ?0] ../lib/util/util_runcmd.c:316(samba_runcmd_io_handler)
> ago 12 15:32:21 samba4-new-dc samba[646]: /usr/sbin/samba_dnsupdate: 
> ERROR: Record already exists
>
The whole point behind 'samba_dnsupdate' is to check a list of records 
that should be in AD for a DC and create them if they do not exist, so 
how can trying to create a record that already exists be an error ?

I will check the python code and see I can work out what is going on.

Rowland

On 12/08/2019 19:52, Marcio Demetrio Bacci wrote:
> Hi
>
> As described in 
>
(https://wiki.samba.org/index.php/Distribution-specific_Package_Installation)
> I haven't installed the follows packages: libpam-winbind 
> libnss-winbind libpam-krb5
> Can this be the problem?
No, they are the packages required (along with /etc/nsswitch.conf mods) 
to make 'getent' work and are not required on a DC.

Rowland