I'm sorry, after double-checking Louis's link I've found that the domain zone should be domain-wide, while the _msdcs stuff should be forest wide. I'll change it and try again. Apologies.

>>>>> # samba-tool dns zonelist 172.26.1.81
>>>>> Password for [administrator at domain.com]:
>>>>> 2 zone(s) found
>>>>>
>>>>> pszZoneName : _msdcs.domain.com
>>>>> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>>>> ZoneType : DNS_ZONE_TYPE_PRIMARY
>>>>> Version : 50
>>>>> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>>>>> pszDpFqdn : ForestDnsZones.domain.com
>>>>>
>>>>> pszZoneName : domain.com
>>>>> Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>>>> ZoneType : DNS_ZONE_TYPE_PRIMARY
>>>>> Version : 50
>>>>> dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
>>>>> pszDpFqdn : ForestDnsZones.domain.com
>>>>>
>>>> I have three zones, one being the reverse zone, but my domain zone is this:
>>>>   pszZoneName : samdom.example.com
>>>>   Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>>>>   ZoneType : DNS_ZONE_TYPE_PRIMARY
>>>>   Version : 50
>>>>   dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>>>>   pszDpFqdn : DomainDnsZones.samdom.example.com
>>>> Notice the difference in the last line.
>>> I see the difference. I guess it's b/c you didn't upgrade the zone to
>>> forest-wide. Should I revert my zones to be domain-wide?
>>>
>> Alex, mine is correct, yours is wrong.

> Rowland, I really appreciate your help and you're probably right. But could you
> please shed some light on why yours is correct (or why mine is not)? At this
> moment, my AD is fully functional, no issues at all.

> In my humble opinion, this looks more like a bug in Samba joining procedure, b/c
> it should work well with the existing AD configuration. However, it doesn't.

>> I could probably dump a list of dns DN's if needed.

> Yes, please do.

--
Best regards,
Alex

Alex
Rowland,

Just to confirm: after changing the zone to a domain-wide, Samba has successfully performed the join.

Samba daemon has also started well, but printed these errors in the log:

[2020/02/12 13:03:34.097665, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
[2020/02/12 13:03:34.169520, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: update failed: REFUSED
[2020/02/12 13:03:41.624259, 0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
  dnsupdate_nameupdate_done: Failed DNS update with exit code 2

Is there anything I should worry about? According to some posts, this seems to be expected for SAMBA_INTERNAL backend. Can you confirm pls?

Anyway, thank you for your help very much!

> I'm sorry, after double-checking Louis's link I've found that the domain
> zone should be domain-wide, while the _msdcs stuff should be forest wide. I'll
> change it and try again. Apologies.

--
Best regards,
Alex
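Added example, not part of any message in this thread and not Samba project code: a Python sketch that parses `samba-tool dns zonelist` output like the listings quoted above and reports zones whose directory partition differs from the layout the thread settles on (`_msdcs` zone forest-wide, domain zone domain-wide). The function names, the abridged sample text and the choice to skip reverse (`.arpa`) zones are assumptions made for this example.

```python
import re

# Constructed sample: the zonelist output quoted in the thread, abridged and
# with quote markers stripped; one Flags value is left wrapped as mail does.
SAMPLE = """\
2 zone(s) found

  pszZoneName   : _msdcs.domain.com
  Flags         : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  dwDpFlags     : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn     : ForestDnsZones.domain.com

  pszZoneName   : domain.com
  Flags         : DNS_RPC_ZONE_DSINTEGRATED
      DNS_RPC_ZONE_UPDATE_SECURE
  dwDpFlags     : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn     : ForestDnsZones.domain.com
"""

FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.*)$")

def parse_zonelist(text):
    """Return one dict per zone; wrapped value lines are re-joined."""
    zones, zone, last = [], None, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "pszZoneName":
            zone = {}
            zones.append(zone)
        if m and zone is not None:
            last = m.group(1)
            zone[last] = m.group(2).strip()
        elif line.strip() and last:
            zone[last] += " " + line.strip()   # continuation of a wrapped value
        else:
            last = None                        # blank line ends the record
    return zones

def misplaced_zones(zones):
    """Flag zones outside the partition the thread says they belong in
    (assumes a single-domain forest with only the default zones)."""
    findings = []
    for z in zones:
        name = z["pszZoneName"]
        if name.endswith(".arpa"):
            continue  # reverse zones: the thread does not say where they belong
        want = ("DNS_DP_FOREST_DEFAULT" if name.startswith("_msdcs.")
                else "DNS_DP_DOMAIN_DEFAULT")
        if want not in z.get("dwDpFlags", "").split():
            findings.append((name, want, z.get("pszDpFqdn", "")))
    return findings

if __name__ == "__main__":
    for name, want, dp in misplaced_zones(parse_zonelist(SAMPLE)):
        print(f"{name}: stored in {dp}, expected {want}")
```

On the sample it reports `domain.com` as stored in `ForestDnsZones.domain.com`, which is the difference pointed out in the thread before the join succeeded.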
Rowland penny
2020-Feb-12 10:20 UTC
[Samba] FW: samba_kcc issue after joining the domain as a DC
On 12/02/2020 10:16, Alex via samba wrote:
> Rowland,
>
> Just to confirm: after changing the zone to a domain-wide, Samba has
> successfully performed the join.
>
> Samba daemon has also started well, but printed these errors in the log:
> [2020/02/12 13:03:34.097665, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
> [2020/02/12 13:03:34.169520, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> /usr/local/samba/sbin/samba_dnsupdate: update failed: REFUSED
> [2020/02/12 13:03:41.624259, 0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
> dnsupdate_nameupdate_done: Failed DNS update with exit code 2
>
> Is there anything I should worry about? According to some posts, this seems to
> be expected for SAMBA_INTERNAL backend. Can you confirm pls?
>
> Anyway, thank you for your help very much!
>

What is in /etc/resolv.conf ?

It should be like this:

search <your dns domain>
nameserver <your DCs IP>

Rowland
L.P.H. van Belle
2020-Feb-12 10:32 UTC
[Samba] FW: samba_kcc issue after joining the domain as a DC
Failed DNS update with exit code 2 ...

Hmm, I don't know what exit code 2 is.. Rowland, you?

But as far as I know you can ignore them, however personally I would suggest to upgrade now to bind9_DLZ dns.
Much more flexible, only a bit more work to set up.

But what does:
/usr/local/samba/sbin/samba_dnsupdate -d10
Or:
/usr/local/samba/sbin/samba_dnsupdate --use-samba-tool -d10
tell you?

Show you because it's actively : REFUSED
So maybe the debug output tells a bit more.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Alex via samba
> Sent: Wednesday 12 February 2020 11:16
> To: Rowland penny
> CC: Alex
> Subject: Re: [Samba] FW: samba_kcc issue after joining the domain as a DC
>
> Rowland,
>
> Just to confirm: after changing the zone to a domain-wide, Samba has
> successfully performed the join.
>
> Samba daemon has also started well, but printed these errors in the log:
> [2020/02/12 13:03:34.097665, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
> [2020/02/12 13:03:34.169520, 0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
> /usr/local/samba/sbin/samba_dnsupdate: update failed: REFUSED
> [2020/02/12 13:03:41.624259, 0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
> dnsupdate_nameupdate_done: Failed DNS update with exit code 2
>
> Is there anything I should worry about? According to some posts, this seems to
> be expected for SAMBA_INTERNAL backend. Can you confirm pls?
>
> Anyway, thank you for your help very much!
Rowland penny
2020-Feb-12 11:58 UTC
[Samba] FW: samba_kcc issue after joining the domain as a DC
On 12/02/2020 11:43, Alex wrote:
> You're right. NetworkManager changed things back. Fixed now and no more TSIG
> errors. Thank you!
>
> PS It appeared that Samba didn't have dns service enabled in smb.conf
> by default for SAMBA_INTERNAL backend. Is there a reason for that?

Did it have a 'server services' line in smb.conf, if it didn't, then all the various services are enabled by default. If it did have a 'server services' line and 'dns' isn't there, then this usually only happens when '--dns-backend=BIND9_DLZ' is provided on the samba-tool command.

>
> PPS It would be great to add the requirement of a time server to the
> Samba AD DC wiki.
>

Sigh, it is mentioned on the provision page, but not on the join page, I will fix this.

Thanks for pointing this out ;-)

Rowland