samba - May 2020 - DNS names for AD joined samba server

I'm trying to figure out a puzzling thing that we are seeing with some
recently joined or re-joined samba servers.  Our linux servers are in a
different DNS domain than our AD machines (nwra.com or cora.nwra.com vs
ad.nwra.com for the AD machines).  Generally when we've joined a machine to
AD
the DNS name recorded in AD is their regular linux FQDN.  But a couple
machines have ended up with the "ad.nwra.com" domain.

In some way this is preferred as it allow for easier lookup of the appropriate
SPNs.  But I have no idea what is controlling this.  Could it possibly be a
change between 4.9.1-10.el7_7 and 4.10.4-10.el7 (but not in 4.10.4-101.el8_1) ?

Thanks,
  Orion


-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/

On 20/05/2020 19:29, Orion Poplawski via samba wrote:
> I'm trying to figure out a puzzling thing that we are seeing with some
> recently joined or re-joined samba servers.  Our linux servers are in a
> different DNS domain than our AD machines
Then they cannot join the domain.
>   (nwra.com or cora.nwra.com vs
> ad.nwra.com for the AD machines).  Generally when we've joined a
machine to AD
> the DNS name recorded in AD is their regular linux FQDN.
If this is happening, then we need to know just how you are doing the 
join, so we can open a bug report. All AD machines must be in the same 
DNS domain.
>    But a couple
> machines have ended up with the "ad.nwra.com" domain.
That is what is supposed to happen.
> In some way this is preferred as it allow for easier lookup of the
appropriate
> SPNs.  But I have no idea what is controlling this.  Could it possibly be a
> change between 4.9.1-10.el7_7 and 4.10.4-10.el7 (but not in
4.10.4-101.el8_1) ?
Doubt it, you seem to have found a bug, you shouldn't be able to join a 
machine if it isn't in the same dns domain.

Rowland

On 20/05/2020 Rowland penny wrote:
> On 20/05/2020 19:29, Orion Poplawski via samba wrote:
>> I'm trying to figure out a puzzling thing that we are seeing with
some
>> recently joined or re-joined samba servers.  Our linux servers are in a
>> different DNS domain than our AD machines
> Then they cannot join the domain.
Interesting.
>>   (nwra.com or cora.nwra.com vs
>> ad.nwra.com for the AD machines).  Generally when we've joined a
machine to AD
>> the DNS name recorded in AD is their regular linux FQDN.
> If this is happening, then we need to know just how you are doing the 
> join, so we can open a bug report. All AD machines must be in the same 
> DNS domain.
I'm doing:

# sudo net ads join -U DOMAINADMIN
Enter DOMAINADMIN's password:

Using short domain name -- NWRA

Joined 'STOR-BOULDER01' to dns domain 'ad.nwra.com'

DNS Update for stor-boulder01.cora.nwra.com failed: ERROR_DNS_GSS_ERROR

DNS update failed: NT_STATUS_UNSUCCESSFUL


[global]
        workgroup = NWRA
        security = ads
        realm = AD.NWRA.COM
        idmap config * : backend = tdb
        idmap config * : range = 1000000-1999999
        idmap config NWRA : backend = nss
        idmap config NWRA : range = 1000-999999
        winbind scan trusted domains = no
        preferred master = no

This machine ends up with a cora.nwra.com SPN as usual:

# kvno cifs/stor-boulder01.cora.nwra.com at AD.NWRA.COM
cifs/stor-boulder01.cora.nwra.com at AD.NWRA.COM: kvno = 5

>>    But a couple
>> machines have ended up with the "ad.nwra.com" domain.
> That is what is supposed to happen.
>> In some way this is preferred as it allow for easier lookup of the
appropriate
>> SPNs.  But I have no idea what is controlling this.  Could it possibly
be a
>> change between 4.9.1-10.el7_7 and 4.10.4-10.el7 (but not in
4.10.4-101.el8_1) ?
> 
> Doubt it, you seem to have found a bug, you shouldn't be able to join a
> machine if it isn't in the same dns domain.
> 
> Rowland
Happy to file a bug if needed.

Thanks,

  Orion


-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/