Patrick Goetz
2021-Nov-05 11:58 UTC
[Samba] Using samba-tool to join a linux file server to the domain doesn't appear to work
On 11/5/21 04:21, L.P.H. van Belle via samba wrote:
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Patrick Goetz via samba
>> Sent: Thursday 4 November 2021 17:55
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Using samba-tool to join a linux file server to the domain doesn't appear to work
>>
>> On 11/4/21 11:09, Rowland Penny via samba wrote:
>>> On Thu, 2021-11-04 at 11:00 -0500, Patrick Goetz via samba wrote:
>>>>
>>>> On 11/4/21 10:49, cn--- via samba wrote:
>>>>> On 04.11.21 at 16:43, Patrick Goetz via samba wrote:
>>>>>> While you're looking at this, would it be possible to add code to add a PTR record as well as the A record? This would match the behavior for Windows AD controllers.
>>>>>
>>>>> The default on Windows does not create the PTR. Usually you have to set up a GPO so that the clients update their PTR.
>>>>
>>>> I have no idea, but I checked with one of my colleagues who is a Windows guru/domain admin, and he insisted that both an A and PTR record are created for the domain member when you join the (Windows server) domain.
>>>
>>> He has probably inherited a domain that has a GPO set to do this (or something similar), Windows does not, out of the box, create reverse records.
>>
>> Several people have mentioned that this can be done via GPO, but I can't fathom what kind of GPO this would be. Where would it be applied? Is there a special GPO template for things like this?
>
> As said, make sure your servers have an A and PTR record.
> PCs, only an A record is sufficient, but if you need it, you can add the PTR by GPO.
>
>>>> The caveat to this is the AD domain at my university is an unbelievable mess that they've tinkered with for over a decade.
>>>
>>> You just described all places of learning, they all appear to be a mess, probably because all teachers think they know everything and usually know nothing.
>>>
>>>> Imagine a book written by 100 monkeys, each with their own typewriter with pages assembled by an inebriated octopus, and you won't be too far off.
>>>
>>> Sounds about right.
>>>
>>>>> I would also like this to happen automatically but by default the reverse zone is not created in a Samba AD. I don't know about Windows there but I doubt it's done there.
>>>
>>> Windows will work without a reverse zone, so it isn't created by default, but as they have found out, everything else that Windows works with will not.
>
> Small correction here, windows "does" attempt to register PTR records (by default).
>
> And yes, Windows will work without a reverse zone, but from a windows point of view, a reverse zone is often created after/at the DHCP setup.
>
> The main reason it's not created by default: no computer can determine the subnet.
> I can have my PCs in (*example) 192.168.1.0/16 while the servers use 192.168.0.0/24

Louis, I'm not following this. I can see how DHCP assignments can be an issue in a multi-subnet environment, but if I'm assigning a static IP address to the host:

atomsmasher.ea.linuxcs.com. IN A 192.168.1.82

the PTR record is just the reverse of that:

82.1.168.192.in-addr.arpa. IN PTR atomsmasher.ea.linuxcs.com

no subnets involved?

> But by default, DNS clients configured to perform dynamic DNS registration will attempt to register a PTR resource record only if they successfully registered the corresponding A resource record.
>
> It's in the default Windows template.
> https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.DNSClient::DNS_RegisterReverseLookup
>
> Simple way to verify if windows got all info correct.
> Run: CMD
> Type: ipconfig, look at these values, these must match with the primary dns domain of the AD-DC.
>
> Primary Dns Suffix . . . . . . . : your.primarydns.domain.tld <<< it's all about this one.
> DNS Suffix Search List. . . . . . : your.primarydns.domain.tld *
> Connection-specific DNS Suffix . : your.primarydns.domain.tld *
>
> That makes sure the A record gets in the right zone.
>
> (* these can be different, but I suggest you start here, complex enough already.)
>
> Greetz,
>
> Louis
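Patrick's point (the PTR owner name follows mechanically from the address) and Louis' point (which reverse zone that name belongs in depends on the prefix length, which the host cannot know) can both be made concrete. The following is an added example, not code from this thread or from Samba: it derives PTR names and reverse zone names with Python's standard `ipaddress` module and then audits a forward table against a reverse table, which is the check an administrator runs to find missing or stale PTR records. Only `atomsmasher.ea.linuxcs.com` / `192.168.1.82` comes from the thread; the other host names, addresses and the audit function are constructed for the example, and classless (RFC 2317) reverse delegations are deliberately not handled.

```python
"""Derive PTR names and reverse zones from addresses, and audit forward/reverse
DNS consistency. Added example for the samba list thread; every host and address
below except atomsmasher.ea.linuxcs.com / 192.168.1.82 is constructed."""
import ipaddress


def ptr_name(ip: str) -> str:
    """Owner name of the PTR record for an address, as an FQDN with trailing dot.
    Handles IPv4 (in-addr.arpa) and IPv6 (nibble form under ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone(network: str) -> str:
    """Name of the reverse zone that would hold PTR records for a prefix.
    This is the part a host cannot derive from its own address alone: the same
    address lands in 1.168.192.in-addr.arpa. for a /24 but in
    168.192.in-addr.arpa. for a /16. Octet-aligned IPv4 and nibble-aligned
    IPv6 prefixes only (simplification: no RFC 2317 classless delegation)."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones here must be /8, /16 or /24")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones here must be nibble aligned")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def in_zone(name: str, zone: str) -> bool:
    """True when an owner name lies inside a zone (both as dotted FQDNs)."""
    return name == zone or name.endswith("." + zone)


def audit(a_records: dict, ptr_records: dict) -> list:
    """Compare forward data (fqdn -> ip) with reverse data (ptr owner -> fqdn).
    Returns a sorted list of findings; an empty list means every A record has a
    matching PTR and every PTR points back at a host whose A record is that
    address. Stale PTRs are the usual leftovers when hosts are re-addressed."""
    findings = []
    for fqdn, ip in a_records.items():
        owner = ptr_name(ip)
        target = ptr_records.get(owner)
        if target is None:
            findings.append(f"missing PTR: {owner} should point to {fqdn}")
        elif target != fqdn:
            findings.append(f"PTR mismatch: {owner} points to {target}, "
                            f"but {ip} is the A record of {fqdn}")
    for owner, target in ptr_records.items():
        ip = a_records.get(target)
        if ip is None:
            findings.append(f"stale PTR: {owner} -> {target} has no A record")
        elif ptr_name(ip) != owner:
            findings.append(f"stale PTR: {owner} -> {target}, "
                            f"but the A record of {target} is {ip}")
    return sorted(findings)


# Constructed sample data (atomsmasher is the host quoted in the thread).
A_RECORDS = {
    "atomsmasher.ea.linuxcs.com.": "192.168.1.82",
    "fileserver.ea.linuxcs.com.": "192.168.1.10",   # constructed: has no PTR
}
PTR_RECORDS = {
    "82.1.168.192.in-addr.arpa.": "atomsmasher.ea.linuxcs.com.",
    "20.1.168.192.in-addr.arpa.": "oldbox.ea.linuxcs.com.",  # constructed: stale
}

if __name__ == "__main__":
    ip = A_RECORDS["atomsmasher.ea.linuxcs.com."]
    print("PTR owner:", ptr_name(ip))
    for prefix in ("192.168.1.0/24", "192.168.1.0/16"):
        zone = reverse_zone(prefix)
        print(f"{prefix:16} -> zone {zone} contains it: {in_zone(ptr_name(ip), zone)}")
    for finding in audit(A_RECORDS, PTR_RECORDS):
        print(finding)
```

Run it as a script to see both the per-prefix zone names and the two audit findings from the constructed tables. In practice the two dictionaries would be filled from a zone transfer or from `samba-tool dns query` output rather than typed in, but the consistency logic is the same.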
Peter Milesson
2021-Nov-08 16:09 UTC
[Samba] Using samba-tool to join a linux file server to the domain doesn't appear to work
On 2021-11-05 12:58, Patrick Goetz via samba wrote:
> On 11/5/21 04:21, L.P.H. van Belle via samba wrote:
>> On 11/4/21 11:09, Rowland Penny via samba wrote:
>>>> On Thu, 2021-11-04 at 11:00 -0500, Patrick Goetz via samba wrote:
>>>>> On 11/4/21 10:49, cn--- via samba wrote:
>

Hi folks,

A lot has been written about the problem of joining a domain using samba-tool. As Patrick described, I've got exactly the same behavior.

I've got a newly installed VM with Debian Bullseye with Louis' packages 4.15.1, and I have joined it to my domain. The AD is also Bullseye using Louis' packages 4.15.1 (upgraded from Buster to Bullseye with the standard Samba packages 4.13, and then to Louis' packages). The AD has been working without problems for more than 18 months.

Joining with samba-tool works, sort of, with a few error messages that some *.ldb files were not found, ending the command with domain successfully joined. Having a look with the Users and Computers administrative tool under Windows, the member server is registered in AD. There is, however, no DNS entry for the new member server.

The older command net ads join works to the point. The member server is registered both in AD and DNS.

I understand that it's a bit awkward getting a DNS registration, but not a PTR record. In a huge network it's certainly a great help. Personally, I can digest that I must set up a PTR record for the Linux box myself, as it's a very small network.

I'm grateful that this problem is under active discussion, otherwise I would probably have been tearing my hair, and using foul language. As an advanced user I'm not going to dig down too much in the Samba innards, and I'm satisfied that I can continue with configuration of the server.

Thanks to the developers for a great product, and the list moderators and members for really useful discussions!

Peter