On Tue, 2022-09-06 at 19:09 +0200, William Edwards wrote:
> > On 6 Sep 2022, at 19:04, Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> >
> > On Tue, 2022-09-06 at 18:53 +0200, William Edwards wrote:
> > > Rowland Penny via samba wrote on 2022-09-06 18:05:
> > > > > On Tue, 2022-09-06 at 17:19 +0200, William Edwards via samba wrote:
> > > > > > According to the documentation[1], I'm trying to join a
> > > > > > to-be DC to an existing domain with:
> > > > > > samba-tool domain join cyberfusion.cloud DC -k yes --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 yes'
> > > > What version of Samba are you using ? From 4.15.0 '-k yes' has
> > > > been replaced with '--use-kerberos=required', though the earlier
> > > > form should still work.
> > > > Does /etc/resolv.conf point to an existing AD DC ?
> > > > What OS is this ?
> > > > > With debug level 5, this fails with:
> > > > > finddcs: searching for a DC by DNS domain cyberfusion.cloud
> > > > > finddcs: looking for SRV records for _ldap._tcp.cyberfusion.cloud
> > > > > resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.cyberfusion.cloud<0x0>
> > > > > startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
> > > > > dns child failed to find name '_ldap._tcp.cyberfusion.cloud' of type SRV
> > > > > finddcs: Failed to find SRV record for _ldap._tcp.cyberfusion.cloud
> > > > > ERROR: Failed to find a writeable DC for domain 'cyberfusion.cloud': The object name is not found.
> > > > > File "/usr/lib/python3/dist-packages/samba/join.py", line 351, in find_dc
> > > > > ctx.cldap_ret = ctx.net.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
> > > > > However, the lookup actually succeeds. I tcpdumped on the
> > > > > existing DC that receives the DNS query, and on the to-be new
> > > > > DC. The SRV lookup succeeds, and Samba looks up the AAAA and A
> > > > > records for the hosts in the SRV RRSet. That also succeeds: the
> > > > > AAAA lookup returns the IPv6 addresses for the DCs, and the A
> > > > > lookups result in an empty RRSet, as this is an IPv6-only setup.
> > > > > I tried omitting --dns-backend and --option in the join command.
> > > > You do not need the dns one, it will be used by default and the
> > > > option makes samba use any uidNumber & gidNumber attributes found
> > > > in AD instead of the xidNumber attributes found in idmap.ldb.
> > > > > I also tried using a username & password instead of Kerberos
> > > > > after kinit. Getting a token with `kinit administrator`
> > > > > succeeds. That does not help.
> > > > > Searching for the error messages "dns child failed to find
> > > > > name" and "finddcs: Failed to find SRV record for" yielded a
> > > > > former post[2] on the mailing list, which suggests to set
> > > > > 'interfaces'. That does not help either.
> > > > > I hope someone has some pointers!
> > > > It sounds like a dns problem.
> > > As mentioned in my original email, tcpdump proves that the DNS
> > > result is expected and correct. Something must be going wrong in
> > > userland.
> > > > Rowland
> >
> > Would you please answer the questions that I asked.
>
> I did. I sent two emails in reply to yours. This is the second one.
> Please see my email from 18:46.
>

Sorry, yes I know, your second reply arrived after I sent my reply.

So, just to understand things, you are using Debian 10 and you are
trying to add a Debian 11 machine (this would mean 4.9.5 and 4.13.? if
using the standard distro packages)

I take it that /etc/resolv.conf points to another Samba AD DC and there
is nothing else using port 53. Provided that everything is set up
correctly, the join should work, whether IPv4 or IPv6 is used.

Rowland
On 9/6/22 12:29, Rowland Penny via samba wrote:
>
> Sorry, yes I know, your second reply arrived after I sent my reply.
>
> So, just to understand things, you are using Debian 10 and you are
> trying to add a Debian 11 machine (this would mean 4.9.5 and 4.13.? if
> using the standard distro packages)

He mentioned that he's not using the standard distro packages; likely using Louis' repo:

> What version of Samba are you using ?

The existing DCs run 4.15.7. The to-be DC runs 4.16.4.

> I take it that /etc/resolv.conf points to another Samba AD DC and there
> is nothing else using port 53. Provided that everything is set up
> correctly, the join should work, whether IPv4 or IPv6 is used.
>
> Rowland
Hi Rowland,

Rowland Penny via samba wrote on 2022-09-06 19:29:
>> > > > Rowland
>> >
>> > Would you please answer the questions that I asked.
>>
>> I did. I sent two emails in reply to yours. This is the second one.
>> Please see my email from 18:46.
>>
>
> Sorry, yes I know, your second reply arrived after I sent my reply.

Ah, it arrived here already. Sorry.

> So, just to understand things, you are using Debian 10 and you are
> trying to add a Debian 11 machine

Correct.

> (this would mean 4.9.5 and 4.13.? if
> using the standard distro packages)

No, the existing DCs run 4.15.7. The to-be DC runs 4.16.4.

> I take it that /etc/resolv.conf points to another Samba AD DC

It points to one of the existing DCs, yes.

> and there
> is nothing else using port 53.

Yes, i.e. it is Samba that responds to the DNS query. The result of the DNS query is also expected.

> Provided that everything is set up
> correctly, the join should work, whether IPv4 or IPv6 is used.

That's what I'd think, but it doesn't. I hope someone has a clue!

> Rowland

-- 
With kind regards,

William Edwards
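
The DNS preconditions discussed in this thread (resolv.conf pointing at an existing DC, an SRV answer for _ldap._tcp, and an AAAA or A record for every SRV target) can be checked over captured resolver output before retrying the join. This is an added example, not code from the thread or from Samba; the function names, host names and addresses are constructed, and the SRV text is assumed to be `dig +short` output.

```python
import ipaddress

def nameservers(resolv_conf):
    """Addresses on 'nameserver' lines of resolv.conf text (comments ignored)."""
    found = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            # Drop an IPv6 zone id such as %eth0 before parsing.
            found.append(ipaddress.ip_address(fields[1].split("%", 1)[0]))
    return found

def srv_targets(dig_short):
    """Target host names from `dig +short SRV` lines (priority weight port target)."""
    return [f[3].rstrip(".").lower()
            for f in (line.split() for line in dig_short.splitlines())
            if len(f) == 4]

def preflight(resolv_conf, srv_answer, host_addrs, known_dcs):
    """Failed preconditions (empty list = all hold); inputs are operator-collected."""
    dcs = {ipaddress.ip_address(a) for a in known_dcs}
    problems = []
    servers = nameservers(resolv_conf)
    if not servers:
        problems.append("resolv.conf has no nameserver line")
    problems += [f"nameserver {s} is not an existing DC"
                 for s in servers if s not in dcs]
    targets = srv_targets(srv_answer)
    if not targets:
        problems.append("no SRV targets for _ldap._tcp.<domain>")
    for host in targets:
        # An IPv6-only DC has AAAA records and an empty A answer; that is fine.
        addrs = {ipaddress.ip_address(a) for a in host_addrs.get(host, [])}
        if not addrs:
            problems.append(f"{host} has neither AAAA nor A record")
        elif not addrs & dcs:
            problems.append(f"{host} resolves to no known DC address")
    return problems

# Constructed sample data (documentation address ranges, not from the thread).
RESOLV_OK = "search example.com\nnameserver 2001:db8::10\n"
RESOLV_BAD = "nameserver 192.0.2.53  # local caching resolver\n"
SRV = "0 100 389 dc1.example.com.\n0 100 389 dc2.example.com.\n"
ADDRS = {"dc1.example.com": ["2001:db8::10"], "dc2.example.com": []}
DCS = {"2001:db8::10", "2001:db8::11"}

if __name__ == "__main__":
    print(preflight(RESOLV_OK, SRV, ADDRS, DCS))
    print(preflight(RESOLV_BAD, SRV, ADDRS, DCS))
```

An empty result only confirms the DNS side; as the thread shows, the join can still fail after that.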