On Tue, 2022-09-06 at 22:07 +0200, William Edwards wrote:
> Hi Rowland,
>
> Rowland Penny via samba wrote on 2022-09-06 19:29:
> > On Tue, 2022-09-06 at 19:09 +0200, William Edwards wrote:
> > > > On 6 Sep 2022, at 19:04, Rowland Penny via samba <samba at lists.samba.org> wrote:
> > > >
> > > > On Tue, 2022-09-06 at 18:53 +0200, William Edwards wrote:
> > > > > Rowland Penny via samba wrote on 2022-09-06 18:05:
> > > > > > > On Tue, 2022-09-06 at 17:19 +0200, William Edwards via samba wrote:
> > > > > > > > According to the documentation[1], I'm trying to join a to-be DC to an existing domain with:
> > > > > > > > samba-tool domain join cyberfusion.cloud DC -k yes --dns-backend=SAMBA_INTERNAL --option='idmap_ldb:use rfc2307 = yes'
> > > > > > What version of Samba are you using? From 4.15.0 '-k yes' has been replaced with '--use-kerberos=required', though the earlier form should still work.
> > > > > > Does /etc/resolv.conf point to an existing AD DC?
> > > > > > What OS is this?
> > > > > > > With debug level 5, this fails with:
> > > > > > > finddcs: searching for a DC by DNS domain cyberfusion.cloud
> > > > > > > finddcs: looking for SRV records for _ldap._tcp.cyberfusion.cloud
> > > > > > > resolve_lmhosts: Attempting lmhosts lookup for name _ldap._tcp.cyberfusion.cloud<0x0>
> > > > > > > startlmhosts: Can't open lmhosts file /etc/samba/lmhosts. Error was No such file or directory
> > > > > > > dns child failed to find name '_ldap._tcp.cyberfusion.cloud' of type SRV
> > > > > > > finddcs: Failed to find SRV record for _ldap._tcp.cyberfusion.cloud
> > > > > > > ERROR: Failed to find a writeable DC for domain 'cyberfusion.cloud': The object name is not found.
> > > > > > > File "/usr/lib/python3/dist-packages/samba/join.py", line 351, in find_dc
> > > > > > > ctx.cldap_ret = ctx.net.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE)
> > > > > > > However, the lookup actually succeeds. I tcpdumped on the existing DC that receives the DNS query, and on the to-be new DC. The SRV lookup succeeds, and Samba looks up the AAAA and A records for the hosts in the SRV RRSet. That also succeeds: the AAAA lookup returns the IPv6 addresses for the DCs, and the A lookups result in an empty RRSet, as this is an IPv6-only setup.
> > > > > > > I tried omitting --dns-backend and --option in the join command.
> > > > > > You do not need the dns one, it will be used by default and the option makes samba use any uidNumber & gidNumber attributes found in AD instead of the xidNumber attributes found in idmap.ldb.
> > > > > > > I also tried using a username & password instead of Kerberos after kinit. Getting a token with `kinit administrator` succeeds. That does not help.
> > > > > > > Searching for the error messages "dns child failed to find name" and "finddcs: Failed to find SRV record for" yielded a former post[2] on the mailing list, which suggests to set 'interfaces'. That does not help either.
> > > > > > > I hope someone has some pointers!
> > > > > > It sounds like a dns problem.
> > > > > As mentioned in my original email, tcpdump proves that the DNS result is expected and correct. Something must be going wrong in userland.
> > > > > > Rowland
> > > >
> > > > Would you please answer the questions that I asked.
> > >
> > > I did. I sent two emails in reply to yours. This is the second
> > > one.
> > > Please see my email from 18:46.
> > >
> >
> > Sorry, yes I know, your second reply arrived after I sent my reply.
>
> Ah, it arrived here already. Sorry.
>
> > So, just to understand things, you are using Debian 10 and you are
> > trying to add a Debian 11 machine
>
> Correct.
>
> > (this would mean 4.9.5 and 4.13.? if
> > using the standard distro packages)
>
> No, the existing DCs run 4.15.7. The to-be DC runs 4.16.4.
>
> > I take it that /etc/resolv.conf points to another Samba AD DC
>
> It points to one of the existing DCs, yes.
>
> > and there
> > is nothing else using port 53.
>
> Yes, i.e. it is Samba that responds to the DNS query. The result of the
> DNS query is also expected.
>
> > Provided that everything is set up
> > correctly, the join should work, whether IPv4 or IPv6 is used.
>
> That's what I'd think, but it doesn't. I hope someone has a clue!
>
> > Rowland
Have you looked in /var/log/syslog ?
Rowland