Hello.
I have a problem when trying to join a Samba server to the domain as a
member. Samba authentication works fine, but I can't get it to update
the DNS records correctly.
root@fs06:~# samba-tool domain join EXAMPLE.COM.AR MEMBER
-Uadministrator --server=DC05 -v
Password for [EXAMPLE\administrator]:
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : 'DC05'
machine_name : 'FS06'
domain_name : *
domain_name : 'EXAMPLE.COM.AR'
domain_name_type : JoinDomNameTypeDNS (1)
account_ou : NULL
admin_account : 'administrator'
admin_domain : NULL
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_IGNORE_UNSUPPORTED_FLAGS
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
os_servicepack : NULL
create_upn : 0x00 (0)
upn : NULL
dnshostname : 'FS06'
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
use_kerberos : 0x01 (1)
secure_channel_type : SEC_CHAN_WKSTA (2)
desired_encryption_types : 0x0000001f (31)
provision_computer_account_only: 0x00 (0)
odj_provision_data : NULL
request_offline_join : 0x00 (0)
libnet_join_precreate_machine_acct: Machine account successfully created
join: struct secrets_domain_infoB
version : SECRETS_DOMAIN_INFO_VERSION_1 (1)
reserved : 0x00000000 (0)
info : union secrets_domain_infoU(case 1)
info1 : *
info1: struct secrets_domain_info1
reserved_flags : 0x0000000000000000 (0)
join_time : Fri Dec 23 12:38:27 2022 -03
computer_name : 'FS06'
account_name : 'FS06$'
secure_channel_type : SEC_CHAN_WKSTA (2)
domain_info: struct lsa_DnsDomainInfo
name: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : 'EXAMPLE'
dns_domain: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : 'example.com.ar'
dns_forest: struct lsa_StringLarge
length : 0x0000 (0)
size : 0x0000 (0)
string : *
string : 'example.com.ar'
domain_guid :
83c96a45-1808-4bc2-9b58-0c535f3ed3da
sid : *
sid :
S-1-5-21-527077859-282153845-2196410814
trust_flags : 0x0000001a (26)
0: NETR_TRUST_FLAG_IN_FOREST
1: NETR_TRUST_FLAG_OUTBOUND
0: NETR_TRUST_FLAG_TREEROOT
1: NETR_TRUST_FLAG_PRIMARY
1: NETR_TRUST_FLAG_NATIVE
0: NETR_TRUST_FLAG_INBOUND
0: NETR_TRUST_FLAG_MIT_KRB5
0: NETR_TRUST_FLAG_AES
trust_type : LSA_TRUST_TYPE_UPLEVEL (2)
trust_attributes : 0x00000040 (64)
0: LSA_TRUST_ATTRIBUTE_NON_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_UPLEVEL_ONLY
0: LSA_TRUST_ATTRIBUTE_QUARANTINED_DOMAIN
0: LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
0: LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION
0: LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
1: LSA_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL
0: LSA_TRUST_ATTRIBUTE_USES_RC4_ENCRYPTION
0:
LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION
0: LSA_TRUST_ATTRIBUTE_PIM_TRUST
0:
LSA_TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION
reserved_routing : NULL
supported_enc_types : 0x0000001f (31)
1: KERB_ENCTYPE_DES_CBC_CRC
1: KERB_ENCTYPE_DES_CBC_MD5
1: KERB_ENCTYPE_RC4_HMAC_MD5
1: KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
1: KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
0: KERB_ENCTYPE_FAST_SUPPORTED
0: KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED
0: KERB_ENCTYPE_CLAIMS_SUPPORTED
0: KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED
salt_principal : *
salt_principal :
'host/fs06.example.com.ar@EXAMPLE.COM.AR'
password_last_change : Fri Dec 23 12:38:27 2022 -03
password_changes : 0x0000000000000001 (1)
next_change : NULL
password : *
password: struct secrets_domain_info1_password
change_time : Fri Dec 23 12:38:27 2022 -03
change_server : 'dc05.example.com.ar'
cleartext_blob : DATA_BLOB length=240
nt_hash: struct samr_Password
hash: ARRAY(16): <REDACTED SECRET VALUES>
salt_data : *
salt_data :
'EXAMPLE.COM.ARhostfs06.example.com.ar'
default_iteration_count : 0x00001000 (4096)
num_keys : 0x0003 (3)
keys: ARRAY(3)
keys: struct secrets_domain_info1_kerberos_key
keytype : 0x00000012 (18)
iteration_count : 0x00001000 (4096)
value : DATA_BLOB length=32
keys: struct secrets_domain_info1_kerberos_key
keytype : 0x00000011 (17)
iteration_count : 0x00001000 (4096)
value : DATA_BLOB length=16
keys: struct secrets_domain_info1_kerberos_key
keytype : 0x00000017 (23)
iteration_count : 0x00001000 (4096)
value : DATA_BLOB length=16
old_password : NULL
older_password : NULL
ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such
file or directory
ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with
backend 'tdb': Unable to open tdb
'/var/lib/samba/private/secrets.ldb': No such file or directory
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
odj_provision_data : NULL
account_name : 'FS06$'
netbios_domain_name : 'EXAMPLE'
dns_domain_name : 'example.com.ar'
forest_name : 'example.com.ar'
dn :
'CN=FS06,CN=Computers,DC=example,DC=com,DC=ar'
domain_guid : 83c96a45-1808-4bc2-9b58-0c535f3ed3da
domain_sid : *
domain_sid :
S-1-5-21-527077859-282153845-2196410814
modified_config : 0x00 (0)
error_string : NULL
domain_is_ad : 0x01 (1)
set_encryption_types : 0x0000001f (31)
krb5_salt : 'host/fs06.example.com.ar@EXAMPLE.COM.AR'
dcinfo : *
dcinfo: struct netr_DsRGetDCNameInfo
dc_unc : *
dc_unc :
'\\dc05.example.com.ar'
dc_address : *
dc_address : '\\192.168.50.55'
dc_address_type : DS_ADDRESS_TYPE_INET (1)
domain_guid :
83c96a45-1808-4bc2-9b58-0c535f3ed3da
domain_name : *
domain_name : 'example.com.ar'
forest_name : *
forest_name : 'example.com.ar'
dc_flags : 0xe00013fc (3758101500)
0: DS_SERVER_PDC
1: DS_SERVER_GC
1: DS_SERVER_LDAP
1: DS_SERVER_DS
1: DS_SERVER_KDC
1: DS_SERVER_TIMESERV
1: DS_SERVER_CLOSEST
1: DS_SERVER_WRITABLE
1: DS_SERVER_GOOD_TIMESERV
0: DS_SERVER_NDNC
0: DS_SERVER_SELECT_SECRET_DOMAIN_6
1: DS_SERVER_FULL_SECRET_DOMAIN_6
0: DS_SERVER_WEBSERV
0: DS_SERVER_DS_8
1: DS_DNS_CONTROLLER
1: DS_DNS_DOMAIN
1: DS_DNS_FOREST_ROOT
dc_site_name : *
dc_site_name :
'Default-First-Site-Name'
client_site_name : *
client_site_name :
'Default-First-Site-Name'
account_rid : 0x00001247 (4679)
result : WERR_OK
Joined domain example.com.ar (S-1-5-21-527077859-282153845-2196410814)
root@fs06:~# samba_dnsupdate
The server update list was not found, and --update-list was not provided.
[Errno 2] No such file or directory:
'/var/lib/samba/private/dns_update_list'
Usage: samba_dnsupdate [options]
Password for [EXAMPLE\administrator]:
DNS Update for fs06.example.com.ar failed: ERROR_DNS_UPDATE_FAILED
DNS update failed!
root@fs06:~# ls -la /var/lib/samba/
total 2228
drwxr-xr-x 7 root root 4096 dic 23 12:35 .
drwxr-xr-x 42 root root 4096 nov 3 00:28 ..
-rw------- 1 root root 421888 nov 2 10:24 account_policy.tdb
drwxr-xr-x 4 root root 4096 nov 2 10:16 DriverStore
-rw------- 1 root root 425984 nov 2 10:29 group_mapping.tdb
drwxr-xr-x 12 root root 4096 nov 2 10:16 printers
drwxr-xr-x 3 root root 4096 dic 23 12:32 private
-rw------- 1 root root 528384 nov 2 10:24 registry.tdb
-rw------- 1 root root 421888 nov 2 10:24 share_info.tdb
drwxrwx--T 2 root sambashare 4096 nov 2 10:16 usershares
-rw------- 1 root root 32768 dic 23 12:35 winbindd_cache.tdb
-rw-r--r-- 1 root root 421888 nov 2 10:49 winbindd_idmap.tdb
drwxr-x--- 2 root winbindd_priv 4096 dic 23 12:35 winbindd_privileged
root@fs06:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.1 LTS
Release: 22.04
Codename: jammy
root@fs06:~# dpkg --list | grep samba
ii python3-samba 2:4.15.9+dfsg-0ubuntu0.3
amd64 Python 3 bindings for Samba
ii samba 2:4.15.9+dfsg-0ubuntu0.3
amd64 SMB/CIFS file, print, and login server for
Unix
ii samba-common 2:4.15.9+dfsg-0ubuntu0.3
all common files used by both the Samba server and
client
ii samba-common-bin 2:4.15.9+dfsg-0ubuntu0.3
amd64 Samba common files used by both the server and
the client
ii samba-dsdb-modules:amd64 2:4.15.9+dfsg-0ubuntu0.3
amd64 Samba Directory Services Database
ii samba-libs:amd64 2:4.15.9+dfsg-0ubuntu0.3
amd64 Samba core libraries
ii samba-testsuite 2:4.15.9+dfsg-0ubuntu0.3
amd64 test suite from Samba
ii samba-vfs-modules:amd64 2:4.15.9+dfsg-0ubuntu0.3
amd64 Samba Virtual FileSystem plugins
On 23/12/2022 15:44, Epsilon Minus via samba wrote:
> Hello.
>
> I have a problem when trying to add a samba as a member. I get the
> samba authentication to work fine, but I can't get it to update the
> dns records correctly.
>
> root@fs06:~# samba-tool domain join EXAMPLE.COM.AR MEMBER
> -Uadministrator --server=DC05 -v
> Password for [EXAMPLE\administrator]:
>
> ldb: Unable to open tdb '/var/lib/samba/private/secrets.ldb': No such
> file or directory
> ldb: Failed to connect to '/var/lib/samba/private/secrets.ldb' with
> backend 'tdb': Unable to open tdb
> '/var/lib/samba/private/secrets.ldb': No such file or directory

You can ignore the errors about the missing 'secrets.ldb'; this file no longer exists on a Unix domain member.

> Joined domain example.com.ar (S-1-5-21-527077859-282153845-2196410814)

Yes, the computer joined okay.

> root@fs06:~# samba_dnsupdate
> The server update list was not found, and --update-list was not provided.
> [Errno 2] No such file or directory: '/var/lib/samba/private/dns_update_list'
>
> Usage: samba_dnsupdate [options]
>
> Password for [EXAMPLE\administrator]:
> DNS Update for fs06.example.com.ar failed: ERROR_DNS_UPDATE_FAILED
> DNS update failed!

It would fail: that command should only be run on a DC, and it isn't meant for what you are attempting to do; it is meant to add any missing DC DNS records. The join should add the new Unix domain member's DNS records. If it doesn't, there is usually a reason for this, and that reason is that the computer's /etc/hosts and /etc/resolv.conf are not correctly set up.

Rowland