On Wed Aug 2 10:25:00 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On 02/08/2023 15:04, Mark Foley via samba wrote:
> >
> > Yeah, those commands on my system simply return the 'help' syntax info for the host command.

Actually, I must correct this a bit. Running those commands on my current DC gives the "prohibited character found" error.

> >> I suggest you start Samba, wait a short while and then try again.
> >
> > Do you mean to start Samba on the new DC (which I haven't done yet) or [re]start
> > Samba on the current DC?
>
> When you 'join' a new DC to the domain, only minimal critical DNS
> records are created and the GUID records are not amongst them. When
> Samba on the new DC is started, a script <samba_dnsupdate> is run (it
> then runs every 10 minutes after that). This script uses a file
> <dns_update_list> to check if various DNS records for the DC exist, if
> they do not exist, they are created, amongst these DNS records is:
>
> ${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
>
> So the GUID record possibly doesn't exist on your new DC because you
> haven't started it.
>
> Rowland

Per the wiki, I ran 'samba' on the new DC, then tried the 'samba-tool drs showrepl' on the new DC. No go:

# samba-tool drs showrepl
Failed to connect host 127.0.0.1 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 127.0.0.1 (dc1.hprs.local) on port 135 - NT_STATUS_CONNECTION_REFUSED.
ERROR(<class 'samba.drs_utils.drsException'>): DRS connection to dc1.hprs.local failed - drsException: DRS connection to dc1.hprs.local failed: (3221226038, 'The transport-connection attempt was refused by the remote system.')
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/drs.py", line 55, in drsuapi_connect
    (ctx.drsuapi, ctx.drsuapi_handle, ctx.bind_supported_extensions) = drs_utils.drsuapi_connect(ctx.server, ctx.lp, ctx.creds)
  File "/usr/lib64/python3.9/site-packages/samba/drs_utils.py", line 71, in drsuapi_connect
    raise drsException("DRS connection to %s failed: %s" % (server, e))

I then tried 'samba-tool drs showrepl' on the current DC and got:

# samba-tool drs showrepl
:
: (bunch of gensec stuff)
:
Default-First-Site-Name\MAIL
DSA Options: 0x00000001
DSA object GUID: 48c0208f-0646-42f6-89bf-dc9b81b3442c
DSA invocationId: efd15371-9645-4a1a-b9eb-f4db28add590

==== INBOUND NEIGHBORS ===

Sealed 64 bytes, and got 76 bytes header/signature.
Unsealed 2816 bytes, with 76 bytes header/signature.
CN=Schema,CN=Configuration,DC=hprs,DC=local
        Default-First-Site-Name\DC1 via RPC
                DSA object GUID: 0d2a3ba9-4ade-45de-85c7-321ba69caee0
                Last attempt @ Wed Aug 2 16:31:57 2023 EDT failed, result 2 (WERR_FILE_NOT_FOUND)
                2678 consecutive failure(s).
                Last success @ NTTIME(0)

The above starting with "Default-First-Site-Name\DC1 via RPC" was repeated 4 more times, but note the failure which occurred in each repeat. After that:

==== OUTBOUND NEIGHBORS ===

Sealed 64 bytes, and got 76 bytes header/signature.
Unsealed 32 bytes, with 76 bytes header/signature.

==== KCC CONNECTION OBJECTS ===

Connection --
        Connection name: 34b6cbf3-f021-4922-9b55-6dc26cb833be
        Enabled        : TRUE
        Server DNS name : dc1.hprs.local
        Server DN name  : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=hprs,DC=local
                TransportType: RPC
                options: 0x00000001
Warning: No NC replicated for Connection!

Kerberos commands still not working:

# kinit administrator
Password for administrator at hprs.local:
kinit: KDC reply did not match expectations while getting initial credentials
# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)

/etc/resolv.conf still not working with the new DC's IP. All these failures are likely because samba failed, /var/log/syslog:

Aug 2 16:53:14 DC1 samba[16433]: [2023/08/02 16:53:14.573450, 0] ../../lib/util/util_runcmd.c:355(samba_runcmd_io_handler)
Aug 2 16:53:14 DC1 samba[16433]: /usr/sbin/samba_dnsupdate: response to GSS-TSIG query was unsuccessful
:
: (another 26 errors like this)
:
Aug 2 16:53:15 DC1 samba[16433]: [2023/08/02 16:53:15.236106, 0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
Aug 2 16:53:15 DC1 samba[16433]: dnsupdate_nameupdate_done: Failed DNS update with exit code 27

As it stands, samba doesn't run, kerberos doesn't run, DNS not working.

Note that the 1st place I'm failing per the wiki procedure is with:

# host -t CNAME 0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local.
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')

I'm about ready to give up and start from scratch, maybe going back and attempting to upgrade the existing Samba 4.8.2 if you think the current course is irredeemable and out of control. I started down the "upgrade" line of thinking in thread "Upgrading from Samba 4.8.2 to 4.15.5" from January 28th, but advice from you and others was to try adding a DC and "promoting" it. Is that still viable?

I could also give this 2nd DC another clean retry by removing it from the domain, wiping the drive and starting over. Perhaps joining with a specified backend so DNS works right away -- or getting that to work before moving on. At the same time I could put the latest BIND package on the current 4.8.2 DC and get away from the "prohibited character found" error.

--Mark :(
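The 'samba-tool drs showrepl' output quoted in the message above is the first thing worth reading on a DC that will not come up: an inbound neighbour whose "Last success" is NTTIME(0) has never pulled that partition at all, and the KCC "No NC replicated for Connection!" warning says the same thing from the connection side. The following is an added example, not code from Samba or from anyone in this thread: it parses the inbound-neighbour section of showrepl output into records, skips the gensec "Sealed/Unsealed" debug lines that interleave with it when gensec logging is on, and reports every partition that has never replicated or is accumulating consecutive failures. The sample output embedded in it is constructed to mirror the figures quoted above (one never-replicated partition, one healthy one); it was not captured from a real DC.

```python
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the showrepl output quoted above (not captured from a
# real DC): one partition that has never replicated, one healthy one, and gensec noise.
SAMPLE_SHOWREPL = """\
==== INBOUND NEIGHBORS ====
Sealed 64 bytes, and got 76 bytes header/signature.
Unsealed 2816 bytes, with 76 bytes header/signature.
CN=Schema,CN=Configuration,DC=hprs,DC=local
\tDefault-First-Site-Name\\DC1 via RPC
\t\tDSA object GUID: 0d2a3ba9-4ade-45de-85c7-321ba69caee0
\t\tLast attempt @ Wed Aug  2 16:31:57 2023 EDT failed, result 2 (WERR_FILE_NOT_FOUND)
\t\t2678 consecutive failure(s).
\t\tLast success @ NTTIME(0)

DC=hprs,DC=local
\tDefault-First-Site-Name\\DC1 via RPC
\t\tDSA object GUID: 0d2a3ba9-4ade-45de-85c7-321ba69caee0
\t\tLast attempt @ Wed Aug  2 16:40:01 2023 EDT was successful
\t\t0 consecutive failure(s).
\t\tLast success @ Wed Aug  2 16:40:01 2023 EDT

==== KCC CONNECTION OBJECTS ====
Connection --
\tServer DNS name : dc1.hprs.local
Warning: No NC replicated for Connection!
"""


@dataclass
class Neighbor:
    naming_context: str
    partner: str
    transport: str
    dsa_guid: Optional[str] = None
    last_attempt: Optional[str] = None
    last_result: Optional[str] = None   # WERR_* code; None when the last attempt succeeded
    consecutive_failures: int = 0
    last_success: Optional[str] = None  # None when samba prints NTTIME(0), i.e. never

    @property
    def never_replicated(self) -> bool:
        return self.last_success is None


SECTION_RE = re.compile(r"^==== (.+?) =+\s*$")
DN_RE = re.compile(r"^(?:CN|DC|OU)=", re.IGNORECASE)
PARTNER_RE = re.compile(r"^\s+(\S.*?) via (\S+)\s*$")
GUID_RE = re.compile(r"^\s+DSA object GUID: ([0-9a-fA-F-]{36})")
ATTEMPT_RE = re.compile(r"^\s+Last attempt @ (.+?) (?:was successful|failed, result (\d+) \((\w+)\))")
FAIL_RE = re.compile(r"^\s+(\d+) consecutive failure\(s\)")
SUCCESS_RE = re.compile(r"^\s+Last success @ (.+?)\s*$")


def parse_inbound(text: str) -> List[Neighbor]:
    """Extract every inbound replication neighbour from showrepl output."""
    neighbors = []
    section, nc, cur = None, "", None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section, cur = m.group(1), None
        elif section != "INBOUND NEIGHBORS" or not line.strip():
            continue
        elif not line[0].isspace():
            # Unindented lines are a partition DN or gensec noise; only a DN starts a block.
            if DN_RE.match(line):
                nc, cur = line.strip(), None
        elif m := PARTNER_RE.match(line):
            cur = Neighbor(naming_context=nc, partner=m.group(1), transport=m.group(2))
            neighbors.append(cur)
        elif cur is None:
            continue
        elif m := GUID_RE.match(line):
            cur.dsa_guid = m.group(1)
        elif m := ATTEMPT_RE.match(line):
            cur.last_attempt, cur.last_result = m.group(1), m.group(3)
        elif m := FAIL_RE.match(line):
            cur.consecutive_failures = int(m.group(1))
        elif m := SUCCESS_RE.match(line):
            cur.last_success = None if m.group(1) == "NTTIME(0)" else m.group(1)
    return neighbors


def replication_problems(neighbors: List[Neighbor]) -> List[str]:
    """One line per neighbour that is not replicating cleanly."""
    out = []
    for n in neighbors:
        if n.never_replicated or n.consecutive_failures:
            state = "never replicated" if n.never_replicated else "failing"
            out.append(f"{n.naming_context}: {state} from {n.partner}, "
                       f"{n.consecutive_failures} consecutive failure(s), last result {n.last_result}")
    return out


def kcc_warnings(text: str) -> List[str]:
    """Warnings printed in the KCC section, e.g. a connection with no NC replicated."""
    warnings, section = [], None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section == "KCC CONNECTION OBJECTS" and line.startswith("Warning:"):
            warnings.append(line[len("Warning:"):].strip())
    return warnings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SHOWREPL
    print("\n".join(replication_problems(parse_inbound(text)) + kcc_warnings(text)))
```

On a DC, pipe the real output in ('samba-tool drs showrepl | python3 showrepl_check.py'); with no input it runs against the constructed sample. A partition reported as "never replicated" with thousands of consecutive failures, as in the post above, means the join itself never completed for that naming context, which is a different problem from a DC that replicated once and has since stalled.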
Here's another idea to hack my way out of this quagmire ...

When I first installed the Samba AD/DC to replace the SBS 2008 server 10 years ago, I provisioned the Samba DC without connection to the Windows hprs.local domain. Then I un-joined the domain on all Windows domain members, turned off the SBS server, and joined all the Windows workstations to the new domain. Sure, I'd have to create new domain users, and I'd probably have to re-add the GPOs, but that might actually be easier. This thread has been a lot of work with no solution in sight. The current Samba 4.8.2 DC may just be too old to work with. I could try it with one or two guinea pig workstations. And ... I could change the .local domain name bit while I'm at it.

--Mark

-----Original Message-----
Date: Wed, 02 Aug 2023 17:38:59 -0400
To: samba at lists.samba.org
Subject: Re: [Samba] Joining a new Samba AD DC
From: Mark Foley via samba <samba at lists.samba.org>

[...]

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
Mark Foley
2023-Oct-09 16:57 UTC
[Samba] Joining a Linux domain member to an actual Windows AD Domain
I am attempting to join a Linux host as a domain member to a Windows AD domain. I am following the instructions in https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member

I am at the section in that doc, "Resolving SRV Records" which says, "Active Directory (AD) uses SRV records to locate services, such as Kerberos and LDAP. To verify that SRV records are resolved correctly, use the nslookup interactive shell:", and I go ahead and do the suggested commands:

# nslookup
> set type=SRV
> _ldap._tcp.cwaserver1.cwa4502.local
Server:         192.168.1.5
Address:        192.168.1.5#53

** server can't find _ldap._tcp.cwaserver1.cwa4502.local: NXDOMAIN

# host -t SRV _ldap._tcp.cwaserver1.cwa4502.local
Host _ldap._tcp.cwaserver1.cwa4502.local not found: 3(NXDOMAIN)

As you can see, this test appears to be failing. Other Windows workstations are connected to this Domain w/o problem. Is it critical for this SRV record thing to work? If so, what suggestions are there on what needs to be done in the domain controller to fix this?

Thanks --Mark
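Two posts in this thread end up at the same check: does the DNS a client is pointed at carry the records AD publishes? Rowland's quoted explanation in the first message lists the GUID CNAME that samba_dnsupdate creates from dns_update_list (${NTDSGUID}._msdcs.${DNSFOREST}), and the wiki step quoted in the post above is the SRV lookup that every domain member and DC performs to find LDAP and the KDC. Both kinds of owner name are built from the domain (forest) name; a DC's hostname only ever appears as the target of those records, so a name with the DC hostname spliced into it is not one AD creates, and NXDOMAIN for it says nothing about the domain. The following is an added example, not code from the Samba wiki or the Samba project: it builds the owner names a member must resolve (the common subset of what dns_update_list publishes for a single-domain forest, which is an assumption of mine, not the full list), parses host(1) output so that "name does not exist" (NXDOMAIN) is told apart from "name exists but has no SRV record", and can query each name against a chosen server so you can ask the DC directly and rule out a stale resolver. The host output embedded in it is constructed for this example; the realm and GUID are the ones used in the thread.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]  # (rtype, owner name)


def expected_ad_records(realm: str, site: str = "Default-First-Site-Name",
                        ntds_guid: Optional[str] = None) -> List[Record]:
    """Names a domain member or a new DC must be able to resolve.

    Owner names are built from the domain name (and the _msdcs zone); a DC hostname
    only ever appears as the *target*. Assumption: the list is the common subset of
    what samba_dnsupdate publishes from dns_update_list for a single-domain forest.
    """
    realm = realm.rstrip(".").lower()
    srv_names = [
        f"_ldap._tcp.{realm}",
        f"_ldap._tcp.dc._msdcs.{realm}",
        f"_ldap._tcp.pdc._msdcs.{realm}",
        f"_ldap._tcp.gc._msdcs.{realm}",
        f"_ldap._tcp.{site}._sites.{realm}",
        f"_ldap._tcp.{site}._sites.dc._msdcs.{realm}",
        f"_kerberos._tcp.{realm}",
        f"_kerberos._udp.{realm}",
        f"_kerberos._tcp.dc._msdcs.{realm}",
        f"_kpasswd._tcp.{realm}",
        f"_kpasswd._udp.{realm}",
        f"_gc._tcp.{realm}",
    ]
    records: List[Record] = [("SRV", n) for n in srv_names]
    if ntds_guid:  # the CNAME from dns_update_list: ${NTDSGUID}._msdcs.${DNSFOREST}
        records.append(("CNAME", f"{ntds_guid.lower()}._msdcs.{realm}"))
    return records


# Answer formats printed by host(1); NXDOMAIN and "has no ... record" are distinct.
SRV_LINE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+)\s*$")
CNAME_LINE = re.compile(r"^(\S+) is an alias for (\S+)\s*$")
NO_RR_LINE = re.compile(r"^(\S+) has no \w+ record\s*$")
NXDOMAIN_LINE = re.compile(r"^Host (\S+) not found: \d+\((\w+)\)")


def parse_host_output(text: str) -> Dict[str, Optional[List[dict]]]:
    """Map owner name -> answers; [] when the name exists without that RR type,
    None when the server answered NXDOMAIN (the name does not exist at all)."""
    answers: Dict[str, Optional[List[dict]]] = {}
    for line in text.splitlines():
        if m := SRV_LINE.match(line):
            name, prio, weight, port, target = m.groups()
            answers.setdefault(name.rstrip("."), []).append(
                {"priority": int(prio), "weight": int(weight),
                 "port": int(port), "target": target.rstrip(".")})
        elif m := CNAME_LINE.match(line):
            answers.setdefault(m.group(1).rstrip("."), []).append(
                {"target": m.group(2).rstrip(".")})
        elif m := NO_RR_LINE.match(line):
            answers.setdefault(m.group(1).rstrip("."), [])
        elif m := NXDOMAIN_LINE.match(line):
            answers[m.group(1).rstrip(".")] = None
    return answers


def query(rtype: str, name: str, server: Optional[str] = None) -> str:
    """Run host(1) for one record; server is a DNS server (e.g. the DC) to ask directly."""
    cmd = ["host", "-t", rtype, name] + ([server] if server else [])
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def check_ad_dns(realm: str, server: Optional[str] = None,
                 **kwargs) -> List[Tuple[str, str, str]]:
    """(rtype, name, verdict) per expected record: 'ok', 'missing-rr' or 'nxdomain'."""
    findings = []
    for rtype, name in expected_ad_records(realm, **kwargs):
        got = parse_host_output(query(rtype, name, server)).get(name)
        verdict = "nxdomain" if got is None else ("ok" if got else "missing-rr")
        findings.append((rtype, name, verdict))
    return findings


# Constructed host(1) output for the cwa4502.local domain in the post above plus the
# GUID CNAME from the earlier thread; not captured from any server.
SAMPLE_HOST_OUTPUT = """\
_ldap._tcp.cwa4502.local has SRV record 0 100 389 cwaserver1.cwa4502.local.
_kerberos._tcp.cwa4502.local has SRV record 0 100 88 cwaserver1.cwa4502.local.
_gc._tcp.cwa4502.local has no SRV record
Host _ldap._tcp.cwaserver1.cwa4502.local not found: 3(NXDOMAIN)
0d2a3ba9-4ade-45de-85c7-321ba69caee0._msdcs.hprs.local is an alias for dc1.hprs.local.
"""

if __name__ == "__main__":
    import sys  # usage: python3 ad_dns_check.py cwa4502.local [192.168.1.5]
    for rtype, name, verdict in check_ad_dns(*sys.argv[1:3]):
        print(f"{verdict:10s} {rtype:5s} {name}")
```

Run it twice: once with no server argument (what the member's /etc/resolv.conf actually hands it) and once with the DC's IP. A record that is "ok" against the DC but "nxdomain" through the default resolver is a resolver or forwarding problem on the client, not a missing record on the domain controller; "missing-rr" for a name that exists means the zone is there but the DC never registered that service, which is the state a DC is in before samba_dnsupdate has run successfully.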