samba - Oct 2023 - Member join to Active Directory -> DNS-Update fails

Hi,
On Oct 27, 2023 at 15:41 +0200, Bestattungen Vitt - Thomas Reitelbach via samba
<samba at lists.samba.org>, wrote:
> Hello list,
>
>
> And this is the debug log on the machine where the DNS-Update is tried
> upon:
> Oct 27 14:58:21 vmads.vitt.site samba[16373]: [2023/10/27
> 14:58:21.679662, 0]
> ../source4/dns_server/dns_update.c:407(handle_one_update)
> Oct 27 14:58:21 vmads.vitt.site samba[16373]: Can't handle updates of
> type 255 yet
>
I assume your record does not exist already.
> I guess this is because this specific machine has an old samba version
> (4.6.4) which lacks the necessary functions.
>
> What are my options now?
> a) update Samba on the old machine to a current version? (not preferred)
Excelent idea. Try:

http://samba.bigbird.es/doku.php?id=samba:upgrade-sama
> b) let the joining Fileserver choose a different AD-Server preferred for
> DNS-Updates? (how would I do that?? the other AD servers are running on
> debian 11 with samba 4.17.9) All FSMO-Roles are at the other AD servers.
I don?t think you can do that unless you stop samba in the old server. Worth
trying .
> c) create the necessary DNS-Entry manually (tried that already with the
> Windows DNS Client, this works)
> d) ---another idea??? ---
>
> The server with the old samba version is my old File server and AD
> server in one machine
You probably refer to a DC server, not an AD server.
> ?and is going to be demoted and shut down soon (in
> the past I made the mistake to put File Server and AD Server on this
> machine)
Bad idea. You know that already ;)
> -> That's the reason why I want to join a new Fileserver to the
> domain.
Review your member server config, just in case your missing something:

http://samba.bigbird.es/doku.php?id=samba:file-server

And post your smb.conf on the new member server and one of the new DCs would
help diagnose.
> But unfortunately I cannot shut down the old server bevor the new one is
> in place.
>
> Sorry for the long explanation, hoping someone can push me in the right
> direction.
>
> Thank you in advance.
>

Hello Luis,

answering between the comments...
>> And this is the debug log on the machine where the DNS-Update is tried
>> upon:
>> Oct 27 14:58:21 vmads.vitt.site samba[16373]: [2023/10/27
>> 14:58:21.679662, 0]
>> ../source4/dns_server/dns_update.c:407(handle_one_update)
>> Oct 27 14:58:21 vmads.vitt.site samba[16373]: Can't handle updates
of
>> type 255 yet
>> 
> I assume your record does not exist already.
Correct, it does not exist already. Neither the A nor the PTR record do 
exist at this moment.
>> I guess this is because this specific machine has an old samba version
>> (4.6.4) which lacks the necessary functions.
>> 
>> What are my options now?
>> a) update Samba on the old machine to a current version? (not 
>> preferred)
> Excelent idea. Try:
Unfortunately this is complicated. Current samba configure scripts need 
python3 which is unavailable for this old server. I would have to 
compile python and all its dependencies as well. I'll try not to do this 
;-)
Well, I COULD do this, but this is my last choice...
>> b) let the joining Fileserver choose a different AD-Server preferred 
>> for
>> DNS-Updates? (how would I do that?? the other AD servers are running 
>> on
>> debian 11 with samba 4.17.9) All FSMO-Roles are at the other AD 
>> servers.
> I don?t think you can do that unless you stop samba in the old server.
> Worth trying .
I'll test when the old server is unused. At the working hours this is 
not possible.
>> c) create the necessary DNS-Entry manually (tried that already with 
>> the
>> Windows DNS Client, this works)
Do I have to expect any problems when I join the new Fileserver and 
create the DNS entries manually? If I do so, the DNS-Records are 
immediately beeing synced between the three samba-internal dns servers 
as expected. Is there anything more to take care of?
>> The server with the old samba version is my old File server and AD
>> server in one machine
> You probably refer to a DC server, not an AD server.
The old server has always been used as Active Directory Domain 
Controller (this is what I called an AD server), first installed samba 
version was 4.0.5, self-compiled, one of the first versions with support 
for it. It is NOT an old NT-style PDC, if you mean this.
> Review your member server config, just in case your missing something:
The config at time of the Join is very basic:
[global]
### Grundkonfiguration ###
      security = ADS
      workgroup = ADVITT
      realm = ADVITT.SITE

      log file = /var/log/samba/%m.log
      log level = 1

      idmap config * : backend = autorid
      idmap config * : range = 10000-9999999

      vfs objects = acl_xattr
      map acl inherit = yes

-> true, no shares at this point.

Kerberos config:
[libdefaults]
      default_realm = ADVITT.SITE
      dns_lookup_realm = false
      dns_lookup_kdc = true

Time Syncronization is pulled via NTP from the AD-DC Servers.
Name resolution is set to the three AD-DC servers and Name resolution 
tests are OK.

I don't think I'm missing something important so far.

Cheers
Thomas

-- 
Bestattungen Vitt oHG
Inhaber Willi & Thomas Reitelbach
Rochusstra?e 176
53123 Bonn-Duisdorf
Registergericht: Amtsgericht Bonn, HRA 7958

Facebook:     http://www.facebook.de/bestattungenvitt
Gedenkportal: http://begleiten.bestattungen-vitt.de
Internet:     http://www.bestattungen-vitt.de

Telefon: 0228 - 62 68 68
Fax: 0228 - 978 30 36