I've successfully joined two Linux Domain Members to two different Domains. Now, I'm joining a second Linux host as a Domain Member to a Samba4 (4.18.9) Domain. I'm having some possible issues this time.

Issue #1: Reverse Zone

On the SambaWiki: https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member, under 2.5 Forward Lookup, no problem:

# host mail
mail.hprs.local has address 192.168.0.2

2.6 Reverse Lookup is not working:

# host 192.168.0.2
Host 2.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN)

This is true for the other Linux domain member as well. I did create the reverse zone when provisioning the DC, and when I get a zonelist on the DC it does show the reverse zone (I think):

# samba-tool dns zonelist mail

  pszZoneName                 : 0.168.192.in-addr.arpa   <----
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.hprs.local

What's up here and is this a problem?

Issue #2: "DNS Update failed"

When joining the domain member, it joins (I think), but I get "DNS update failed" messages:

# net ads join -U Administrator
Using short domain name -- HPRS
Joined 'WEBSERVER' to dns domain 'hprs.local'
DNS Update for webserver.hprs.local failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL

I'm hoping this is just because I had added an A record for this host back when I provisioned the domain (and this host was not a domain member). In fact, at the time I added A records for all the non-Domain-Member Linux hosts and other devices (like network printers). I'm hoping this is not a real error, but is basically saying the A record already exists and it can't "update" the DNS. If so, a less scary message would be nice. Please advise.

Issue #3: getent not working

After joining this Domain Member I ran the getent test:

# getent passwd HPRS\\mark

Nothing came back. I do get results if I run it on the other Domain Member:

# getent passwd HPRS\\mark
HPRS\mark:*:11105:10513:Mark Foley:/home/mark:/bin/bash

winbindd is running and the /etc/nsswitch.conf file has been appropriately modified. The only config difference I know of between this member and the one where getent works is that in /etc/samba/smb.conf I added:

username map = /var/lib/samba/etc/user.map

and in /var/lib/samba/etc/user.map I have:

!root = hprs\Administrator
uid = 0

wbinfo -u and wbinfo -g do work. Any idea why my getent doesn't work?

Thanks --Mark
Rowland Penny
2024-Apr-28 07:42 UTC
[Samba] Joining Linux Domain Member to Samba DC, issues
On Sat, 27 Apr 2024 20:38:34 -0400 Mark Foley via samba <samba at lists.samba.org> wrote:

> I've successfully joined two Linux Domain Members to two different
> Domains. Now, I'm joining a second Linux host as a Domain Member to a
> Samba4 (4.18.9) Domain. I'm having some possible issues this time.
>
> Issue #1: Reverse Zone
>
> On the SambaWiki:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member,
> under 2.5 Forward Lookup, no problem:
>
> # host mail
> mail.hprs.local has address 192.168.0.2
>
> 2.6 Reverse Lookup is not working:
>
> # host 192.168.0.2
> Host 2.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
>
> This is true for the other Linux domain member as well. I did create
> the reverse zone when provisioning the DC, and when I get a zonelist
> on the DC it does show the reverse zone (I think):
>
> # samba-tool dns zonelist mail
>
>   pszZoneName                 : 0.168.192.in-addr.arpa   <----
>   Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
>   ZoneType                    : DNS_ZONE_TYPE_PRIMARY
>   Version                     : 50
>   dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
>   pszDpFqdn                   : DomainDnsZones.hprs.local
>
> What's up here and is this a problem?

Linux dhcp has no direct method to add/update a computer's reverse record in AD; you either need to use a script called by your dhcp server, or add them manually.

> Issue #2: "DNS Update failed"
>
> When joining the domain member, it joins (I think), but I get "DNS
> update failed" messages:
>
> # net ads join -U Administrator
> Using short domain name -- HPRS
> Joined 'WEBSERVER' to dns domain 'hprs.local'
> DNS Update for webserver.hprs.local failed: ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> I'm hoping this is just because I had added an A record for this host
> back when I provisioned the domain (and this host was not a domain
> member). In fact, at the time I added A records for all the
> non-Domain-Member Linux hosts and other devices (like network
> printers). I'm hoping this is not a real error, but is basically
> saying the A record already exists and it can't "update" the DNS. If
> so, a less scary message would be nice. Please advise.

This is probably down to a dns problem. I usually give my servers a fixed IP and then add the machine's dns info to /etc/hosts:

IPADDRESS FQDN SHORT_HOSTNAME

I never have the problem you are having. If you do not want to set a fixed ip, then ensure that your dhcp server is supplying all the required dns data and that your server knows it.

I also hope that '.local' is a placeholder for the real TLD.

> Issue #3: getent not working
>
> After joining this Domain Member I ran the getent test:
>
> # getent passwd HPRS\\mark
>
> Nothing came back. I do get results if I run it on the other Domain
> Member:
>
> # getent passwd HPRS\\mark
> HPRS\mark:*:11105:10513:Mark Foley:/home/mark:/bin/bash
>
> winbindd is running and the /etc/nsswitch.conf file has been
> appropriately modified. The only config difference I know of between
> this member and the one where getent works is that in
> /etc/samba/smb.conf I added:
>
> username map = /var/lib/samba/etc/user.map
>
> and in /var/lib/samba/etc/user.map I have:
>
> !root = hprs\Administrator
> uid = 0
>
> wbinfo -u and wbinfo -g do work. Any idea why my getent doesn't work?

If smb.conf is set up correctly and winbind is running (which it seems it is), then, have you set up the libnss winbind links?

Rowland
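The two checks Rowland's reply points at (a PTR record that nothing creates for you, and libnss_winbind not being wired into glibc) can be scripted. The following is an added example, not code from the thread or from the Samba project: it derives the in-addr.arpa zone and record label from an IPv4 address, prints or runs the `samba-tool dns` commands that query and add the PTR record on the DC, and checks that `libnss_winbind.so.2` is in a standard library directory and that `passwd:`/`group:` in `/etc/nsswitch.conf` list `winbind`. The DC name `mail`, the host `webserver.hprs.local` and the `Administrator` account are taken from the thread; the library directory list and the `DRY_RUN` variable are assumptions of this script.

```shell
#!/bin/sh
# Added example (not from the Samba thread or project). Usage:
#   DRY_RUN=1 sh member-dns-check.sh mail 192.168.0.2 webserver.hprs.local
# Without DRY_RUN the samba-tool commands are actually executed (they will
# prompt for the Administrator password).
set -eu

# is_ipv4 ADDR: true for a dotted quad of 1-3 digit octets (no range check).
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# reverse_zone 192.168.0.2 -> 0.168.192.in-addr.arpa
# Samba provisions a /24 reverse zone, so the first three octets are reversed.
reverse_zone() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }'
}

# ptr_name 192.168.0.2 -> 2   (the record label inside that /24 zone)
ptr_name() {
    echo "$1" | awk -F. '{ print $4 }'
}

# ptr_query_cmd DC IP: command that shows the existing PTR record, if any.
ptr_query_cmd() {
    printf 'samba-tool dns query %s %s %s PTR -U Administrator\n' \
        "$1" "$(reverse_zone "$2")" "$(ptr_name "$2")"
}

# ptr_add_cmd DC IP FQDN: command that creates the PTR record. The FQDN gets a
# trailing dot so it is stored as an absolute name, not relative to the zone.
ptr_add_cmd() {
    printf 'samba-tool dns add %s %s %s PTR %s. -U Administrator\n' \
        "$1" "$(reverse_zone "$2")" "$(ptr_name "$2")" "$3"
}

# nss_winbind_ok: succeed only if glibc can find libnss_winbind.so.2 in one of
# the listed directories (assumed list) and nsswitch.conf names winbind for
# both passwd and group. wbinfo working while getent fails is exactly the
# symptom of this link being missing.
nss_winbind_ok() {
    found=0
    for d in /lib /lib64 /usr/lib /usr/lib64 \
             /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu; do
        [ -e "$d/libnss_winbind.so.2" ] && found=1
    done
    if [ "$found" != 1 ]; then
        echo "libnss_winbind.so.2 not found in any standard library dir" >&2
        return 1
    fi
    for db in passwd group; do
        grep -Eq "^$db:.*[[:space:]]winbind([[:space:]]|$)" /etc/nsswitch.conf || {
            echo "/etc/nsswitch.conf: '$db:' line does not list winbind" >&2
            return 1
        }
    done
}

# run CMD: print the command under DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$1"; else sh -c "$1"; fi
}

main() {
    dc=$1; ip=$2; fqdn=$3
    is_ipv4 "$ip" || { echo "not an IPv4 address: $ip" >&2; return 2; }
    # A missing PTR makes the query fail; that is the case we then repair.
    run "$(ptr_query_cmd "$dc" "$ip")" || true
    run "$(ptr_add_cmd "$dc" "$ip" "$fqdn")"
    nss_winbind_ok && echo "libnss_winbind and nsswitch.conf look right"
}

if [ $# -eq 3 ]; then main "$@"; fi
```

Once the PTR exists, `host 192.168.0.2` on any client that uses the DC as resolver should return `webserver.hprs.local`; the zone's `DNS_RPC_ZONE_UPDATE_SECURE` flag only means dynamic updates must be authenticated, which is why the commands run as `Administrator`. For the failed A-record update at join time, `net ads dns register -P` retries the registration with the machine account after the `/etc/hosts` entry Rowland describes is in place.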