Rowland Penny
2024-Apr-28 07:42 UTC
[Samba] Joining Linux Domain Member to Samba DC, issues
On Sat, 27 Apr 2024 20:38:34 -0400
Mark Foley via samba <samba at lists.samba.org> wrote:

> I've successfully joined two Linux Domain Members to two different
> Domains. Now, I'm joining a second Linux host as a Domain Member to a
> Samba4 (4.18.9) Domain. I'm having some possible issues this time.
>
> Issue #1 Reverse Zone
>
> On the SambaWiki:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member,
> under 2.5 Forward Lookup, no problem:
>
> # host mail
> mail.hprs.local has address 192.168.0.2
>
> 2.6 Reverse Lookup is not working:
>
> # host 192.168.0.2
> Host 2.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
>
> This is true for the other Linux domain member as well. I did create
> the reverse zone when provisioning the DC, and when I get a zonelist
> on the DC it does show the reverse zone (I think):
>
> # samba-tool dns zonelist mail
>
> pszZoneName : 0.168.192.in-addr.arpa <----
> Flags : DNS_RPC_ZONE_DSINTEGRATED
> DNS_RPC_ZONE_UPDATE_SECURE
> ZoneType : DNS_ZONE_TYPE_PRIMARY
> Version : 50
> dwDpFlags : DNS_DP_AUTOCREATED
> DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> pszDpFqdn : DomainDnsZones.hprs.local
>
> What's up here and is this a problem?

Linux dhcp has no direct method to add/update a computer's reverse
record in AD, you either need to use a script called by your dhcp
server, or add them manually.

> Issue #2: "DNS Update failed"
>
> When joining the domain member, it joins (I think), but I get "DNS
> update failed" messages:
>
> # net ads join -U Administrator
> Using short domain name -- HPRS
> Joined 'WEBSERVER' to dns domain 'hprs.local'
> DNS Update for webserver.hprs.local failed: ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> I'm hoping this is just because I had added an A record for this host
> back when I provisioned the domain (and this host was not a domain
> member). In fact, at the time I added A records for all the
> non-Domain-Member Linux hosts and other devices (like network
> printers). I'm hoping this is not a real error, but is basically
> saying the A record already exists and it can't "update" the DNS. If
> so, a less scary message would be nice. Please advise.

This is probably down to a dns problem, I usually give my servers a
fixed IP and then add the machine's dns info to /etc/hosts:

IPADDRESS FQDN SHORT_HOSTNAME

I never have the problem you are having.

If you do not want to set a fixed ip, then ensure that your dhcp server
is supplying all the required dns data and that your server knows it.

I also hope that '.local' is a placeholder for the real TLD.

> Issue #3: getent not working
>
> After joining this Domain Member I ran the getent test:
>
> # getent passwd HPRS\\mark
>
> Nothing came back. I do get results if I run it on the other Domain
> Member:
>
> # getent passwd HPRS\\mark
> HPRS\mark:*:11105:10513:Mark Foley:/home/mark:/bin/bash
>
> winbindd is running and the /etc/nsswitch.conf file has been
> appropriately modified. The only config difference I know of between
> this member and the one where getent works is that in
> /etc/samba/smb.conf I added:
>
> username map = /var/lib/samba/etc/user.map
>
> and in /var/lib/samba/etc/user.map I have:
>
> !root = hprs\Administrator
> uid = 0
>
> wbinfo -u and wbinfo -g do work. Any idea why my getent doesn't work?

If smb.conf is set up correctly and winbind is running (which it seems
it is), then, have you set up the libnss winbind links?

Rowland
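The libnss chain Rowland asks about can be checked rather than assumed. The script below is an added example, not code from this thread or from the Samba project: it separates the dependencies of a working "getent passwd DOMAIN\user" on a member (winbind listed on the passwd and group lines of /etc/nsswitch.conf, libnss_winbind.so.2 visible to the dynamic linker, winbindd answering) and compares a lookup through NSS with the same lookup through winbind's own pipe (wbinfo -i), which tells you which hop is broken. The account HPRS\mark is the one from the thread; the sample nsswitch.conf content inside demo_constructed is constructed for the example, and the standard paths and tools (/etc/nsswitch.conf, ldconfig, wbinfo) are assumed to be the usual ones.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): diagnose why
# "getent passwd DOMAIN\user" returns nothing on a Samba domain member.
# getent -> glibc NSS -> libnss_winbind.so.2 -> winbindd pipe -> AD.
# wbinfo talks to winbindd directly and skips NSS, so the two lookups
# together localise the failing hop.

# nss_has_winbind FILE DB: succeed if the "DB:" line of FILE (an
# nsswitch.conf) lists the winbind source. DB is passwd or group.
nss_has_winbind() {
    grep -E "^[[:space:]]*$2:" "$1" \
        | grep -qE '(^|[[:space:]])winbind([[:space:]]|$)'
}

# find_libnss_winbind DIR...: print the first DIR/libnss_winbind.so.2 that
# exists. glibc loads NSS modules only from the linker's search path, which
# is what the wiki's "libnss winbind links" step arranges.
find_libnss_winbind() {
    for d in "$@"; do
        if [ -e "$d/libnss_winbind.so.2" ]; then
            printf '%s\n' "$d/libnss_winbind.so.2"
            return 0
        fi
    done
    return 1
}

# demo_constructed: exercise the parser on a constructed nsswitch.conf
# (sample input, not a real system file). Returns 0 when a file that lists
# winbind is detected and one that only lists compat is rejected.
demo_constructed() {
    tmp=$(mktemp) || return 1
    printf 'passwd: files winbind\ngroup: files winbind\n' > "$tmp"
    nss_has_winbind "$tmp" passwd || { rm -f "$tmp"; return 1; }
    printf 'passwd: compat\n# passwd: files winbind\n' > "$tmp"
    if nss_has_winbind "$tmp" passwd; then rm -f "$tmp"; return 1; fi
    rm -f "$tmp"
    return 0
}

# member_checks [USER]: the live diagnostic, run as root on the member.
# Prints one line per failed check and nothing when everything is in place.
member_checks() {
    user="${1:-HPRS\\mark}"   # account from the thread
    nss_has_winbind /etc/nsswitch.conf passwd \
        || echo "nsswitch.conf: passwd line does not list winbind"
    nss_has_winbind /etc/nsswitch.conf group \
        || echo "nsswitch.conf: group line does not list winbind"
    # ldconfig -p lists the linker cache; a module present on disk but not
    # listed here needs a link into a cached directory followed by ldconfig.
    ldconfig -p 2>/dev/null | grep -q 'libnss_winbind\.so\.2' \
        || echo "libnss_winbind.so.2 is not in the ldconfig cache"
    wbinfo -p >/dev/null 2>&1 \
        || echo "winbindd does not answer wbinfo -p"
    # wbinfo -i bypasses NSS: if it resolves the user while getent does not,
    # the fault is between NSS and the module, not in the join or AD.
    if wbinfo -i "$user" >/dev/null 2>&1; then
        getent passwd "$user" >/dev/null \
            || echo "winbind resolves $user but NSS does not: check nsswitch.conf and the module"
    else
        echo "winbind itself cannot resolve $user: check smb.conf and the join"
    fi
}

# Run the live checks only when invoked with "run", so the file can also be
# sourced for its functions or used for the constructed self-check.
if [ "${1:-}" = "run" ]; then
    member_checks "$2"
fi
```

Saved to a file and run as root with the argument run (and optionally the DOMAIN\user to test), it prints only what is missing; an empty result with a still-failing getent points at something outside this chain.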
On Sun Apr 28 03:42:51 2024 Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> On Sat, 27 Apr 2024 20:38:34 -0400
> Mark Foley via samba <samba at lists.samba.org> wrote:
>
> > I've successfully joined two Linux Domain Members to two different
> > Domains. Now, I'm joining a second Linux host as a Domain Member to a
> > Samba4 (4.18.9) Domain. I'm having some possible issues this time.
> >
> > Issue #1 Reverse Zone
> >
> > On the SambaWiki:
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member,
> > under 2.5 Forward Lookup, no problem:
> >
> > # host mail
> > mail.hprs.local has address 192.168.0.2
> >
> > 2.6 Reverse Lookup is not working:
> >
> > # host 192.168.0.2
> > Host 2.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
> >
> > This is true for the other Linux domain member as well. I did create
> > the reverse zone when provisioning the DC, and when I get a zonelist
> > on the DC it does show the reverse zone (I think):
> >
> > # samba-tool dns zonelist mail
> >
> > pszZoneName : 0.168.192.in-addr.arpa <----
> > Flags : DNS_RPC_ZONE_DSINTEGRATED
> > DNS_RPC_ZONE_UPDATE_SECURE
> > ZoneType : DNS_ZONE_TYPE_PRIMARY
> > Version : 50
> > dwDpFlags : DNS_DP_AUTOCREATED
> > DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
> > pszDpFqdn : DomainDnsZones.hprs.local
> >
> > What's up here and is this a problem?
>
> Linux dhcp has no direct method to add/update a computer's reverse
> record in AD, you either need to use a script called by your dhcp
> server, or add them manually.

So creating the reverse zone:

  samba-tool dns zonecreate mail 0.168.192.in-addr.arpa

per the Wiki
https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller#Create_a_reverse_zone
has no effect on subdomain members? I would have to create individual
rDNS records for each host:

  samba-tool dns zonecreate mail 3.168.192.in-addr.arpa

right? What then is the point of creating the reverse zone for
192.168.0.0/24?

> > Issue #2: "DNS Update failed"
> >
> > When joining the domain member, it joins (I think), but I get "DNS
> > update failed" messages:
> >
> > # net ads join -U Administrator
> > Using short domain name -- HPRS
> > Joined 'WEBSERVER' to dns domain 'hprs.local'
> > DNS Update for webserver.hprs.local failed: ERROR_DNS_UPDATE_FAILED
> > DNS update failed: NT_STATUS_UNSUCCESSFUL
> >
> > I'm hoping this is just because I had added an A record for this host
> > back when I provisioned the domain (and this host was not a domain
> > member). In fact, at the time I added A records for all the
> > non-Domain-Member Linux hosts and other devices (like network
> > printers). I'm hoping this is not a real error, but is basically
> > saying the A record already exists and it can't "update" the DNS. If
> > so, a less scary message would be nice. Please advise.
>
> This is probably down to a dns problem, I usually give my servers a
> fixed IP and then add the machine's dns info to /etc/hosts:
>
> IPADDRESS FQDN SHORT_HOSTNAME
>
> I never have the problem you are having.
>
> If you do not want to set a fixed ip, then ensure that your dhcp server
> is supplying all the required dns data and that your server knows it.

I've never had this problem either. I've joined Linux members in the
past to both Samba DCs and Windows DCs. I've tried unjoining and
re-joining with:

  # samba-tool domain join hprs.local MEMBER -U administrator
  DNS Update for webserver.hprs.local failed: ERROR_DNS_UPDATE_FAILED
  DNS update failed: NT_STATUS_UNSUCCESSFUL
  Joined domain hprs.local (S-1-5-21-1179323223-1906255692-291620936)

but still get that update failed message, even though it says, "Joined
domain." This host is set up for a fixed IP address.

> I also hope that '.local' is a placeholder for the real TLD.

Nope. No choice in that. This domain started originally as a Windows
SBS domain and that hprs.local was the way it was configured, long
before I arrived on the scene. I have posts on this list describing my
efforts to change the domain when I re-provisioned from scratch, but
the hprs.local is scatter-shotted throughout all the Windows domain
members' registries and attempts to change that failed.

> > Issue #3: getent not working
> >
> > After joining this Domain Member I ran the getent test:
> >
> > # getent passwd HPRS\\mark
> >
> > Nothing came back. I do get results if I run it on the other Domain
> > Member:
> >
> > # getent passwd HPRS\\mark
> > HPRS\mark:*:11105:10513:Mark Foley:/home/mark:/bin/bash
> >
> > winbindd is running and the /etc/nsswitch.conf file has been
> > appropriately modified. The only config difference I know of between
> > this member and the one where getent works is that in
> > /etc/samba/smb.conf I added:
> >
> > username map = /var/lib/samba/etc/user.map
> >
> > and in /var/lib/samba/etc/user.map I have:
> >
> > !root = hprs\Administrator
> > uid = 0
> >
> > wbinfo -u and wbinfo -g do work. Any idea why my getent doesn't work?
>
> If smb.conf is set up correctly and winbind is running (which it seems
> it is), then, have you set up the libnss winbind links?
>
> Rowland

I've previously joined several Linux domain members and I've never had
to manually set libnss links. The wiki
https://wiki.samba.org/index.php/Libnss_winbind_Links says, "You only
need to do this if you compiled Samba yourself, otherwise your distro
will provide packages to do this for you." I did not compile samba
myself. I am using the Slackware 15.0 distro of Samba 4.18.9. The lib
/usr/lib64/libnss_winbind.so.2 is the only winbind.so* that exists on
any of these computers and getent works on the DC and the other domain
member. I don't think there is anything else I can link.

  # smbd -b | grep LIBDIR
  LIBDIR: /usr/lib64

getent still doesn't work.

In addition, the share I've created in smb.conf isn't working and I
think it is related to this problem. Basically I moved another share
definition from another domain member to this new member (which was the
point of creating this new member). With the share hosted on the
original member, there was no problem. The map-drive function used the
user's domain credentials without asking and the drive mapped. On this
new domain member, Windows users mapping this drive are asked to enter
credentials. And, once having done so the credentials are invalid --
even though they are valid domain user credentials. The windows
computer says, "The mapped network drive could not be created because
the following error has occurred: The network login failed." I don't
know what's going wrong. I joined this domain member exactly like the
others as far as I can tell.
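The two DNS questions in the thread, whether the 0.168.192.in-addr.arpa zone does anything and what the DC already holds for the forward name the join tried to update, come down to how reverse records are keyed. A reverse zone for 192.168.0.0/24 is a container: a lookup of 192.168.0.2 asks for the name 2.0.168.192.in-addr.arpa, and the DC answers NXDOMAIN until a PTR record named 2 exists inside that zone. So there is one zone per /24 and one PTR record per host inside it, created with samba-tool dns add rather than zonecreate. The script below is an added example, not code from this thread or from the Samba project: it derives the zone and record label from an address, wraps samba-tool dns add ... PTR (the call a DHCP lease hook of the kind Rowland mentions would make), and wraps samba-tool dns query for inspecting the forward A record. The server name mail, the domain hprs.local, the addresses and the Administrator account are the thread's; the DHCP hook wiring and the SAMBA_TOOL override are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): build and apply
# reverse (PTR) records in a Samba AD DNS zone, and query a forward record.
#
# A reverse zone covers a whole block. For 192.168.0.0/24 the zone is
# 0.168.192.in-addr.arpa and the host 192.168.0.2 is the record named "2"
# inside it; until that record exists, "host 192.168.0.2" gets NXDOMAIN.

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"   # set to "echo" for a dry run

# split_ip IP: set o1..o4 to the four octets of a dotted IPv4 address.
split_ip() {
    o1=${1%%.*}; rest=${1#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
}

# reverse_zone IP PREFIXLEN: print the in-addr.arpa zone that holds IP.
# Only octet-aligned prefixes (8, 16, 24) map onto a single classic zone.
reverse_zone() {
    split_ip "$1"
    case "$2" in
        8)  printf '%s.in-addr.arpa\n' "$o1" ;;
        16) printf '%s.%s.in-addr.arpa\n' "$o2" "$o1" ;;
        24) printf '%s.%s.%s.in-addr.arpa\n' "$o3" "$o2" "$o1" ;;
        *)  echo "reverse_zone: prefix /$2 is not octet-aligned" >&2; return 1 ;;
    esac
}

# ptr_label IP PREFIXLEN: print the record name of IP inside that zone
# (the host part of the address, octets reversed).
ptr_label() {
    split_ip "$1"
    case "$2" in
        8)  printf '%s.%s.%s\n' "$o4" "$o3" "$o2" ;;
        16) printf '%s.%s\n' "$o4" "$o3" ;;
        24) printf '%s\n' "$o4" ;;
        *)  return 1 ;;
    esac
}

# ptr_add SERVER IP FQDN PREFIXLEN [USER]: create the PTR record on the DC.
# This is the call a DHCP lease-commit hook would make with the leased IP
# and the client's FQDN; how the hook is wired is DHCP-server specific and
# assumed here, only the samba-tool invocation is shown.
ptr_add() {
    zone=$(reverse_zone "$2" "$4") || return 1
    label=$(ptr_label "$2" "$4")
    "$SAMBA_TOOL" dns add "$1" "$zone" "$label" PTR "$3" -U "${5:-Administrator}"
}

# a_query SERVER DOMAIN HOST [USER]: show what the DC holds for the forward
# name, e.g. an A record added by hand before the host was joined.
a_query() {
    "$SAMBA_TOOL" dns query "$1" "$2" "$3" A -U "${4:-Administrator}"
}

# Live use with the thread's names (run on a host that can reach the DC):
#   ptr_add mail 192.168.0.2 mail.hprs.local 24
#   host 192.168.0.2
#   a_query mail hprs.local webserver
```

With SAMBA_TOOL=echo the functions print the exact command they would run, which is a convenient way to review a hook before pointing it at the DC; the zone itself only needs creating once, and each host then gets its own PTR record inside it.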