samba - Jun 2024 - Member server: Failed to join domain: failed to find DC for

Agree.

But I don?t think it is. See:

root at member:/# cat /etc/hostname
member

root at member:/# cat /etc/hosts
127.0.0.1 localhost
192.168.3.1 member.mad.mater.int member

root at member:/# cat /etc/resolv.conf
search mad.mater.int
nameserver 192.168.0.12 -> DC1
nameserver 192.168.0.13 -> DC2
nameserver 192.168.0.14 -> DC3
nameserver 192.168.0.62 -> DC4

root at member:/# cat /etc/krb5.conf
[libdefaults]
?default_realm = MAD.MATER.INT
?dns_lookup_realm = false
?dns_lookup_kdc = true


root at member:/# cat /etc/samba/smb.conf
# Global parameters
[global]
?security = ADS
?workgroup = MAD
?realm = MAD.MATER.INT
?netbios name = MEMBER
?server role = member server
?log file = /var/log/samba/%m.log


# Disable Netbios
?disable netbios = yes

# Enforce minimum protolo SMB3
# server min protocol = SMB3

# To enable Group Policy application in winbind,
?apply group policies = yes


# Default ID mapping configuration for local BUILTIN accounts
?idmap config * : backend = tdb
?idmap config * : range = 3000-7999


# idmap config for the MAD domain
?idmap config MAD : backend = ad
?idmap config MAD : schema_mode = rfc2307
?idmap config MAD : range = 10000-999999
?idmap config MAD : unix_nss_info = yes

# Read AD unix attributes to allow ssh login to server:
# winbind nss info = rfc2307


# winbind config:
?winbind use default domain = yes



# renew the kerberos ticket
?winbind refresh tickets = yes
?dedicated keytab file = /etc/krb5.keytab
?kerberos method = secrets and keytab

# Map Administrator to root
# username map = /etc/samba/user.map
# min domain uid = 0


# To configure shares using extended access control lists (ACL)
?vfs objects = acl_xattr
# map acl inherit = yes
?acl_xattr:ignore system acls = yes


[test]
?hide unreadable = Yes
?path = /test
?read only = No



root at member:/# host -t SRV _ldap._tcp.mad.mater.int
_ldap._tcp.mad.mater.int has SRV record 0 100 389 bwing.mad.mater.int.
_ldap._tcp.mad.mater.int has SRV record 0 100 389 awing.mad.mater.int.
_ldap._tcp.mad.mater.int has SRV record 0 100 389 dwing.mad.mater.int.
_ldap._tcp.mad.mater.int has SRV record 0 100 389 cwing.mad.mater.int.

root at member:/# host -t SRV _ldap._tcp.mad.mater.int
_ldap._tcp.mad.mater.int has SRV record 0 100 389 bwing.mad.mater.int.
_ldap._tcp.mad.mater.int has SRV record 0 100 389 awing.mad.mater.int.
_ldap._tcp.mad.mater.int has SRV record 0 100 389 dwing.mad.mater.int.
_ldap._tcp.mad.mater.int has SRV record 0 100 389 cwing.mad.mater.int.

root at member:/# host -t SRV _kerberos._udp.mad.mater.int
_kerberos._udp.mad.mater.int has SRV record 0 100 88 bwing.mad.mater.int.
_kerberos._udp.mad.mater.int has SRV record 0 100 88 awing.mad.mater.int.
_kerberos._udp.mad.mater.int has SRV record 0 100 88 dwing.mad.mater.int.
_kerberos._udp.mad.mater.int has SRV record 0 100 88 cwing.mad.mater.int.


Tried again:

root at member:/# net ads leave domain -Uadministrator
Password for [MAD\administrator]:
Deleted account for 'MEMBER' in realm 'MAD.MATER.INT'

root at member:/# net ads join domain -Uadministrator
Password for [MAD\administrator]:
Failed to join domain: failed to find DC for domain domain - A domain controller
for this domain was not found.

root at member:/# samba-tool domain join MEMBER -Uadministrator
WARNING: Using passwords on command line is insecure. Installing the
setproctitle python module will hide these from shortly after program start.
Password for [MAD\administrator]:
ERROR(runtime): uncaught exception - (2453, 'failed to find DC for domain
MAD - The request is not supported.')
?File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
285, in _run
?return self.run(*args, **kwargs)
?^^^^^^^^^^^^^^^^^^^^^^^^^
?File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py",
line 121, in run
?(sid, domain_name) = s3_net.join_member(netbios_name,


root at member:/# samba-tool domain join mad.mater.int MEMBER -Uadministrator
WARNING: Using passwords on command line is insecure. Installing the
setproctitle python module will hide these from shortly after program start.
Password for [MAD\administrator]:
DNS Update for member.mad.mater.int failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
Joined domain mad.mater.int (S-1-5-21-2152908145-95474353-1514027631)


I am a bit lost to be honest.

LP
On Jun 9, 2024 at 09:13 +0100, samba at lists.samba.org <samba at
lists.samba.org>, wrote:
>
> This all sounds dns related, can you post the contents of these files:
>
> /etc/hostname
> /etc/hosts
> /etc/resolv.conf
> /etc/krb5.conf
>
> What OS is this ?
>
> Rowland

And Bookwork with samba from back ports 4.20.1

LP
On Jun 9, 2024 at 10:20 +0100, Luis Peromarta <lperoma at icloud.com>,
wrote:
> Agree.
>
> But I don?t think it is. See:
>
> root at member:/# cat /etc/hostname
> member
>
> root at member:/# cat /etc/hosts
> 127.0.0.1 localhost
> 192.168.3.1 member.mad.mater.int member
>
> root at member:/# cat /etc/resolv.conf
> search mad.mater.int
> nameserver 192.168.0.12 -> DC1
> nameserver 192.168.0.13 -> DC2
> nameserver 192.168.0.14 -> DC3
> nameserver 192.168.0.62 -> DC4
>
> root at member:/# cat /etc/krb5.conf
> [libdefaults]
> ?default_realm = MAD.MATER.INT
> ?dns_lookup_realm = false
> ?dns_lookup_kdc = true
>
>
> root at member:/# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> ?security = ADS
> ?workgroup = MAD
> ?realm = MAD.MATER.INT
> ?netbios name = MEMBER
> ?server role = member server
> ?log file = /var/log/samba/%m.log
>
>
> # Disable Netbios
> ?disable netbios = yes
>
> # Enforce minimum protolo SMB3
> # server min protocol = SMB3
>
> # To enable Group Policy application in winbind,
> ?apply group policies = yes
>
>
> # Default ID mapping configuration for local BUILTIN accounts
> ?idmap config * : backend = tdb
> ?idmap config * : range = 3000-7999
>
>
> # idmap config for the MAD domain
> ?idmap config MAD : backend = ad
> ?idmap config MAD : schema_mode = rfc2307
> ?idmap config MAD : range = 10000-999999
> ?idmap config MAD : unix_nss_info = yes
>
> # Read AD unix attributes to allow ssh login to server:
> # winbind nss info = rfc2307
>
>
> # winbind config:
> ?winbind use default domain = yes
>
>
>
> # renew the kerberos ticket
> ?winbind refresh tickets = yes
> ?dedicated keytab file = /etc/krb5.keytab
> ?kerberos method = secrets and keytab
>
> # Map Administrator to root
> # username map = /etc/samba/user.map
> # min domain uid = 0
>
>
> # To configure shares using extended access control lists (ACL)
> ?vfs objects = acl_xattr
> # map acl inherit = yes
> ?acl_xattr:ignore system acls = yes
>
>
> [test]
> ?hide unreadable = Yes
> ?path = /test
> ?read only = No
>
>
>
> root at member:/# host -t SRV _ldap._tcp.mad.mater.int
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 bwing.mad.mater.int.
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 awing.mad.mater.int.
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 dwing.mad.mater.int.
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 cwing.mad.mater.int.
>
> root at member:/# host -t SRV _ldap._tcp.mad.mater.int
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 bwing.mad.mater.int.
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 awing.mad.mater.int.
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 dwing.mad.mater.int.
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 cwing.mad.mater.int.
>
> root at member:/# host -t SRV _kerberos._udp.mad.mater.int
> _kerberos._udp.mad.mater.int has SRV record 0 100 88 bwing.mad.mater.int.
> _kerberos._udp.mad.mater.int has SRV record 0 100 88 awing.mad.mater.int.
> _kerberos._udp.mad.mater.int has SRV record 0 100 88 dwing.mad.mater.int.
> _kerberos._udp.mad.mater.int has SRV record 0 100 88 cwing.mad.mater.int.
>
>
> Tried again:
>
> root at member:/# net ads leave domain -Uadministrator
> Password for [MAD\administrator]:
> Deleted account for 'MEMBER' in realm 'MAD.MATER.INT'
>
> root at member:/# net ads join domain -Uadministrator
> Password for [MAD\administrator]:
> Failed to join domain: failed to find DC for domain domain - A domain
controller for this domain was not found.
>
> root at member:/# samba-tool domain join MEMBER -Uadministrator
> WARNING: Using passwords on command line is insecure. Installing the
setproctitle python module will hide these from shortly after program start.
> Password for [MAD\administrator]:
> ERROR(runtime): uncaught exception - (2453, 'failed to find DC for
domain MAD - The request is not supported.')
> ?File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
line 285, in _run
> ?return self.run(*args, **kwargs)
> ?^^^^^^^^^^^^^^^^^^^^^^^^^
> ?File
"/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py", line
121, in run
> ?(sid, domain_name) = s3_net.join_member(netbios_name,
>
>
> root at member:/# samba-tool domain join mad.mater.int MEMBER
-Uadministrator
> WARNING: Using passwords on command line is insecure. Installing the
setproctitle python module will hide these from shortly after program start.
> Password for [MAD\administrator]:
> DNS Update for member.mad.mater.int failed: ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
> Joined domain mad.mater.int (S-1-5-21-2152908145-95474353-1514027631)
>
>
> I am a bit lost to be honest.
>
> LP
> On Jun 9, 2024 at 09:13 +0100, samba at lists.samba.org <samba at
lists.samba.org>, wrote:
> >
> > This all sounds dns related, can you post the contents of these files:
> >
> > /etc/hostname
> > /etc/hosts
> > /etc/resolv.conf
> > /etc/krb5.conf
> >
> > What OS is this ?
> >
> > Rowland

On Sun, 9 Jun 2024 10:20:46 +0100
Luis Peromarta <lperoma at icloud.com> wrote:
> Agree.
> 
> But I don?t think it is. See:
> 
> root at member:/# cat /etc/hostname
> member
> 
> root at member:/# cat /etc/hosts
> 127.0.0.1 localhost
> 192.168.3.1 member.mad.mater.int member
> 
> root at member:/# cat /etc/resolv.conf
> search mad.mater.int
> nameserver 192.168.0.12 -> DC1
> nameserver 192.168.0.13 -> DC2
> nameserver 192.168.0.14 -> DC3
> nameserver 192.168.0.62 -> DC4
> 
> root at member:/# cat /etc/krb5.conf
> [libdefaults]
> ?default_realm = MAD.MATER.INT
> ?dns_lookup_realm = false
> ?dns_lookup_kdc = true
> 
> 
> root at member:/# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> ?security = ADS
> ?workgroup = MAD
> ?realm = MAD.MATER.INT
> ?netbios name = MEMBER
> ?server role = member server
> ?log file = /var/log/samba/%m.log
> 
> 
> # Disable Netbios
> ?disable netbios = yes
> 
> # Enforce minimum protolo SMB3
> # server min protocol = SMB3
> 
> # To enable Group Policy application in winbind,
> ?apply group policies = yes
> 
> 
> # Default ID mapping configuration for local BUILTIN accounts
> ?idmap config * : backend = tdb
> ?idmap config * : range = 3000-7999
> 
> 
> # idmap config for the MAD domain
> ?idmap config MAD : backend = ad
> ?idmap config MAD : schema_mode = rfc2307
> ?idmap config MAD : range = 10000-999999
> ?idmap config MAD : unix_nss_info = yes
> 
> # Read AD unix attributes to allow ssh login to server:
> # winbind nss info = rfc2307
> 
> 
> # winbind config:
> ?winbind use default domain = yes
> 
> 
> 
> # renew the kerberos ticket
> ?winbind refresh tickets = yes
> ?dedicated keytab file = /etc/krb5.keytab
> ?kerberos method = secrets and keytab
> 
> # Map Administrator to root
> # username map = /etc/samba/user.map
> # min domain uid = 0
> 
> 
> # To configure shares using extended access control lists (ACL)
> ?vfs objects = acl_xattr
> # map acl inherit = yes
> ?acl_xattr:ignore system acls = yes
> 
> 
> [test]
> ?hide unreadable = Yes
> ?path = /test
> ?read only = No
> 
> 
> 
> root at member:/# host -t SRV _ldap._tcp.mad.mater.int
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 bwing.mad.mater.int.
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 awing.mad.mater.int.
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 dwing.mad.mater.int.
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 cwing.mad.mater.int.
> 
> root at member:/# host -t SRV _ldap._tcp.mad.mater.int
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 bwing.mad.mater.int.
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 awing.mad.mater.int.
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 dwing.mad.mater.int.
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 cwing.mad.mater.int.
> 
> root at member:/# host -t SRV _kerberos._udp.mad.mater.int
> _kerberos._udp.mad.mater.int has SRV record 0 100 88
> bwing.mad.mater.int. _kerberos._udp.mad.mater.int has SRV record 0
> 100 88 awing.mad.mater.int. _kerberos._udp.mad.mater.int has SRV
> record 0 100 88 dwing.mad.mater.int. _kerberos._udp.mad.mater.int has
> SRV record 0 100 88 cwing.mad.mater.int.
> 
> 
> Tried again:
> 
> root at member:/# net ads leave domain -Uadministrator
> Password for [MAD\administrator]:
> Deleted account for 'MEMBER' in realm 'MAD.MATER.INT'
> 
> root at member:/# net ads join domain -Uadministrator
> Password for [MAD\administrator]:
> Failed to join domain: failed to find DC for domain domain - A domain
> controller for this domain was not found.
> 
> root at member:/# samba-tool domain join MEMBER -Uadministrator
> WARNING: Using passwords on command line is insecure. Installing the
> setproctitle python module will hide these from shortly after program
> start. Password for [MAD\administrator]: ERROR(runtime): uncaught
> exception - (2453, 'failed to find DC for domain MAD - The request is
> not supported.') File
> "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line
285,
> in _run return self.run(*args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^
> File
"/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py",
> line 121, in run (sid, domain_name) = s3_net.join_member(netbios_name,
> 
> 
> root at member:/# samba-tool domain join mad.mater.int MEMBER
> -Uadministrator WARNING: Using passwords on command line is insecure.
> Installing the setproctitle python module will hide these from
> shortly after program start. Password for [MAD\administrator]: DNS
> Update for member.mad.mater.int failed: ERROR_DNS_UPDATE_FAILED DNS
> update failed: NT_STATUS_UNSUCCESSFUL Joined domain mad.mater.int
> (S-1-5-21-2152908145-95474353-1514027631)
> 
> 
> I am a bit lost to be honest.

Okay, please run this command on the Unix domain member and post the
output:

samba-tool dns zonelist awing.mad.mater.int --reverse

Rowland