Rowland Penny
2024-Jun-09 10:43 UTC
[Samba] Member server: Failed to join domain: failed to find DC for
On Sun, 9 Jun 2024 10:20:46 +0100
Luis Peromarta <lperoma at icloud.com> wrote:

> Agree.
>
> But I don't think it is. See:
>
> root@member:/# cat /etc/hostname
> member
>
> root@member:/# cat /etc/hosts
> 127.0.0.1 localhost
> 192.168.3.1 member.mad.mater.int member
>
> root@member:/# cat /etc/resolv.conf
> search mad.mater.int
> nameserver 192.168.0.12 -> DC1
> nameserver 192.168.0.13 -> DC2
> nameserver 192.168.0.14 -> DC3
> nameserver 192.168.0.62 -> DC4
>
> root@member:/# cat /etc/krb5.conf
> [libdefaults]
>     default_realm = MAD.MATER.INT
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
>
> root@member:/# cat /etc/samba/smb.conf
> # Global parameters
> [global]
>     security = ADS
>     workgroup = MAD
>     realm = MAD.MATER.INT
>     netbios name = MEMBER
>     server role = member server
>     log file = /var/log/samba/%m.log
>
>
> # Disable Netbios
>     disable netbios = yes
>
> # Enforce minimum protolo SMB3
> # server min protocol = SMB3
>
> # To enable Group Policy application in winbind,
>     apply group policies = yes
>
>
> # Default ID mapping configuration for local BUILTIN accounts
>     idmap config * : backend = tdb
>     idmap config * : range = 3000-7999
>
>
> # idmap config for the MAD domain
>     idmap config MAD : backend = ad
>     idmap config MAD : schema_mode = rfc2307
>     idmap config MAD : range = 10000-999999
>     idmap config MAD : unix_nss_info = yes
>
> # Read AD unix attributes to allow ssh login to server:
> # winbind nss info = rfc2307
>
>
> # winbind config:
>     winbind use default domain = yes
>
>
>
> # renew the kerberos ticket
>     winbind refresh tickets = yes
>     dedicated keytab file = /etc/krb5.keytab
>     kerberos method = secrets and keytab
>
> # Map Administrator to root
> # username map = /etc/samba/user.map
> # min domain uid = 0
>
>
> # To configure shares using extended access control lists (ACL)
>     vfs objects = acl_xattr
> # map acl inherit = yes
>     acl_xattr:ignore system acls = yes
>
>
> [test]
>     hide unreadable = Yes
>     path = /test
>     read only = No
>
>
>
> root@member:/# host -t SRV _ldap._tcp.mad.mater.int
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 bwing.mad.mater.int.
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 awing.mad.mater.int.
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 dwing.mad.mater.int.
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 cwing.mad.mater.int.
>
> root@member:/# host -t SRV _ldap._tcp.mad.mater.int
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 bwing.mad.mater.int.
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 awing.mad.mater.int.
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 dwing.mad.mater.int.
> _ldap._tcp.mad.mater.int has SRV record 0 100 389 cwing.mad.mater.int.
>
> root@member:/# host -t SRV _kerberos._udp.mad.mater.int
> _kerberos._udp.mad.mater.int has SRV record 0 100 88 bwing.mad.mater.int.
> _kerberos._udp.mad.mater.int has SRV record 0 100 88 awing.mad.mater.int.
> _kerberos._udp.mad.mater.int has SRV record 0 100 88 dwing.mad.mater.int.
> _kerberos._udp.mad.mater.int has SRV record 0 100 88 cwing.mad.mater.int.
>
>
> Tried again:
>
> root@member:/# net ads leave domain -Uadministrator
> Password for [MAD\administrator]:
> Deleted account for 'MEMBER' in realm 'MAD.MATER.INT'
>
> root@member:/# net ads join domain -Uadministrator
> Password for [MAD\administrator]:
> Failed to join domain: failed to find DC for domain domain - A domain controller for this domain was not found.
>
> root@member:/# samba-tool domain join MEMBER -Uadministrator
> WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
> Password for [MAD\administrator]:
> ERROR(runtime): uncaught exception - (2453, 'failed to find DC for domain MAD - The request is not supported.')
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 285, in _run
>     return self.run(*args, **kwargs)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/dist-packages/samba/netcmd/domain/join.py", line 121, in run
>     (sid, domain_name) = s3_net.join_member(netbios_name,
>
>
> root@member:/# samba-tool domain join mad.mater.int MEMBER -Uadministrator
> WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
> Password for [MAD\administrator]:
> DNS Update for member.mad.mater.int failed: ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
> Joined domain mad.mater.int (S-1-5-21-2152908145-95474353-1514027631)
>
>
> I am a bit lost to be honest.

Okay, please run this command on the Unix domain member and post the output:

samba-tool dns zonelist awing.mad.mater.int --reverse

Rowland

Luis Peromarta
2024-Jun-09 10:52 UTC
[Samba] Member server: Failed to join domain: failed to find DC for
I have restored the container from an early snapshot. This has all bits installed, but no config and not joined.

I needed -U with a username. By the way my network is a /22

root@member:~# samba-tool dns zonelist awing.mad.mater.int --reverse -U"MAD\luis"
WARNING: Using passwords on command line is insecure. Installing the setproctitle python module will hide these from shortly after program start.
Password for [MAD\luis]:
  1 zone(s) found

  pszZoneName : 0.168.192.in-addr.arpa
  Flags : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType : DNS_ZONE_TYPE_PRIMARY
  Version : 50
  dwDpFlags : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn : DomainDnsZones.mad.mater.int

LP

On Jun 9, 2024 at 11:44 +0100, samba at lists.samba.org <samba at lists.samba.org>, wrote:
>
> samba-tool dns zonelist awing.mad.mater.int --reverse
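
Added example, not part of either message in the thread: a small check that takes the member address and /22 prefix quoted above together with the zonelist output, and reports which reverse zone the member's PTR record would belong to and which zones covering the network are absent from the list. The function names are hypothetical, and the script assumes reverse zones are kept at /24 granularity (N.168.192.in-addr.arpa style).

```python
import ipaddress

# Constructed from values quoted in the thread: the member's address with the
# /22 prefix length, and the one reverse zone the zonelist command returned.
MEMBER_IF = "192.168.3.1/22"
ZONES_ON_DC = ["0.168.192.in-addr.arpa"]


def norm(zone):
    """Lower-case a zone name and drop any trailing dot."""
    return zone.lower().rstrip(".")


def reverse_zones_for(network):
    """Return the /24-aligned in-addr.arpa zones covering an IPv4 network."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 networks are handled")
    if net.prefixlen > 24:  # smaller than a /24: use the enclosing /24 zone
        net = net.supernet(new_prefix=24)
    zones = []
    for sub in net.subnets(new_prefix=24):
        a, b, c, _ = str(sub.network_address).split(".")
        zones.append(f"{c}.{b}.{a}.in-addr.arpa")
    return zones


def zone_for_ptr(address, zones):
    """Return the listed zone that would hold the PTR for address, or None."""
    ptr = ipaddress.ip_address(address).reverse_pointer
    hits = [norm(z) for z in zones if ptr.endswith("." + norm(z))]
    return max(hits, key=len) if hits else None  # longest suffix wins


def report(interface, zones):
    """Compare the reverse zones an interface's network needs with those listed."""
    iface = ipaddress.ip_interface(interface)
    have = {norm(z) for z in zones}
    return {
        "network": str(iface.network),
        "ptr_name": iface.ip.reverse_pointer,
        "ptr_zone": zone_for_ptr(str(iface.ip), zones),
        "missing_zones": [z for z in reverse_zones_for(str(iface.network)) if z not in have],
    }


if __name__ == "__main__":
    for key, value in report(MEMBER_IF, ZONES_ON_DC).items():
        print(f"{key}: {value}")
```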