It was systemd-resolved. I disabled that. Now samba is binding to the port.

But I'm still getting the dnsupdate failure.

And, I can't ping anything. I get the "unknown host or service" error. So names are not getting resolved on the machine. I have to admit to complete ignorance about how this part of Linux works. When running systemd-networkd, what normally does name resolution? Or can systemd-networkd do it without listening on port 53? This works on my older DCs, which are not running systemd-resolved.

Steve

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Monday, February 10, 2025 1:36 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Problems after DC upgrade

On Mon, 10 Feb 2025 02:24:31 +0000
Stephen Brandli via samba <samba at lists.samba.org> wrote:

> Well, it almost went okay.
>
> Thumbnail: I had two DCs, running the latest in buster. I created a
> new one running bookworm and 4.21.3. I joined the new machine as a
> DC. I then transferred the FSMO roles from one of the old ones and
> demoted that one. My plan is to create a fourth new one and demote
> the other old one. But, two problems:
>
>
> 1. The dns on the new DC is not responding. It did when I got it
> started, but in a reboot, it stopped responding. Don't know why it's
> trying to bind to 0.0.0.0. The hosts is set up correctly. Log:

0.0.0.0 is another way of saying 'all IPv4 on this machine'

>
> Feb 09 18:11:11 minister2 samba[88]: dnsupdate_nameupdate_done:
> Failed DNS update with exit code 26

That explains your missing dns records, samba_dnsupdate cannot add them.

> Feb 09 18:11:11 minister2
> samba[88]: [2025/02/09 18:11:11.816359, 0]
> source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done) Feb 09
> 18:01:10 minister2 samba[88]: dnsupdate_nameupdate_done: Failed DNS
> update with exit code 26 Feb 09 18:01:10 minister2 samba[88]:
> [2025/02/09 18:01:10.720661, 0]
> source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done) Feb 09
> 18:01:07 minister2 winbindd[80]: Copyright Andrew Tridgell and the
> Samba Team 1992-2024 Feb 09 18:01:07 minister2 winbindd[80]:
> winbindd version 4.21.3-Debian-4.21.3+dfsg-6~bpo12+1 started. Feb 09
> 18:01:07 minister2 winbindd[80]: [2025/02/09 18:01:07.051147, 0]
> source3/winbindd/winbindd.c:1447(main) Feb 09 18:01:07 minister2
> samba[90]: Failed to bind to 0.0.0.0:53 TCP -
> NT_STATUS_ADDRESS_ALREADY_ASSOCIATED

Could it be that something like Bind9 is also running?
If that is the case, when you joined the new DC, did you add '--dns-backend=BIND9_DLZ'?
If you didn't, you now have two choices, either turn off Bind9 or run samba_upgradedns to change to Bind9 instead of the builtin dns server, see here:

https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

You need to remove the symlink /etc/resolv.conf (probably points to /run/systemd/resolved/stub-resolv.conf) and create a new /etc/resolv.conf that has your DC as nameserver.

On Mon, 10 Feb 2025 at 15:57, Stephen Brandli via samba <samba at lists.samba.org> wrote:

> It was systemd-resolved. I disabled that. Now samba is binding to the
> port.
>
> But I'm still getting the dnsupdate failure.
>
> And, I can't ping anything. I get the "unknown host or service" error.
> So names are not getting resolved on the machine. I have to admit to
> complete ignorance about how this part of Linux works. When running
> systemd-networkd, what normally does name resolution? Or can
> systemd-networkd do it without listening on port 53? This works on my
> older DCs, which are not running systemd-resolved.
>
> Steve

On Mon, 10 Feb 2025 14:56:02 +0000
Stephen Brandli <steve at brandli.com> wrote:

> It was systemd-resolved. I disabled that. Now samba is binding to
> the port.
>
> But I'm still getting the dnsupdate failure.
>
> And, I can't ping anything. I get the "unknown host or service"
> error. So names are not getting resolved on the machine. I have to
> admit to complete ignorance about how this part of Linux works. When
> running systemd-networkd, what normally does name resolution? Or can
> systemd-networkd do it without listening on port 53? This works on
> my older DCs, which are not running systemd-resolved.

On a Samba AD DC, it is the DC that is authoritative for the AD dns domain, that is, every DC must use itself as its nameserver, so if your dns domain is 'samdom.example.com' and the DC IP address is 192.168.1.2, then /etc/resolv.conf should just contain this:

search samdom.example.com
nameserver 192.168.1.2

If you are using the Samba internal dns server, you will require a line like 'dns forwarder = 8.8.8.8' in the DC's smb.conf file (other internet nameservers are available). If using Bind9, you require a similar line in its named.conf file.

You should only run either Bind9 or the Samba internal dns server on a Samba AD DC, they are the only ones able to 'talk' to the DNS records stored in AD.

Rowland

PS Please do not 'CC' me, just reply to the list.

Update:

I had resolv.conf pointing to my dns servers on different machines, which serve other domains including brandli.com and have entries for the name servers of the ADS domain (domain.brandli.com). I changed the pointer in resolv.conf to the local IP address, i.e. the samba internal dns. Now it resolves fully qualified names but not short names. I gather it does not look at the "search" records in resolv.conf, but I don't know. I've set "dns resolver" in samba.conf.

resolv.conf (.8 is the local server)

nameserver 10.65.187.8
options edns0 trust-ad
search domain.brandli.com internal.brandli.com
search domain.brandlilaw.com internal.brandlilaw.com
search brandli.com brandlilaw.com

nsswitch.conf had "hosts: files myhostname resolve [!UNAVAIL=return] dns" but I changed it to "hosts: files dns" just in case.

Still getting the dnsupdate_nameupdate error.

Steve
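
Added example (not part of any message in this thread): a POSIX shell check of the points the replies raise about /etc/resolv.conf on a DC, namely a static file rather than the systemd-resolved symlink, the DC itself as the only nameserver, and the AD domain present in the search list glibc actually uses (per resolv.conf(5), only the last `search` line counts). The function names are hypothetical, and the sample file is rebuilt from the update above with one directive per line assumed.

```shell
#!/bin/sh
# Added example: check a DC's resolv.conf against the advice in this thread.
# Function names are illustrative; the sample file is rebuilt from the post.

# glibc uses only the LAST "search" line when several are present.
effective_search() {
    awk '$1 == "search" { $1 = ""; sub(/^ +/, ""); last = $0 } END { print last }' "$1"
}

# All nameserver addresses, space-separated, in file order.
nameservers() {
    awk '$1 == "nameserver" { printf "%s%s", sep, $2; sep = " " } END { print "" }' "$1"
}

# usage: audit_resolv FILE DC_IP AD_DOMAIN ; returns 0 only if every check passes
audit_resolv() {
    file=$1; dc_ip=$2; domain=$3; rc=0
    if [ -L "$file" ]; then
        echo "FAIL: $file is a symlink to $(readlink "$file"), not a static file"; rc=1
    fi
    ns=$(nameservers "$file")
    if [ "$ns" != "$dc_ip" ]; then
        echo "FAIL: nameserver(s) '$ns', expected only the DC itself ($dc_ip)"; rc=1
    fi
    count=$(awk '$1 == "search" { n++ } END { print n + 0 }' "$file")
    if [ "$count" -gt 1 ]; then
        echo "WARN: $count search lines, only the last one is used"
    fi
    used=$(effective_search "$file")
    case " $used " in
        *" $domain "*) ;;
        *) echo "FAIL: '$domain' not in effective search list '$used'"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed sample: the resolv.conf quoted in the update above, one
# directive per line (the line breaks are an assumption).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
nameserver 10.65.187.8
options edns0 trust-ad
search domain.brandli.com internal.brandli.com
search domain.brandlilaw.com internal.brandlilaw.com
search brandli.com brandlilaw.com
EOF

audit_resolv "$sample" 10.65.187.8 domain.brandli.com || echo "resolv.conf needs attention"
```

On a real DC the call would be `audit_resolv /etc/resolv.conf <DC IP> <AD dns domain>`; a single `search` line listing every wanted domain passes the last check.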