Stefan Kania
2025-Nov-03 19:30 UTC
[Samba] Join linux-client trixi not working no dns update
Hello to everyone,
I just set up a new domain for testing Samba 4.22 with Debian trixie. All
packages are direct from the distribution repository, no backport, no nothing
special.
I have two DCs that replicate everything; that is working fine. Then I try to join
a Linux client, also with trixie and packages from the Debian trixie repository.
Here is my smb.conf of the client:
---------
[global]
workgroup = example
realm = EXAMPLE.NET
security = ADS
winbind refresh tickets = Yes
winbind use default domain = yes
template shell = /bin/bash
idmap config * : range = 10000 - 19999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range = 1000000 - 1999999
interfaces = 192.168.56.33
bind interfaces only = yes
---------
Both DCs are added as "nameserver" to resolv.conf. The krb5.conf is:
---------
[libdefaults]
default_realm = EXAMPLE.NET
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
EXAMPLE.NET = {
default_domain = example.net
---------
I can get a ticket with "kinit administrator", and "host -t srv
_kerberos._tcp.example.net" gives me the two DCs.
Then I join:
----------
root@client01:~# net ads join -U administrator
Password for [EXAMPLE\administrator]:
Using short domain name -- EXAMPLE
Joined 'CLIENT01' to dns domain 'example.net'
gse_get_client_auth_token: gss_init_sec_context failed with [A parameter was
malformed Miscellaneous failure (see text): Success]
DNS Update for client01.example.net failed: ERROR_DNS_INVALID_MESSAGE
DNS update failed: NT_STATUS_UNSUCCESSFUL
----------
As you can see, the join is working, the account will be created:
-----------
root@dc01:~# samba-tool computer list
DC02$
DC01$
CLIENT01$
-----------
The object is replicated to the other DC
On the DC I see:
------------
Nov 03 20:13:59 dc01 named[821]: samba_dlz: starting transaction on zone
example.net
Nov 03 20:13:59 dc01 named[821]: client @0x7f3e52b31000 192.168.56.33#38638:
updating zone 'example.net/NONE': update unsuccessful:
client01.example.net/A: 'RRset exists (value dependent)' prerequisite
not satisfied (NXRRSET)
Nov 03 20:13:59 dc01 named[821]: samba_dlz: cancelling transaction on zone
example.net
Nov 03 20:13:59 dc01 named[821]: samba_dlz: spnego update failed
Nov 03 20:13:59 dc01 named[821]: client @0x7f3e52b31000 192.168.56.33#38638:
updating zone 'example.net/NONE': update failed: rejected by secure
update (REFUSED)
------------
If I try a "net ads dns register -U administrator" the same result
_:-(
Any idea ?
Stefan
Rowland Penny
2025-Nov-03 19:57 UTC
[Samba] Join linux-client trixi not working no dns update
On Mon, 3 Nov 2025 20:30:53 +0100 Stefan Kania via samba <samba at lists.samba.org> wrote:
> Hello to everyone,
>
> I just set up a new domain for testing Samba 4.22 with Debian trixie.
> All packages are direct from the distribution repository, no backport,
> no nothing special.
>
> I have two DCs that replicate everything; that is working fine. Then I
> try to join a Linux client, also with trixie and packages from the
> Debian trixie repository. Here is my smb.conf of the client:
> ---------
> [global]
> workgroup = example
> realm = EXAMPLE.NET
> security = ADS
> winbind refresh tickets = Yes
> winbind use default domain = yes
> template shell = /bin/bash
> idmap config * : range = 10000 - 19999
> idmap config EXAMPLE : backend = rid
> idmap config EXAMPLE : range = 1000000 - 1999999
> interfaces = 192.168.56.33
> bind interfaces only = yes
> ---------
>
> Both DCs are added as "nameserver" to resolv.conf. The krb5.conf is:
> ---------
> [libdefaults]
> default_realm = EXAMPLE.NET
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
> [realms]
> EXAMPLE.NET = {
> default_domain = example.net
> ---------
>
> I can get a ticket with "kinit administrator", and "host -t srv
> _kerberos._tcp.example.net" gives me the two DCs.
>
> Then I join:
> ----------
> root@client01:~# net ads join -U administrator
> Password for [EXAMPLE\administrator]:
> Using short domain name -- EXAMPLE
> Joined 'CLIENT01' to dns domain 'example.net'
> gse_get_client_auth_token: gss_init_sec_context failed with [A
> parameter was malformed Miscellaneous failure (see text): Success]
> DNS Update for client01.example.net failed: ERROR_DNS_INVALID_MESSAGE
> DNS update failed: NT_STATUS_UNSUCCESSFUL
> ----------
>
> As you can see, the join is working, the account will be created:
> -----------
> root@dc01:~# samba-tool computer list
> DC02$
> DC01$
> CLIENT01$
> -----------
> The object is replicated to the other DC
> On the DC I see:
> ------------
> Nov 03 20:13:59 dc01 named[821]: samba_dlz: starting transaction on
> zone example.net
> Nov 03 20:13:59 dc01 named[821]: client @0x7f3e52b31000
> 192.168.56.33#38638: updating zone 'example.net/NONE': update
> unsuccessful: client01.example.net/A: 'RRset exists (value
> dependent)' prerequisite not satisfied (NXRRSET)
> Nov 03 20:13:59 dc01 named[821]: samba_dlz: cancelling transaction on
> zone example.net
> Nov 03 20:13:59 dc01 named[821]: samba_dlz: spnego update failed
> Nov 03 20:13:59 dc01 named[821]: client @0x7f3e52b31000
> 192.168.56.33#38638: updating zone 'example.net/NONE': update failed:
> rejected by secure update (REFUSED)
> ------------
>
> If I try a "net ads dns register -U administrator" the same result
> _:-(
>
> Any idea ?
>
>
> Stefan
>

First thoughts, what is in /etc/hosts?

Rowland
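Rowland's question points at local name resolution on the client. As an added example (not from the thread or the Samba project), this Python check flags an /etc/hosts in which the client's name maps to a loopback address, such as the Debian installer's 127.0.1.1 line, instead of the LAN address; the hosts contents are constructed, while the FQDN and IP are the ones in the post. Whether this is the cause of the failure reported here is not established by the thread.

```python
import ipaddress

# Constructed samples (the thread does not show the client's /etc/hosts).
DEBIAN_DEFAULT = """\
127.0.0.1       localhost
127.0.1.1       client01.example.net client01
"""
LAN_MAPPED = """\
127.0.0.1       localhost
192.168.56.33   client01.example.net client01   # LAN address from smb.conf
"""

def parse_hosts(text):
    """Yield (address, names) per entry, skipping comments and bad lines."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        yield addr, [n.lower() for n in fields[1:]]

def check_hosts(text, fqdn, lan_ip):
    """Return a list of findings; an empty list means the mapping looks sane."""
    fqdn = fqdn.lower()
    short = fqdn.split(".", 1)[0]
    lan = ipaddress.ip_address(lan_ip)
    findings, lan_seen = [], False
    for addr, names in parse_hosts(text):
        if fqdn not in names and short not in names:
            continue
        if addr.is_loopback:
            findings.append(f"{addr}: host name maps to a loopback address")
        elif addr != lan:
            findings.append(f"{addr}: host name maps to an address other than {lan}")
        else:
            lan_seen = True
            if names[0] != fqdn:
                findings.append(f"{addr}: first name is {names[0]!r}, expected the FQDN")
    if not lan_seen:
        findings.append(f"no entry maps {fqdn} to {lan}")
    return findings

if __name__ == "__main__":
    for label, text in (("debian-default", DEBIAN_DEFAULT), ("lan-mapped", LAN_MAPPED)):
        print(label, check_hosts(text, "client01.example.net", "192.168.56.33") or "ok")
```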
r.barclay at habmalnefrage.de
2025-Nov-04 15:43 UTC
[Samba] Join linux-client trixi not working no dns update
Hi Stefan,

I've been getting a DNS error on client domain join for years, since setting up my domain. But I've always just ignored it, since everything works fine in my case nevertheless. I started the domain back in the Debian 10 days with the Debian standard packages.

Yours,
Reg