Difference between revisions of "Troubleshooting Samba Domain Members"

(Rewrote page. Clearer descriptions of the examples, better structure)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
If you're joining a Member to your domain, various errors may appear. The following gives an overview of errors that can come up and possible reasons/solutions to fix them.
+
This documentation helps you to troubleshoot problems users are frequently having when running Samba as a member in an Active Directory (AD) forest or NT4 domain.
  
  
  
  
= Samba =
 
  
== Active Directory Domain Members ==
+
= General =
  
=== No DNS domain configured for ... Unable to perform DNS Update. ===
+
== Setting the Samba Log Level ==
 +
 
 +
For details, see [[Setting_the_Samba_Log_Level|Setting the Samba Log Level]].
 +
 
 +
 
 +
 
 +
 
 +
 
 +
= Domain Members in an Active Directory Forest =
 +
 
 +
== Troubleshooting the Domain Join Procedure ==
 +
 
 +
=== Error: No DNS domain configured. Unable to perform DNS Update. ===
 +
 
 +
When joining a host to an Active Directory (AD), the <code>net</code> command fails to update the DNS:
  
 
  # net ads join -U administrator
 
  # net ads join -U administrator
 
  Enter administrator's password:
 
  Enter administrator's password:
 
  Using short domain name -- SAMDOM
 
  Using short domain name -- SAMDOM
  Joined 'M1' to dns domain 'samdom.example.com'
+
  Joined 'AD-Member' to dns domain 'samdom.example.com'
  No DNS domain configured for m1. Unable to perform DNS Update.
+
  No DNS domain configured for AD-Member. Unable to perform DNS Update.
 
  DNS update failed: NT_STATUS_INVALID_PARAMETER
 
  DNS update failed: NT_STATUS_INVALID_PARAMETER
  
This error appears, because Samba can't find a DNS domain the host belongs to. Run the following command
+
Note, that the join was successful and only the DNS updated failed.
 +
 
 +
After the client was joined to the domain, the <code>net</code> command look up the fully qualified domain name (FQDN) using name service switch (NSS) libraries. If the FQDN can not be resolved, for example using DNS or the <code>/etc/hosts</code> file, the DNS update fails.
  
# getent hosts M1
+
To solve the problem:
10.99.0.5      M1.samdom.example.com    M1
 
  
The commands output must show the correct LAN interface IP (not 127.*.*.*!) and the hostname including the AD DNS zone. Additional alias names are optional. If you're getting a different or no output, fix it in your DNS or by adding/changing the /etc/hosts entry:
+
* Add the IP address and FQDN to the <code>/etc/hosts</code> file. For example:
  
  10.99.0.5     M1.samdom.example.com   M1
+
  10.99.0.5     AD-Member.samdom.example.com     AD-Member
  
 +
* Run the <code>net ads join</code> command again.
  
 +
If dynamic DNS updates still fail, verify on the AD DNS server that dynamic updates are working.
  
=== DNS Update for ... failed: ERROR_DNS_GSS_ERROR ===
+
 
 +
 
 +
 
 +
=== DNS Update failed: ERROR_DNS_GSS_ERROR ===
 +
 
 +
When using the <code>BIND9_DLZ</code> back end, dynamic DNS updates can fail because of an incorrect Kerberos setup on the AD domain controller (DC) running the DNS server:
  
 
  # net ads join -U administrator
 
  # net ads join -U administrator
 
  Enter administrator's password:
 
  Enter administrator's password:
 
  Using short domain name -- SAMDOM
 
  Using short domain name -- SAMDOM
  Joined 'M1' to dns domain 'samdom.example.com'
+
  Joined 'AD-Member' to dns domain 'samdom.example.com'
  DNS Update for m1.samdom.example.com failed: ERROR_DNS_GSS_ERROR
+
  DNS Update for AD-Member.samdom.example.com failed: ERROR_DNS_GSS_ERROR
 
  DNS update failed: NT_STATUS_UNSUCCESSFUL
 
  DNS update failed: NT_STATUS_UNSUCCESSFUL
  
The dynamic DNS update failed. See [[Configuring_BIND9_DLZ_as_Back_End_for_Samba_AD#DDNS_updates_not_working|DDNS updates not working]]
+
To solve the problem, see [[Configuring_BIND9_DLZ_as_Back_End_for_Samba_AD#Reconfiguring_the_BIND9_DLZ_Back_End|Reconfiguring the BIND9_DLZ Back End]].
 
 
 
 
 
 
== NT4 Domain Members ==
 
 
 
Coming soon.
 
  
  
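Review bot: The rewritten "No DNS domain configured" section drops the `getent hosts` check and the statement that its output must show the LAN interface IP rather than 127.*.*.*, so the new text tells the reader to edit `/etc/hosts` but gives no way to confirm that NSS now returns the FQDN. Consider keeping a verification step before "Run the `net ads join` command again". In the added lines, "only the DNS updated failed" and "the `net` command look up" also need a grammar fix.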
Line 51: Line 66:
  
  
= Windows =
+
= Domain Members in an NT4 Domain =
  
See http://social.technet.microsoft.com/wiki/contents/articles/1935.troubleshooting-domain-join-error-messages.aspx
+
Currently, we do not have content here.
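Review bot: The "= Windows =" section and its link to the Microsoft domain-join troubleshooting article are removed with no replacement, and the renamed NT4 section still holds only a placeholder ("Currently, we do not have content here."). Either keep a pointer for Windows members somewhere on the page or state in the edit summary that it was dropped on purpose. The empty NT4 heading could be left out until there is content for it.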

Revision as of 22:59, 11 October 2016

Introduction

This documentation helps you troubleshoot problems that users frequently encounter when running Samba as a member in an Active Directory (AD) forest or NT4 domain.



General

Setting the Samba Log Level

For details, see Setting the Samba Log Level.



Domain Members in an Active Directory Forest

Troubleshooting the Domain Join Procedure

Error: No DNS domain configured. Unable to perform DNS Update.

When joining a host to an Active Directory (AD), the net command fails to update the DNS:

# net ads join -U administrator
Enter administrator's password:
Using short domain name -- SAMDOM
Joined 'AD-Member' to dns domain 'samdom.example.com'
No DNS domain configured for AD-Member. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER

Note that the join was successful and only the DNS update failed.

After the client has joined the domain, the net command looks up the fully qualified domain name (FQDN) using the name service switch (NSS) libraries. If the FQDN cannot be resolved, for example using DNS or the /etc/hosts file, the DNS update fails.

To solve the problem:

  • Add the IP address and FQDN to the /etc/hosts file. For example:
10.99.0.5     AD-Member.samdom.example.com     AD-Member
  • Run the net ads join command again.

If dynamic DNS updates still fail, verify on the AD DNS server that dynamic updates are working.
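
A check for the FQDN lookup described above, as an added example that is not part of the wiki page or of Samba: it classifies one line of `getent hosts` output, which goes through the same NSS lookup. The function name `fqdn_verdict` and the sample lines are constructed for illustration; the loopback check follows the earlier revision's note that the address must not be 127.*.*.*.

```shell
#!/bin/sh
# Added example: classify one line of `getent hosts <host>` output.
# fqdn_verdict is a hypothetical helper name, not a Samba tool.
#
# Usage on a live member (domain taken from this page's example):
#   fqdn_verdict "$(getent hosts "$(hostname -s)")" "$(hostname -s)" samdom.example.com

fqdn_verdict() {
    line=$1
    want=$(printf '%s.%s' "$2" "$3" | tr '[:upper:]' '[:lower:]')
    # Field 1 is the address; field 2 is the canonical name, i.e. the
    # first name after the address in an /etc/hosts entry.
    addr=$(printf '%s\n' "$line" | awk 'NR == 1 { print $1 }')
    canon=$(printf '%s\n' "$line" | awk 'NR == 1 { print tolower($2) }')

    if [ -z "$addr" ]; then
        echo unresolved      # NSS returned nothing for the host name
        return 0
    fi
    case $addr in
        127.*|::1)
            echo loopback    # resolves, but not to the LAN interface
            return 0 ;;
    esac
    if [ "$canon" != "$want" ]; then
        echo no-fqdn         # canonical name lacks the AD DNS domain
        return 0
    fi
    echo ok
}

# Constructed sample lines (not captured from a real host).
demo() {
    while IFS='|' read -r label line; do
        printf '%-22s %s\n' "$label" "$(fqdn_verdict "$line" AD-Member samdom.example.com)"
    done <<'EOF'
page example|10.99.0.5     AD-Member.samdom.example.com     AD-Member
no entry at all|
loopback entry|127.0.1.1     AD-Member.samdom.example.com     AD-Member
short name first|10.99.0.5     AD-Member     AD-Member.samdom.example.com
EOF
}

demo
```

Any verdict other than `ok` means the `/etc/hosts` entry or the DNS record needs correcting before running `net ads join` again.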



DNS Update failed: ERROR_DNS_GSS_ERROR

When using the BIND9_DLZ back end, dynamic DNS updates can fail because of an incorrect Kerberos setup on the AD domain controller (DC) running the DNS server:

# net ads join -U administrator
Enter administrator's password:
Using short domain name -- SAMDOM
Joined 'AD-Member' to dns domain 'samdom.example.com'
DNS Update for AD-Member.samdom.example.com failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL

To solve the problem, see Reconfiguring the BIND9_DLZ Back End.



Domain Members in an NT4 Domain

Currently, we do not have content here.