Dynamic DNS Update Error GSS failure

Dynamic DNS Update Error GSS failure

Samba - General mailing list
Hi @ all,

I try to update the DNS records from my DHCP Clients to my AD DC but there
is an issue with the GSSAPI I don't know how to solve.

For this I followed this guide.

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

GSSAPI Error:

start_gssrequest

tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor
code may provide more information, Minor = No credentials found with
supported encryption types (filename: /tmp/dhcp-dyndns.cc).

Here is my keytab file:

ktutil -k /etc/dhcpduser.keytab list

/etc/dhcpduser.keytab:

Vno  Type                     Principal                Aliases
  2  aes256-cts-hmac-sha1-96  [hidden email]
  2  aes128-cts-hmac-sha1-96  [hidden email]
  2  arcfour-hmac-md5         [hidden email]
  2  des-cbc-md5              [hidden email]
  2  des-cbc-crc              [hidden email]

System Information

- Raspberry Pi 3 Model B
- Raspbian Stretch
- Samba Version 4.7.4
- BIND Version 9.11.2
- BIND9 built by

make '--prefix' '/usr/local/bind9' '--enable-shared'
   '--enable-static' '--with-openssl=/usr'
   '--with-gssapi=/usr/include/gssapi' '--with-libtool'
   '--with-dlopen=yes' '--enable-threads' '--enable-largefile'
   '--with-gnu-ld' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing'
   'CFLAGS=-DDIG_SIGCHASE' 'CFLAGS=-O2'

bind9 named.conf https://pastebin.com/HW88rwbe

samba named.conf https://pastebin.com/zi7Fm27T

samba smb.conf https://pastebin.com/i1fmj56T

If more information is needed, feel free to ask me, I'll do my best to provide
it.

Greetings Ronny

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: Dynamic DNS Update Error GSS failure

Samba - General mailing list
On Sun, 7 Jan 2018 23:02:20 +0100
Ronny Preiss via samba <[hidden email]> wrote:

> Hi @ all,
>
> I try to update the DNS records from my DHCP Clients to my AD DC but
> there is an issue with the GSSAPI I don't know how to solve.
>
> For this I followed this guide.
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> GSSAPI Error:
>
> start_gssrequest
>
> tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
> Minor code may provide more information, Minor = No credentials found
> with supported encryption types (filename: /tmp/dhcp-dyndns.cc).
>
> Here is my keytab file:
>
> ktutil -k /etc/dhcpduser.keytab list
>
> /etc/dhcpduser.keytab:
>
> Vno  Type                     Principal                Aliases
>   2  aes256-cts-hmac-sha1-96  [hidden email]
>   2  aes128-cts-hmac-sha1-96  [hidden email]
>   2  arcfour-hmac-md5         [hidden email]
>   2  des-cbc-md5              [hidden email]
>   2  des-cbc-crc              [hidden email]

Don't you mean 'klist -e -k /etc/dhcpduser.keytab'?

If so, it should show something like this:

Keytab name: FILE:/etc/dhcpduser.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 [hidden email] (aes256-cts-hmac-sha1-96)
   1 [hidden email] (aes128-cts-hmac-sha1-96)
   1 [hidden email] (arcfour-hmac)
   1 [hidden email] (des-cbc-md5)
   1 [hidden email] (des-cbc-crc)

> System Information
>
> - Raspberry Pi 3 Model B
> - Raspbian Stretch
> - Samba Version 4.7.4
> - BIND Version 9.11.2
> - BIND9 built by
>
> make '--prefix' '/usr/local/bind9' '--enable-shared'
>    '--enable-static' '--with-openssl=/usr'
>    '--with-gssapi=/usr/include/gssapi' '--with-libtool'
>    '--with-dlopen=yes' '--enable-threads' '--enable-largefile'
>    '--with-gnu-ld' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing'
>    'CFLAGS=-DDIG_SIGCHASE' 'CFLAGS=-O2'

There is no need to build Bind on Stretch, just use the Debian package,
also '--with-dlopen' is now built in, the setting no longer exists.

>
> bind9 named.conf https://pastebin.com/HW88rwbe

Yes, but what is in:

/etc/bind/named.conf.options
/etc/bind/named.conf.local
/etc/bind/named.conf.default-zones

> samba named.conf https://pastebin.com/zi7Fm27T

nothing wrong there.

> samba smb.conf https://pastebin.com/i1fmj56T

Nothing wrong there either.

> If more information is needed, feel free to ask me, I'll do my best to
> provide it.

Post what is in /etc/hostname, /etc/hosts, /etc/resolv.conf
and /etc/krb5.conf.

Rowland
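
An added example, not part of either message: a Python parser for the two keytab listings quoted in this thread (the `ktutil list` table and the `klist -e -k` table) that groups keys per principal and flags the DES and arcfour entries, which RFC 6649 and RFC 8429 deprecate. The principal `dhcpduser@EXAMPLE.TEST`, the sample listings and the function names are constructed for this example.

```python
import re

# RFC 6649 deprecates DES; RFC 8429 deprecates 3DES and RC4 (arcfour).
WEAK_PREFIXES = ("des-", "des3-", "arcfour-")
MIT_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")       # KVNO principal (enctype)
HEIMDAL_ROW = re.compile(r"^\s*(\d+)\s+([a-z0-9-]+)\s+(\S+@\S+)")  # Vno type principal

def parse_keytab_listing(text):
    """Return (kvno, enctype, principal) tuples from either listing format."""
    entries = []
    for line in text.splitlines():
        m = MIT_ROW.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(2)))
        elif (m := HEIMDAL_ROW.match(line)):
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries

def audit(entries):
    """Per principal: key versions seen, weak vs. other enctypes, AES present?"""
    report = {}
    for kvno, enctype, principal in entries:
        r = report.setdefault(principal, {"kvnos": set(), "weak": [], "other": []})
        r["kvnos"].add(kvno)
        r["weak" if enctype.startswith(WEAK_PREFIXES) else "other"].append(enctype)
    for r in report.values():
        r["has_aes"] = any(e.startswith("aes") for e in r["other"])
        r["mixed_kvno"] = len(r["kvnos"]) > 1  # more than one key version present
    return report

# Constructed samples in the two formats quoted in the thread.
HEIMDAL_SAMPLE = """\
Vno  Type                     Principal                Aliases
  2  aes256-cts-hmac-sha1-96  dhcpduser@EXAMPLE.TEST
  2  aes128-cts-hmac-sha1-96  dhcpduser@EXAMPLE.TEST
  2  arcfour-hmac-md5         dhcpduser@EXAMPLE.TEST
  2  des-cbc-md5              dhcpduser@EXAMPLE.TEST
  2  des-cbc-crc              dhcpduser@EXAMPLE.TEST
"""
MIT_SAMPLE = """\
Keytab name: FILE:/etc/dhcpduser.keytab
KVNO Principal
---- ----------------------------------------
   1 dhcpduser@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   1 dhcpduser@EXAMPLE.TEST (arcfour-hmac)
   1 dhcpduser@EXAMPLE.TEST (des-cbc-crc)
"""

if __name__ == "__main__":
    for principal, r in audit(parse_keytab_listing(HEIMDAL_SAMPLE)).items():
        print(principal, sorted(r["kvnos"]), "weak:", r["weak"], "AES:", r["has_aes"])
```
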
 

