Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed


Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list
I have set up, on a Fedora 27 server, a Samba AD-DC + bind + dhcp.

All seems to work fine: I can join the domain, add/remove DNS records with
samba-tool, access shared folders, use the MS Management Console on
Win7, etc.

But when I join a new machine (a Samba winbind member server) to the domain:

    [root@server-dati ~]# net ads join DOGMA-TO -U administrator
    Using short domain name -- DOGMA-TO
    Joined 'SERVER-DATI' to dns domain 'dogma-to.loc'
    DNS Update for server-dati.dogma-to.loc failed: ERROR_DNS_UPDATE_FAILED
    DNS update failed: NT_STATUS_UNSUCCESSFUL

or run this command on the Samba AD-DC:

    [root@server-addc ~]# samba_dnsupdate  --all-names --fail-immediately
    update failed: REFUSED

In the system log I get:

    dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: starting transaction on zone dogma-to.loc
    dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: spnego update failed
    dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: client @0x7fe71c49f7b0 192.168.41.1#48521/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
    dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: cancelling transaction on zone dogma-to.loc

What kind of problem is it?

These are my config files, and SELinux is off.

### Samba:
    [global]
            passdb backend = samba_dsdb
            realm = DOGMA-TO.LOC
            server role = active directory domain controller
            server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
            template homedir = /home/%U
            template shell = /bin/bash
            workgroup = DOGMA-TO
            rpc_server:tcpip = no
            rpc_daemon:spoolssd = embedded
            rpc_server:spoolss = embedded
            rpc_server:winreg = embedded
            rpc_server:ntsvcs = embedded
            rpc_server:eventlog = embedded
            rpc_server:srvsvc = embedded
            rpc_server:svcctl = embedded
            rpc_server:default = external
            winbindd:use external pipes = true
            idmap_ldb:use rfc2307 = yes
            idmap config * : backend = tdb
            map archive = No
            map readonly = no
            store dos attributes = Yes
            vfs objects = dfs_samba4 acl_xattr

    [netlogon]
            path = /var/lib/samba/sysvol/dogma-to.loc/scripts
            read only = No

    [sysvol]
            path = /var/lib/samba/sysvol
            read only = No


### Kerberos

    [root@server-addc ~]# cat /etc/krb5.conf
    [libdefaults]
            default_realm = DOGMA-TO.LOC
            dns_lookup_realm = false
            dns_lookup_kdc = true


### Bind

    options {
            listen-on port 53 { 127.0.0.1; 192.168.41.1; };
            //listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query     { localhost; 192.168.41.0/24; };

            /*
             - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
             - If you are building a RECURSIVE (caching) DNS server, you need to enable
               recursion.
             - If your recursive DNS server has a public IP address, you MUST enable access
               control to limit queries to your legitimate users. Failing to do so will
               cause your server to become part of large scale DNS amplification
               attacks. Implementing BCP38 within your network would greatly
               reduce such attack surface
            */
            recursion yes;

            dnssec-enable yes;
            dnssec-validation yes;

            managed-keys-directory "/var/named/dynamic";

            pid-file "/run/named/named.pid";
            session-keyfile "/run/named/session.key";

            /*     https://fedoraproject.org/wiki/Changes/CryptoPolicy     */
            include "/etc/crypto-policies/back-ends/bind.config";

            tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

    };

    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };

    zone "." IN {
            type hint;
            file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";

    include "/var/lib/samba/bind-dns/named.conf";


Can someone help me?

--
Dario Lesca
(sent from my Linux Fedora 27 Workstation)

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

Re: Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list
On Mon, 04 Dec 2017 11:35:29 +0100
Dario Lesca via samba <[hidden email]> wrote:

> I have setup on Fedora 27 server a AD-DC samba server + bind + dhcp.
>

Try changing the 'options' of named.conf to this:

    options {
            directory       "/var/named";
            notify no;
            empty-zones-enable no;
            allow-query     { localhost; 192.168.41.0/24; };
            allow-recursion { 192.168.41.0/24;  127.0.0.1/32; };
            forwarders { 8.8.8.8; 8.8.4.4; };
            allow-transfer { none; };
            dnssec-validation no;
            dnssec-enable no;
            listen-on port 53 { 127.0.0.1; 192.168.41.1; };
            //listen-on-v6 port 53 { ::1; };
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

    };

Rowland


Re: Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list
On Mon, 04/12/2017 at 11.29 +0000, Rowland Penny via samba wrote:
> Try changing the 'options' of named.conf to this:

Thanks Rowland

I integrated your suggested changes and restarted samba and named.

Now my named.conf is this [1], but nothing has changed:
    [root@server-addc ~]# samba_dnsupdate  --all-names --fail-immediately
    update failed: REFUSED

    dic 04 12:46:43 server-addc.dogma-to.loc named[8474]: samba_dlz: spnego update failed
    dic 04 12:46:43 server-addc.dogma-to.loc named[8474]: client @0x7fc9310a5e80 192.168.41.1#60981/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)

I have also tried this:

    [root@server-addc ~]# samba_dnsupdate  --all-names --use-samba-tool --fail-immediately
    ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
      File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
        return self.run(*args, **kwargs)
      File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
        raise e

But it also fails.

Any other suggestions?

Thanks
Dario

[1] /etc/named.conf

options {
        listen-on port 53 { 127.0.0.1; 192.168.41.1; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.41.0/24; };
        recursion yes;
        //dnssec-enable yes;
        //dnssec-validation yes;
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
            allow-recursion { 192.168.41.0/24;  127.0.0.1/32; };
            notify no;
            empty-zones-enable no;
            forwarders { 8.8.8.8; 8.8.4.4; };
            dnssec-validation no;
            dnssec-enable no;
            allow-transfer { none; };
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/var/lib/samba/bind-dns/named.conf";


--
Dario Lesca
(sent from my Linux Fedora 27 Workstation)


Re: Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list
On Mon, 04 Dec 2017 12:56:19 +0100
Dario Lesca via samba <[hidden email]> wrote:


Is the DHCP server updating the records for you?
If so, you need to stop the Windows clients trying to update their own
records, they don't own them.

Rowland
 


Re: Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list
Is /var/lib/samba/bind-dns/ accessible by bind?


Regards


Christian

On 04.12.2017 at 11:35, Dario Lesca via samba wrote:

> I have setup on Fedora 27 server a AD-DC samba server + bind + dhcp.

--
Dr. Christian Naumer
Research Scientist
Plattform-Koordinator Bioprozesstechnik

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail [hidden email], homepage www.brain-biotech.de
fon +49-6251-9331-30  /   fax +49-6251-9331-11

Follow @BRAINbiotech on Twitter: https://twitter.com/BRAINbiotech

Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Dr. Juergen Eck (Vorsitzender), Frank Goebel
Aufsichtsratsvorsitzender: Dr. Ludger Mueller


Re: Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list
On Mon, 04/12/2017 at 13.17 +0100, Christian Naumer via samba wrote:
> Is
>
> /var/lib/samba/bind-dns/
>
> accessible by bind?

Yes, and SELinux is disabled.

    [root@server-addc ~]# find /var/lib/samba/bind-dns/ -ls
      3149158          0 drwxrwx---   3  root     named          95 dic  4 14:03 /var/lib/samba/bind-dns/
          111      0 drwxrwx---   3  root     named          38 dic  4 13:57 /var/lib/samba/bind-dns/dns
      1049422      4 drwxrwx---   2  root     named        4096 dic  4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d
      1049423   1256 -rw-rw----   1  root     named     1286144 dic  4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/DC%3DDOGMA-TO,DC%3DLOC.ldb
      2118093    812 -rw-rw----   2  root     named      831488 dic  4 14:02 /var/lib/samba/bind-dns/dns/sam.ldb.d/metadata.tdb
      2118098   4148 -rw-rw----   2  root     named     4247552 dic  4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/DC%3DDOMAINDNSZONES,DC%3DDOGMA-TO,DC%3DLOC.ldb
      2118099   4148 -rw-rw----   2  root     named     4247552 dic  4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/DC%3DFORESTDNSZONES,DC%3DDOGMA-TO,DC%3DLOC.ldb
      2118101   6992 -rw-rw----   1  root     named     7159808 dic  4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/CN%3DCONFIGURATION,DC%3DDOGMA-TO,DC%3DLOC.ldb
      2118102   8300 -rw-rw----   1  root     named     8499200 dic  4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/CN%3DSCHEMA,CN%3DCONFIGURATION,DC%3DDOGMA-TO,DC%3DLOC.ldb
      1049424   2944 -rw-rw----   1  root     named     3014656 dic  4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb
      3149184      4 -rw-r--r--   1  root     root          721 dic  4 13:57 /var/lib/samba/bind-dns/named.conf
      3149185      4 -rw-r--r--   1  root     root         2092 dic  4 13:57 /var/lib/samba/bind-dns/named.txt
      1049430      4 -rw-r-----   2  root     named         772 dic  4 13:57 /var/lib/samba/bind-dns/dns.keytab
      3149744      4 -r--r--r--   1  root     root          230 dic  4 14:01 /var/lib/samba/bind-dns/named.conf.update


--
Dario Lesca
(sent from my Linux Fedora 27 Workstation)


Re: Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list
On 04.12.2017 at 14:10, Dario Lesca via samba wrote:

>       3149744      4 -r--r--r--   1  root     root          230 dic  4 14:01 /var/lib/samba/bind-dns/named.conf.update

What is in this file?


Regards

Christian

--
Dr. Christian Naumer
Research Scientist


Re: Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list
On Mon, 04/12/2017 at 12.07 +0000, Rowland Penny via samba wrote:
> Is the DHCP server updating the records for you ?

Yes, but for now the problem is not dhcp (see below).

> If so, you need to stop the windows clients trying to update their
> own records, they don't own them.

I have the problem when joining the domain via Samba on another server, or
when I run samba_dnsupdate --all-names

Now I have done this test:

I saved the machine state with a snapshot.
Then I reloaded a snapshot taken before deploying the Samba AD DC.
Then, on a fresh, up-to-date Fedora 27 server, I
stopped SELinux, restarted and ran these commands:

    + dnf install samba-client samba-dc samba-winbind attr acl krb5-workstation tdb-tools samba-winbind-clients python bind bind-utils samba-dc-bind-dlz

    + test '!' -e /etc/krb5.conf.orig
    + test -e /etc/krb5.conf
    + test '!' -e /etc/samba/smb.conf.orig
    + test -e /etc/samba/smb.conf

    + samba-tool domain provision --realm=dogma-to.loc --domain=dogma-to --dns-backend=BIND9_DLZ --use-rfc2307 --server-role=dc --function-level=2008_R2 --adminpass=P@ssw0rd

Open all the needed ports

cp -a /var/lib/samba/private/krb5.conf /etc/krb5.conf

Add this to the [global] of new smb.conf
 template shell = /bin/bash
 template homedir = /home/%U

Add "winbind" string to passwd, shadow and group of /etc/nsswitch.conf

Edit the /etc/named.conf and add
    listen-on port 53 { 127.0.0.1; 192.168.41.1; };
    allow-query     { localhost; 191.168.41.0/24; };
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

and at the end
    include "/var/lib/samba/bind-dns/named.conf";

without modifying anything else

Start and enable named
    systemctl enable named
    systemctl restart named

Point dns to my IP 192.168.41.1 and restart network

# Start samba
    systemctl enable samba
    systemctl restart samba.service

Test the resolver ...

    host $(hostname)
    host -t SRV _ldap._tcp.$(hostname -d)

Try accessing the server

    smbclient -L $(hostname)     -Uadministrator%P@aaw0rd

Try adding a DNS record ...

At this point everything works fine

Then I tried

    samba_dnsupdate --verbose  --all-names --fail-immediately

And the problem persists:

    update failed: REFUSED
    Failed update with /tmp/tmpmRYs8r
    dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: samba_dlz: starting transaction on zone dogma-to.loc
    dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: client @0x7f06840c6f20 192.168.41.1#26896: update 'dogma-to.loc/IN' denied
    dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: samba_dlz: cancelling transaction on zone dogma-to.loc

The problem is when the tool tries to execute this command:

    cat /tmp/tmpmRYs8r | nsupdate

    [root@server-addc ~]# cat /tmp/tmpmRYs8r
    server server-addc.dogma-to.loc
    update add server-addc.dogma-to.loc. 900 A 192.168.41.1
    show
    send

It seems that nsupdate cannot update DNS.

I have added the "debug" directive and removed "show" from this file:

    [root@server-addc ~]# cat /tmp/tmpmRYs8r
    debug
    server server-addc.dogma-to.loc
    update add server-addc.dogma-to.loc. 900 A 192.168.41.1
    send

then reran it:

    [root@server-addc ~]# cat /tmp/tmpmRYs8r|nsupdate
    Reply from SOA query:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  16228
    ;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;server-addc.dogma-to.loc.      IN      SOA

    ;; AUTHORITY SECTION:
    dogma-to.loc.           3600    IN      SOA     server-addc.dogma-to.loc. hostmaster.dogma-to.loc. 1 900 600 86400 3600

    Found zone name: dogma-to.loc
    The master is: server-addc.dogma-to.loc
    Sending update to 192.168.41.1#53
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  37799
    ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
    ;; UPDATE SECTION:
    server-addc.dogma-to.loc. 900   IN      A       192.168.41.1


    Reply from update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  37799
    ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; ZONE SECTION:
    ;dogma-to.loc.                  IN      SOA

    dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: samba_dlz: starting transaction on zone dogma-to.loc
    dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: client @0x7f06840c6f20 192.168.41.1#39052: update 'dogma-to.loc/IN' denied
    dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: samba_dlz: cancelling transaction on zone dogma-to.loc

Same error.

Does anyone have a suggestion?

Many thanks


--
Dario Lesca
(sent from my Linux Fedora 27 Workstation)
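As an added example (not code from this thread, nor from Samba or BIND), the following Python classifies the two refusal patterns in the journal lines quoted above: a GSS-TSIG-signed request, which named tags with `/key PRINCIPAL`, that samba_dlz rejects after `spnego update failed`, versus an unsigned request with no `/key` tag that is denied outright, which is what piping the temp file into a bare `nsupdate` produces (samba_dnsupdate itself runs Samba's `nsupdate command`, whose default is `nsupdate -g`). The sample log lines are constructed from the posted ones and the diagnosis wording is my own assumption about the likely cause.

```python
"""Classify BIND dynamic-update refusals logged by a Samba AD DC (BIND9_DLZ backend).
Added example, not code from this thread, Samba or BIND: a request that named tags
with "/key PRINCIPAL" carried a (GSS-)TSIG signature; one without the tag was unsigned."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the journal lines quoted in this thread.
SAMPLE_LOG = r"""
dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: starting transaction on zone dogma-to.loc
dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: spnego update failed
dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: client @0x7fe71c49f7b0 192.168.41.1#48521/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: cancelling transaction on zone dogma-to.loc
dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: samba_dlz: starting transaction on zone dogma-to.loc
dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: client @0x7f06840c6f20 192.168.41.1#26896: update 'dogma-to.loc/IN' denied
dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: samba_dlz: cancelling transaction on zone dogma-to.loc
"""

SPNEGO_RE = re.compile(r"named\[(?P<pid>\d+)\]: samba_dlz: spnego update failed$")

# named logs update requests as "client @0xADDR IP#PORT[/key KEYNAME]: ...";
# the "/key" part is present only when the request was (GSS-)TSIG signed.
CLIENT_RE = re.compile(
    r"named\[(?P<pid>\d+)\]: client @0x[0-9a-f]+ (?P<addr>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?:/key (?P<key>\S+?))?: "
    r"(?:updating zone '(?P<zone1>[^']+)': update failed: (?P<reason>.+?) \((?P<rcode>[A-Z]+)\)"
    r"|update '(?P<zone2>[^']+)' denied)$"
)

@dataclass
class UpdateEvent:
    pid: int
    client: str           # source address#port
    key: Optional[str]    # signing key name, None for an unsigned request
    zone: str
    rcode: str            # REFUSED etc., or DENIED for the unsigned "denied" form
    spnego_failed: bool   # samba_dlz logged "spnego update failed" just before

    @property
    def outcome(self) -> str:
        if self.key is not None and self.spnego_failed:
            return "signed-rejected"
        if self.key is None and self.rcode == "DENIED":
            return "unsigned-denied"
        return "other"

def _unescape_key(name: str) -> str:
    # named escapes '$' and '@' in key names as \$ and \@ when logging.
    return name.replace("\\$", "$").replace("\\@", "@")

def parse_update_events(log: str) -> List[UpdateEvent]:
    """Walk journal lines in order; return one event per logged update request."""
    events: List[UpdateEvent] = []
    spnego_pending: Dict[int, bool] = {}   # keyed by named pid
    for line in log.splitlines():
        m = SPNEGO_RE.search(line)
        if m:
            spnego_pending[int(m.group("pid"))] = True
            continue
        m = CLIENT_RE.search(line)
        if not m:
            continue
        pid = int(m.group("pid"))
        key = m.group("key")
        events.append(UpdateEvent(
            pid=pid,
            client=f"{m.group('addr')}#{m.group('port')}",
            key=_unescape_key(key) if key else None,
            zone=m.group("zone1") or m.group("zone2"),
            rcode=m.group("rcode") or "DENIED",
            spnego_failed=spnego_pending.pop(pid, False),
        ))
    return events

def diagnose(ev: UpdateEvent) -> str:
    """Defender-side reading of each failure mode (wording is this example's own)."""
    if ev.outcome == "signed-rejected":
        return (f"GSS-TSIG update signed as {ev.key} from {ev.client} refused by samba_dlz after "
                f"'spnego update failed': signer not verified/authorized; check that named can read "
                f"tkey-gssapi-keytab and that it holds the DC's DNS principals.")
    if ev.outcome == "unsigned-denied":
        return (f"unsigned update from {ev.client} to {ev.zone} denied: AD zones accept only secure "
                f"updates; samba_dnsupdate runs 'nsupdate -g', a bare nsupdate does not sign.")
    return f"update from {ev.client} to {ev.zone}: {ev.rcode}"

def summarize(log: str) -> Dict[str, int]:
    """Count events per outcome, e.g. as input for an alert rule."""
    counts: Dict[str, int] = {}
    for ev in parse_update_events(log):
        counts[ev.outcome] = counts.get(ev.outcome, 0) + 1
    return counts

if __name__ == "__main__":
    for ev in parse_update_events(SAMPLE_LOG):
        print(ev.outcome, "->", diagnose(ev))
    print(summarize(SAMPLE_LOG))
```

Feeding `journalctl -u named` output into `parse_update_events` separates the two cases before any config is touched: the signed case points at the keytab and the signer's authorization, the unsigned case only at how the update was sent.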


Re: Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list
On Mon, 04 Dec 2017 15:34:37 +0100
Dario Lesca via samba <[hidden email]> wrote:

> On Mon, 04/12/2017 at 12.07 +0000, Rowland Penny via samba wrote:
> > Is the DHCP server updating the records for you ?
>
> Yes, but for now the problem is not DHCP (see below)
>
> > If so, you need to stop the windows clients trying to update their
> > own records, they don't own them.
>
> I have the problem when joining the domain via Samba on another server, or
> when I run samba_dnsupdate --all-names
>
> Now I have done this test:
>
> I saved the machine status with a snapshot.
> Then I reloaded a snapshot taken before deploying the Samba AD DC.
> Then, on a fresh, up-to-date Fedora 27 server, I
> stopped SELinux, rebooted and ran these commands:
>
> + dnf install samba-client samba-dc samba-winbind attr acl krb5-workstation
> tdb-tools samba-winbind-clients python bind bind-utils
> samba-dc-bind-dlz
>
> + test '!' -e /etc/krb5.conf.orig
> + test -e /etc/krb5.conf
> + test '!' -e /etc/samba/smb.conf.orig
> + test -e /etc/samba/smb.conf
>
> + samba-tool domain provision --realm=dogma-to.loc --domain=dogma-to
> --dns-backend=BIND9_DLZ --use-rfc2307 --server-role=dc
> --function-level=2008_R2 --adminpass=P@ssw0rd
>
> Open all the needed ports
>
> cp -a /var/lib/samba/private/krb5.conf /etc/krb5.conf
>
> Add this to the [global] of the new smb.conf
>  template shell = /bin/bash
>  template homedir = /home/%U
>
> Add the "winbind" string to passwd, shadow and group in /etc/nsswitch.conf
>
> Edit /etc/named.conf and add
>     listen-on port 53 { 127.0.0.1; 192.168.41.1; };
>     allow-query     { localhost; 191.168.41.0/24; };
>     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>
> and at the end
>     include "/var/lib/samba/bind-dns/named.conf";
>
> without modifying anything else
>
> Start and enable named
>     systemctl enable named
>     systemctl restart named
>
> Point DNS to my IP 192.168.41.1 and restart the network
>
> # Start samba
>     systemctl enable samba
>     systemctl restart samba.service
>
> test some resolver ...
>
>     host $(hostname)
>     host -t SRV _ldap._tcp.$(hostname -d)
>
> try to access the server
>
>     smbclient -L $(hostname)     -Uadministrator%P@aaw0rd
>
> Try to add a DNS record ...
>
> At this point all works fine
>
> Then I try
>
>     samba_dnsupdate --verbose  --all-names --fail-immediately
>
> And the problem persists:
>
>     update failed: REFUSED
>     Failed update with /tmp/tmpmRYs8r
>     dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: samba_dlz: starting transaction on zone dogma-to.loc
>     dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: client @0x7f06840c6f20 192.168.41.1#26896: update 'dogma-to.loc/IN' denied
>     dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: samba_dlz: cancelling transaction on zone dogma-to.loc
>
> The problem is when the tool tries to execute this command:
>
>     cat /tmp/tmpmRYs8r | nsupdate
>
>     [    root@server-addc     ~]# cat /tmp/tmpmRYs8r
>     server server-addc.dogma-to.loc
>     update add server-addc.dogma-to.loc. 900 A 192.168.41.1
>     show
>     send
>
> It seems that nsupdate cannot update DNS
>
> I added the "debug" directive and removed the "show" directive from this file
>
>     [    root@server-addc     ~]# cat /tmp/tmpmRYs8r
>     debug
>     server server-addc.dogma-to.loc
>     update add server-addc.dogma-to.loc. 900 A 192.168.41.1
>     send
>
> then reran it:
>
>     [    root@server-addc     ~]# cat /tmp/tmpmRYs8r|nsupdate
>     Reply from SOA query:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  16228
>     ;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>     ;; QUESTION SECTION:
>     ;server-addc.dogma-to.loc.      IN      SOA
>
>     ;; AUTHORITY SECTION:
>     dogma-to.loc.           3600    IN      SOA     server-addc.dogma-to.loc. hostmaster.dogma-to.loc. 1 900 600 86400 3600
>
>     Found zone name: dogma-to.loc
>     The master is: server-addc.dogma-to.loc
>     Sending update to 192.168.41.1#53
>     Outgoing update query:
>     ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  37799
>     ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
>     ;; UPDATE SECTION:
>     server-addc.dogma-to.loc. 900   IN      A       192.168.41.1
>
>
>     Reply from update query:
>     ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  37799
>     ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>     ;; ZONE SECTION:
>     ;dogma-to.loc.                  IN      SOA
>
>     dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: samba_dlz: starting transaction on zone dogma-to.loc
>     dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: client @0x7f06840c6f20 192.168.41.1#39052: update 'dogma-to.loc/IN' denied
>     dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: samba_dlz: cancelling transaction on zone dogma-to.loc
>
> Same error.
>
> Does anyone have a suggestion?
>
> Many thanks
>
>

If you are using the script found here:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

Then the records DO NOT belong to the computers, so they cannot update
them. I am also very sure that there are log records that show the
records are being updated by dhcpduser.

The cure is to STOP your windows clients trying to update their own
records.

Rowland


Re: Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list
On Mon, 04/12/2017 at 14.48 +0000, Rowland Penny via samba wrote:
>
>
> The cure is to STOP your windows clients trying to update their own
> records.

Yes, this is true; on Windows I will stop this service.

But my problem now is a different one.

The Samba command

    samba_dnsupdate --verbose  --all-names --fail-immediately

does not work.

Is it possible to resolve this problem?
Or do I have to ignore it?

Thanks
Dario




--
Dario Lesca
(sent from my Linux Fedora 27 Workstation)


Re: Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list
Shouldn't samba_dnsupdate work regardless on all the _srv records? Even
if the server gets its IP by DHCP? Or is this not the case when using
"--fail-immediately"?

regards


Christian

--
Dr. Christian Naumer
Research Scientist
Platform Coordinator, Bioprocess Engineering

B.R.A.I.N Aktiengesellschaft

Re: Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list
On Mon, 04/12/2017 at 15.31 +0100, Christian Naumer via samba wrote:
> On 04.12.2017 at 14:10, Dario Lesca via samba wrote:
>
> >        3149744      4 -r--r--r--   1  root     root          230 dic  4 14:01 /var/lib/samba/bind-dns/named.conf.update
>
> what is in this file?

This file, readable by everyone, contains this:

    [    root@server-addc     ~]# cat /var/lib/samba/bind-dns/named.conf.update
    /* this file is auto-generated - do not edit */
    update-policy {
            grant DOGMA-TO.LOC ms-self * A AAAA;
            grant [hidden email] wildcard * A AAAA SRV CNAME;
            grant SERVER-ADDC$@dogma-to.loc wildcard * A AAAA SRV CNAME;
    };

It's auto-generated. Is the content correct?

I believe the access is right ... or not?

--
Dario Lesca
(sent from my Linux Fedora 27 Workstation)


Re: Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list
On Mon, 04/12/2017 at 16.00 +0100, Dario Lesca via samba wrote:
> The samba command
>
>     samba_dnsupdate --verbose  --all-names --fail-immediately
>
> not work

I have added '-d 9' to the dlz section

    dlz "AD DNS Zone" {
        # For BIND 9.11.x
         database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so -d 9";
    };

And this is the debug message:

    [    root@server-addc     ~]# samba_dnsupdate --all-names --fail-immediately
    update failed: REFUSED

    dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: starting transaction on zone dogma-to.loc
    dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: Starting GENSEC mechanism spnego
    dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: Starting GENSEC submechanism gssapi_krb5
    dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: GSS server Update(krb5)(1) Update failed: Unspecified GSS failure.  Minor code may provide more information: Request is a replay
    dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: spnego update failed
    dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: client @0x7fafe90c3400 192.168.41.1#57335/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
    dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: cancelling transaction on zone dogma-to.loc

Can this help us?

Thanks

--
Dario Lesca
(sent from my Linux Fedora 27 Workstation)
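A way to tell the two failures in this thread apart mechanically, as an added example that is not part of the original posts and not Samba or BIND code: BIND's `client ...` line is its verdict on one update request, and it carries a `/key <principal>` suffix only when that request was TSIG/GSS-TSIG signed. The hand-run `cat /tmp/tmpmRYs8r | nsupdate` earlier in the thread sent an unsigned update, so BIND logged `update 'dogma-to.loc/IN' denied`: no `update-policy` grant matches an anonymous request and Kerberos was never involved. `samba_dnsupdate` drives `nsupdate -g`, so its request is GSS-TSIG signed as the DC's machine account (`/key SERVER-ADDC$@DOGMA-TO.LOC`) and is refused one layer down, inside the GSSAPI acceptor in samba_dlz, with `Request is a replay`. The script below parses journal lines in the format pasted in this thread (the sample is constructed from those pasted lines) and pairs each verdict with the `samba_dlz` detail that preceded it; the cause labels are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: journal lines copied from this thread (one unsigned nsupdate run,
# one samba_dnsupdate run with "-d 9" on the DLZ module). Not live data.
SAMPLE_LOG = r"""
dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: samba_dlz: starting transaction on zone dogma-to.loc
dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: client @0x7f06840c6f20 192.168.41.1#39052: update 'dogma-to.loc/IN' denied
dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: samba_dlz: cancelling transaction on zone dogma-to.loc
dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: starting transaction on zone dogma-to.loc
dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: Starting GENSEC mechanism spnego
dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: Starting GENSEC submechanism gssapi_krb5
dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: GSS server Update(krb5)(1) Update failed: Unspecified GSS failure.  Minor code may provide more information: Request is a replay
dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: spnego update failed
dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: client @0x7fafe90c3400 192.168.41.1#57335/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: cancelling transaction on zone dogma-to.loc
"""

# BIND's verdict line. "/key <principal>" is present only for a TSIG/GSS-TSIG signed request.
CLIENT_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<ip>[\d.]+)#(?P<port>\d+)"
    r"(?:/key (?P<key>\S+))?: (?P<msg>.*)$"
)
ZONE_RE = re.compile(r"'(?P<zone>[^'/]+)/")


@dataclass
class Verdict:
    client: str            # source ip#port of the update request
    zone: Optional[str]
    signer: Optional[str]  # GSS-TSIG principal, None for an unsigned request
    cause: str             # unsigned-denied | gss-replay | gss-other | other | accepted
    detail: str            # the log line that best explains the cause


def triage(log_text: str) -> List[Verdict]:
    verdicts: List[Verdict] = []
    dlz_detail: List[str] = []  # samba_dlz lines since the last "starting transaction"
    for line in log_text.splitlines():
        if "samba_dlz: starting transaction" in line:
            dlz_detail = []
            continue
        if "samba_dlz: " in line:
            dlz_detail.append(line.split("samba_dlz: ", 1)[1])
            continue
        m = CLIENT_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        key = m.group("key")
        # syslog escapes '$' and '@' in the principal; undo that
        signer = key.replace("\\", "") if key else None
        zm = ZONE_RE.search(msg)
        zone = zm.group("zone") if zm else None

        if signer is None and msg.endswith("denied"):
            # Unsigned request: refused by update-policy before any Kerberos work
            cause, detail = "unsigned-denied", msg
        elif "rejected by secure update" in msg:
            # Signed request whose GSS-TSIG verification failed inside samba_dlz
            gss = next((d for d in dlz_detail if d.startswith("GSS server")), "")
            if "Request is a replay" in gss:
                cause, detail = "gss-replay", gss
            else:
                cause, detail = "gss-other", gss or msg
        elif "update failed" in msg or "denied" in msg:
            cause, detail = "other", msg
        else:
            cause, detail = "accepted", msg
        verdicts.append(Verdict(f"{m.group('ip')}#{m.group('port')}", zone, signer, cause, detail))
    return verdicts


if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        print(f"{v.client:<22} zone={v.zone} signer={v.signer} cause={v.cause}")
        print(f"    {v.detail}")
```

To reproduce by hand what `samba_dnsupdate` does, feed the same input file to `nsupdate -g -d` rather than plain `nsupdate`; that exercises the GSS-TSIG path, which is the only path on which the `-d 9` output of the DLZ module says anything. An `unsigned-denied` verdict from a plain `nsupdate` run is the update-policy working as intended, not evidence of a Kerberos or keytab problem.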


Re: Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list
On Mon, 04/12/2017 at 16.00 +0100, Dario Lesca via samba wrote:
> The samba command
>
>     samba_dnsupdate --verbose  --all-names --fail-immediately
>
> not work


Following this howto,
https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable#Verifying_That_the_BIND_AD_Account_Exists_for_the_DC

I have tried this:

    [    root@server-addc     ~]# LDB_MODULES_PATH=/usr/lib64/samba/ldb/ ldbsearch -H /var/lib/samba/bind-dns/dns/sam.ldb 'cn=dns-DC1' dn
    # Referral
    ref: ldap://dogma-to.loc/CN=Configuration,DC=dogma-to,DC=loc

    # Referral
    ref: ldap://dogma-to.loc/DC=DomainDnsZones,DC=dogma-to,DC=loc

    # Referral
    ref: ldap://dogma-to.loc/DC=ForestDnsZones,DC=dogma-to,DC=loc

    # returned 3 records
    # 0 entries
    # 3 referrals

This is not the output the howto says I should see.

It seems the account dns-DC1 does not exist

    [    root@server-addc     ~]# samba-tool user list
    Administrator
    Guest
    krbtgt
    dns-server-addc
    ospite

Then I run

    [    root@server-addc     ~]# samba_upgradedns --verbose --dns-backend=BIND9_DLZ
    Reading domain information
    DNS accounts already exist
    No zone file /var/lib/samba/bind-dns/dns/DOGMA-TO.LOC.zone
    DNS records will be automatically created
    DNS partitions already exist
    dns-server-addc account already exists
    Could not remove /var/lib/samba/private/named.conf: No such file or directory
    Could not remove /var/lib/samba/private/named.conf.update: No such file or directory
    Could not remove /var/lib/samba/private/named.txt: No such file or directory
    Could not delete dir /var/lib/samba/private/dns: No such file or directory
    See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
    and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
    Finished upgrading DNS

But I cannot see the "Adding dns-DC1 account" message like the howto says


I also run:

    [    root@server-addc     ~]# klist -k /var/lib/samba/bind-dns/dns.keytab
    Keytab name: FILE:/var/lib/samba/bind-dns/dns.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       1 DNS/[hidden email]
       1 [hidden email]
       1 DNS/[hidden email]
       1 [hidden email]
       1 DNS/[hidden email]
       1 [hidden email]
       1 DNS/[hidden email]
       1 [hidden email]
       1 DNS/[hidden email]
       1 [hidden email]

Can this help?

Thanks

--
Dario Lesca
(sent from my Linux Fedora 27 Workstation)


Re: Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list
On Mon, 04 Dec 2017 16:31:16 +0100
Dario Lesca via samba <[hidden email]> wrote:

> On Mon, 04/12/2017 at 16.00 +0100, Dario Lesca via samba wrote:
> > The samba command
> >
> >     samba_dnsupdate --verbose  --all-names --fail-immediately
> >
> > does not work
>
> I have added '-d 9' to the dlz section
>
>     dlz "AD DNS Zone" {
>         # For BIND 9.11.x
>          database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so -d 9";
>     };
>
> And this is the debug message:
>
>     [    root@server-addc     ~]# samba_dnsupdate --all-names --fail-immediately
>     update failed: REFUSED
>
>     dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: starting transaction on zone dogma-to.loc
>     dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: Starting GENSEC mechanism spnego
>     dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: Starting GENSEC submechanism gssapi_krb5
>     dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: GSS server Update(krb5)(1) Update failed: Unspecified GSS failure.  Minor code may provide more information: Request is a replay
>     dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: spnego update failed
>     dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: client @0x7fafe90c3400 192.168.41.1#57335/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
>     dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: cancelling transaction on zone dogma-to.loc
>
> Can this help us?
>
> Thanks
>
>
> Can this help us?
>
> Thanks
>

The significant word there is 'replay'.

see here:

https://lists.samba.org/archive/samba/2017-November/211990.html

Rowland


Re: Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list
On Mon, 04 Dec 2017 16:57:15 +0100
Dario Lesca via samba <[hidden email]> wrote:

> On Mon, 04/12/2017 at 16.00 +0100, Dario Lesca via samba wrote:
> > The samba command
> >
> >     samba_dnsupdate --verbose  --all-names --fail-immediately
> >
> > does not work
>
>
> Following this howto,
> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable#Verifying_That_the_BIND_AD_Account_Exists_for_the_DC
>
> I have tried this:
>
>     [    root@server-addc     ~]# LDB_MODULES_PATH=/usr/lib64/samba/ldb/ ldbsearch -H /var/lib/samba/bind-dns/dns/sam.ldb 'cn=dns-DC1' dn
>     # Referral
>     ref: ldap://dogma-to.loc/CN=Configuration,DC=dogma-to,DC=loc
>
>     # Referral
>     ref: ldap://dogma-to.loc/DC=DomainDnsZones,DC=dogma-to,DC=loc
>
>     # Referral
>     ref: ldap://dogma-to.loc/DC=ForestDnsZones,DC=dogma-to,DC=loc
>
>     # returned 3 records
>     # 0 entries
>     # 3 referrals
>
> This is not the output the howto says I should see.
>
> It seems the account dns-DC1 does not exist
>
>     [    root@server-addc     ~]# samba-tool user list
>     Administrator
>     Guest
>     krbtgt
>     dns-server-addc
>     ospite
>
> Then I run
>
>     [    root@server-addc     ~]# samba_upgradedns --verbose --dns-backend=BIND9_DLZ
>     Reading domain information
>     DNS accounts already exist
>     No zone file /var/lib/samba/bind-dns/dns/DOGMA-TO.LOC.zone
>     DNS records will be automatically created
>     DNS partitions already exist
>     dns-server-addc account already exists
>     Could not remove /var/lib/samba/private/named.conf: No such file or directory
>     Could not remove /var/lib/samba/private/named.conf.update: No such file or directory
>     Could not remove /var/lib/samba/private/named.txt: No such file or directory
>     Could not delete dir /var/lib/samba/private/dns: No such file or directory
>     See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
>     and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
>     Finished upgrading DNS
>
> But I cannot see the "Adding dns-DC1 account" message like the howto says

Follow what it says in the blue box under the ldbsearch output on the
wiki page.

Rowland


Re: Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list


On 04.12.2017 at 17:19, Rowland Penny via samba wrote:

> On Mon, 04 Dec 2017 16:57:15 +0100
> Dario Lesca via samba <[hidden email]> wrote:
>
>> On Mon, 04/12/2017 at 16.00 +0100, Dario Lesca via samba wrote:
>>> The samba command
>>>
>>>      samba_dnsupdate --verbose  --all-names --fail-immediately
>>>
>>> does not work
>>
>> Following this howto,
>> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable#Verifying_That_the_BIND_AD_Account_Exists_for_the_DC
>>
>> I have tried this:
>>
>>      [    root@server-addc     ~]# LDB_MODULES_PATH=/usr/lib64/samba/ldb/ ldbsearch -H /var/lib/samba/bind-dns/dns/sam.ldb 'cn=dns-DC1' dn
>>      # Referral
>>      ref: ldap://dogma-to.loc/CN=Configuration,DC=dogma-to,DC=loc
>>
>>      # Referral
>>      ref: ldap://dogma-to.loc/DC=DomainDnsZones,DC=dogma-to,DC=loc
>>
>>      # Referral
>>      ref: ldap://dogma-to.loc/DC=ForestDnsZones,DC=dogma-to,DC=loc
>>
>>      # returned 3 records
>>      # 0 entries
>>      # 3 referrals
>>
>> This is not the output the howto says I should see.
>>
>> It seems the account dns-DC1 does not exist
>>
>>      [    root@server-addc     ~]# samba-tool user list
>>      Administrator
>>      Guest
>>      krbtgt
>>      dns-server-addc
>>      ospite
>>
>> Then I run
>>
>>      [    root@server-addc     ~]# samba_upgradedns --verbose --dns-backend=BIND9_DLZ
>>      Reading domain information
>>      DNS accounts already exist
>>      No zone file /var/lib/samba/bind-dns/dns/DOGMA-TO.LOC.zone
>>      DNS records will be automatically created
>>      DNS partitions already exist
>>      dns-server-addc account already exists
>>      Could not remove /var/lib/samba/private/named.conf: No such file or directory
>>      Could not remove /var/lib/samba/private/named.conf.update: No such file or directory
>>      Could not remove /var/lib/samba/private/named.txt: No such file or directory
>>      Could not delete dir /var/lib/samba/private/dns: No such file or directory
>>      See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
>>      and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
>>      Finished upgrading DNS
>>
>> But I cannot see the "Adding dns-DC1 account" message like the howto says
> Follow what it says in the blue box under the ldbsearch output on the
> wiki page.
>
> Rowland
>
On a side note, your server has the name server-addc, so your DNS account
name is dns-server-addc, which exists on your server.




Re: Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list
On Mon, 04/12/2017 at 18.12 +0100, Achim Gottinger via samba wrote:

> > > But I cannot see the "Adding dns-DC1 account" message like howto
> > > say
> >
> > Follow what it says in the blue box under the ldbsearch output on
> > the wiki page.
> >
> > Rowland
> >
>
> On a sidenote, your server has the name server-addc so your dns
> account name is dns-server-addc which exists on your server.

OK, thanks Achim, now I have understood.

So the DNS account exists.

Now I executed the DNS backend swap, as the blue box says, and when I
switch to BIND9_DLZ the account is recreated:

    [    root@server-addc     ~]# samba_upgradedns --dns-backend=BIND9_DLZ
    Reading domain information
    DNS accounts already exist
    No zone file /var/lib/samba/bind-dns/dns/DOGMA-TO.LOC.zone
    DNS records will be automatically created
    DNS partitions already exist
    Adding dns-server-addc account
    See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
    and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
    Finished upgrading DNS

Then restart samba and bind

    [    root@server-addc     ~]# systemctl restart named samba

But if I run the ldbsearch, the account still does not exist:

    [    root@server-addc     ~]# LDB_MODULES_PATH=/usr/lib64/samba/ldb/ ldbsearch -H /var/lib/samba/bind-dns/dns/sam.ldb 'cn=dns-server-addc' dn
    # Referral
    ref: ldap://dogma-to.loc/CN=Configuration,DC=dogma-to,DC=loc

    # Referral
    ref: ldap://dogma-to.loc/DC=DomainDnsZones,DC=dogma-to,DC=loc

    # Referral
    ref: ldap://dogma-to.loc/DC=ForestDnsZones,DC=dogma-to,DC=loc

    # returned 3 records
    # 0 entries
    # 3 referrals

and the initial problem persists:

    [    root@server-addc     ~]# samba_dnsupdate --all-names --fail-immediately
    update failed: REFUSED

    dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: starting transaction on zone dogma-to.loc
    dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: Starting GENSEC mechanism spnego
    dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: Starting GENSEC submechanism gssapi_krb5
    dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: GSS server Update(krb5)(1) Update failed: Unspecified GSS failure.  Minor code may provide more information: Request is a replay
    dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: spnego update failed
    dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: client @0x7fb32d0c1320 192.168.41.1#36717/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
    dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: cancelling transaction on zone dogma-to.loc


--
Dario Lesca
(sent from my Linux Fedora 27 Workstation)


Re: Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list
On Mon, 04/12/2017 at 16.02 +0000, Rowland Penny via samba wrote:
> The significant word there is 'replay'.
>
> see here:
>
> https://lists.samba.org/archive/samba/2017-November/211990.html
>
>

Thanks Rowland, this thread
https://lists.samba.org/archive/samba/2017-November/thread.html#212035
is very useful.

So my problem is a bug already filed:
https://bugzilla.samba.org/show_bug.cgi?id=13066

I must only ignore this error, wait for a patch and follow Andreas's
suggestion:

> > But what would be the right way to test DNS updates in this
> scenario?
>
> Use a joined workstation and run 'net ads dns register'? Or you
> disable the replay cache on the server side ...

Question: how can I "disable the replay cache"?

Thanks

--
Dario Lesca
(sent from my Linux Fedora 27 Workstation)


Re: Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Samba - General mailing list
On Mon, 04 Dec 2017 21:42:21 +0100
Dario Lesca via samba <[hidden email]> wrote:

> On Mon, 04/12/2017 at 16.02 +0000, Rowland Penny via samba wrote:
> > The significant word there is 'replay'.
> >
> > see here:
> >
> > https://lists.samba.org/archive/samba/2017-November/211990.html
> >
> >
>
> Thanks Rowland, this thread
> https://lists.samba.org/archive/samba/2017-November/thread.html#212035
> is very useful.
>
> So my problem is a bug already filed:
> https://bugzilla.samba.org/show_bug.cgi?id=13066
>
> I must only ignore this error, wait for a patch and follow Andreas's
> suggestion:
>
> > > But what would be the right way to test DNS updates in this
> > scenario?
> >
> > Use a joined workstation and run 'net ads dns register'? Or you
> > disable the replay cache on the server side ...
>
> Question: how can I "disable the replay cache"?
>
> Thanks
>

First and foremost, I do not use MIT Kerberos, so I am not sure if this
will work, but I found this webpage:

https://web.mit.edu/kerberos/krb5-1.12/doc/basic/rcache_def.html

Where it says that if you set the environment variable KRB5RCACHETYPE
to 'none' it will not be used, i.e. 'export KRB5RCACHETYPE=none'

Rowland
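Where that variable has to live, as an added example that is not from the thread and not Samba, BIND or MIT documentation: the GSSAPI acceptor that emits `Request is a replay` runs inside the named process (samba_dlz is dlopen'ed into named), so KRB5RCACHETYPE must be in named's environment; an `export` in an interactive shell does not reach it. On Fedora the unit is `named.service`, and a systemd drop-in keeps the setting scoped to that one daemon. The drop-in path and file name below are my own choice:

```ini
# /etc/systemd/system/named.service.d/krb5-rcache.conf  (assumed path and name)
# KRB5RCACHETYPE=none makes MIT Kerberos in this process run without a replay cache.
[Service]
Environment=KRB5RCACHETYPE=none
```

Apply it with `systemctl daemon-reload && systemctl restart named` and confirm it took with `systemctl show named -p Environment`. Treat it as a diagnostic workaround rather than a fix: the replay cache is what stops a captured GSS-TSIG-signed update from being resubmitted within the Kerberos clock-skew window, so with it off named will accept such a replay for every zone it serves through samba_dlz. Remove the drop-in once a Samba build with the fix for the bug linked in the previous message is installed, or avoid it entirely by testing updates from a joined member with `net ads dns register`, as the linked thread suggests.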
