Samba AD DNS problem

Samba AD DNS problem

Samba - General mailing list
Hello there.

I have a setup with Samba AD and a Named backend.
Everything has been working fine until a few days ago; now I cannot start the DNS snap-in from Windows.  I get a dialog box saying
"Access was denied. Would you like to add it anyway?"

If I enable level 3 debugging in the samba.conf, I get the following:

[2017/05/11 07:25:30.413481,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ [hidden email] from ipv4:192.168.253.109:57310 for [hidden email] [canonicalize, renewable, forwardable]
[2017/05/11 07:25:30.414016,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Searching referral for DnsServerApp
[2017/05/11 07:25:30.414141,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: [hidden email]: No such entry in the database
[2017/05/11 07:25:30.414215,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:192.168.253.109:57310
[2017/05/11 07:25:30.415231,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)


I googled a lot for this, particularly "DnsServerApp" and found no solution.  In desperation, using the ActiveDirectory, I added a "Computer" entry called "DnsServerApp".
This didn't resolve the issue, but changed it.  Now I get in the log:

[2017/05/11 12:23:29.195608,  3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/05/11 12:23:29.199719,  1] ../source4/auth/gensec/gensec_gssapi.c:622(gensec_gssapi_update)
  GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC01$@RVX.IS(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (arcfour-hmac-md5)
[2017/05/11 12:23:29.199832,  1] ../auth/gensec/spnego.c:545(gensec_spnego_parse_negTokenInit)
  SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2017/05/11 12:23:29.199925,  2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_LOGON_FAILURE

The DC is called dc01.rvx.is.
Curiously, even after I removed the AD "computer" entry DnsServerApp, I still get the above, second, error in the log.

I'm relatively new to both Samba and AD configuration, but having failed to find any reference to the above problems on the net, I think they may be due to some internal database corruption or other such things.  Any thoughts?

Kv,
Kristján Valur Jónsson |CTA | RVX

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
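
An added example, not part of the original thread and not Samba code: a small Python triage of the two log excerpts in the post above, separating "the KDC has no such service principal" from "the keytab has no key for this principal, kvno and enctype". The sample log is constructed from the quoted lines; the principal in the first failure is a placeholder because the archive hides the real one, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the level-3 log excerpts quoted in the post above.
# SERVICE/host@EXAMPLE.REALM is a placeholder; the archive hides the real principal.
SAMPLE_LOG = """\
[2017/05/11 07:25:30.414016,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Searching referral for DnsServerApp
[2017/05/11 07:25:30.414141,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: SERVICE/host@EXAMPLE.REALM: No such entry in the database
[2017/05/11 12:23:29.199719,  1] ../source4/auth/gensec/gensec_gssapi.c:622(gensec_gssapi_update)
  GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC01$@RVX.IS(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (arcfour-hmac-md5)
"""

HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s+(?P<level>\d+)\]\s+(?P<src>\S+)")
NO_PRINCIPAL = re.compile(r"Server not found in database: (?P<principal>.+?): No such entry")
NO_KEY = re.compile(r"Failed to find (?P<principal>\S+?)\(kvno (?P<kvno>\d+)\) in keytab "
                    r"(?P<keytab>\S+) \((?P<enctype>[^)]+)\)")

def records(text):
    """Group each '[timestamp, level] source' header with its indented message lines."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = {"ts": m["ts"], "level": int(m["level"]), "msg": ""}
        elif current is not None and line.strip():
            current["msg"] = (current["msg"] + " " + line.strip()).strip()
    if current:
        yield current

def triage(text):
    """Return one finding per record that matches a known Kerberos failure."""
    findings = []
    for rec in records(text):
        if (m := NO_PRINCIPAL.search(rec["msg"])):
            findings.append({"ts": rec["ts"], "kind": "kdc_unknown_service", **m.groupdict()})
        elif (m := NO_KEY.search(rec["msg"])):
            found = m.groupdict()
            found["kvno"] = int(found["kvno"])  # compare against the key version in the keytab
            findings.append({"ts": rec["ts"], "kind": "keytab_key_missing", **found})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```
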
Re: Samba AD DNS problem

Samba - General mailing list
Hi Kristján,


On 17.05.2017 at 17:40, Kristján V. Jónsson via samba wrote:
> Everything has been working fine, until a few days ago, I
> cannot start the DNS snap-in from windows.  I get a dialog box
> saying "Access was denied. Would you like to add it anyway?"

The important question is: What has been changed in the meantime? Maybe
an updated BIND package messed up your configuration?

Use the docs to verify that everything is still correct:
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End



> If I enable level 3 debugging in the samba.conf, I get the following:
>
> [2017/05/11 07:25:30.414141,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: Server not found in database: [hidden email]: No such entry in the database
> I googled a lot for this, particularly "DnsServerApp" and found no solution.  In desperation, using the ActiveDirectory, I added a "Computer" entry called "DnsServerApp".
> This didn't resolve the issue, but changed it.

The dns-* accounts aren't computer accounts. Delete it again to avoid
problems.

"samba_upgradedns" can recreate the account correctly. Please try:
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Reconfiguring_the_BIND9_DLZ_Back_End


Regards,
Marc

Re: Samba AD DNS problem

Samba - General mailing list
On Wed, 17 May 2017 15:40:03 +0000 (GMT)
Kristján V. Jónsson via samba <[hidden email]> wrote:

> I googled a lot for this, particularly "DnsServerApp" and found no
> solution.  In desperation, using the ActiveDirectory, I added a
> "Computer" entry called "DnsServerApp". This didn't resolve the
> issue, but changed it.  Now I get in the log:

As Marc has pointed out, 'DnsServerApp' isn't a computer name.
>
> text): Failed to find DC01$@RVX.IS(kvno 2) in keytab

If it was, it would be in the form shown above: DNSERVERAPP$@RVX.IS

My googlefu must be a bit better than yours ;-)

I found this:

https://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=21&ved=0ahUKEwjVvIT1rPfTAhXKJMAKHcCZBqk4FBAWCCcwAA&url=https%3A%2F%2Friunet.upv.es%2Fbitstream%2Fhandle%2F10251%2F31637%2Ftesis_bmolina_v3.pdf%3Fsequence%3D1&usg=AFQjCNE_5tt3ySoIobXc3VXJ0pVlQQLfQw

Only problem, I don't speak Spanish LOL

But, Google Translate seems to suggest that 'DnsServerApp' is a Class
of some sort, so the question seems to be, what have you installed on
the Windows machine?

Another question would be, what is the Windows machine?

Rowland


Re: Samba AD DNS problem

Samba - General mailing list
I hadn't been able to check this out for a while, but when I started to look at it today, all was ok again.
I definitely didn't do anything to the server.  Well, I rebooted my client machine, maybe somehow
my credentials had gone weird?
Strange.  If something like this happens again, I'll have another look.

p.s.
I'm running samba-4.5 locally compiled.  Should I consider upgrading?



Kv,
Kristján Valur Jónsson | CTA | RVX

----- Original Message -----
From: "Marc Muehlfeld" <[hidden email]>
To: "Kristján V. Jónsson" <[hidden email]>, [hidden email]
Sent: Wednesday, 17 May, 2017 16:17:56
Subject: Re: [Samba] Samba AD DNS problem

Hi Kristján,


On 17.05.2017 at 17:40, Kristján V. Jónsson via samba wrote:
> Everything has been working fine, until a few days ago, I
> cannot start the DNS snap-in from windows.  I get a dialog box
> saying "Access was denied. Would you like to add it anyway?"

The important question is: What has been changed in the meantime? Maybe
an updated BIND package messed up your configuration?

Use the docs to verify that everything is still correct:
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End



> If I enable level 3 debugging in the samba.conf, I get the following:
>
> [2017/05/11 07:25:30.414141,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
>    Kerberos: Server not found in database: [hidden email]: No such entry in the database
> I googled a lot for this, particularly "DnsServerApp" and found no solution.  In desperation, using the ActiveDirectory, I added a "Computer" entry called "DnsServerApp".
> This didn't resolve the issue, but changed it.

The dns-* accounts aren't computer accounts. Delete it again to avoid
problems.

"samba_upgradedns" can recreate the account correctly. Please try:
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Reconfiguring_the_BIND9_DLZ_Back_End


Regards,
Marc
