Samba with Mit-krb5, update ddns fails

Samba with Mit-krb5, update ddns fails

Samba - General mailing list
Hi,
I built Samba v4.7.0 with Mit-krb5-1.15.2-x86-64 (and also tried with
Mit-krb5-1.15.1-x86-86); everything works fine.

But when a Windows 7 client joins the AD, a new DNS A record should be added
to DNS (BIND), but it fails.

I tested with administrator and its ticket.
====================================
[root@pdc samba]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [hidden email]

Valid starting       Expires              Service principal
09/29/2017 16:05:25  09/30/2017 02:05:25  krbtgt/[hidden email]
        renew until 09/30/2017 16:05:15
09/29/2017 16:05:37  09/30/2017 02:05:25  DNS/[hidden email]
        renew until 09/30/2017 16:05:15
=====================================

and run
=================================
nsupdate -g -d -L 9 -v<< UPDATE
server pdc.ad.pthl.hk
realm AD.PTHL.HK
update add test.ad.pthl.hk 3600 A 172.16.232.199
send
UPDATE

========================

Here is /var/log/message:

Sep 29 16:34:42 pdc named[1332]: samba_dlz: starting transaction on zone ad.pthl.hk
Sep 29 16:34:42 pdc named[1332]: samba_dlz: GSS server Update(krb5)(1) Update failed: Unspecified GSS failure.  Minor code may provide more information: Request is a replay
Sep 29 16:34:42 pdc named[1332]: samba_dlz: spnego update failed
Sep 29 16:34:42 pdc named[1332]: client 172.16.232.204#43318/key administrator\@AD.PTHL.HK: updating zone 'ad.pthl.hk/NONE': update failed: rejected by secure update (REFUSED)
Sep 29 16:34:42 pdc named[1332]: samba_dlz: cancelling transaction on zone ad.pthl.hk

=================================================

The same thing is done without any error by Samba v4.7.0 with the built-in
Heimdal-Krb5. So I guess there is something wrong with Samba and Mit-krb5.

Can someone offer me any suggestions?
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
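
A way to triage the failure pattern in the log excerpt above, as an added example that is not part of the original post or of Samba/BIND code: it pairs the samba_dlz GSS error line, which carries no client identity, with the named `client ...` rejection logged in the same transaction. The second sample transaction, the record field names and the assumption that transactions are not interleaved are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample: first transaction is the post's excerpt (lines rejoined); second is invented.
SAMPLE_LOG = r"""
Sep 29 16:34:42 pdc named[1332]: samba_dlz: starting transaction on zone ad.pthl.hk
Sep 29 16:34:42 pdc named[1332]: samba_dlz: GSS server Update(krb5)(1) Update failed: Unspecified GSS failure.  Minor code may provide more information: Request is a replay
Sep 29 16:34:42 pdc named[1332]: samba_dlz: spnego update failed
Sep 29 16:34:42 pdc named[1332]: client 172.16.232.204#43318/key administrator\@AD.PTHL.HK: updating zone 'ad.pthl.hk/NONE': update failed: rejected by secure update (REFUSED)
Sep 29 16:34:42 pdc named[1332]: samba_dlz: cancelling transaction on zone ad.pthl.hk
Sep 29 16:40:03 pdc named[1332]: samba_dlz: starting transaction on zone ad.pthl.hk
Sep 29 16:40:03 pdc named[1332]: samba_dlz: GSS server Update(krb5)(1) Update failed: Unspecified GSS failure.  Minor code may provide more information: Clock skew too great
Sep 29 16:40:03 pdc named[1332]: samba_dlz: spnego update failed
Sep 29 16:40:03 pdc named[1332]: client 192.0.2.10#50112/key host1\@AD.PTHL.HK: updating zone 'ad.pthl.hk/NONE': update failed: rejected by secure update (REFUSED)
Sep 29 16:40:03 pdc named[1332]: samba_dlz: cancelling transaction on zone ad.pthl.hk
"""

START = re.compile(r"samba_dlz: starting transaction on zone (\S+)")
END = re.compile(r"samba_dlz: (\w+) transaction on zone \S+")
GSS = re.compile(r"samba_dlz: GSS server Update.*Minor code may provide more information: (.+)$")
CLIENT = re.compile(r"client (\S+)#\d+/key (\S+): updating zone '[^']*': "
                    r"update failed: rejected by secure update")

def triage(log_text):
    """Return one record per samba_dlz transaction (assumes they are not interleaved)."""
    records, cur = [], None
    for line in log_text.splitlines():
        if m := START.search(line):
            cur = {"zone": m.group(1), "gss_minor": None, "client": None,
                   "principal": None, "outcome": None}
        elif cur is None:
            continue  # not inside a transaction
        elif m := GSS.search(line):
            cur["gss_minor"] = m.group(1).strip()  # no client identity on this line
        elif m := CLIENT.search(line):
            cur["client"] = m.group(1)
            cur["principal"] = m.group(2).replace("\\", "")  # log shows '\@'
        elif m := END.search(line):
            cur["outcome"] = m.group(1)  # e.g. "cancelling"
            records.append(cur)
            cur = None
    return records

def replay_rejections(records):
    """Count updates whose GSS minor status mentions a replay, per (client, principal)."""
    return Counter((r["client"], r["principal"]) for r in records
                   if r["gss_minor"] and "replay" in r["gss_minor"].lower())

if __name__ == "__main__":
    print(replay_rejections(triage(SAMPLE_LOG)))
```
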
Re: Samba with Mit-krb5, update ddns fails

Samba - General mailing list
I can reproduce this behavior using Samba 4.7.0. This also affects
samba_dnsupdate.
I have filed a bug (https://bugzilla.samba.org/show_bug.cgi?id=13066).


luckydog xf via samba <[hidden email]> wrote on Fri, 29 Sep 2017
at 11:13:

> Hi,
> I built Samba v4.7.0 with Mit-krb5-1.15.2-x86-64 (and also tried with
> Mit-krb5-1.15.1-x86-86); everything works fine.
>
> But when a Windows 7 client joins the AD, a new DNS A record should be added
> to DNS (BIND), but it fails.
>
> I tested with administrator and its ticket.
> ====================================
> [root@pdc samba]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: [hidden email]
>
> Valid starting       Expires              Service principal
> 09/29/2017 16:05:25  09/30/2017 02:05:25  krbtgt/[hidden email]
>         renew until 09/30/2017 16:05:15
> 09/29/2017 16:05:37  09/30/2017 02:05:25  DNS/[hidden email]
>         renew until 09/30/2017 16:05:15
> =====================================
>
> and run
> =================================
> nsupdate -g -d -L 9 -v<< UPDATE
> server pdc.ad.pthl.hk
> realm AD.PTHL.HK
> update add test.ad.pthl.hk 3600 A 172.16.232.199
> send
> UPDATE
>
> ========================
>
> Here is /var/log/message:
>
> Sep 29 16:34:42 pdc named[1332]: samba_dlz: starting transaction on zone ad.pthl.hk
> Sep 29 16:34:42 pdc named[1332]: samba_dlz: GSS server Update(krb5)(1) Update failed: Unspecified GSS failure.  Minor code may provide more information: Request is a replay
> Sep 29 16:34:42 pdc named[1332]: samba_dlz: spnego update failed
> Sep 29 16:34:42 pdc named[1332]: client 172.16.232.204#43318/key administrator\@AD.PTHL.HK: updating zone 'ad.pthl.hk/NONE': update failed: rejected by secure update (REFUSED)
> Sep 29 16:34:42 pdc named[1332]: samba_dlz: cancelling transaction on zone ad.pthl.hk
>
> =================================================
>
> The same thing is done without any error by Samba v4.7.0 with the built-in
> Heimdal-Krb5. So I guess there is something wrong with Samba and Mit-krb5.
>
> Can someone offer me any suggestions?