after DCs migration to 4.7, two things


after DCs migration to 4.7, two things

Samba - General mailing list
Hi,

I migrated our DCs from 4.5/internal dns to 4.7.1/bind9_dlz. Short
summary of the steps taken:

- added a new temp dc,
- removed the old DCs
- cleaned sam database
- installed new DCs, with their old dns/ip
- removed the temp dc again
- synced sysvol

and all is looking well: no db errors, no replication issues, ldapcmp
matches across DCs, etc.

So, I took things to production today, and now I see two things that I
would like some feedback on:

Bind complains:

> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: disallowing update of signer=p002507\$\@SAMBA.DOMAIN.COM name=P002507.samba.domain.com type=AAAA error=insufficient access rights
> Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#57335/key p002507\$\@SAMBA.DOMAIN.COM: updating zone 'samba.domain.com/NONE': update failed: rejected by secure update (REFUSED)
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: cancelling transaction on zone samba.domain.com
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: starting transaction on zone samba.domain.com
> Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#51536: update 'samba.domain.com/IN' denied
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: cancelling transaction on zone samba.domain.com
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: starting transaction on zone samba.domain.com
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: disallowing update of signer=p002507\$\@SAMBA.DOMAIN.COM name=P002507.samba.domain.com type=AAAA error=insufficient access rights
> Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#59032/key p002507\$\@SAMBA.DOMAIN.COM: updating zone 'samba.domain.com/NONE': update failed: rejected by secure update (REFUSED)
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: cancelling transaction on zone samba.domain.com

Since this seems to be only about AAAA records... should I do something
to disable ipv6 perhaps..? It happens for many of our workstations.

A second (and perhaps more serious?) issue:

On all four DCs, we're seeing in log.smbd:
> [2017/11/07 18:23:25.114429,  1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
>   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC4$@SAMBA.COMPANY.COM(kvno 1) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
> [2017/11/07 18:23:25.114456,  1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
>   SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> [2017/11/07 18:30:02.741596,  1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
>   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC4$@SAMBA.COMPANY.COM(kvno 1) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
> [2017/11/07 18:30:02.741629,  1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
>   SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE

The message is always about the local DC account, so DC4$ on dc4, DC3$
on dc3, DC2$ on dc2. Permissions on
/var/lib/samba/private/secrets.keytab are 600, root:root.

I guess this is relevant:

> root@dc3:/var/log/samba# klist -ek /var/lib/samba/private/secrets.keytab
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 HOST/[hidden email] (des-cbc-crc)
>    2 HOST/[hidden email] (des-cbc-crc)
>    2 DC3$@SAMBA.COMPANY.COM (des-cbc-crc)
>    2 HOST/[hidden email] (des-cbc-md5)
>    2 HOST/[hidden email] (des-cbc-md5)
>    2 DC3$@SAMBA.COMPANY.COM (des-cbc-md5)
>    2 HOST/[hidden email] (arcfour-hmac)
>    2 HOST/[hidden email] (arcfour-hmac)
>    2 DC3$@SAMBA.COMPANY.COM (arcfour-hmac)
>    2 HOST/[hidden email] (aes128-cts-hmac-sha1-96)
>    2 HOST/[hidden email] (aes128-cts-hmac-sha1-96)
>    2 DC3$@SAMBA.COMPANY.COM (aes128-cts-hmac-sha1-96)
>    2 HOST/[hidden email] (aes256-cts-hmac-sha1-96)
>    2 HOST/[hidden email] (aes256-cts-hmac-sha1-96)
>    2 DC3$@SAMBA.COMPANY.COM (aes256-cts-hmac-sha1-96)

The smb.conf on the DCs is basically as generated by the samba-tool
domain join, with only some minor additions:

> root@dc4:/var/lib/samba/private# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> netbios name = DC4
> realm = SAMBA.COMPANY.COM
> server role = active directory domain controller
> # server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> server services = -dns
> workgroup = WRKGRP
>
> idmap_ldb:use rfc2307 = yes
> ldap server require strong auth = no
> ntlm auth = mschapv2-and-ntlmv2-only
> log level = 1 auth_audit:3
>
> [netlogon]
> path = /var/lib/samba/sysvol/samba.company.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No

Suggestions would be appreciated!

MJ

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
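Each refused attempt in the named journal above is a pair of lines: samba_dlz names the signing principal, the record name and the record type it refused, and named then reports the secure-update result to the client; the one unsigned attempt in between is simply denied. The following Python is an added example, not code from this thread or from Samba. It pulls those fields out of a journal, counts refusals per (signer, record type), and separates refusals where the signer is the machine account of the host being updated (the case Rowland's reply later in the thread explains as a record not owned by that computer) from refusals where some other principal is writing to a host's record, which is the kind worth looking at. The log lines are constructed after the ones quoted above; the host P009911 and the principal svc-backup are invented for illustration, and the owner check (first DNS label against the sAMAccountName without its trailing `$`) is a heuristic that assumes hostnames match account names.

```python
"""Group BIND9 samba_dlz secure-update refusals by signer and record type.

Added example, not code from the thread or from Samba.  SAMPLE_LOG is
constructed after the journal lines quoted in the post; the host P009911
and the principal svc-backup are invented for illustration.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
Nov 07 18:20:28 dc4 named[19990]: samba_dlz: disallowing update of signer=p002507\$\@SAMBA.DOMAIN.COM name=P002507.samba.domain.com type=AAAA error=insufficient access rights
Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#57335/key p002507\$\@SAMBA.DOMAIN.COM: updating zone 'samba.domain.com/NONE': update failed: rejected by secure update (REFUSED)
Nov 07 18:20:28 dc4 named[19990]: samba_dlz: cancelling transaction on zone samba.domain.com
Nov 07 18:20:28 dc4 named[19990]: samba_dlz: starting transaction on zone samba.domain.com
Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#51536: update 'samba.domain.com/IN' denied
Nov 07 18:20:28 dc4 named[19990]: samba_dlz: cancelling transaction on zone samba.domain.com
Nov 07 18:20:28 dc4 named[19990]: samba_dlz: starting transaction on zone samba.domain.com
Nov 07 18:20:28 dc4 named[19990]: samba_dlz: disallowing update of signer=p002507\$\@SAMBA.DOMAIN.COM name=P002507.samba.domain.com type=AAAA error=insufficient access rights
Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#59032/key p002507\$\@SAMBA.DOMAIN.COM: updating zone 'samba.domain.com/NONE': update failed: rejected by secure update (REFUSED)
Nov 07 18:20:28 dc4 named[19990]: samba_dlz: cancelling transaction on zone samba.domain.com
Nov 07 18:21:02 dc4 named[19990]: samba_dlz: disallowing update of signer=p009911\$\@SAMBA.DOMAIN.COM name=P009911.samba.domain.com type=A error=insufficient access rights
Nov 07 18:21:02 dc4 named[19990]: samba_dlz: disallowing update of signer=svc-backup\@SAMBA.DOMAIN.COM name=P009911.samba.domain.com type=A error=insufficient access rights
"""

# Three line shapes from the quoted journal.  named backslash-escapes '$' and
# '@' in principal names, hence unescape() below.
DLZ_REFUSED = re.compile(
    r"samba_dlz: disallowing update of signer=(?P<signer>\S+) "
    r"name=(?P<name>\S+) type=(?P<rtype>\S+) error=(?P<error>.+)$")
SIGNED_FAILED = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+)/key (?P<key>\S+): "
    r"updating zone '(?P<zone>[^']+)': update failed: (?P<reason>.+)$")
UNSIGNED_DENIED = re.compile(
    r"client (?P<ip>[\d.]+)#(?P<port>\d+): update '(?P<zone>[^']+)' denied$")


def unescape(principal):
    """Turn p002507\\$\\@REALM (as named prints it) into p002507$@REALM."""
    return re.sub(r"\\(.)", r"\1", principal)


def parse_named_log(text):
    """Return one dict per refusal-related line, tagged with its 'kind'."""
    events = []
    for line in text.splitlines():
        if m := DLZ_REFUSED.search(line):
            ev = m.groupdict()
            ev["signer"] = unescape(ev["signer"])
            ev["kind"] = "dlz_refused"
        elif m := SIGNED_FAILED.search(line):
            ev = m.groupdict()
            ev["key"] = unescape(ev["key"])
            ev["kind"] = "signed_failed"
        elif m := UNSIGNED_DENIED.search(line):
            ev = m.groupdict()
            ev["kind"] = "unsigned_denied"
        else:
            continue
        events.append(ev)
    return events


def signer_owns_name(signer, name):
    """True when the GSS-TSIG signer is the machine account of the host whose
    record is being updated: p002507$@REALM vs P002507.samba.domain.com.
    Heuristic (assumption): the first DNS label equals the account name."""
    account = signer.split("@", 1)[0]
    if not account.endswith("$"):
        return False
    return account[:-1].lower() == name.split(".", 1)[0].lower()


def summarize(events):
    refused = [e for e in events if e["kind"] == "dlz_refused"]
    return {
        # how many times each (signer, record type) pair was refused
        "by_signer_type": Counter((e["signer"], e["rtype"]) for e in refused),
        # hosts refused while updating their own record: an ownership/ACL
        # problem on the existing record rather than a rogue client
        "own_host_refusals": sorted(
            {e["name"] for e in refused if signer_owns_name(e["signer"], e["name"])}),
        # some other principal tried to write a host's record: inspect these
        "foreign_signer_refusals": sorted(
            {(e["signer"], e["name"]) for e in refused
             if not signer_owns_name(e["signer"], e["name"])}),
        # unsigned update attempts that bind turned away outright
        "unsigned_denied": sum(1 for e in events if e["kind"] == "unsigned_denied"),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_named_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On a real DC, feed it `journalctl -u named` (or the named log file) instead of SAMPLE_LOG. An entry in `foreign_signer_refusals` is something to follow up on; a long list in `own_host_refusals` with the same error text as above points at the records themselves rather than at the clients.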

Re: after DCs migration to 4.7, two things

Samba - General mailing list
Hi,

On 07.11.2017 at 19:16, mj via samba wrote:

> Bind complains:
>> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: disallowing update of
>> signer=p002507\$\@SAMBA.DOMAIN.COM name=P002507.samba.domain.com
>> type=AAAA error=insufficient access rights
>> Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#57335/key
>> p002507\$\@SAMBA.DOMAIN.COM: updating zone 'samba.domain.com/NONE':
>> update failed: rejected by secure update (REFUSED)
>> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: cancelling transaction on
>> zone samba.domain.com
>> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: starting transaction on
>> zone samba.domain.com
>> Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#51536: update
>> 'samba.domain.com/IN' denied
>> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: cancelling transaction on
>> zone samba.domain.com
>> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: starting transaction on
>> zone samba.domain.com
>> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: disallowing update of
>> signer=p002507\$\@SAMBA.DOMAIN.COM name=P002507.samba.domain.com
>> type=AAAA error=insufficient access rights
>> Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#59032/key
>> p002507\$\@SAMBA.DOMAIN.COM: updating zone 'samba.domain.com/NONE':
>> update failed: rejected by secure update (REFUSED)
>> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: cancelling transaction on
>> zone samba.domain.com


Check if your dynamic DNS works. For details and troubleshooting, see:
https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates


Regards,
Marc




Re: after DCs migration to 4.7, two things

Samba - General mailing list
Hi Marc,

Thanks for your reply!

> Check if your dynamic DNS works. For details and troubleshooting, see:
> https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates

I'm not sure about the "--all-names" option, but the regular
"samba_dnsupdate --verbose" updated all dns records for all DCs shortly
after I joined them.

The problematic dns records here are workstations, trying to add a
dynamic dns record.

I took a look with the Microsoft DNS tool, and noticed that the current
workstation dns records are listed with timestamp 'static'. As I come
from samba 4.5 with internal dns, perhaps this is the way samba adds them..?

So I removed both A/AAAA for the p002507 dns entry, and ran on the
windows p002507 workstation: "ipconfig /registerdns"
suddenly it worked: A new dns record appeared, now with timestamp
"7-11-2017 20:00:00", both A and AAAA records. And they are renewed
every hour, I noticed.

As I don't think we require dns of our domain clients, I am now thinking
to simply delete all regular workstation "static" dns records, to allow
them to be recreated automatically using bind9_dlz.

This seems kind of drastic... Would doing this have unforeseen
side-effects I should take into consideration?

And anyone on my second issue, on
> [2017/11/07 18:23:25.114429,  1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
>   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC4$@SAMBA.COMPANY.COM(kvno 1) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
> [2017/11/07 18:23:25.114456,  1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
>   SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE

That one worries me a bit more than the DNS thing...

Have a nice evening everyone!

MJ


Re: after DCs migration to 4.7, two things

Samba - General mailing list
On Tue, 7 Nov 2017 21:07:21 +0100
lists via samba <[hidden email]> wrote:

> Hi Marc,
>
> Thanks for your reply!
>
> > Check if your dynamic DNS works. For details and troubleshooting,
> > see: https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates
>
> I'm not sure about the "--all-names" option, but the regular
> "samba_dnsupdate --verbose" updated all dns records for all DCs
> shortly after I joined them.
>
> The problematic dns records here are workstations, trying to add a
> dynamic dns record.
>
> I took a look with the Microsoft DNS tool, and noticed that the
> current workstation dns records are listed with timestamp 'static'.
> As I come from samba 4.5 with internal dns, perhaps this is the way
> samba adds them..?
>
> So I removed both A/AAAA for the p002507 dns entry, and ran on the
> windows p002507 workstation: "ipconfig /registerdns"
> suddenly it worked: A new dns record appeared, now with timestamp
> "7-11-2017 20:00:00", both A and AAAA records. And they are renewed
> every hour, I noticed.
>
> As I don't think we require dns of our domain clients, I am now
> thinking to simply delete all regular workstation "static" dns
> records, to allow them to be recreated automatically using
> bind9_dlz.
>
> This seems kind of drastic... Would doing this have unforeseen
> side-effects I should take into consideration?

I think what happened here was that the records had been created by
something else and were not owned by the computer, so the update was
refused. After deletion, the computer created the records again, and as
the computer now 'owns' the records, it can now update them.

>
> And anyone on my second issue, on
> > [2017/11/07 18:23:25.114429,
> > 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
> > GSS server Update(krb5)(1) Update failed:  Miscellaneous failure
> > (see text): Failed to find DC4$@SAMBA.COMPANY.COM(kvno 1) in keytab
> > FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
> > [2017/11/07 18:23:25.114456,
> > 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
> > SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>
> That one worries me a bit more than the DNS thing...
>

It seems that something is looking for 'key version number 1' (kvno 1)
but the klist you posted shows kvno 2

Rowland



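Rowland's kvno observation can be checked mechanically rather than by eye: parse the `klist -ek` output into principal, key version and enctypes, then match every "Failed to find ... (kvno N) ... (enctype)" line from log.smbd against it. The Python below is an added example, not part of this thread or of Samba. Both samples are constructed after the output quoted earlier: the hidden HOST/ principal names are made up, DC3$ is used on both sides so that log and keytab refer to the same account, and the second smbd line (kvno 2, des3-cbc-sha1) is invented to exercise the other diagnosis branch. The enctype alias table is the one assumption to check against your own klist: MIT krb5 names RC4-HMAC both `arcfour-hmac-md5` (as in the smbd error) and `arcfour-hmac` (as in the klist listing).

```python
"""Match 'Failed to find <principal>(kvno N) in keytab ... (<enctype>)' lines
from log.smbd against the keys actually present in secrets.keytab.

Added example, not code from the thread or from Samba.  Both samples are
constructed after the output quoted in the thread: the hidden HOST/ principal
names are made up, and DC3$ is used on both sides so the two refer to the
same keytab.  The second smbd line (kvno 2, des3-cbc-sha1) is invented to
show the other diagnosis branch.
"""
import re
from collections import defaultdict

KLIST_SAMPLE = """\
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOST/dc3.samba.company.com@SAMBA.COMPANY.COM (des-cbc-crc)
   2 HOST/DC3@SAMBA.COMPANY.COM (des-cbc-crc)
   2 DC3$@SAMBA.COMPANY.COM (des-cbc-crc)
   2 HOST/dc3.samba.company.com@SAMBA.COMPANY.COM (arcfour-hmac)
   2 HOST/DC3@SAMBA.COMPANY.COM (arcfour-hmac)
   2 DC3$@SAMBA.COMPANY.COM (arcfour-hmac)
   2 DC3$@SAMBA.COMPANY.COM (aes256-cts-hmac-sha1-96)
"""

SMBD_SAMPLE = """\
[2017/11/07 18:23:25.114429,  1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC3$@SAMBA.COMPANY.COM(kvno 1) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
[2017/11/07 18:23:25.114456,  1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
  SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2017/11/07 18:30:02.741596,  1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC3$@SAMBA.COMPANY.COM(kvno 2) in keytab FILE:/var/lib/samba/private/secrets.keytab (des3-cbc-sha1)
"""

# MIT krb5 prints the same enctype under more than one name; the smbd error
# says arcfour-hmac-md5 where klist says arcfour-hmac.  Assumed table, extend
# as needed for your build.
ENCTYPE_ALIASES = {
    "arcfour-hmac-md5": "arcfour-hmac",
    "rc4-hmac": "arcfour-hmac",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "aes128-cts": "aes128-cts-hmac-sha1-96",
}

KLIST_LINE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<princ>\S+)\s+\((?P<enctype>[^)]+)\)\s*$")
SMBD_LINE = re.compile(
    r"Failed to find (?P<princ>\S+)\(kvno (?P<kvno>\d+)\) in keytab "
    r"(?P<keytab>\S+) \((?P<enctype>[^)]+)\)")


def canonical(enctype):
    return ENCTYPE_ALIASES.get(enctype, enctype)


def parse_klist(text):
    """klist -ek output -> {principal: {kvno: {enctype, ...}}}"""
    keytab = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        if m := KLIST_LINE.match(line):
            keytab[m["princ"]][int(m["kvno"])].add(canonical(m["enctype"]))
    return {princ: dict(versions) for princ, versions in keytab.items()}


def diagnose(smbd_log, keytab):
    """One finding per 'Failed to find' line, with a verdict of
    principal_absent, kvno_mismatch, enctype_missing or present."""
    findings = []
    for m in SMBD_LINE.finditer(smbd_log):
        princ, kvno, enc = m["princ"], int(m["kvno"]), canonical(m["enctype"])
        have = keytab.get(princ, {})
        if not have:
            verdict = "principal_absent"
        elif kvno not in have:
            # the client's ticket names a key version this keytab does not
            # hold: a stale ticket on the client side, or a stale keytab here
            verdict = "kvno_mismatch"
        elif enc not in have[kvno]:
            verdict = "enctype_missing"
        else:
            verdict = "present"
        findings.append({"principal": princ, "wanted_kvno": kvno,
                         "wanted_enctype": enc, "keytab_kvnos": sorted(have),
                         "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in diagnose(SMBD_SAMPLE, parse_klist(KLIST_SAMPLE)):
        print(finding)
```

Run it with the real `klist -ek /var/lib/samba/private/secrets.keytab` output and the DC's log.smbd. A `kvno_mismatch` whose wanted kvno is lower than what the keytab holds means the client presented a ticket issued against an older key version of that DC account, which is consistent with MJ's later note that the errors cleared on their own after the DCs were re-created under their old names.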

Re: after DCs migration to 4.7, two things

Samba - General mailing list
Hi Rowland,

On 7-11-2017 21:51, Rowland Penny wrote:
> I think what happened here was that the records had been created by
> something else and where not owned by the computer, so the update was
> refused. After deletion, the computer created the records again, and as
> the computer now 'owns' the records, it can now update them.

But, since AD is so picky about dns, etc... Can I simply delete the
records, and will the workstations still be able to logon without their
dns record present?

(and then add and update their own dns record)

MJ


Re: after DCs migration to 4.7, two things

Samba - General mailing list
Hi,

On 11/07/2017 09:51 PM, Rowland Penny wrote:

>> And anyone on my second issue, on
>>> [2017/11/07 18:23:25.114429,
>>> 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
>>> GSS server Update(krb5)(1) Update failed:  Miscellaneous failure
>>> (see text): Failed to find DC4$@SAMBA.COMPANY.COM(kvno 1) in keytab
>>> FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
>>> [2017/11/07 18:23:25.114456,
>>> 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
>>> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>> That one worries me a bit more than the DNS thing...
>>
> It seems that something is looking for 'key version number 1' (kvno 1)
> but the klist you posted shows kvno 2

For the archives: the errors above have disappeared automatically.

Perhaps they were caused by the fact that I had replaced all three old
4.5 DCs with three new 4.7 DCs, but using the same dns name and ip.

Perhaps some clients noticed that later than others, or so.

MJ
