Dario Lesca
2017-Dec-04 14:34 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On Mon, 04/12/2017 at 12.07 +0000, Rowland Penny via samba wrote:
> Is the DHCP server updating the records for you ?

Yes, but for now the problem is not DHCP (see below)

> If so, you need to stop the windows clients trying to update their
> own records, they don't own them.

I have the problem when joining the domain via samba on another server, or when I run samba_dnsupdate --all-name

Now I have done this test:

I have saved the machine status with a snapshot.
Then I have reloaded a snapshot done before deploying the samba AD DC.
Then, on a fresh Fedora 27 server up to date I have
stopped selinux, restarted and run these commands:

+ dnf install samba-client samba-dc samba-winbind attr acl krb5-workstation tdb-tools samba-winbind-clients python bind bind-utils samba-dc-bind-dlz
+ test '!' -e /etc/krb5.conf.orig
+ test -e /etc/krb5.conf
+ test '!' -e /etc/samba/smb.conf.orig
+ test -e /etc/samba/smb.conf
+ samba-tool domain provision --realm=dogma-to.loc --domain=dogma-to --dns-backend=BIND9_DLZ --use-rfc2307 --server-role=dc --function-level=2008_R2 --adminpass=P at ssw0rd

Open all the ports needed

cp -a /var/lib/samba/private/krb5.conf /etc/krb5.conf

Add this to the [global] of the new smb.conf
    template shell = /bin/bash
    template homedir = /home/%U

Add the "winbind" string to passwd, shadow and group of /etc/nsswitch.conf

Edit /etc/named.conf and add
    listen-on port 53 { 127.0.0.1; 192.168.41.1; };
    allow-query { localhost; 191.168.41.0/24; };
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

and at the end
    include "/var/lib/samba/bind-dns/named.conf";

without modifying anything else

Start and enable named
    systemctl enable named
    systemctl restart named

Point DNS to my IP 192.168.41.1 and restart the network

# Start samba
    systemctl enable samba
    systemctl restart samba.service

test some resolver ...
    host $(hostname)
    host -t SRV _ldap._tcp.$(hostname -d)

try access to the server
    smbclient -L $(hostname) -Uadministrator%P at aaw0rd

Try to add a dns record ...

At this point all works fine

Then I try
    samba_dnsupdate --verbose --all-names --fail-immediately

And the problem persists:

update failed: REFUSED
Failed update with /tmp/tmpmRYs8r
dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: samba_dlz: starting transaction on zone dogma-to.loc
dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: client @0x7f06840c6f20 192.168.41.1#26896: update 'dogma-to.loc/IN' denied
dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: samba_dlz: cancelling transaction on zone dogma-to.loc

The problem is when the tool tries to execute this command:

cat /tmp/tmpmRYs8r | nsupdate

[ root at server-addc ~]# cat /tmp/tmpmRYs8r
server server-addc.dogma-to.loc
update add server-addc.dogma-to.loc. 900 A 192.168.41.1
show
send

It seems that nsupdate cannot update dns

I have added "debug" and removed the "show" directive from this file

[ root at server-addc ~]# cat /tmp/tmpmRYs8r
debug
server server-addc.dogma-to.loc
update add server-addc.dogma-to.loc. 900 A 192.168.41.1
send

then rerun it:

[ root at server-addc ~]# cat /tmp/tmpmRYs8r|nsupdate
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16228
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;server-addc.dogma-to.loc. IN SOA

;; AUTHORITY SECTION:
dogma-to.loc. 3600 IN SOA server-addc.dogma-to.loc. hostmaster.dogma-to.loc. 1 900 600 86400 3600

Found zone name: dogma-to.loc
The master is: server-addc.dogma-to.loc
Sending update to 192.168.41.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 37799
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
;; UPDATE SECTION:
server-addc.dogma-to.loc. 900 IN A 192.168.41.1

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 37799
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;dogma-to.loc. IN SOA

dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: samba_dlz: starting transaction on zone dogma-to.loc
dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: client @0x7f06840c6f20 192.168.41.1#39052: update 'dogma-to.loc/IN' denied
dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: samba_dlz: cancelling transaction on zone dogma-to.loc

Some error

Does someone have some suggestion?

Many thanks

-- 
Dario Lesca
(sent from my Linux Fedora 27 Workstation)
Rowland Penny
2017-Dec-04 14:48 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On Mon, 04 Dec 2017 15:34:37 +0100
Dario Lesca via samba <samba at lists.samba.org> wrote:

> [...]
>
> Some error
>
> Does someone have some suggestion?
>
> Many thanks
>

If you are using the script found here:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

Then the records DO NOT belong to the computers, so they cannot update them. I am also very sure that there are log records that show the records are being updated by dhcpduser.

The cure is to STOP your windows clients trying to update their own records.

Rowland
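As an added example (not code from this thread or from Samba): a small Python triage script that scans named journal lines like the ones Dario posted earlier, counting refused dynamic updates per zone and client, so the DC's own failing samba_dnsupdate run can be told apart from domain members trying to update records they do not own, as Rowland describes. The sample log lines are constructed from the thread's output; the 192.168.41.57 client is invented.

```python
import re
from collections import defaultdict

# Constructed sample journal lines, modelled on the named output in the thread;
# the 192.168.41.57 client at 15:30:02 is invented for illustration.
SAMPLE_LOG = """\
dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: samba_dlz: starting transaction on zone dogma-to.loc
dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: client @0x7f06840c6f20 192.168.41.1#26896: update 'dogma-to.loc/IN' denied
dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: samba_dlz: cancelling transaction on zone dogma-to.loc
dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: samba_dlz: starting transaction on zone dogma-to.loc
dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: client @0x7f06840c6f20 192.168.41.1#39052: update 'dogma-to.loc/IN' denied
dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: samba_dlz: cancelling transaction on zone dogma-to.loc
dic 04 15:30:02 server-addc.dogma-to.loc named[2269]: client @0x7f06840c7a10 192.168.41.57#51234: update 'dogma-to.loc/IN' denied
"""

# "client [@0x...] IP#PORT: update 'ZONE/CLASS' denied" as logged by named.
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^'/]+)(?:/\w+)?' denied"
)
# Transaction markers written by Samba's BIND9_DLZ module.
TXN_RE = re.compile(r"samba_dlz: (?P<action>starting|cancelling) transaction on zone (?P<zone>\S+)")

def summarize_denied_updates(log_text):
    """Return {(zone, client_ip): count} of dynamic updates that named refused."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            counts[(m.group("zone"), m.group("ip"))] += 1
    return dict(counts)

def cancelled_transactions(log_text):
    """Return {zone: count} of samba_dlz transactions that were cancelled.
    A cancel right after a denial means BIND refused the update before the
    DLZ module committed anything to the Samba directory."""
    cancelled = defaultdict(int)
    for line in log_text.splitlines():
        m = TXN_RE.search(line)
        if m and m.group("action") == "cancelling":
            cancelled[m.group("zone")] += 1
    return dict(cancelled)

def unexpected_updaters(counts, expected_clients):
    """Refused client IPs that are not known updaters (the DC itself, the DHCP
    server); the rest are usually members trying to update records they do not own."""
    return sorted({ip for (_zone, ip) in counts if ip not in expected_clients})
```

Feed it the output of `journalctl -u named` and pass the DC and DHCP server addresses as `expected_clients`; anything else that shows up is a client that should stop registering its own records.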
Dario Lesca
2017-Dec-04 15:00 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On Mon, 04/12/2017 at 14.48 +0000, Rowland Penny via samba wrote:
> The cure is to STOP your windows clients trying to update their own
> records.

Yes, this is true, on windows I will stop this service.

But my problem now is another: the samba command

    samba_dnsupdate --verbose --all-names --fail-immediately

does not work

Is it possible to resolve this problem? Or do I have to ignore it?

Thanks
Dario

> Rowland

-- 
Dario Lesca
(sent from my Linux Fedora 27 Workstation)
Christian Naumer
2017-Dec-04 15:02 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
Shouldn't samba_dnsupdate work regardless on all the _srv records? Even if the server gets its IP by DHCP? Or is this not the case when using "--fail-immediately"?

regards
Christian

-- 
Dr. Christian Naumer
Research Scientist
Platform Coordinator, Bioprocess Technology
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
fon +49-6251-9331-30 / fax +49-6251-9331-11
Follow @BRAINbiotech on Twitter: https://twitter.com/BRAINbiotech

Registered office: Zwingenberg/Bergstrasse
Commercial register: AG Darmstadt, HRB 24758
Management board: Dr. Juergen Eck (Chairman), Frank Goebel
Chairman of the supervisory board: Dr. Ludger Mueller