Hi,

A while ago I set up Samba4 on CentOS 6. The Samba version was 4.0.0 using the RPM from SOGo. I used the DLZ BIND backend with BIND 9.8.

I tested with a Windows 7 VM client. When I joined the client to the domain it was automatically added to the AD DNS and appeared in the Windows DNS Manager. The VM had a static IP, but if I changed the IP address that change was automatically reflected in the DNS entry.

I am now adding new real clients to the domain and find that they are not added to the AD domain DNS. The client has a dynamic IP, but I have tried changing to a fixed IP address and it makes no difference.

The only changes I can recall between the initial setup and now are:

1. Samba upgrade to 4.0.1. After upgrading I followed the procedure and ran

       samba-tool dbcheck --cross-ncs --fix
       samba-tool ntacl sysvolreset

   The upgrade changed the permissions of /var/lib/samba4/private back to root:root 700, which is no good, so I changed back to root:named 750. I also added "server services = -dns" to smb.conf as per the instructions because internal DNS is now the default.

2. Tested OpenChange. But, prior to doing anything, I backed up the entire /var/lib/samba4 directory. When I removed OpenChange (as it is just not stable yet) I removed /var/lib/samba4 and replaced it with the backup. So this should not have any effect.

I have checked everything against my notes made when installing Samba4 and can't find anything wrong. In terms of DNS, /etc/named.conf contains

    include "/var/lib/samba4/private/named.conf";

which loads the DLZ module for BIND 9.8. The /etc/named.conf also has in the options

    tkey-gssapi-keytab "/var/lib/samba4/private/dns.keytab";

Permissions of files:

    /var/lib/samba4/private/named.conf   root:named 640
    /var/lib/samba4/private/dns.keytab   root:named 640
    /var/lib/samba4/private/dns/         root:named 770

It all seems OK (I think), but no dynamic DNS updates. There is nothing in the samba.log file to suggest a problem. The system log has messages

    client <IP address>: update 'example.local/IN' denied
    samba_dlz: cancelling transaction on zone example.local

Is there something I need to set in smb.conf? I see there are new options like "allow dns updates" and "dns update command", which I do not have specifically set, but I don't know if these only apply to the Samba internal DNS. There is still really no documentation about smb.conf for Samba4.

Can someone please explain what might be wrong or what I should look for.

Regards,
Stephen Jones
--
Stephen Jones
lloydsystems at fastmail.com.au
Thomas Simmons
2013-Apr-11 11:01 UTC
[Samba] Dynamic DNS updates not working with BIND DLZ
On Wed, Apr 10, 2013 at 10:22 PM, Stephen Jones <lloydsystems at fastmail.com.au> wrote:
> [...]
> It all seems OK (I think), but no dynamic DNS updates. There is nothing
> in the samba.log file to suggest a problem. The system log has messages
> client <IP address>: update 'example.local/IN' denied
> samba_dlz: cancelling transaction on zone example.local
> [...]

Hello Stephen,

I have been experiencing the same problem for the past month or so. Unfortunately, I have been unable to find a solution. I was able to dig back through my logs and found that the last DNS update occurred very early in the morning, so for some reason it just stopped updating.

You can start bind in debugging mode "named -u named -g -d 5", then run "ipconfig /registerdns" on the Windows client. If you see the following, then you are experiencing the same issue:

    28-Mar-2013 08:26:15.759 failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Success.
    28-Mar-2013 08:26:15.760 failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = .
    28-Mar-2013 08:26:15.760 process_gsstkey(): dns_tsigerror_badkey

This is not a problem with the internal DNS server, so that may be a solution. Do be advised that MX and CNAME records are broken in the internal DNS server, so that may not work for you.

I'm working on migrating everything to Windows Server in my test environment. Since there is no way to go back to Samba 3, that seems to be the only option I have.

Please let me know if you see the same errors with named in debugging mode. Perhaps it's a different problem altogether.

Regards,

> Stephen Jones
> --
> Stephen Jones
> lloydsystems at fastmail.com.au
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Stephen Jones
2013-Apr-28 02:51 UTC
[Samba] Dynamic DNS updates not working with BIND DLZ
Hi Lucas,

Thanks for the suggestion but, unfortunately, it's not that. I am aware of the Kerberos sensitivity to time differences. When I installed Samba4 I built a custom ntp rpm as the version shipped with RHEL/CentOS does not support signed ntp. I tested this by shifting the clock on the client and it worked its way back again.

Out of interest I decided to try this again, some months after the initial install. My laptop's clock was about 10 sec off the DC. I changed it to 2 min, and it stays there. Running 'w32tm /resync /rediscover' just reports "no time data was available".

So I actually have 2 problems. Dynamic DNS updates, that DID work before, now do not, and ntp updates, that DID work before, now also do not. Nothing has changed on the server with the DNS or ntp configuration. There is only the upgrade of Samba from 4.0.0 to 4.0.1.

It would seem that there is some problem with Kerberos such that the signed requests fail. Yet I can use kinit to authenticate and get a valid ticket. Kerberos is buried inside Samba so I have no idea what is wrong with it and why, nor do I have any idea how to fix it.

I have trawled the web for hours on this. I read plenty of similar problems, but no solutions other than the obvious stuff I already checked. It's really very frustrating.

Regards,
Stephen Jones

On Tue, Apr 23, 2013, at 01:30 AM, ?icro MEGAS wrote:
> Hey there,
>
> I had a similar problem in the past and resolved it today. The error was caused by a time mismatch between the host and the client. Did you check that ntp is working fine and your time between samba4 and the windows host is in sync (<5min)?
>
> Lucas.
>
> On 12 Apr 2013 03:00:41 +0400, Stephen Jones <lloydsystems at fastmail.com.au> wrote:
>> Hi Thomas,
>>
>> Thanks for the information. I did as you suggested and ran named in debug mode and issued 'ipconfig /registerdns' from the client. The output was similar to your post:
>>
>>     failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Success.
>>     gss-api source name (accept) is client_pc$@EXAMPLE.LOCAL
>>     process_gsstkey(): dns_tsigerror_noerror
>>
>> Looks like the server does not believe the client update request is signed appropriately. Strange, since I know Kerberos is set up fine and works. I can use nsupdate with Kerberos to edit the AD domain from the command line. Running 'kinit Administrator at EXAMPLE.LOCAL' gets a ticket, then 'nsupdate -g' and I can add/remove DNS entries.
>>
>> I know dynamic updates from the client worked before when I first set up Samba4. I don't know at what point it decided to stop working. The only thing I have done that I consider may have influence is upgrading Samba to 4.0.1.
>>
>> I don't really want to use the Samba internal DNS. The server runs an external domain as well as the internal AD domain with a split DNS setup, and I may not be able to run BIND and Samba DNS together. And if MX and CNAME in the Samba DNS are broken then it's no good to me running a mail server. The BIND DLZ seems a much better option to me.
>>
>> I certainly hope there is a fix for this problem.
>>
>> Regards,
>> Stephen Jones
>>
>> On Thu, Apr 11, 2013, at 09:01 PM, Thomas Simmons wrote:
>>> On Wed, Apr 10, 2013 at 10:22 PM, Stephen Jones <lloydsystems at fastmail.com.au> wrote:
>>>> [...]
>>> [...]
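The thread gives three independent leads: Thomas's procedure of running named in the foreground with debugging ("named -u named -g -d 5") and triggering "ipconfig /registerdns", Stephen's syslog "update denied" message and his list of file permissions under /var/lib/samba4/private, and Lucas's clock-skew suggestion. The script below is an added triage helper written for this page; it is not code from Samba, BIND or any of the posters. It assumes the named debug lines and the syslog message look as quoted in the thread, that BIND runs as user and group "named", and the /var/lib/samba4/private paths the thread uses. The three sample captures are constructed (the client address 192.0.2.10 is a documentation address), and the live permission report only says something useful when run on the DC itself.

```shell
#!/bin/sh
# Added triage helper for Samba AD DC + BIND DLZ dynamic-update failures.
# Not Samba/BIND code; built from the symptoms quoted in this thread.
# Assumptions: named debug output from "named -u named -g -d 5" and the syslog
# "update '...' denied" line look as quoted; BIND runs as user/group "named";
# paths follow the thread's /var/lib/samba4/private layout.

# Classify a captured named debug/syslog excerpt (stdin). Prints one keyword:
#   badkey  - process_gsstkey(): dns_tsigerror_badkey: BIND could not match the
#             client's GSS-TSIG key to a credential (keytab / principal problem)
#   gssfail - gss_inquire_cred / gss_accept_sec_context failed without badkey;
#             the Kerberos negotiation itself fails (clock skew is a usual cause)
#   denied  - the update was refused by the zone's update policy / DLZ ACL
#   clean   - none of the signatures present
classify_update_log() {
    log=$(cat)
    if printf '%s\n' "$log" | grep -q 'dns_tsigerror_badkey'; then
        echo badkey
    elif printf '%s\n' "$log" | grep -q 'failed gss_'; then
        echo gssfail
    elif printf '%s\n' "$log" | grep -q "update '.*/IN' denied"; then
        echo denied
    else
        echo clean
    fi
}

# Convenience wrapper: classify a capture held in a variable.
triage_sample() { printf '%s\n' "$1" | classify_update_log; }

# Kerberos tolerates only a small client/DC clock difference (the thread quotes
# 5 minutes). Succeeds when |client_epoch - dc_epoch| <= limit seconds.
clock_skew_ok() {
    diff=$(( $1 - $2 ))
    [ "$diff" -lt 0 ] && diff=$(( -diff ))
    [ "$diff" -le "${3:-300}" ]
}

# Does user "named" get permission bit $3 (4 = read, 2 = write) on a file with
# ownership "$1" (owner:group, as from `stat -c %U:%G`) and octal mode "$2"?
named_has_access() {
    owner=${1%%:*}; group=${1#*:}; mode=$2; bit=$3
    mode=${mode#"${mode%???}"}            # keep the last three octal digits
    u=${mode%??}; o=${mode#??}; g=${mode#?}; g=${g%?}
    [ "$owner" = named ] && [ $(( u & bit )) -ne 0 ] && return 0
    [ "$group" = named ] && [ $(( g & bit )) -ne 0 ] && return 0
    [ $(( o & bit )) -ne 0 ]
}

# World-readable check: a readable dns.keytab exposes the update key to every
# local account, so the keytab should stay at 640 as in Stephen's listing.
world_readable() { m=${1#"${1%???}"}; [ $(( ${m#??} & 4 )) -ne 0 ]; }

# Live report on the files Stephen listed; only meaningful on the DC itself
# (elsewhere it just reports them as absent). Requires GNU stat (CentOS has it).
report_dlz_perms() {
    for f in /var/lib/samba4/private/named.conf \
             /var/lib/samba4/private/dns.keytab \
             /var/lib/samba4/private/dns; do
        if [ ! -e "$f" ]; then echo "$f: not present on this host"; continue; fi
        set -- $(stat -c '%U:%G %a' "$f")
        if ! named_has_access "$1" "$2" 4; then
            echo "$f: named cannot read it ($1 $2)"
        elif [ -d "$f" ] && ! named_has_access "$1" "$2" 2; then
            echo "$f: named cannot write to it ($1 $2); the DLZ needs rw on dns/"
        elif [ "${f##*/}" = dns.keytab ] && world_readable "$2"; then
            echo "$f: keytab is world-readable ($1 $2); tighten to 640"
        else
            echo "$f: ok ($1 $2)"
        fi
    done
}

# Constructed captures modelled on the two posts (not real logs).
SAMPLE_BADKEY='28-Mar-2013 08:26:15.759 failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Success.
28-Mar-2013 08:26:15.760 process_gsstkey(): dns_tsigerror_badkey'
SAMPLE_GSSFAIL='failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure.
gss-api source name (accept) is client_pc$@EXAMPLE.LOCAL
process_gsstkey(): dns_tsigerror_noerror'
SAMPLE_DENIED="client 192.0.2.10#49152: update 'example.local/IN' denied
samba_dlz: cancelling transaction on zone example.local"

# Run stand-alone: triage the samples, then report the live permissions.
for s in "$SAMPLE_BADKEY" "$SAMPLE_GSSFAIL" "$SAMPLE_DENIED"; do
    echo "capture -> $(triage_sample "$s")"
done
echo "client 2 min fast -> $(clock_skew_ok 1120 1000 && echo within || echo beyond) the 5 min tolerance"
report_dlz_perms
```

Two points worth noting from the classification: Stephen's later capture (gss_inquire_cred failing but dns_tsigerror_noerror) and Thomas's (dns_tsigerror_badkey) are different signatures, which is why the script keeps them apart, and Stephen's 2-minute skew is inside the 5-minute tolerance Lucas mentions, consistent with his reply that time is not the cause.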