On Thu, 4 Aug 2016 17:51:09 +0200 rme at bluemail.ch wrote:

> Even some more observations.
>
> I noticed when I join my machine to AD it prompts a second time for
> the credentials. It does not matter what I enter or even cancel the
> dialog, it will always display an error:
>
> Changing the Primary Domain DNS name of this computer to "" failed.
> The name will remain "ad.cyberdyne.local".
>
> Well, actually this is what I want anyway. I found this Microsoft
> article about it:
> <https://support.microsoft.com/en-us/kb/2018583>
> But also forcing NetBIOS over TCP did not help. I have the following
> in my dhcpd.conf anyway:
> option netbios-name-servers 10.0.1.6;
> option netbios-node-type 8;
>
> In any case this should not harm as far as I understood.
>
> But I went a bit more into DNS topics and came across a potential
> issue or at least nuisance.
> I am currently using BIND and it manages the zone cyberdyne.local.
> There I also manage a reverse-DNS zone (zone
> "1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa" in). This zone is managing
> PTR entries for my local LAN equipment with fixed IP addresses.
>
> It looks like when a machine is domain-joined the clients try to
> update those records and I see the following in my BIND logs (starts
> after domain join):
>
> 04-Aug-2016 17:09:52.381 update-security: error: client
> fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#56593: view internal: update
> '1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa/IN' denied
> 04-Aug-2016 17:09:52.382 update: info: client
> fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#54604/key
> cyb64w10-monste$@AD.CYBERDYNE.LOCAL: view internal: updating zone
> '1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa/IN': update failed:
> rejected by secure update (REFUSED)
>
> I am in question to myself how to resolve this.
> One possibility might be to remove the reverse DNS zone and let
> Samba_DLZ manage it. This might work but does not allow me to manage
> the PTR records for my static LAN equipment in BIND.
>
> A second possibility might be to allow secure updates. Though I
> haven't been able to find some working guide how to allow
> Kerberos-authenticated secure updates. Somewhere I found to use
> something like
>
> update-policy {
>   grant AD.CYBERDYNE.LOCAL krb5-self * PTR;
> };
>
> in my zone definition. However it didn't work as expected.
> I also found this:
> <http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/>
> However I didn't go through the complete instruction. As of my
> understanding it will forward the verification of the request to an
> external script.
> Well, I think it's far too complex and Kerberos authentication should
> be possible with BIND directly.

No it's not, it's fairly easy, once you get your head around it. I have
been using something based on that webpage for nearly 4 years now and
only had self-inflicted problems.

Rowland
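The two BIND log lines quoted above, together with the `grant AD.CYBERDYNE.LOCAL krb5-self * PTR;` rule, can be checked mechanically. The script below is an added example, not code from the thread, from BIND or from Samba. It parses `update` / `update-security` log lines (the sample is a constructed copy of the two lines quoted above), derives the PTR owner name the client would register for its own source address (an assumption: BIND logs the zone that was refused, not the record name), and models what a `krb5-self` or `ms-self` rule would permit for the signing principal. The model follows the BIND ARM wording rather than BIND's code: `krb5-self` matches a `host/machine@REALM` principal and `ms-self` a `machine$@REALM` one, the rule's identity field is the realm to match, and either rule only grants updates to the owner name `machine.realm`. The key in the log, `cyb64w10-monste$@AD.CYBERDYNE.LOCAL`, is of the `machine$` form, and in any case a self-style rule can never match a PTR owner name inside a reverse zone, which is what the script reports for the refused update.

```python
import ipaddress
import re

# Constructed sample: two lines modelled on the BIND log excerpt quoted in
# the thread (same client, key principal, view and zone).
SAMPLE_LOG = """\
04-Aug-2016 17:09:52.381 update-security: error: client fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#56593: view internal: update '1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa/IN' denied
04-Aug-2016 17:09:52.382 update: info: client fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#54604/key cyb64w10-monste$@AD.CYBERDYNE.LOCAL: view internal: updating zone '1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa/IN': update failed: rejected by secure update (REFUSED)
"""

# "client <addr>#<port>[/key <signer>]: view <view>: <rest>", as in the lines above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<category>[\w-]+): (?P<level>\w+): "
    r"client (?P<client>[^#\s]+)#(?P<port>\d+)"
    r"(?:/key (?P<signer>[^:\s]+))?: "
    r"view (?P<view>[^:]+): (?P<rest>.*)$"
)
ZONE_RE = re.compile(r"'(?P<zone>[^'/]+)/(?P<rrclass>[A-Z]+)'")


def parse_bind_update_log(text):
    """Parse BIND 'update' / 'update-security' lines into dicts; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        z = ZONE_RE.search(ev["rest"])
        ev["zone"] = z.group("zone") if z else None
        if ev["rest"].endswith(" denied"):
            ev["outcome"] = "denied"      # unsigned attempt, rejected outright
        elif "(REFUSED)" in ev["rest"]:
            ev["outcome"] = "REFUSED"     # signed, but no update-policy rule matched
        else:
            ev["outcome"] = "other"
        events.append(ev)
    return events


def self_rule_target(signer, rule, identity):
    """Owner name an ms-self / krb5-self rule would let `signer` update, or None.

    Simplified model of the BIND ARM description (assumption: not BIND's code):
    krb5-self expects host/machine@REALM, ms-self expects machine$@REALM, the
    identity field is the REALM to match, and the permitted name is machine.realm.
    """
    if "@" not in signer:
        return None
    principal, realm = signer.rsplit("@", 1)
    if realm.lower() != identity.lower():
        return None
    if rule == "krb5-self":
        if not principal.startswith("host/"):
            return None
        machine = principal[len("host/"):]
    elif rule == "ms-self":
        if not principal.endswith("$"):
            return None
        machine = principal[:-1]
    else:
        raise ValueError("only krb5-self and ms-self are modelled here")
    return f"{machine}.{realm}".lower()


def rule_permits(rule, identity, types, signer, name, rrtype):
    """True if the modelled self rule lets `signer` update `rrtype` at `name`.
    `types` is the rule's type list; an empty list means any type."""
    target = self_rule_target(signer, rule, identity)
    if target is None or target != name.lower().rstrip("."):
        return False
    return not types or rrtype.upper() in {t.upper() for t in types}


def audit(text, rule, identity, types):
    """For each REFUSED signed update, derive the PTR owner name of the
    client's own source address (assumption: that is the record it tried to
    set) and report whether the given self rule could ever have allowed it."""
    findings = []
    for ev in parse_bind_update_log(text):
        if ev["outcome"] != "REFUSED" or not ev["signer"]:
            continue
        ptr_name = ipaddress.ip_address(ev["client"]).reverse_pointer
        findings.append({
            "signer": ev["signer"],
            "zone": ev["zone"],
            "ptr_name": ptr_name,
            "in_zone": ev["zone"] is not None and ptr_name.endswith("." + ev["zone"]),
            "self_rule_target": self_rule_target(ev["signer"], rule, identity),
            "self_rule_allows": rule_permits(rule, identity, types, ev["signer"], ptr_name, "PTR"),
        })
    return findings


if __name__ == "__main__":
    # The policy from the thread: grant AD.CYBERDYNE.LOCAL krb5-self * PTR;
    for finding in audit(SAMPLE_LOG, "krb5-self", "AD.CYBERDYNE.LOCAL", ["PTR"]):
        print(finding)
```

Run against the sample, the refused update comes from a `machine$` principal, the PTR name for the client address does lie inside the quoted reverse zone, and the `krb5-self` rule yields no permitted name at all; switching the rule to `ms-self` would permit only `cyb64w10-monste.ad.cyberdyne.local`, which is still not the PTR owner, so neither self rule can make that update succeed.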
rme at bluemail.ch
2016-Aug-04 19:14 UTC
[Samba] Samba 4.2.14 Group Policy (GPO) sync error
Hello Rowland,

> No it's not, it's fairly easy, once you get your head around it. I have
> been using something based on that webpage for nearly 4 years now and
> only had self-inflicted problems.

Thanks for the heads-up. Perhaps my wording wasn't very good on it. I
would actually just prefer something built into BIND rather than using
an external script. That's why I was hoping for something like the krb5
grant. So as I understood you're using the script method instead. Is it
because at the time you put your solution in place there was no support
for Kerberos in BIND, or is it because you investigated and found BIND
not to support authorization via Kerberos and Samba?

Perhaps somebody knows more about the Kerberos support in BIND and can
point me to a guide. Else I will likely go for the external script
solution as well for production.

Anyway I need to get a solution for the GPO issues before even thinking
about some productive use of Samba 4 with Win10 + AD.

Thank you!
Rainer
On Thu, 4 Aug 2016 21:14:39 +0200 rme at bluemail.ch wrote:

> Hello Rowland,
>
> > No it's not, it's fairly easy, once you get your head around it. I
> > have been using something based on that webpage for nearly 4 years
> > now and only had self-inflicted problems.
>
> Thanks for the heads-up. Perhaps my wording wasn't very good on it. I
> would actually just prefer something built into BIND rather than
> using an external script. That's why I was hoping for something like
> the krb5 grant. So as I understood you're using the script method
> instead. Is it because at the time you put your solution in place
> there was no support for Kerberos in BIND, or is it because you
> investigated and found BIND not to support authorization via Kerberos
> and Samba?

No, the Kerberos support was built into BIND, but it isn't BIND that
runs the script, it is DHCP.

> Perhaps somebody knows more about the Kerberos support in BIND and
> can point me to a guide. Else I will likely go for the external
> script solution as well for production.

Windows can update the forward zone, but, if I understand it correctly,
it doesn't update the reverse zone. Unix clients do neither.

Rowland
Hai,

> Windows can update the forward zone, but, if I understand it correctly,
> it doesn't update the reverse zone. Unix clients do neither.
>
> Rowland
>
> --

Some more info on this.

- Windows 7 / static IPs
  Here Windows does update its forward and reverse zone, but only when
  you use a static IP, so to avoid problems here, all my normal PCs have
  static IPs.

- Windows 7 / DHCP IPs
  My DHCP clients only update the forward zones, no reverse, but this
  should be fixable, I just haven't looked into this (yet). (I didn't
  need it (yet).)

Win 10: I'm configuring a PC now and setting up the GPO. When done,
I'll test that and report back how that goes.

Greetz,
Louis