samba - Sep 2017 - Samba with Mit-krb5, update ddns fails

hi,
  I built samba v4.7.0 with Mit-krb5-1.15.2-x86-64( and also  tried with
Mit-krb5-1.15.1-x86-86), everything works fine.

 But when client windows7 joins AD, a new DNS A record should be added into
DNS(Bind), but it fails.

I test via administrator and its ticket.
===================================[root at pdc samba]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at AD.PTHL.HK

Valid starting       Expires              Service principal
09/29/2017 16:05:25  09/30/2017 02:05:25  krbtgt/AD.PTHL.HK at AD.PTHL.HK
        renew until 09/30/2017 16:05:15
09/29/2017 16:05:37  09/30/2017 02:05:25  DNS/pdc.ad.pthl.hk at AD.PTHL.HK
        renew until 09/30/2017 16:05:15
====================================
and run
================================nsupdate -g -d -L 9 -v<< UPDATE
server pdc.ad.pthl.hk
realm AD.PTHL.HK <http://ad.pthl.hk/>
update add test.ad.pthl.hk 3600 A 172.16.232.199
send
UPDATE

=======================
Here is /var/log/message:

Sep 29 16:34:42 pdc named[1332]: samba_dlz: starting transaction on zone
ad.pthl.hk
Sep 29 16:34:42 pdc named[1332]: samba_dlz: GSS server Update(krb5)(1)
Update failed: Unspecified GSS failure.  Minor code may provide more
information: Request is a replay
Sep 29 16:34:42 pdc named[1332]: samba_dlz: spnego update failed
Sep 29 16:34:42 pdc named[1332]: client 172.16.232.204#43318/key
administrator\@AD.PTHL.HK <http://ad.pthl.hk/>: updating zone '
ad.pthl.hk/NONE': update failed: rejected by secure update (REFUSED)
Sep 29 16:34:42 pdc named[1332]: samba_dlz: cancelling transaction on zone
ad.pthl.hk

================================================
The same thing is done without any error by Samba V4.7.0 with build-in
Heimedal-Krb5. So I guess there is something wrong with samba and mit-krb5.

Can someone offer me any suggestion?

I can reproduce this behavior using Samba 4.7.0. This also affects
samba_dnsupdate.
If have filed a bug (https://bugzilla.samba.org/show_bug.cgi?id=13066).


luckydog xf via samba <samba at lists.samba.org> schrieb am Fr., 29. Sep.
2017
um 11:13 Uhr:
> hi,
>   I built samba v4.7.0 with Mit-krb5-1.15.2-x86-64( and also  tried with
> Mit-krb5-1.15.1-x86-86), everything works fine.
>
>  But when client windows7 joins AD, a new DNS A record should be added into
> DNS(Bind), but it fails.
>
> I test via administrator and its ticket.
> ===================================> [root at pdc samba]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at AD.PTHL.HK
>
> Valid starting       Expires              Service principal
> 09/29/2017 16:05:25  09/30/2017 02:05:25  krbtgt/AD.PTHL.HK at AD.PTHL.HK
>         renew until 09/30/2017 16:05:15
> 09/29/2017 16:05:37  09/30/2017 02:05:25  DNS/pdc.ad.pthl.hk at AD.PTHL.HK
>         renew until 09/30/2017 16:05:15
> ====================================>
> and run
> ================================> nsupdate -g -d -L 9 -v<< UPDATE
> server pdc.ad.pthl.hk
> realm AD.PTHL.HK <http://ad.pthl.hk/>
> update add test.ad.pthl.hk 3600 A 172.16.232.199
> send
> UPDATE
>
> =======================>
> Here is /var/log/message:
>
> Sep 29 16:34:42 pdc named[1332]: samba_dlz: starting transaction on zone
> ad.pthl.hk
> Sep 29 16:34:42 pdc named[1332]: samba_dlz: GSS server Update(krb5)(1)
> Update failed: Unspecified GSS failure.  Minor code may provide more
> information: Request is a replay
> Sep 29 16:34:42 pdc named[1332]: samba_dlz: spnego update failed
> Sep 29 16:34:42 pdc named[1332]: client 172.16.232.204#43318/key
> administrator\@AD.PTHL.HK <http://ad.pthl.hk/>: updating zone '
> ad.pthl.hk/NONE': update failed: rejected by secure update (REFUSED)
> Sep 29 16:34:42 pdc named[1332]: samba_dlz: cancelling transaction on zone
> ad.pthl.hk
>
> ================================================>
> The same thing is done without any error by Samba V4.7.0 with build-in
> Heimedal-Krb5. So I guess there is something wrong with samba and mit-krb5.
>
> Can someone offer me any suggestion?
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba