Hi,
I migrated our DCs from 4.5/internal dns to 4.7.1/bind9_dlz. Short
summary of the steps taken:
- added a new temp dc,
- removed the old DCs
- cleaned sam database
- installed new DCs, with their old dns/ip
- removed the temp dc again
- synced sysvol
and all is looking well: no db errors, no replication issues, ldapcmp
matches across DCs, etc.
So, I took things to production today, and now I see two things that I
would like some feedback on:
Bind complains:
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: disallowing update of
signer=p002507$@SAMBA.DOMAIN.COM name=P002507.samba.domain.com type=AAAA
error=insufficient access rights
> Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#57335/key
p002507$@SAMBA.DOMAIN.COM: updating zone 'samba.domain.com/NONE':
update failed: rejected by secure update (REFUSED)
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: cancelling transaction on zone
samba.domain.com
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: starting transaction on zone
samba.domain.com
> Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#51536: update
'samba.domain.com/IN' denied
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: cancelling transaction on zone
samba.domain.com
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: starting transaction on zone
samba.domain.com
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: disallowing update of
signer=p002507$@SAMBA.DOMAIN.COM name=P002507.samba.domain.com type=AAAA
error=insufficient access rights
> Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#59032/key
p002507$@SAMBA.DOMAIN.COM: updating zone 'samba.domain.com/NONE':
update failed: rejected by secure update (REFUSED)
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: cancelling transaction on zone
samba.domain.com
Since this seems to be only about AAAA records... should I do something
to disable IPv6, perhaps? It happens for many of our workstations.
A second (and perhaps more serious?) issue:
On all four DCs, we're seeing in log.smbd:
> [2017/11/07 18:23:25.114429, 1]
../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
text): Failed to find DC4$@SAMBA.COMPANY.COM(kvno 1) in keytab
FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
> [2017/11/07 18:23:25.114456, 1]
../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> [2017/11/07 18:30:02.741596, 1]
../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
text): Failed to find DC4$@SAMBA.COMPANY.COM(kvno 1) in keytab
FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
> [2017/11/07 18:30:02.741629, 1]
../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
The message is always about the local DC account, so DC4$ on dc4, DC3$
on dc3, DC2$ on dc2. Permissions on
/var/lib/samba/private/secrets.keytab are 600, root:root.
I guess this is relevant:
> root@dc3:/var/log/samba# klist -ek /var/lib/samba/private/secrets.keytab
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 2 HOST/dc3@SAMBA.COMPANY.COM (des-cbc-crc)
> 2 HOST/dc3.SAMBA.COMPANY.COM@SAMBA.COMPANY.COM (des-cbc-crc)
> 2 DC3$@SAMBA.COMPANY.COM (des-cbc-crc)
> 2 HOST/dc3@SAMBA.COMPANY.COM (des-cbc-md5)
> 2 HOST/dc3.SAMBA.COMPANY.COM@SAMBA.COMPANY.COM (des-cbc-md5)
> 2 DC3$@SAMBA.COMPANY.COM (des-cbc-md5)
> 2 HOST/dc3@SAMBA.COMPANY.COM (arcfour-hmac)
> 2 HOST/dc3.SAMBA.COMPANY.COM@SAMBA.COMPANY.COM (arcfour-hmac)
> 2 DC3$@SAMBA.COMPANY.COM (arcfour-hmac)
> 2 HOST/dc3@SAMBA.COMPANY.COM (aes128-cts-hmac-sha1-96)
> 2 HOST/dc3.SAMBA.COMPANY.COM@SAMBA.COMPANY.COM (aes128-cts-hmac-sha1-96)
> 2 DC3$@SAMBA.COMPANY.COM (aes128-cts-hmac-sha1-96)
> 2 HOST/dc3@SAMBA.COMPANY.COM (aes256-cts-hmac-sha1-96)
> 2 HOST/dc3.SAMBA.COMPANY.COM@SAMBA.COMPANY.COM (aes256-cts-hmac-sha1-96)
> 2 DC3$@SAMBA.COMPANY.COM (aes256-cts-hmac-sha1-96)
The smb.conf on the DCs is basically as generated by the samba-tool
domain join, with only some minor additions:
> root@dc4:/var/lib/samba/private# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> netbios name = DC4
> realm = SAMBA.COMPANY.COM
> server role = active directory domain controller
> # server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
winbindd, ntp_signd, kcc, dnsupdate
> server services = -dns
> workgroup = WRKGRP
>
> idmap_ldb:use rfc2307 = yes
> ldap server require strong auth = no
> ntlm auth = mschapv2-and-ntlmv2-only
> log level = 1 auth_audit:3
>
> [netlogon]
> path = /var/lib/samba/sysvol/samba.company.com/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
Suggestions would be appreciated!
MJ
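As an added example, not part of MJ's post and not Samba code: a small Python triage script for the two kinds of log excerpt above. It tallies the GSS-TSIG updates that samba_dlz refused, keyed by signer, record name, record type and error, separately from unsigned updates that named denied, and it pairs the kvno that the failing GSSAPI accept in log.smbd asked for with the kvnos actually present in `klist -ek` output for the same principal. The named lines, the log.smbd line and the keytab listing embedded below are constructed from the post's excerpts (the keytab listing is for dc4 and assumes the same shape as the dc3 listing shown); on a real DC you would feed it the DC's own named log, log.smbd and klist output.

```python
"""Triage helper for the two symptoms quoted in the thread: GSS-TSIG dynamic
updates that samba_dlz refuses, and GSSAPI accepts that fail because the
requested kvno is not in secrets.keytab.  Added example; not code from the
post or from Samba.  All inputs below are constructed from the post's excerpts."""
import re
from collections import Counter

# Constructed sample of the named log excerpt from the post (one entry per line).
NAMED_LOG = """\
Nov 07 18:20:28 dc4 named[19990]: samba_dlz: disallowing update of signer=p002507$@SAMBA.DOMAIN.COM name=P002507.samba.domain.com type=AAAA error=insufficient access rights
Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#57335/key p002507$@SAMBA.DOMAIN.COM: updating zone 'samba.domain.com/NONE': update failed: rejected by secure update (REFUSED)
Nov 07 18:20:28 dc4 named[19990]: samba_dlz: cancelling transaction on zone samba.domain.com
Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#51536: update 'samba.domain.com/IN' denied
Nov 07 18:20:28 dc4 named[19990]: samba_dlz: disallowing update of signer=p002507$@SAMBA.DOMAIN.COM name=P002507.samba.domain.com type=AAAA error=insufficient access rights
"""

# Constructed sample of the log.smbd line from the post.
SMBD_LOG = """\
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DC4$@SAMBA.COMPANY.COM(kvno 1) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
"""

# Constructed `klist -ek` listing for dc4, assumed to have the same shape as
# the dc3 listing in the post (kvno 2 for every entry).
KLIST_OUTPUT = """\
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOST/dc4@SAMBA.COMPANY.COM (arcfour-hmac)
   2 DC4$@SAMBA.COMPANY.COM (arcfour-hmac)
   2 DC4$@SAMBA.COMPANY.COM (aes256-cts-hmac-sha1-96)
"""

# A signed (GSS-TSIG) update that samba_dlz's per-record access check refused.
DLZ_DENY = re.compile(
    r"samba_dlz: disallowing update of signer=(?P<signer>\S+) "
    r"name=(?P<name>\S+) type=(?P<rtype>\S+) error=(?P<error>.*)$")
# An unsigned update that named denied ("/key" is absent after the port).
UNSIGNED_DENY = re.compile(r"client (?P<client>[\d.]+)#\d+: update '(?P<zone>[^']+)' denied")
# gensec_gssapi's keytab miss: which principal, kvno and enctype the acceptor wanted.
KEYTAB_MISS = re.compile(
    r"Failed to find (?P<princ>[^\s(]+)\(kvno (?P<kvno>\d+)\) in keytab "
    r"(?P<keytab>\S+) \((?P<enctype>[^)]+)\)")
# One data row of `klist -ek`: "<kvno> <principal> (<enctype>)".
KLIST_ROW = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<princ>\S+)\s+\((?P<enctype>[^)]+)\)\s*$")


def refused_updates(named_log):
    """Tally refused dynamic updates.

    Returns (signed, unsigned): signed is a Counter keyed by
    (signer, record name, record type, error), unsigned a Counter keyed by
    (client address, zone).  Only the signed refusals involve the per-record
    access check; the unsigned ones are denied without consulting it.
    """
    signed, unsigned = Counter(), Counter()
    for line in named_log.splitlines():
        m = DLZ_DENY.search(line)
        if m:
            signed[(m["signer"], m["name"], m["rtype"], m["error"])] += 1
            continue
        m = UNSIGNED_DENY.search(line)
        if m:
            unsigned[(m["client"], m["zone"])] += 1
    return signed, unsigned


def keytab_index(klist_text):
    """Map principal -> set of (kvno, enctype) found in `klist -ek` output."""
    index = {}
    for line in klist_text.splitlines():
        m = KLIST_ROW.match(line)
        if m:
            index.setdefault(m["princ"], set()).add((int(m["kvno"]), m["enctype"]))
    return index


def keytab_misses(smbd_log, index):
    """For each keytab miss in log.smbd, pair the kvno the acceptor wanted
    with the kvnos the keytab actually holds for that principal."""
    report = []
    for line in smbd_log.splitlines():
        m = KEYTAB_MISS.search(line)
        if not m:
            continue
        have = sorted({kvno for kvno, _ in index.get(m["princ"], ())})
        report.append({
            "principal": m["princ"],
            "wanted_kvno": int(m["kvno"]),
            "keytab_kvnos": have,       # [] means the principal is absent entirely
            "enctype": m["enctype"],    # MIT says arcfour-hmac-md5 here, arcfour-hmac in klist
        })
    return report


if __name__ == "__main__":
    signed, unsigned = refused_updates(NAMED_LOG)
    for (signer, name, rtype, err), n in signed.items():
        print(f"{n}x refused signed update: {signer} -> {name} {rtype}: {err}")
    for (client, zone), n in unsigned.items():
        print(f"{n}x denied unsigned update from {client} to {zone}")
    for miss in keytab_misses(SMBD_LOG, keytab_index(KLIST_OUTPUT)):
        print(f"{miss['principal']}: acceptor wanted kvno {miss['wanted_kvno']}, "
              f"keytab has {miss['keytab_kvnos'] or 'nothing'}")
```

The value of the second check is that it puts the two halves of the keytab problem side by side: the failing accept asks for kvno 1 of DC4$ while the keytab only carries kvno 2 for that principal, which is easy to miss when one fact is in log.smbd and the other in klist output. The enctype is carried along for reference only, since MIT spells the same enctype arcfour-hmac-md5 in the error text and arcfour-hmac in klist.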