Dario Lesca
2017-Dec-04 10:35 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
I have set up on a Fedora 27 server a Samba AD-DC + bind + dhcp.

All seems to work fine: I can join the domain, add/remove dns records with samba-tools, access a shared folder, use the MS Management Console on Win7, etc.

But when I join a new machine (a Samba winbind member server) to the domain:

    [root at server-dati ~]# net ads join DOGMA-TO -U administrator
    Using short domain name -- DOGMA-TO
    Joined 'SERVER-DATI' to dns domain 'dogma-to.loc'
    DNS Update for server-dati.dogma-to.loc failed: ERROR_DNS_UPDATE_FAILED
    DNS update failed: NT_STATUS_UNSUCCESSFUL

or run this command on the Samba AD-DC:

    [root at server-addc ~]# samba_dnsupdate --all-names --fail-immediately
    update failed: REFUSED

In the system log I get:

    dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: starting transaction on zone dogma-to.loc
    dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: spnego update failed
    dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: client @0x7fe71c49f7b0 192.168.41.1#48521/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
    dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: cancelling transaction on zone dogma-to.loc

What kind of problem is it?

These are my config files, and SELinux is off.

### Samba:

    [global]
        passdb backend = samba_dsdb
        realm = DOGMA-TO.LOC
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        template homedir = /home/%U
        template shell = /bin/bash
        workgroup = DOGMA-TO
        rpc_server:tcpip = no
        rpc_daemon:spoolssd = embedded
        rpc_server:spoolss = embedded
        rpc_server:winreg = embedded
        rpc_server:ntsvcs = embedded
        rpc_server:eventlog = embedded
        rpc_server:srvsvc = embedded
        rpc_server:svcctl = embedded
        rpc_server:default = external
        winbindd:use external pipes = true
        idmap_ldb:use rfc2307 = yes
        idmap config * : backend = tdb

        map archive = No
        map readonly = no
        store dos attributes = Yes
        vfs objects = dfs_samba4 acl_xattr

    [netlogon]
        path = /var/lib/samba/sysvol/dogma-to.loc/scripts
        read only = No

    [sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Kerberos

    [root at server-addc ~]# cat /etc/krb5.conf
    [libdefaults]
        default_realm = DOGMA-TO.LOC
        dns_lookup_realm = false
        dns_lookup_kdc = true

### Bind

    options {
        listen-on port 53 { 127.0.0.1; 192.168.41.1; };
        //listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; 192.168.41.0/24; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";

        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

    };

    logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";

    include "/var/lib/samba/bind-dns/named.conf";

Can someone help me?

-- 
Dario Lesca
(sent from my Linux Fedora 27 Workstation)
Rowland Penny
2017-Dec-04 11:29 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On Mon, 04 Dec 2017 11:35:29 +0100
Dario Lesca via samba <samba at lists.samba.org> wrote:

> I have set up on a Fedora 27 server a Samba AD-DC + bind + dhcp.
>

Try changing the 'options' of named.conf to this:

    options {
        directory "/var/named";
        notify no;
        empty-zones-enable no;
        allow-query { localhost; 192.168.41.0/24; };
        allow-recursion { 192.168.41.0/24; 127.0.0.1/32; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        allow-transfer { none; };
        dnssec-validation no;
        dnssec-enable no;
        listen-on port 53 { 127.0.0.1; 192.168.41.1; };
        //listen-on-v6 port 53 { ::1; };
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
    };

Rowland
Dario Lesca
2017-Dec-04 11:56 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On Mon, 04/12/2017 at 11:29 +0000, Rowland Penny via samba wrote:

> Try changing the 'options' of named.conf to this:

Thanks Rowland.

I integrated your suggested changes and restarted samba and named.

Now my named.conf is this [1], but nothing has changed:

    [root at server-addc ~]# samba_dnsupdate --all-names --fail-immediately
    update failed: REFUSED

    dic 04 12:46:43 server-addc.dogma-to.loc named[8474]: samba_dlz: spnego update failed
    dic 04 12:46:43 server-addc.dogma-to.loc named[8474]: client @0x7fc9310a5e80 192.168.41.1#60981/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)

I have also tried this:

    [root at server-addc ~]# samba_dnsupdate --all-names --use-samba-tool --fail-immediately
    ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
      File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
        return self.run(*args, **kwargs)
      File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
        raise e

But it also fails.

Any other suggestions?

Thanks
Dario

[1] /etc/named.conf

    options {
        listen-on port 53 { 127.0.0.1; 192.168.41.1; };
        //listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; 192.168.41.0/24; };
        recursion yes;
        //dnssec-enable yes;
        //dnssec-validation yes;
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
        allow-recursion { 192.168.41.0/24; 127.0.0.1/32; };
        notify no;
        empty-zones-enable no;
        forwarders { 8.8.8.8; 8.8.4.4; };
        dnssec-validation no;
        dnssec-enable no;
        allow-transfer { none; };
    };

    logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
    };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";

    include "/var/lib/samba/bind-dns/named.conf";

-- 
Dario Lesca
(sent from my Linux Fedora 27 Workstation)
Christian Naumer
2017-Dec-04 12:17 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
Is /var/lib/samba/bind-dns/ accessible by bind?

Regards

Christian

On 04.12.2017 at 11:35, Dario Lesca via samba wrote:
> I have set up on a Fedora 27 server a Samba AD-DC + bind + dhcp.
>
> All seems to work fine: I can join the domain, add/remove dns records with
> samba-tools, access a shared folder, use the MS Management Console on
> Win7, etc.
>
> But when I join a new machine (a Samba winbind member server) to the domain:
>
>     [root at server-dati ~]# net ads join DOGMA-TO -U administrator
>     Using short domain name -- DOGMA-TO
>     Joined 'SERVER-DATI' to dns domain 'dogma-to.loc'
>     DNS Update for server-dati.dogma-to.loc failed: ERROR_DNS_UPDATE_FAILED
>     DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> or run this command on the Samba AD-DC:
>
>     [root at server-addc ~]# samba_dnsupdate --all-names --fail-immediately
>     update failed: REFUSED
>
> In the system log I get:
>
>     dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: starting transaction on zone dogma-to.loc
>     dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: spnego update failed
>     dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: client @0x7fe71c49f7b0 192.168.41.1#48521/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
>     dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: cancelling transaction on zone dogma-to.loc
>
> What kind of problem is it?
>
> These are my config files, and SELinux is off.
>
> ### Samba:
>
>     [global]
>         passdb backend = samba_dsdb
>         realm = DOGMA-TO.LOC
>         server role = active directory domain controller
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>         template homedir = /home/%U
>         template shell = /bin/bash
>         workgroup = DOGMA-TO
>         rpc_server:tcpip = no
>         rpc_daemon:spoolssd = embedded
>         rpc_server:spoolss = embedded
>         rpc_server:winreg = embedded
>         rpc_server:ntsvcs = embedded
>         rpc_server:eventlog = embedded
>         rpc_server:srvsvc = embedded
>         rpc_server:svcctl = embedded
>         rpc_server:default = external
>         winbindd:use external pipes = true
>         idmap_ldb:use rfc2307 = yes
>         idmap config * : backend = tdb
>
>         map archive = No
>         map readonly = no
>         store dos attributes = Yes
>         vfs objects = dfs_samba4 acl_xattr
>
>     [netlogon]
>         path = /var/lib/samba/sysvol/dogma-to.loc/scripts
>         read only = No
>
>     [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
> Kerberos
>
>     [root at server-addc ~]# cat /etc/krb5.conf
>     [libdefaults]
>         default_realm = DOGMA-TO.LOC
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> ### Bind
>
>     options {
>         listen-on port 53 { 127.0.0.1; 192.168.41.1; };
>         //listen-on-v6 port 53 { ::1; };
>         directory "/var/named";
>         dump-file "/var/named/data/cache_dump.db";
>         statistics-file "/var/named/data/named_stats.txt";
>         memstatistics-file "/var/named/data/named_mem_stats.txt";
>         allow-query { localhost; 192.168.41.0/24; };
>
>         /*
>          - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
>          - If you are building a RECURSIVE (caching) DNS server, you need to enable
>            recursion.
>          - If your recursive DNS server has a public IP address, you MUST enable access
>            control to limit queries to your legitimate users. Failing to do so will
>            cause your server to become part of large scale DNS amplification
>            attacks. Implementing BCP38 within your network would greatly
>            reduce such attack surface
>         */
>         recursion yes;
>
>         dnssec-enable yes;
>         dnssec-validation yes;
>
>         managed-keys-directory "/var/named/dynamic";
>
>         pid-file "/run/named/named.pid";
>         session-keyfile "/run/named/session.key";
>
>         /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
>         include "/etc/crypto-policies/back-ends/bind.config";
>
>         tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>
>     };
>
>     logging {
>         channel default_debug {
>             file "data/named.run";
>             severity dynamic;
>         };
>     };
>
>     zone "." IN {
>         type hint;
>         file "named.ca";
>     };
>
>     include "/etc/named.rfc1912.zones";
>     include "/etc/named.root.key";
>
>     include "/var/lib/samba/bind-dns/named.conf";
>
> Can someone help me?
>

-- 
Dr. Christian Naumer
Research Scientist
Plattform-Koordinator Bioprozesstechnik

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
fon +49-6251-9331-30 / fax +49-6251-9331-11

Follow @BRAINbiotech on Twitter: https://twitter.com/BRAINbiotech

Sitz der Gesellschaft: Zwingenberg/Bergstrasse
Registergericht AG Darmstadt, HRB 24758
Vorstand: Dr. Juergen Eck (Vorsitzender), Frank Goebel
Aufsichtsratsvorsitzender: Dr. Ludger Mueller
Dario Lesca
2017-Dec-04 13:10 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On Mon, 04/12/2017 at 13:17 +0100, Christian Naumer via samba wrote:

> Is /var/lib/samba/bind-dns/ accessible by bind?

Yes, and selinux is disabled.

    [root at server-addc ~]# find /var/lib/samba/bind-dns/ -ls
    3149158    0 drwxrwx---   3 root     named          95 dic  4 14:03 /var/lib/samba/bind-dns/
        111    0 drwxrwx---   3 root     named          38 dic  4 13:57 /var/lib/samba/bind-dns/dns
    1049422    4 drwxrwx---   2 root     named        4096 dic  4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d
    1049423 1256 -rw-rw----   1 root     named     1286144 dic  4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/DC%3DDOGMA-TO,DC%3DLOC.ldb
    2118093  812 -rw-rw----   2 root     named      831488 dic  4 14:02 /var/lib/samba/bind-dns/dns/sam.ldb.d/metadata.tdb
    2118098 4148 -rw-rw----   2 root     named     4247552 dic  4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/DC%3DDOMAINDNSZONES,DC%3DDOGMA-TO,DC%3DLOC.ldb
    2118099 4148 -rw-rw----   2 root     named     4247552 dic  4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/DC%3DFORESTDNSZONES,DC%3DDOGMA-TO,DC%3DLOC.ldb
    2118101 6992 -rw-rw----   1 root     named     7159808 dic  4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/CN%3DCONFIGURATION,DC%3DDOGMA-TO,DC%3DLOC.ldb
    2118102 8300 -rw-rw----   1 root     named     8499200 dic  4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/CN%3DSCHEMA,CN%3DCONFIGURATION,DC%3DDOGMA-TO,DC%3DLOC.ldb
    1049424 2944 -rw-rw----   1 root     named     3014656 dic  4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb
    3149184    4 -rw-r--r--   1 root     root          721 dic  4 13:57 /var/lib/samba/bind-dns/named.conf
    3149185    4 -rw-r--r--   1 root     root         2092 dic  4 13:57 /var/lib/samba/bind-dns/named.txt
    1049430    4 -rw-r-----   2 root     named         772 dic  4 13:57 /var/lib/samba/bind-dns/dns.keytab
    3149744    4 -r--r--r--   1 root     root          230 dic  4 14:01 /var/lib/samba/bind-dns/named.conf.update

> Regards
>
> Christian
>
> On 04.12.2017 at 11:35, Dario Lesca via samba wrote:
> > I have set up on a Fedora 27 server a Samba AD-DC + bind + dhcp.
> >
> > All seems to work fine: I can join the domain, add/remove dns records with
> > samba-tools, access a shared folder, use the MS Management Console on
> > Win7, etc.
> >
> > But when I join a new machine (a Samba winbind member server) to the domain:
> >
> >     [root at server-dati ~]# net ads join DOGMA-TO -U administrator
> >     Using short domain name -- DOGMA-TO
> >     Joined 'SERVER-DATI' to dns domain 'dogma-to.loc'
> >     DNS Update for server-dati.dogma-to.loc failed: ERROR_DNS_UPDATE_FAILED
> >     DNS update failed: NT_STATUS_UNSUCCESSFUL
> >
> > or run this command on the Samba AD-DC:
> >
> >     [root at server-addc ~]# samba_dnsupdate --all-names --fail-immediately
> >     update failed: REFUSED
> >
> > In the system log I get:
> >
> >     dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: starting transaction on zone dogma-to.loc
> >     dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: spnego update failed
> >     dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: client @0x7fe71c49f7b0 192.168.41.1#48521/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
> >     dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: cancelling transaction on zone dogma-to.loc
> >
> > What kind of problem is it?
> >
> > These are my config files, and SELinux is off.
> >
> > ### Samba:
> >
> >     [global]
> >         passdb backend = samba_dsdb
> >         realm = DOGMA-TO.LOC
> >         server role = active directory domain controller
> >         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> >         template homedir = /home/%U
> >         template shell = /bin/bash
> >         workgroup = DOGMA-TO
> >         rpc_server:tcpip = no
> >         rpc_daemon:spoolssd = embedded
> >         rpc_server:spoolss = embedded
> >         rpc_server:winreg = embedded
> >         rpc_server:ntsvcs = embedded
> >         rpc_server:eventlog = embedded
> >         rpc_server:srvsvc = embedded
> >         rpc_server:svcctl = embedded
> >         rpc_server:default = external
> >         winbindd:use external pipes = true
> >         idmap_ldb:use rfc2307 = yes
> >         idmap config * : backend = tdb
> >
> >         map archive = No
> >         map readonly = no
> >         store dos attributes = Yes
> >         vfs objects = dfs_samba4 acl_xattr
> >
> >     [netlogon]
> >         path = /var/lib/samba/sysvol/dogma-to.loc/scripts
> >         read only = No
> >
> >     [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
> >
> > Kerberos
> >
> >     [root at server-addc ~]# cat /etc/krb5.conf
> >     [libdefaults]
> >         default_realm = DOGMA-TO.LOC
> >         dns_lookup_realm = false
> >         dns_lookup_kdc = true
> >
> > ### Bind
> >
> >     options {
> >         listen-on port 53 { 127.0.0.1; 192.168.41.1; };
> >         //listen-on-v6 port 53 { ::1; };
> >         directory "/var/named";
> >         dump-file "/var/named/data/cache_dump.db";
> >         statistics-file "/var/named/data/named_stats.txt";
> >         memstatistics-file "/var/named/data/named_mem_stats.txt";
> >         allow-query { localhost; 192.168.41.0/24; };
> >
> >         /*
> >          - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
> >          - If you are building a RECURSIVE (caching) DNS server, you need to enable
> >            recursion.
> >          - If your recursive DNS server has a public IP address, you MUST enable access
> >            control to limit queries to your legitimate users. Failing to do so will
> >            cause your server to become part of large scale DNS amplification
> >            attacks. Implementing BCP38 within your network would greatly
> >            reduce such attack surface
> >         */
> >         recursion yes;
> >
> >         dnssec-enable yes;
> >         dnssec-validation yes;
> >
> >         managed-keys-directory "/var/named/dynamic";
> >
> >         pid-file "/run/named/named.pid";
> >         session-keyfile "/run/named/session.key";
> >
> >         /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
> >         include "/etc/crypto-policies/back-ends/bind.config";
> >
> >         tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> >
> >     };
> >
> >     logging {
> >         channel default_debug {
> >             file "data/named.run";
> >             severity dynamic;
> >         };
> >     };
> >
> >     zone "." IN {
> >         type hint;
> >         file "named.ca";
> >     };
> >
> >     include "/etc/named.rfc1912.zones";
> >     include "/etc/named.root.key";
> >
> >     include "/var/lib/samba/bind-dns/named.conf";
> >
> > Can someone help me?
> >
>
> -- 
> Dr. Christian Naumer
> Research Scientist
> Plattform-Koordinator Bioprozesstechnik
>
> B.R.A.I.N Aktiengesellschaft
> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
> fon +49-6251-9331-30 / fax +49-6251-9331-11
>
> Follow @BRAINbiotech on Twitter: https://twitter.com/BRAINbiotech
>
> Sitz der Gesellschaft: Zwingenberg/Bergstrasse
> Registergericht AG Darmstadt, HRB 24758
> Vorstand: Dr. Juergen Eck (Vorsitzender), Frank Goebel
> Aufsichtsratsvorsitzender: Dr. Ludger Mueller
>

-- 
Dario Lesca
(sent from my Linux Fedora 27 Workstation)