Dario Lesca
2017-Dec-04 15:00 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On Mon, 04/12/2017 at 14:48 +0000, Rowland Penny via samba wrote:

> The cure is to STOP your windows clients trying to update their own
> records.

Yes, this is true, on Windows I will stop this service.

But my problem now is another: the samba command

    samba_dnsupdate --verbose --all-names --fail-immediately

does not work.

Is it possible to resolve this problem? Or do I have to ignore it?

Thanks

Dario

> Rowland

-- 
Dario Lesca
(sent from my Linux Fedora 27 Workstation)
Dario Lesca
2017-Dec-04 15:31 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On Mon, 04/12/2017 at 16:00 +0100, Dario Lesca via samba wrote:

> The samba command
>
>     samba_dnsupdate --verbose --all-names --fail-immediately
>
> does not work

I have added '-d 9' to the dlz section

    dlz "AD DNS Zone" {
        # For BIND 9.11.x
        database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so -d 9";
    };

And this is the debug message:

    [root@server-addc ~]# samba_dnsupdate --all-names --fail-immediately
    update failed: REFUSED

    Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: starting transaction on zone dogma-to.loc
    Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: Starting GENSEC mechanism spnego
    Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: Starting GENSEC submechanism gssapi_krb5
    Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: GSS server Update(krb5)(1) Update failed: Unspecified GSS failure. Minor code may provide more information: Request is a replay
    Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: spnego update failed
    Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: client @0x7fafe90c3400 192.168.41.1#57335/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
    Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: cancelling transaction on zone dogma-to.loc

Can this help us?

Thanks

-- 
Dario Lesca
(sent from my Linux Fedora 27 Workstation)
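Reading a named log like the one above by hand works for a single transaction; when many clients are being refused it helps to correlate each samba_dlz transaction (starting transaction ... cancelling transaction) into one record and count the rejections. The following is an added example written for this page, not code from Samba, BIND or anyone in the thread. It parses journald-style named lines; the sample input is constructed from the lines quoted above (month abbreviation rendered in English). It extracts the zone, the client address, the GSS-TSIG key name (the Kerberos principal the client authenticated as, which named prints with `$` and `@` backslash-escaped) and the Kerberos minor-status text, then counts refusals per principal and reason. On the sample it shows that the DC's own machine account, SERVER-ADDC$@DOGMA-TO.LOC, was refused because the GSS acceptor inside named reported "Request is a replay", and that the REFUSED rcode is only the consequence of that earlier GSS failure.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the journald lines from the post above, embedded so
# the example runs offline. In the real log the backslashes before '$' and '@'
# are named's own escaping of the TSIG key name.
SAMPLE_LOG = """\
Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: starting transaction on zone dogma-to.loc
Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: Starting GENSEC mechanism spnego
Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: Starting GENSEC submechanism gssapi_krb5
Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: GSS server Update(krb5)(1) Update failed: Unspecified GSS failure. Minor code may provide more information: Request is a replay
Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: spnego update failed
Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: client @0x7fafe90c3400 192.168.41.1#57335/key SERVER-ADDC\\$\\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: cancelling transaction on zone dogma-to.loc
"""

RE_TXN_START = re.compile(r"samba_dlz: starting transaction on zone (\S+)$")
RE_GSS_FAIL = re.compile(r"samba_dlz: GSS server Update\((\w+)\)\((\d+)\) Update failed: (.+)$")
RE_REFUSED = re.compile(
    r"client @0x[0-9a-f]+ (\S+)#(\d+)/key (\S+): updating zone '([^']+)': "
    r"update failed: (.+?) \((\w+)\)$"
)
RE_TXN_CANCEL = re.compile(r"samba_dlz: cancelling transaction on zone (\S+)$")


@dataclass
class SecureUpdateFailure:
    zone: str
    client_ip: Optional[str] = None
    client_port: Optional[int] = None
    key_name: Optional[str] = None    # GSS-TSIG key = Kerberos principal of the updater
    gss_mech: Optional[str] = None    # GSS submechanism that failed, e.g. krb5
    gss_reason: Optional[str] = None  # Kerberos minor-status text, e.g. "Request is a replay"
    rcode: Optional[str] = None       # RCODE named returned to the client, e.g. REFUSED
    cancelled: bool = False


def unescape_key_name(name: str) -> str:
    """named prints '$' and '@' in key names backslash-escaped; undo that."""
    return re.sub(r"\\(.)", r"\1", name)


def parse_secure_update_failures(log: str) -> List[SecureUpdateFailure]:
    """Fold each samba_dlz transaction into one record, kept only if it failed."""
    failures: List[SecureUpdateFailure] = []
    current: Optional[SecureUpdateFailure] = None
    for line in log.splitlines():
        line = line.rstrip()
        m = RE_TXN_START.search(line)
        if m:
            current = SecureUpdateFailure(zone=m.group(1))
            continue
        if current is None:
            continue  # line outside any transaction we saw start
        m = RE_GSS_FAIL.search(line)
        if m:
            current.gss_mech = m.group(1)
            # the minor-status text after the generic GSS message names the real cause
            current.gss_reason = m.group(3).split(
                "Minor code may provide more information:", 1)[-1].strip()
            continue
        m = RE_REFUSED.search(line)
        if m:
            current.client_ip = m.group(1)
            current.client_port = int(m.group(2))
            current.key_name = unescape_key_name(m.group(3))
            current.rcode = m.group(6)
            continue
        m = RE_TXN_CANCEL.search(line)
        if m and m.group(1) == current.zone:
            current.cancelled = True
            if current.gss_reason or current.rcode:
                failures.append(current)
            current = None
    return failures


def summarize(failures: List[SecureUpdateFailure]) -> Counter:
    """Count refusals by (authenticating principal, GSS reason, RCODE)."""
    return Counter((f.key_name, f.gss_reason, f.rcode) for f in failures)


if __name__ == "__main__":
    found = parse_secure_update_failures(SAMPLE_LOG)
    for f in found:
        print(f)
    for (key, reason, rcode), n in summarize(found).items():
        print(f"{n}x key={key} reason={reason!r} rcode={rcode}")
```

Feed it `journalctl -u named --no-pager -o short` output (or the syslog file named writes to) instead of SAMPLE_LOG to get a per-principal breakdown; a single principal with a "Request is a replay" reason points at the Kerberos acceptor side, whereas many distinct client principals would suggest the Windows clients' own self-registration attempts discussed earlier in the thread.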
Dario Lesca
2017-Dec-04 15:57 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On Mon, 04/12/2017 at 16:00 +0100, Dario Lesca via samba wrote:

> The samba command
>
>     samba_dnsupdate --verbose --all-names --fail-immediately
>
> does not work

Following this howto,
https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable#Verifying_That_the_BIND_AD_Account_Exists_for_the_DC

I have tried this:

    [root@server-addc ~]# LDB_MODULES_PATH=/usr/lib64/samba/ldb/ ldbsearch -H /var/lib/samba/bind-dns/dns/sam.ldb 'cn=dns-DC1' dn
    # Referral
    ref: ldap://dogma-to.loc/CN=Configuration,DC=dogma-to,DC=loc

    # Referral
    ref: ldap://dogma-to.loc/DC=DomainDnsZones,DC=dogma-to,DC=loc

    # Referral
    ref: ldap://dogma-to.loc/DC=ForestDnsZones,DC=dogma-to,DC=loc

    # returned 3 records
    # 0 entries
    # 3 referrals

This is not the output the howto says I should see.

It seems the account dns-DC1 does not exist:

    [root@server-addc ~]# samba-tool user list
    Administrator
    Guest
    krbtgt
    dns-server-addc
    ospite

Then I ran

    [root@server-addc ~]# samba_upgradedns --verbose --dns-backend=BIND9_DLZ
    Reading domain information
    DNS accounts already exist
    No zone file /var/lib/samba/bind-dns/dns/DOGMA-TO.LOC.zone
    DNS records will be automatically created
    DNS partitions already exist
    dns-server-addc account already exists
    Could not remove /var/lib/samba/private/named.conf: No such file or directory
    Could not remove /var/lib/samba/private/named.conf.update: No such file or directory
    Could not remove /var/lib/samba/private/named.txt: No such file or directory
    Could not delete dir /var/lib/samba/private/dns: No such file or directory
    See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
    and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
    Finished upgrading DNS

But I cannot see the "Adding dns-DC1 account" message like the howto says.

I also ran:

    [root@server-addc ~]# klist -k /var/lib/samba/bind-dns/dns.keytab
    Keytab name: FILE:/var/lib/samba/bind-dns/dns.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       1 DNS/server-addc.dogma-to.loc@DOGMA-TO.LOC
       1 dns-server-addc@DOGMA-TO.LOC
       1 DNS/server-addc.dogma-to.loc@DOGMA-TO.LOC
       1 dns-server-addc@DOGMA-TO.LOC
       1 DNS/server-addc.dogma-to.loc@DOGMA-TO.LOC
       1 dns-server-addc@DOGMA-TO.LOC
       1 DNS/server-addc.dogma-to.loc@DOGMA-TO.LOC
       1 dns-server-addc@DOGMA-TO.LOC
       1 DNS/server-addc.dogma-to.loc@DOGMA-TO.LOC
       1 dns-server-addc@DOGMA-TO.LOC

Can this help?

Thanks

-- 
Dario Lesca
(sent from my Linux Fedora 27 Workstation)
Rowland Penny
2017-Dec-04 16:02 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On Mon, 04 Dec 2017 16:31:16 +0100
Dario Lesca via samba <samba@lists.samba.org> wrote:

> On Mon, 04/12/2017 at 16:00 +0100, Dario Lesca via samba wrote:
> > The samba command
> >
> >     samba_dnsupdate --verbose --all-names --fail-immediately
> >
> > does not work
>
> I have added '-d 9' to the dlz section
>
>     dlz "AD DNS Zone" {
>         # For BIND 9.11.x
>         database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so -d 9";
>     };
>
> And this is the debug message:
>
>     [root@server-addc ~]# samba_dnsupdate --all-names --fail-immediately
>     update failed: REFUSED
>
>     Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: starting transaction on zone dogma-to.loc
>     Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: Starting GENSEC mechanism spnego
>     Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: Starting GENSEC submechanism gssapi_krb5
>     Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: GSS server Update(krb5)(1) Update failed: Unspecified GSS failure. Minor code may provide more information: Request is a replay
>     Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: spnego update failed
>     Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: client @0x7fafe90c3400 192.168.41.1#57335/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
>     Dec 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: cancelling transaction on zone dogma-to.loc
>
> Can this help us?
>
> Thanks
>

The significant word there is 'replay'. See here:

https://lists.samba.org/archive/samba/2017-November/211990.html

Rowland
Rowland Penny
2017-Dec-04 16:19 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On Mon, 04 Dec 2017 16:57:15 +0100
Dario Lesca via samba <samba@lists.samba.org> wrote:

> On Mon, 04/12/2017 at 16:00 +0100, Dario Lesca via samba wrote:
> > The samba command
> >
> >     samba_dnsupdate --verbose --all-names --fail-immediately
> >
> > does not work
>
> Following this howto,
> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable#Verifying_That_the_BIND_AD_Account_Exists_for_the_DC
>
> I have tried this:
>
>     [root@server-addc ~]# LDB_MODULES_PATH=/usr/lib64/samba/ldb/ ldbsearch -H /var/lib/samba/bind-dns/dns/sam.ldb 'cn=dns-DC1' dn
>     # Referral
>     ref: ldap://dogma-to.loc/CN=Configuration,DC=dogma-to,DC=loc
>
>     # Referral
>     ref: ldap://dogma-to.loc/DC=DomainDnsZones,DC=dogma-to,DC=loc
>
>     # Referral
>     ref: ldap://dogma-to.loc/DC=ForestDnsZones,DC=dogma-to,DC=loc
>
>     # returned 3 records
>     # 0 entries
>     # 3 referrals
>
> This is not the output the howto says I should see.
>
> It seems the account dns-DC1 does not exist:
>
>     [root@server-addc ~]# samba-tool user list
>     Administrator
>     Guest
>     krbtgt
>     dns-server-addc
>     ospite
>
> Then I ran
>
>     [root@server-addc ~]# samba_upgradedns --verbose --dns-backend=BIND9_DLZ
>     Reading domain information
>     DNS accounts already exist
>     No zone file /var/lib/samba/bind-dns/dns/DOGMA-TO.LOC.zone
>     DNS records will be automatically created
>     DNS partitions already exist
>     dns-server-addc account already exists
>     Could not remove /var/lib/samba/private/named.conf: No such file or directory
>     Could not remove /var/lib/samba/private/named.conf.update: No such file or directory
>     Could not remove /var/lib/samba/private/named.txt: No such file or directory
>     Could not delete dir /var/lib/samba/private/dns: No such file or directory
>     See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
>     and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
>     Finished upgrading DNS
>
> But I cannot see the "Adding dns-DC1 account" message like the howto says.

Follow what it says in the blue box under the ldbsearch output on the wiki page.

Rowland