samba - Jul 2018 - client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied

>
> Hmm, bind 9.12.x isn't supported yet.

He works with "dlopen
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so" without problems, at
first.

include "/etc/bind/rndc.key";
> controls {
>           inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
> };
> You do not need the four lines above

Ok, but if I leave it, does not have problems either, I believe!?

You mention '#public IP' twice, are they both the same IP and is
it
> the DC ipaddress and if so, why are you trying to forward the DC to
> itself ?

No, two different networks.
xxx.xxx.xxx.0/26
xxx.xxx.xxx.128/26

Sometimes the "samba_dlz: spnego update failed" appears in the log. I
found
this link talks about the problem.
https://bugzilla.redhat.com/show_bug.cgi?id=1528867

I added the "KRB5RCACHETYPE="none"" on the
/etc/default/bind9, but the
error message keeps.

Any other idea? :)


On Mon, Jul 2, 2018 at 10:49 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Mon, 2 Jul 2018 10:27:58 -0300
> Elias Pereira via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > The error described in the email title happens in version 9.10 of the
> > bind that I have installed in our main DC. In face of that, I found
> > the samba wiki article that talks about this problem.
> >
>
https://wiki.samba.org/index.php/Using_BIND_DLZ_backend_with_secured_/_signed_DNS_updates
> >
> > I made a new installation via source with the suggested options:
> >
> > root at dc3:~# fakeroot ./configure --prefix=/usr
--mandir=/usr/share/man
> > --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var
> > --enable-threads --enable-largefile --with-libtool --enable-shared
> > --enable-static --with-openssl=/usr --with-gssapi=/usr --with-gnu-ld
> > --with-dlz-postgres=no --with-dlz-mysql=no --with-dlz-bdb=yes
> > --with-dlz-filesystem=yes --with-dlz-ldap=yes --with-dlz-stub=yes
> > --with-dlopen=yes --with-geoip=/usr --enable-ipv6
> > CFLAGS=-fno-strict-aliasing
> >
> > root at dc3:~# named -v
> > BIND 9.12.1-P2 <id:14b0e01>
>
> Hmm, bind 9.12.x isn't supported yet.
>
> >
> > named.conf.options
> > options {
> >         directory "/var/cache/bind";
> >         version "non3";
> >         forwarders { xxx.xxx.xxx.xxx; }; #public IP
> >         allow-query { internal; };
> >         dnssec-validation no;
> >         tkey-gssapi-keytab
"/var/lib/samba/private/dns.keytab";
> >         auth-nxdomain no;    # conform to RFC1035
> >         listen-on port 53 { 127.0.0.1; xxx.xxx.xxx.xxx; }; #public IP
> >         zone-statistics yes;
> >         statistics-file
"/var/log/named/stats/named_stats.log";
> > };
> >
> > include "/etc/bind/rndc.key";
> > controls {
> >         inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
> > };
>
> You do not need the four lines above
>
> >
> > acl "internal" {
> >         172.16.0.0/16;
> >         10.10.4.0/24;
> >         10.10.5.0/26;
> >         xxx.xxx.xxx.xxx/26;
> >         10.59.0.0/16;
> >         10.41.0.0/22;
> >         10.42.2.0/24;
> >         10.50.0.0/22;
> >         10.51.0.0/23;
> >         10.52.0.0/24;
> >         10.40.0.0/16;
> >         10.10.1.0/26;
> >         xxx.xxx.xxx.xxx/26;
> >         10.10.10.0/26;
> > };
> >
> > For example, if the 172.16.5.86 client is offline, can it cause the
> > error?
>
> I wouldn't think so.
>
> You mention '#public IP' twice, are they both the same IP and is it
> the DC ipaddress and if so, why are you trying to forward the DC to
> itself ?
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

-- 
Elias Pereira

On Mon, 2 Jul 2018 12:12:07 -0300
Elias Pereira via samba <samba at lists.samba.org> wrote:
> >
> > Hmm, bind 9.12.x isn't supported yet.
> 
> 
> He works with "dlopen
> /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so" without
> problems, at first.
I repeat, Bind 9.12.x is unsupported at this time, just because it
worked once is no reason to use it. It may have nothing to do with your
problem, but using a supported Bind version will rule it out.
> 
> include "/etc/bind/rndc.key";
> > controls {
> >           inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
> > };
> > You do not need the four lines above
> 
> 
> Ok, but if I leave it, does not have problems either, I believe!?
OK, your server, but I think you should be aware that I have been using
Bind9 with Samba since December 2012 and I have never used the rndc.key
> 
> You mention '#public IP' twice, are they both the same IP and is it
> > the DC ipaddress and if so, why are you trying to forward the DC to
> > itself ?
> 
> 
> No, two different networks.
> xxx.xxx.xxx.0/26
> xxx.xxx.xxx.128/26
> 
> Sometimes the "samba_dlz: spnego update failed" appears in the
log. I
> found this link talks about the problem.
> https://bugzilla.redhat.com/show_bug.cgi?id=1528867
> 
> I added the "KRB5RCACHETYPE="none"" on the
/etc/default/bind9, but the
> error message keeps.
> 
That is if you are using the MIT kerberos with Samba, instead of the
default HEIMDAL.

Rowland

>
> I repeat, Bind 9.12.x is unsupported at this time, just because it
> worked once is no reason to use it. It may have nothing to do with your
> problem, but using a supported Bind version will rule it out.

Ok. :)

I'll reinstall using supported version 9.11.3-2

OK, your server, but I think you should be aware that I have been
using
> Bind9 with Samba since December 2012 and I have never used the rndc.key

Without these entries, the error below always appears in the logs.

Jul  2 12:37:23 dc3 named[20416]: configuring command channel from
'/etc/bind/rndc.key'
Jul  2 12:37:23 dc3 named[20416]: couldn't add command channel ::1#953:
address not available

That is if you are using the MIT kerberos with Samba, instead of
the
> default HEIMDAL.

ok. I remove it. I use HEIMDAL.

Client update denied error still remains in the logs.

Does this error interfere with client updates with ADDC or is this
something with bind?


On Mon, Jul 2, 2018 at 12:31 PM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Mon, 2 Jul 2018 12:12:07 -0300
> Elias Pereira via samba <samba at lists.samba.org> wrote:
>
> > >
> > > Hmm, bind 9.12.x isn't supported yet.
> >
> >
> > He works with "dlopen
> > /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so" without
> > problems, at first.
>
> I repeat, Bind 9.12.x is unsupported at this time, just because it
> worked once is no reason to use it. It may have nothing to do with your
> problem, but using a supported Bind version will rule it out.
>
> >
> > include "/etc/bind/rndc.key";
> > > controls {
> > >           inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
> > > };
> > > You do not need the four lines above
> >
> >
> > Ok, but if I leave it, does not have problems either, I believe!?
>
> OK, your server, but I think you should be aware that I have been using
> Bind9 with Samba since December 2012 and I have never used the rndc.key
>
> >
> > You mention '#public IP' twice, are they both the same IP and
is it
> > > the DC ipaddress and if so, why are you trying to forward the DC
to
> > > itself ?
> >
> >
> > No, two different networks.
> > xxx.xxx.xxx.0/26
> > xxx.xxx.xxx.128/26
> >
> > Sometimes the "samba_dlz: spnego update failed" appears in
the log. I
> > found this link talks about the problem.
> > https://bugzilla.redhat.com/show_bug.cgi?id=1528867
> >
> > I added the "KRB5RCACHETYPE="none"" on the
/etc/default/bind9, but the
> > error message keeps.
> >
>
> That is if you are using the MIT kerberos with Samba, instead of the
> default HEIMDAL.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

-- 
Elias Pereira