Dmitry Khromov
2012-Sep-29 00:10 UTC
[Samba] Samba4 LDAP returns wrong responses in some cases, BIND-DLZ refuses to update
Hello.

We have a couple of questions regarding Samba 4.1.0pre1-GIT-aad669b running on Gentoo GNU/Linux.

1) Is MS 1.2.840.113556.1.4.1941 operator support implemented (or planned to be implemented) in the Samba 4 internal LDAP server? Please compare:

$ ldapsearch -h 192.168.1.32 -x -D 'CN=someadminuser,OU=Administrators,DC=klin,DC=kifato-mk,DC=com' -b 'OU=VLANs,OU=Organizational,DC=klin,DC=kifato-mk,DC=com' -W '(&(info=*)(member:1.2.840.113556.1.4.1941:=CN=dummyuser,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com))' | tail -n2 # Windows 2003 R2 DC
Enter LDAP Password:
# numResponses: 2
# numEntries: 1

$ ldapsearch -h 192.168.1.31 -x -D 'CN=someadminuser,OU=Administrators,DC=klin,DC=kifato-mk,DC=com' -b 'OU=VLANs,OU=Organizational,DC=klin,DC=kifato-mk,DC=com' -W '(&(info=*)(member:1.2.840.113556.1.4.1941:=CN=dummyuser,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com))' | tail -n2 # Samba DC
Enter LDAP Password:
# numResponses: 1

The first command returns the correct membership check result. The second one just silently returns nothing.

Although not that widely used, this operator is quite useful in some cases, when you just can't implement any loop-based logic. For example, for us it breaks IEEE 802.1X VLAN assignment with FreeRADIUS.

Replication is working and this account's membership is correct on both DCs.

2) We have a problem with Samba refusing to update DNS records with Gentoo's BIND 9.9.1_p3 (GSSAPI, DLZ).

BIND log says:
...
named[12365]: samba_dlz: configured writeable zone 'klin.kifato-mk.com'
named[12365]: samba_dlz: configured writeable zone '172.in-addr.arpa'
...
named[12365]: samba b9_putrr: unhandled record type 65281
named[12365]: samba_dlz: starting transaction on zone klin.kifato-mk.com
named[12365]: client 192.168.1.32#1039: view realdns: update 'klin.kifato-mk.com/IN' denied
named[12365]: samba_dlz: cancelling transaction on zone klin.kifato-mk.com

log.samba says:
../lib/util/util_runcmd.c:334(samba_runcmd_io_handler) /usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable

Related parts of named.conf:

options {
    ...
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    ...
};
view realdns {
    ...
    dlz "AD DNS Zones" {
        database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
    };
    ...
};

The keytab is accessible by the named process's effective UID. Use of BIND's views doesn't affect the behaviour.

Maybe this is totally wrong, but we had to delete the ..trustanchors zone, since BIND refuses to start with it.

By the way, this renders DNS unmanageable:

# bin/samba-tool dns zonelist dc0
Password for [someadminuser at KLIN.KIFATO-MK.COM]:
ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')

Any suggestions on getting updates to work?

-- 
Best regards,
Dmitry Khromov
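As an added illustration (not part of the thread, and not Samba or FreeRADIUS code), the Python below writes out what the 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) filter element computes for `member`: it walks the `member` attribute transitively from each candidate entry and matches when the walk reaches the target DN. The directory entries are constructed for the example; only the DN naming scheme is borrowed from the post. It also shows the two details a hand-rolled replacement has to get right: DN comparison is case-insensitive, and nested groups can form a cycle, so the walk needs a visited set or it never terminates.

```python
"""Transitive 'member' evaluation, as performed by the
1.2.840.113556.1.4.1941 matching rule. Example code, not from the thread."""

DC = "DC=klin,DC=kifato-mk,DC=com"
USER = f"CN=dummyuser,OU=IT,OU=Departments,{DC}"
IT_STAFF = f"CN=IT Staff,OU=IT,OU=Departments,{DC}"
GUESTS = f"CN=Guests,OU=IT,OU=Departments,{DC}"
VLAN10 = f"CN=VLAN 10,OU=VLANs,OU=Organizational,{DC}"
VLAN20 = f"CN=VLAN 20,OU=VLANs,OU=Organizational,{DC}"
VLAN30 = f"CN=VLAN 30,OU=VLANs,OU=Organizational,{DC}"
VLANS_OU = f"OU=VLANs,OU=Organizational,{DC}"

# Constructed sample directory: DN -> attribute dict. Every value is a list,
# the way an LDAP client library would hand it back.
SAMPLE_DIRECTORY = {
    USER:     {"objectClass": ["user"]},
    IT_STAFF: {"objectClass": ["group"], "member": [USER]},
    # dummyuser reaches VLAN 10 only through the nested group IT Staff.
    VLAN10:   {"objectClass": ["group"], "info": ["10"], "member": [IT_STAFF]},
    # VLAN 20 and Guests contain each other: a cycle that naive recursion loops on.
    VLAN20:   {"objectClass": ["group"], "info": ["20"], "member": [GUESTS]},
    GUESTS:   {"objectClass": ["group"], "member": [VLAN20]},
    # Direct member (stored with different case), but no 'info' attribute,
    # so the (info=*) half of the filter drops it from the search result.
    VLAN30:   {"objectClass": ["group"], "member": [USER.upper()]},
}


def _norm(dn: str) -> str:
    """AD compares DNs case-insensitively. A real client would also normalise
    whitespace and escaping; this example only lower-cases."""
    return dn.strip().lower()


def chain_matches(directory, entry_dn, attr, target_dn):
    """True if following `attr` transitively from entry_dn reaches target_dn.

    This is the test (attr:1.2.840.113556.1.4.1941:=target_dn) applies to each
    candidate entry. The visited set makes group cycles terminate."""
    index = {_norm(dn): attrs for dn, attrs in directory.items()}
    target = _norm(target_dn)
    seen = set()
    stack = [_norm(entry_dn)]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        for value in index.get(dn, {}).get(attr, []):
            value = _norm(value)
            if value == target:
                return True
            stack.append(value)          # keep walking through nested groups
    return False


def search_in_chain(directory, base_dn, attr, target_dn, present_attr=None):
    """Emulate:
      ldapsearch -b base_dn '(&(present_attr=*)(attr:1.2.840.113556.1.4.1941:=target_dn))'
    with the default subtree scope. Returns the matching DNs, sorted."""
    base = _norm(base_dn)
    hits = []
    for dn, attrs in directory.items():
        ndn = _norm(dn)
        if ndn != base and not ndn.endswith("," + base):
            continue                     # outside the search base
        if present_attr is not None and not attrs.get(present_attr):
            continue                     # fails the (present_attr=*) part of the AND
        if chain_matches(directory, dn, attr, target_dn):
            hits.append(dn)
    return sorted(hits)


def transitive_groups_of(directory, member_dn):
    """The inverse view: every group member_dn belongs to directly or through
    nesting, which is what a VLAN-assignment policy needs to decide on."""
    return sorted(dn for dn, attrs in directory.items()
                  if "member" in attrs
                  and chain_matches(directory, dn, "member", member_dn))


if __name__ == "__main__":
    print(search_in_chain(SAMPLE_DIRECTORY, VLANS_OU, "member", USER, present_attr="info"))
    print(transitive_groups_of(SAMPLE_DIRECTORY, USER))
```

Run as a script it prints the single VLAN 10 entry for the search from the post (the Windows DC's "numEntries: 1" case) and then the three groups dummyuser belongs to transitively. Against a live directory the same walk would need one LDAP round trip per nested group, which is why the server-side rule matters for a RADIUS policy that has to answer within a single request.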
On Sat, 2012-09-29 at 04:10 +0400, Dmitry Khromov wrote:
> Hello.
>
> We have a couple of questions regarding Samba 4.1.0pre1-GIT-aad669b running on Gentoo GNU/Linux
>
> 2) We have a problem with Samba refusing to update DNS records with Gentoo's BIND 9.9.1_p3 (GSSAPI, DLZ)
> BIND log says:
> ...
> named[12365]: samba_dlz: configured writeable zone 'klin.kifato-mk.com'
> named[12365]: samba_dlz: configured writeable zone '172.in-addr.arpa'
> ...
> named[12365]: samba b9_putrr: unhandled record type 65281
> named[12365]: samba_dlz: starting transaction on zone klin.kifato-mk.com
> named[12365]: client 192.168.1.32#1039: view realdns: update 'klin.kifato-mk.com/IN' denied
> named[12365]: samba_dlz: cancelling transaction on zone klin.kifato-mk.com
> log.samba says:
> ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
> /usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable
>
> Related parts of named.conf:
> options {
> ...
> tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> ...
> };
> view realdns {
> ...
> dlz "AD DNS Zones" {
> database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
> };
> ...
> };

The only suggestion I have here is to try turning up the debug level in the smb.conf, in the hope that we can get more detail on:

named[12365]: client 192.168.1.32#1039: view realdns: update 'klin.kifato-mk.com/IN' denied

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org