Norbert Hanke
2016-Jul-18 21:31 UTC
[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
On 18.07.2016 22:48, Achim Gottinger wrote:
> On 18.07.2016 at 11:45, Norbert Hanke wrote:
>> On 18.07.2016 01:52, Achim Gottinger wrote:
>>> On 18.07.2016 at 01:02, Norbert Hanke wrote:
>>>> Hello,
>>>>
>>>> I'm trying to join a samba 4 DC to an already existing samba 4 DC,
>>>> both with BIND9_DLZ. Samba is at version 4.4.5, bind is version
>>>> 9.10.4-P1, all brand new.
>>>>
>>>> The existing DC runs fine, but the added DC refuses to update its
>>>> local bind database: every attempt to update the local DNS results
>>>> in "update failed: NOTAUTH". AD replication works perfectly.
>>>>
>>>> Both systems are set up identically except for the
>>>> provisioning/joining command. On the first I did
>>>> samba-tool domain provision --use-rfc2307 --domain=$domain --server-role=dc --dns-backend=BIND9_DLZ \
>>>>     --realm=$realm --adminpass=Wonttell
>>>> and on the second I do
>>>> samba-tool domain join $domain DC -Uadministrator --realm=$realm --dns-backend=BIND9_DLZ
>>>>
>>>> Versions are the same, bind config is the same, I tried to follow
>>>> every rule I could find.
>>>>
>>>> # samba_dnsupdate --verbose -d 9
>>>> INFO: Current debug levels:
>>>> all: 9
>>>> (... more such levels ...)
>>>> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>>>> Processing section "[global]"
>>>> Processing section "[netlogon]"
>>>> Processing section "[sysvol]"
>>>> pm_process() returned Yes
>>>> added interface eth0 ip=192.168.1.9 bcast=192.168.1.255 netmask=255.255.255.0
>>>> IPs: ['192.168.1.9']
>>>> Module 'tombstone_reanimate' is disabled. Skip registration.lpcfg_servicenumber: couldn't find ldb
>>>> schema_fsmo_init: we are master[no] updates allowed[no]
>>>> schema_fsmo_init: we are master[no] updates allowed[no]
>>>> Looking for DNS entry A dc2.ad.domain.ch 192.168.1.9 as dc2.ad.domain.ch.
>>>> Looking for DNS entry A ad.domain.ch 192.168.1.9 as ad.domain.ch.
>>>> Failed to find matching DNS entry A ad.domain.ch 192.168.1.9
>>>> need update: A ad.domain.ch 192.168.1.9
>>>> (... many more such Looking...need update blocks)
>>>> 24 DNS updates and 0 DNS deletes needed
>>>> ldb_wrap open of secrets.ldb
>>>> Received smb_krb5 packet of length 298
>>>> Received smb_krb5 packet of length 1311
>>>> update(nsupdate): A ad.domain.tld 192.168.1.9
>>>> Calling nsupdate for A ad.domain.tld 192.168.1.9 (add)
>>>> Outgoing update query:
>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>>> ;; UPDATE SECTION:
>>>> ad.domain.tld. 900 IN A 192.168.1.9
>>>>
>>>> update failed: NOTAUTH
>>>> Failed nsupdate: 2
>>>> (... many more such failed updates ...)
>>>> Failed update of 24 entries
>>>> # 22:37:30 root@dc2:/root/
>>>>
>>>> In /var/log/syslog there are these 24 equivalent error messages
>>>> every 10 minutes:
>>>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.742592, 0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>>>> Jul 17 22:52:06 dc2 samba[3960]: /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
>>>> and the last of the 24 entries is always followed by
>>>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.866877, 0] ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
>>>> Jul 17 22:52:06 dc2 samba[3960]: ../source4/dsdb/dns/dns_update.c:295: Failed DNS update - NT_STATUS_TOO_MANY_OPENED_FILES
>>>>
>>>> smb.conf is minimalistic:
>>>>
>>>> # Global parameters
>>>> [global]
>>>>     netbios name = DC2
>>>>     realm = AD.DOMAIN.TLD
>>>>     server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>     workgroup = DOMAIN
>>>>     server role = active directory domain controller
>>>>
>>>> [netlogon]
>>>>     path = /usr/local/samba/var/locks/sysvol/ad.domain.tld/scripts
>>>>     read only = No
>>>>
>>>> [sysvol]
>>>>     path = /usr/local/samba/var/locks/sysvol
>>>>     read only = No
>>>>
>>>> Maybe somebody has an idea what I did wrong?
>>>>
>>> resolv.conf on dc2 should point to dc1 during join. Is that the case?
>>> Does kinit work on dc2?
>>>
>> Yes, I did
>> cat <<EOF >/etc/resolv.conf
>> domain $domain
>> nameserver $otherip
>> nameserver $ip
>> EOF
>>
>> ($ip is the local system, $otherip is the existing DC)
>>
>> resulting in
>>
>> # cat /etc/resolv.conf
>> domain ad.domain.ch
>> nameserver 192.168.1.8
>> nameserver 192.168.1.9
>>
>> Before joining I did
>>
>> klist -e | grep administrator@$realm || kinit administrator
>>
>> and looking at it right now half a day later I get
>>
>> # klist -e
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: administrator@AD.DOMAIN.CH
>>
>> Valid starting       Expires              Service principal
>> 17/07/16 21:56:59    18/07/16 07:56:59    krbtgt/AD.DOMAIN.CH@AD.DOMAIN.CH
>>     renew until 18/07/16 21:56:55, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>
>> So it is expired right now, another kinit gets me a new tgt:
>> # kinit -R
>> kinit: Ticket expired while renewing credentials
>> # kinit
>> Password for administrator@AD.DOMAIN.CH:
>> Warning: Your password will expire in 32 days on Sat 20 Aug 2016 08:27:10 UTC
>> # klist -e
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: administrator@AD.DOMAIN.CH
>>
>> Valid starting       Expires              Service principal
>> 18/07/16 09:35:01    18/07/16 19:35:01    krbtgt/AD.DOMAIN.CH@AD.DOMAIN.CH
>>     renew until 19/07/16 09:34:58, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>> samba_dnsupdate still fails.
>>
> You can try to run
>
> root@dc2:~# samba_upgradedns --dns-backend=BIND9_DLZ
>
> and verify that bind has read rights on the dns.keytab
>
> root@dc2:~# ls -l /var/lib/samba/private/dns.keytab
> -rw-r----- 1 root bind 732 Jun 28 16:08 /var/lib/samba/private/dns.keytab
>
> Also check that the keytab contains such keys.
>
> root@dc2:~# klist -Kek /var/lib/samba/private/dns.keytab
> Keytab name: FILE:/var/lib/samba/private/dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 DNS/dc2.domain.local@DOMAIN.LOCAL (des-cbc-crc) (...)
>    1 dns-dc2@DOMAIN.LOCAL (des-cbc-crc) (...)
>    1 DNS/dc2.domain.local@DOMAIN.LOCAL (des-cbc-md5) (...)
>    1 dns-dc2@DOMAIN.LOCAL (des-cbc-md5) (...)
>    1 DNS/dc2.domain.local@DOMAIN.LOCAL (arcfour-hmac) (...)
>    1 dns-dc2@DOMAIN.LOCAL (arcfour-hmac) (...)
>    1 DNS/dc2.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96) (...)
>    1 dns-dc2@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96) (...)
>    1 DNS/dc2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96) (...)
>    1 dns-dc2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96) (...)
>

dns.keytab already exists:
# ls -l /usr/local/samba/private/dns.keytab
-rw-r----- 1 root bind 777 Jul 17 21:59 /usr/local/samba/private/dns.keytab

running the upgrade does not do too much:
# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/AD.DOMAIN.CH.zone
DNS records will be automatically created
DNS partitions already exist
dns-dc2 account already exists
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

and the keytab file is unchanged. Contents look fine:
# klist -Kek /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (des-cbc-crc) (...)
   1 dns-DC2@AD.DOMAIN.CH (des-cbc-crc) (...)
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (des-cbc-md5) (...)
   1 dns-DC2@AD.DOMAIN.CH (des-cbc-md5) (...)
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (arcfour-hmac) (...)
   1 dns-DC2@AD.DOMAIN.CH (arcfour-hmac) (...)
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (aes128-cts-hmac-sha1-96) (...)
   1 dns-DC2@AD.DOMAIN.CH (aes128-cts-hmac-sha1-96) (...)
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96) (...)
   1 dns-DC2@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96) (...)

The missing zone file is also not present on the working dc1 system.
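The verbose run quoted above prints each record and its outcome one after another, which is hard to read when all 24 updates fail. The shell script below is an added example, not code from the thread or from Samba: it pairs every `Calling nsupdate for ...` line with the `update failed: <RCODE>` line that follows it and summarises the run by RCODE, so that 24 identical NOTAUTH results show up as one authorisation problem rather than 24 record problems. `SAMPLE_OUTPUT` is constructed to resemble the dc2 output; the script assumes that a record with no failure line was accepted, since samba_dnsupdate only prints failures explicitly.

```shell
#!/bin/sh
# Triage of `samba_dnsupdate --verbose` output. Added example, not code from the
# thread or from Samba. Each "Calling nsupdate for ..." line opens a record; an
# "update failed: <RCODE>" line before the next record marks it as failed.
# Assumption: a record with no failure line was accepted. On a live DC run:
#   summarise_updates "$(samba_dnsupdate --verbose 2>&1)"

# Constructed sample resembling the dc2 run in the thread (names are placeholders).
SAMPLE_OUTPUT='24 DNS updates and 0 DNS deletes needed
Calling nsupdate for A ad.domain.tld 192.168.1.9 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; UPDATE SECTION:
ad.domain.tld. 900 IN A 192.168.1.9

update failed: NOTAUTH
Failed nsupdate: 2
Calling nsupdate for A dc2.ad.domain.tld 192.168.1.9 (add)
update failed: NOTAUTH
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.ad.domain.tld dc2.ad.domain.tld 389 (add)
update failed: NOTAUTH
Failed nsupdate: 2
Calling nsupdate for A gc._msdcs.ad.domain.tld 192.168.1.9 (add)
Failed update of 3 entries'

# summarise_updates OUTPUT -> one line per record: "<RCODE|OK> <type> <name> <data> (<op>)"
summarise_updates() {
  printf '%s\n' "$1" | awk '
    /^Calling nsupdate for / {
      if (rec != "") print status, rec
      rec = $0; sub(/^Calling nsupdate for /, "", rec)
      status = "OK"
      next
    }
    /^update failed: / { status = $3 }
    END { if (rec != "") print status, rec }'
}

# rcode_histogram OUTPUT -> "<count> <RCODE|OK>" lines, most frequent first
rcode_histogram() {
  summarise_updates "$1" | awk '{print $1}' | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# failed_count OUTPUT -> number of records that did not end with OK
failed_count() {
  summarise_updates "$1" | awk '$1 != "OK" { n++ } END { print n + 0 }'
}

# dominant_rcode OUTPUT -> the one RCODE shared by every failed record,
# "mixed" when failures disagree, "none" when nothing failed
dominant_rcode() {
  summarise_updates "$1" | awk '$1 != "OK" { seen[$1]++ }
    END { n = 0; for (r in seen) { n++; last = r }
          if (n == 1) print last; else if (n == 0) print "none"; else print "mixed" }'
}

# --- demonstration on the constructed sample ---
echo "per-record results:"
summarise_updates "$SAMPLE_OUTPUT"
echo "by rcode:"
rcode_histogram "$SAMPLE_OUTPUT"
echo "failed: $(failed_count "$SAMPLE_OUTPUT"), dominant rcode: $(dominant_rcode "$SAMPLE_OUTPUT")"
```

A uniform `NOTAUTH` across every record is the signature to look for. RFC 2136 defines NOTAUTH as "server not authoritative for zone", but RFC 2845 reuses the same RCODE for a failed TSIG verification (BADKEY, BADSIG or BADTIME in the TSIG error field), and `nsupdate -g` signs with GSS-TSIG, so a keytab or credential problem on the client, or a server that cannot verify the signature, surfaces as NOTAUTH rather than REFUSED. That is why the checks in this thread go after the keytab and the DNS account rather than after individual records.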
Rowland penny
2016-Jul-18 21:42 UTC
[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
On 18/07/16 22:31, Norbert Hanke wrote:
> On 18.07.2016 22:48, Achim Gottinger wrote:
>> You can try to run
>>
>> root@dc2:~# samba_upgradedns --dns-backend=BIND9_DLZ
>>
>> and verify that bind has read rights on the dns.keytab
>> [...]
>> Also check that the keytab contains such keys.
>> [...]
>
> dns.keytab already exists:
> # ls -l /usr/local/samba/private/dns.keytab
> -rw-r----- 1 root bind 777 Jul 17 21:59 /usr/local/samba/private/dns.keytab
>
> running the upgrade does not do too much:
> # samba_upgradedns --dns-backend=BIND9_DLZ
> Reading domain information
> DNS accounts already exist
> No zone file /usr/local/samba/private/dns/AD.DOMAIN.CH.zone
> DNS records will be automatically created
> DNS partitions already exist
> dns-dc2 account already exists
> See /usr/local/samba/private/named.conf for an example configuration include file for BIND
> and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
> Finished upgrading DNS
>
> and the keytab file is unchanged. Contents look fine:
> # klist -Kek /usr/local/samba/private/dns.keytab
> [...]
>
> The missing zone file is also not present on the working dc1 system.
>

Upgrading to bind9 doesn't work at the moment, you need to upgrade to the internal DNS server, then upgrade again to Bind9.

When it says 'DNS accounts already exists', it isn't actually referring to the <DCname>-dns user, it is referring to the dnsadmins group.

Must prod Samba-technical about my patch.

What zone file is missing?

Rowland
Achim Gottinger
2016-Jul-18 21:44 UTC
[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
On 18.07.2016 at 23:31, Norbert Hanke wrote:
> On 18.07.2016 22:48, Achim Gottinger wrote:
>> You can try to run
>>
>> root@dc2:~# samba_upgradedns --dns-backend=BIND9_DLZ
>>
>> and verify that bind has read rights on the dns.keytab
>> [...]
>> Also check that the keytab contains such keys.
>> [...]
>
> dns.keytab already exists:
> # ls -l /usr/local/samba/private/dns.keytab
> -rw-r----- 1 root bind 777 Jul 17 21:59 /usr/local/samba/private/dns.keytab
>
> running the upgrade does not do too much:
> [...]
> and the keytab file is unchanged. Contents look fine:
> [...]
> The missing zone file is also not present on the working dc1 system.
>

samba_dnsupdate uses nsupdate to modify DNS records; the NOTAUTH response is coming from such an nsupdate call.

The samba wiki recommends these settings:

kerberos method = system keytab
client ldap sasl wrapping = sign
allow dns updates = nonsecure and secure
nsupdate command = /usr/bin/nsupdate -g
server services = -dns

You can keep your server services line I think.
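To compare a DC's smb.conf with the settings Achim quotes above, here is an added shell script; it is not from the thread, the Samba wiki or the Samba project. It reads only the `[global]` section, normalises case and whitespace, and reports every deviation. For `server services` it accepts either `-dns` or an explicit list that does not contain the built-in `dns` service (the `dnsupdate` service is a different thing), which is why a line like Norbert's passes. The two sample configurations are constructed inside the script; paths and names are placeholders.

```shell
#!/bin/sh
# smb.conf audit for a Samba AD DC using BIND9_DLZ. Added example, not code from
# the thread, the Samba wiki or the Samba project. The expected values are the
# ones quoted in the thread; edit the table in check_recommended for your own policy.

# smbconf_get FILE KEY -> value of KEY in [global] (last occurrence wins),
# lower-cased and single-spaced; empty when unset. KEY must be lower case.
smbconf_get() {
  awk -v key="$2" '
    /^[ \t]*\[/ { inglobal = (tolower($0) ~ /^[ \t]*\[global\][ \t]*$/); next }
    /^[ \t]*[#;]/ { next }
    inglobal && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1)
      v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/[ \t]+/, " ", k)
      gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/[ \t]+/, " ", v)
      if (tolower(k) == key) { val = tolower(v); found = 1 }
    }
    END { if (found) print val }' "$1"
}

# internal_dns_disabled FILE -> 0 when Samba's built-in DNS server is switched
# off, 1 otherwise. With BIND9_DLZ, bind owns port 53 and the built-in server must not.
internal_dns_disabled() {
  v=$(smbconf_get "$1" "server services")
  [ -n "$v" ] || return 1                 # unset: the compiled-in default applies; review it
  set -- $(printf '%s' "$v" | tr ',' ' ')
  for item in "$@"; do
    [ "$item" = "-dns" ] && return 0      # relative list that removes dns
    [ "$item" = "dns" ] && return 1       # explicit list that still includes dns
  done
  case $1 in
    +*|-*) return 1 ;;                    # relative list that never removes dns
    *)     return 0 ;;                    # explicit list without dns
  esac
}

# check_recommended FILE -> prints each deviation, returns their number
check_recommended() {
  n=0
  while IFS='|' read -r key want; do
    [ -n "$key" ] || continue
    have=$(smbconf_get "$1" "$key")
    if [ "$have" != "$want" ]; then
      echo "$key: expected '$want', found '${have:-<unset>}'"
      n=$((n + 1))
    fi
  done <<EOF
kerberos method|system keytab
client ldap sasl wrapping|sign
allow dns updates|nonsecure and secure
nsupdate command|/usr/bin/nsupdate -g
EOF
  if ! internal_dns_disabled "$1"; then
    echo "server services: built-in dns service is not disabled"
    n=$((n + 1))
  fi
  return $n
}

# write_conf PATH GLOBAL_EXTRA: write a constructed smb.conf modelled on the
# thread's minimal dc2 config, with GLOBAL_EXTRA placed inside [global]
write_conf() {
  {
    printf '# Global parameters\n[global]\n'
    printf '    netbios name = DC2\n    realm = AD.DOMAIN.TLD\n    workgroup = DOMAIN\n'
    printf '    server role = active directory domain controller\n'
    printf '%s\n' "$2"
    printf '\n[netlogon]\n    path = /usr/local/samba/var/locks/sysvol/ad.domain.tld/scripts\n    read only = No\n'
  } >"$1"
}

# Norbert's service list (no built-in dns) and the wiki settings, as constructed samples
MINIMAL_GLOBAL='    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate'
WIKI_GLOBAL='    kerberos method = system keytab
    client ldap sasl wrapping = sign
    allow dns updates = nonsecure and secure
    nsupdate command = /usr/bin/nsupdate -g
    server services = -dns'

# --- demonstration ---
tmp=$(mktemp)
write_conf "$tmp" "$MINIMAL_GLOBAL"
echo "== minimal smb.conf =="
check_recommended "$tmp" || echo "-> $? deviation(s)"
write_conf "$tmp" "$WIKI_GLOBAL"
echo "== with wiki settings =="
check_recommended "$tmp" && echo "-> no deviations"
rm -f "$tmp"
```

Run `check_recommended /usr/local/samba/etc/smb.conf` on the DC itself; the return code is the number of deviations, so it drops into a monitoring check unchanged. Values are compared after lower-casing, so `No`/`no` style differences do not produce false alarms, but a different nsupdate path (for example a distribution that ships it under /usr/sbin) will, and the table should then be adjusted rather than the config.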
Achim Gottinger
2016-Jul-18 22:06 UTC
[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
Am 18.07.2016 um 23:42 schrieb Rowland penny:> On 18/07/16 22:31, Norbert Hanke wrote: >> On 18.07.2016 22:48, Achim Gottinger wrote: >>> >>> >>> Am 18.07.2016 um 11:45 schrieb Norbert Hanke: >>>> On 18.07.2016 01:52, Achim Gottinger wrote: >>>>> >>>>> >>>>> Am 18.07.2016 um 01:02 schrieb Norbert Hanke: >>>>>> Hello, >>>>>> >>>>>> I'm trying to join a samba 4 DC to an already existing samba 4 >>>>>> DC, both with BIND9_DLZ. Samba is at version 4.4.5, bind is >>>>>> version 9.10.4-P1, all brand new. >>>>>> >>>>>> The existing DC runs fine, but the added DC refuses to update its >>>>>> local bind database: every attempt to update the local DNS >>>>>> results in "update failed: NOTAUTH". AD replication works perfectly. >>>>>> >>>>>> Both systems are set up identically except for the >>>>>> provisioning/joining command. On the first I did >>>>>> samba-tool domain provision --use-rfc2307 --domain=$domain >>>>>> --server-role=dc --dns-backend=BIND9_DLZ \ >>>>>> --realm=$realm --adminpass=Wonttell >>>>>> and on the second I do >>>>>> samba-tool domain join $domain DC -Uadministrator --realm=$realm >>>>>> --dns-backend=BIND9_DLZ >>>>>> >>>>>> Versions are the same, bind config is the same, I tried follow >>>>>> every rule I could find. >>>>>> >>>>>> # samba_dnsupdate --verbose -d 9 >>>>>> INFO: Current debug levels: >>>>>> all: 9 >>>>>> (... more such levels ...) >>>>>> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf >>>>>> Processing section "[global]" >>>>>> Processing section "[netlogon]" >>>>>> Processing section "[sysvol]" >>>>>> pm_process() returned Yes >>>>>> added interface eth0 ip=192.168.1.9 bcast=192.168.1.255 >>>>>> netmask=255.255.255.0 >>>>>> IPs: ['192.168.1.9'] >>>>>> Module 'tombstone_reanimate' is disabled. 
Skip >>>>>> registration.lpcfg_servicenumber: couldn't find ldb >>>>>> schema_fsmo_init: we are master[no] updates allowed[no] >>>>>> schema_fsmo_init: we are master[no] updates allowed[no] >>>>>> Looking for DNS entry A dc2.ad.domain.ch 192.168.1.9 as >>>>>> dc2.ad.domain.ch. >>>>>> Looking for DNS entry A ad.domain.ch 192.168.1.9 as ad.domain.ch. >>>>>> Failed to find matching DNS entry A ad.domain.ch 192.168.1.9 >>>>>> need update: A ad.domain.ch 192.168.1.9 >>>>>> (... many more such Looking...need update blocks) >>>>>> 24 DNS updates and 0 DNS deletes needed >>>>>> ldb_wrap open of secrets.ldb >>>>>> Received smb_krb5 packet of length 298 >>>>>> Received smb_krb5 packet of length 1311 >>>>>> update(nsupdate): A ad.domain.tld 192.168.1.9 >>>>>> Calling nsupdate for A ad.domain.tld 192.168.1.9 (add) >>>>>> Outgoing update query: >>>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 >>>>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 >>>>>> ;; UPDATE SECTION: >>>>>> ad.domain.tld. 900 IN A 192.168.1.9 >>>>>> >>>>>> update failed: NOTAUTH >>>>>> Failed nsupdate: 2 >>>>>> (... many more such failed updates ...) 
>>>>>> Failed update of 24 entries >>>>>> # 22:37:30 root at dc2:/root/ >>>>>> >>>>>> >>>>>> In /var/log/syslog there are these equivalent 24 error message >>>>>> every 10 minutes: >>>>>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.742592, 0] >>>>>> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler) >>>>>> Jul 17 22:52:06 dc2 samba[3960]: >>>>>> /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH >>>>>> and the last of the 24 entries is always followed by >>>>>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.866877, 0] >>>>>> ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done) >>>>>> Jul 17 22:52:06 dc2 samba[3960]: >>>>>> ../source4/dsdb/dns/dns_update.c:295: Failed DNS update - >>>>>> NT_STATUS_TOO_MANY_OPENED_FILES >>>>>> >>>>>> smb.conf is minimalistic: >>>>>> >>>>>> # Global parameters >>>>>> [global] >>>>>> netbios name = DC2 >>>>>> realm = AD.DOMAIN.TLD >>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, >>>>>> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate >>>>>> workgroup = DOMAIN >>>>>> server role = active directory domain controller >>>>>> >>>>>> [netlogon] >>>>>> path = >>>>>> /usr/local/samba/var/locks/sysvol/ad.domain.tld/scripts >>>>>> read only = No >>>>>> >>>>>> [sysvol] >>>>>> path = /usr/local/samba/var/locks/sysvol >>>>>> read only = No >>>>>> >>>>>> Maybe somebody has an idea what I did wrong? >>>>>> >>>>>> >>>>>> >>>>> resolv.conf on dc2 should point to dc1 during join. Is that the case? >>>>> Does kinit work on dc2? 
>>>>> >>>>> >>>> Yes, I did >>>> cat <<EOF >/etc/resolv.conf >>>> domain $domain >>>> nameserver $otherip >>>> nameserver $ip >>>> EOF >>>> >>>> ($ip is the local system, $otherip is the existing DC) >>>> >>>> resulting in >>>> >>>> # cat /etc/resolv.conf >>>> domain ad.domain.ch >>>> nameserver 192.168.1.8 >>>> nameserver 192.168.1.9 >>>> >>>> >>>> Before joining I did >>>> >>>> klist -e | grep administrator@$realm || kinit administrator >>>> >>>> and looking at it right now half a day later I get >>>> >>>> # klist -e >>>> Ticket cache: FILE:/tmp/krb5cc_0 >>>> Default principal: administrator at AD.DOMAIN.CH >>>> >>>> Valid starting Expires Service principal >>>> 17/07/16 21:56:59 18/07/16 07:56:59 >>>> krbtgt/AD.DOMAIN.CH at AD.DOMAIN.CH >>>> renew until 18/07/16 21:56:55, Etype (skey, tkt): >>>> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 >>>> >>>> So it is expired right now, another kinit gets me a new tgt: >>>> # kinit -R >>>> kinit: Ticket expired while renewing credentials >>>> # kinit >>>> Password for administrator at AD.DOMAIN.CH: >>>> Warning: Your password will expire in 32 days on Sat 20 Aug 2016 >>>> 08:27:10 UTC >>>> # klist -e >>>> Ticket cache: FILE:/tmp/krb5cc_0 >>>> Default principal: administrator at AD.DOMAIN.CH >>>> >>>> Valid starting Expires Service principal >>>> 18/07/16 09:35:01 18/07/16 19:35:01 >>>> krbtgt/AD.DOMAIN.CH at AD.DOMAIN.CH >>>> renew until 19/07/16 09:34:58, Etype (skey, tkt): >>>> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 >>>> samba_dnsupdate still fails. >>>> >>> You can try to run >>> >>> root at dc2:~# samba_upgradedns --dns-backend=BIND9_DLZ >>> >>> and verify that bind has read rights on the dns.keytab >>> >>> root at dc2:~# ls -l /var/lib/samba/private/dns.keytab >>> -rw-r----- 1 root bind 732 Jun 28 16:08 >>> /var/lib/samba/private/dns.keytab >>> >>> Also check that the keytab contains such keys. 
>>>
>>> root@dc2:~# klist -Kek /var/lib/samba/private/dns.keytab
>>> Keytab name: FILE:/var/lib/samba/private/dns.keytab
>>> KVNO Principal
>>> ---- --------------------------------------------------------------------------
>>>    1 DNS/dc2.domain.local@DOMAIN.LOCAL (des-cbc-crc) (...)
>>>    1 dns-dc2@DOMAIN.LOCAL (des-cbc-crc) (...)
>>>    1 DNS/dc2.domain.local@DOMAIN.LOCAL (des-cbc-md5) (...)
>>>    1 dns-dc2@DOMAIN.LOCAL (des-cbc-md5) (...)
>>>    1 DNS/dc2.domain.local@DOMAIN.LOCAL (arcfour-hmac) (...)
>>>    1 dns-dc2@DOMAIN.LOCAL (arcfour-hmac) (...)
>>>    1 DNS/dc2.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96) (...
>>>    1 dns-dc2@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96) (...)
>>>    1 DNS/dc2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96) (...)
>>>    1 dns-dc2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96) (...)
>>>
>>>
>> dns.keytab already exists:
>> # ls -l /usr/local/samba/private/dns.keytab
>> -rw-r----- 1 root bind 777 Jul 17 21:59 /usr/local/samba/private/dns.keytab
>>
>> running the upgrade does not do too much:
>> # samba_upgradedns --dns-backend=BIND9_DLZ
>> Reading domain information
>> DNS accounts already exist
>> No zone file /usr/local/samba/private/dns/AD.DOMAIN.CH.zone
>> DNS records will be automatically created
>> DNS partitions already exist
>> dns-dc2 account already exists
>> See /usr/local/samba/private/named.conf for an example configuration include file for BIND
>> and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
>> Finished upgrading DNS
>>
>> and the keytab file is unchanged. Contents look fine:
>> # klist -Kek /usr/local/samba/private/dns.keytab
>> Keytab name: FILE:/usr/local/samba/private/dns.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (des-cbc-crc) (...)
>>    1 dns-DC2@AD.DOMAIN.CH (des-cbc-crc) (...)
>>    1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (des-cbc-md5) (...)
>>    1 dns-DC2@AD.DOMAIN.CH (des-cbc-md5) (...)
>>    1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (arcfour-hmac) (...)
>>    1 dns-DC2@AD.DOMAIN.CH (arcfour-hmac) (...)
>>    1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (aes128-cts-hmac-sha1-96) (...)
>>    1 dns-DC2@AD.DOMAIN.CH (aes128-cts-hmac-sha1-96) (...)
>>    1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96) (...)
>>    1 dns-DC2@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96) (...)
>>
>> The missing zone file is also not present on the working dc1 system.
>>
>>
>
> Upgrading to bind9 doesn't work at the moment, you need to upgrade to
> the internal DNS server, then upgrade again to Bind9.
> When it says 'DNS accounts already exists', it isn't actually
> referring to the <DCname>-dns user, it is referring to the dnsadmins
> group.
>
Thank you for the clarification. I was wondering because in my test setup dns-dc2 is missing and did not get created even with switching between backends like you described.
So I did it similarly to the dovecot kerberos steps.

samba-tool user create dns-dc2 --random-password
samba-tool spn add DNS/dc2.domain.local dns-dc2
mv /var/lib/samba/private/dns.keytab /var/lib/samba/private/dns.keytab.old
samba-tool domain exportkeytab --principal dns-dc2 /var/lib/samba/private/dns.keytab
samba-tool domain exportkeytab --principal DNS/dc2.domain.local /var/lib/samba/private/dns.keytab

I restarted bind9 and this works

kinit Administrator
nsupdate -g
>update add test.domain.local. 0 A 192.168.100.123
>send

Without the dns-dc2 account that fails.

> Must prod Samba-technical about my patch.
>
> What zone file is missing ?
>
> Rowland
>
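As an added check written for this archive page (not code from the thread or from Samba), the following POSIX shell script scans a `klist -Kek` listing of dns.keytab for the two principals the steps above create, DNS/<fqdn> and dns-<host>, and flags a keytab where either lacks an AES key; it also counts the legacy single-DES entries. The function names and both sample listings are constructed, and real klist output prints `@` where the list archive shows ` at `.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect a dns.keytab listing as
# printed by "klist -Kek /usr/local/samba/private/dns.keytab" for the two
# principals BIND9_DLZ needs for GSS-TSIG updates. Samples are constructed.

# check_dns_keytab FQDN REALM LISTING_FILE
# Returns 0 when DNS/FQDN@REALM and dns-HOST@REALM both have an AES enctype,
# 1 otherwise; the missing principal is reported on stderr.
check_dns_keytab() {
    fqdn=$1; realm=$2; listing=$3
    host=$(printf '%s' "$fqdn" | cut -d. -f1)
    rc=0
    for princ in "DNS/$fqdn@$realm" "dns-$host@$realm"; do
        # Case-insensitive: Samba wrote dns-DC2, the manual steps use dns-dc2.
        if ! grep -iF "$princ" "$listing" | grep -qE 'aes(128|256)-cts-hmac-sha1-96'; then
            echo "no AES key for $princ in $listing" >&2
            rc=1
        fi
    done
    return $rc
}

# count_des_keys LISTING_FILE: number of single-DES entries (legacy, weak).
count_des_keys() {
    grep -c 'des-cbc-' "$1" || true
}

# Constructed listing mirroring the working dc2 keytab quoted above.
SAMPLE_OK=$(mktemp)
cat >"$SAMPLE_OK" <<'EOF'
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- ---------
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (des-cbc-crc)
   1 dns-DC2@AD.DOMAIN.CH (des-cbc-crc)
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96)
   1 dns-DC2@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96)
EOF

# Constructed listing for the failing case: dns-dc2 was never created.
SAMPLE_BAD=$(mktemp)
cat >"$SAMPLE_BAD" <<'EOF'
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- ---------
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96)
EOF

check_dns_keytab dc2.ad.domain.ch AD.DOMAIN.CH "$SAMPLE_OK" && echo "keytab complete"
check_dns_keytab dc2.ad.domain.ch AD.DOMAIN.CH "$SAMPLE_BAD" || echo "keytab incomplete"
```

On a real DC, replace the sample file with the output of `klist -Kek` on the keytab that BIND reads, and check separately that the file is readable by the bind group as shown in the listing above.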