Hello there.

I have a setup with Samba AD and a Named backend. Everything has been working fine, until a few days ago, I cannot start the DNS snap-in from Windows. I get a dialog box saying "Access was denied. Would you like to add it anyway?"

If I enable level 3 debugging in the samba.conf, I get the following:

[2017/05/11 07:25:30.413481, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ kristjan at RVX.IS from ipv4:192.168.253.109:57310 for DnsServerApp at RVX.IS [canonicalize, renewable, forwardable]
[2017/05/11 07:25:30.414016, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Searching referral for DnsServerApp
[2017/05/11 07:25:30.414141, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: DnsServerApp at RVX.IS: No such entry in the database
[2017/05/11 07:25:30.414215, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:192.168.253.109:57310
[2017/05/11 07:25:30.415231, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)

I googled a lot for this, particularly "DnsServerApp" and found no solution. In desperation, using the ActiveDirectory, I added a "Computer" entry called "DnsServerApp". This didn't resolve the issue, but changed it.
Now I get in the log:

[2017/05/11 12:23:29.195608, 3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/05/11 12:23:29.199719, 1] ../source4/auth/gensec/gensec_gssapi.c:622(gensec_gssapi_update)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DC01$@RVX.IS(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (arcfour-hmac-md5)
[2017/05/11 12:23:29.199832, 1] ../auth/gensec/spnego.c:545(gensec_spnego_parse_negTokenInit)
  SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2017/05/11 12:23:29.199925, 2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_LOGON_FAILURE

The DC is called dc01.rvx.is.

Curiously, even after I removed the AD "computer" entry DnsServerApp, I still get the above, second, error in the log.

I'm relatively new to both Samba and AD configuration, but having failed to find any reference to the above problems on the net, I think they may be due to some internal database corruption or other such things.

Any thoughts?

Kv,
Kristján Valur Jónsson | CTA | RVX
Hi Kristján,

On 17.05.2017 at 17:40, Kristján V. Jónsson via samba wrote:
> Everything has been working fine, until a few days ago, I
> cannot start the DNS snap-in from windows. I get a dialog
> box saying "Access was denied. Would you like to add it anyway?"

The important question is: What has been changed in the meantime? Maybe an updated BIND package messed up your configuration? Use the docs to verify that everything is still correct:
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End

> If I enable level 3 debugging in the samba.conf, I get the following:
>
> [2017/05/11 07:25:30.414141, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Server not found in database: DnsServerApp at RVX.IS: No such entry in the database

> I googled a lot for this, particularly "DnsServerApp" and found no solution. In desperation, using the ActiveDirectory, I added a "Computer" entry called "DnsServerApp".
> This didn't resolve the issue, but changed it.

The dns-* accounts aren't computer accounts. Delete it again to avoid problems. "samba_upgradedns" can recreate the account correctly. Please try:
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Reconfiguring_the_BIND9_DLZ_Back_End

Regards,
Marc
On Wed, 17 May 2017 15:40:03 +0000 (GMT)
Kristján V. Jónsson via samba <samba at lists.samba.org> wrote:

> I googled a lot for this, particularly "DnsServerApp" and found no
> solution. In desperation, using the ActiveDirectory, I added a
> "Computer" entry called "DnsServerApp". This didn't resolve the
> issue, but changed it. Now I get in the log:

As Marc has pointed out 'DnsServerApp' isn't a computer name

>
> text): Failed to find DC01$@RVX.IS(kvno 2) in keytab

If it was, it would be in the form shown above: DNSERVERAPP$@RVX.IS

My googlefu must be a bit better than yours ;-)

I found this:

https://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=21&ved=0ahUKEwjVvIT1rPfTAhXKJMAKHcCZBqk4FBAWCCcwAA&url=https%3A%2F%2Friunet.upv.es%2Fbitstream%2Fhandle%2F10251%2F31637%2Ftesis_bmolina_v3.pdf%3Fsequence%3D1&usg=AFQjCNE_5tt3ySoIobXc3VXJ0pVlQQLfQw

Only problem, I don't speak Spanish LOL

But, Google translate seems to suggest that 'DnsServerApp' is a Class of some sort, so the question seems to be, what have you installed on the Windows machine?

Another question would be, what is the Windows machine?

Rowland
I hadn't been able to check this out for a while, but when I started to look at it today, all was ok again. I definitely didn't do anything to the server. Well, I rebooted my client machine, maybe somehow my credentials had gone weird?

Strange. If something like this happens again, I'll have another look.

p.s. I'm running samba-4.5 locally compiled. Should I consider upgrading?

Kv,
Kristján Valur Jónsson | CTA | RVX

----- Original Message -----
From: "Marc Muehlfeld" <mmuehlfeld at samba.org>
To: "Kristján V. Jónsson" <kristjan at rvx.is>, samba at lists.samba.org
Sent: Wednesday, 17 May, 2017 16:17:56
Subject: Re: [Samba] Samba AD DNS problem

Hi Kristján,

On 17.05.2017 at 17:40, Kristján V. Jónsson via samba wrote:
> Everything has been working fine, until a few days ago, I
> cannot start the DNS snap-in from windows. I get a dialog
> box saying "Access was denied. Would you like to add it anyway?"

The important question is: What has been changed in the meantime? Maybe an updated BIND package messed up your configuration? Use the docs to verify that everything is still correct:
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End

> If I enable level 3 debugging in the samba.conf, I get the following:
>
> [2017/05/11 07:25:30.414141, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
> Kerberos: Server not found in database: DnsServerApp at RVX.IS: No such entry in the database

> I googled a lot for this, particularly "DnsServerApp" and found no solution. In desperation, using the ActiveDirectory, I added a "Computer" entry called "DnsServerApp".
> This didn't resolve the issue, but changed it.

The dns-* accounts aren't computer accounts. Delete it again to avoid problems. "samba_upgradedns" can recreate the account correctly. Please try:
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Reconfiguring_the_BIND9_DLZ_Back_End

Regards,
Marc
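
The two Kerberos failures quoted in this thread can be picked out of a Samba log mechanically, which helps when comparing a DC's log before and after a change. This is an added example, not part of any message in the thread and not Samba code: the function name, result keys and regular expressions are assumptions, and the sample input is assembled from the log lines quoted above (the list archive's " at " address obfuscation is accepted alongside "@").

```python
import re

# Entry header: "[date time, level] source_file:line(function)"
HEADER = re.compile(r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\] (?P<where>\S+)")
# KDC has no account for the requested service principal
UNKNOWN_SPN = re.compile(
    r"Kerberos: Server not found in database: "
    r"(?P<name>[^@\s]+)(?:@| at )(?P<realm>[^:\s]+):")
# Accepting service has no key for this principal / kvno / enctype
KEYTAB_MISS = re.compile(
    r"Failed to find (?P<name>[^@\s]+)@(?P<realm>[^(\s]+)\(kvno (?P<kvno>\d+)\) "
    r"in keytab (?P<keytab>\S+) \((?P<enctype>[^)]+)\)")

def classify(log_text):
    """Return one dict per recognised Kerberos failure, in log order."""
    findings = []
    # Split at every header line so wrapped message lines stay with their entry.
    for entry in re.split(r"(?m)^(?=\[\d{4}/\d{2}/\d{2} )", log_text):
        header = HEADER.match(entry)
        if not header:
            continue
        body = " ".join(entry[header.end():].split())  # fold wrapped lines
        for kind, rx in (("unknown_service_principal", UNKNOWN_SPN),
                         ("keytab_key_missing", KEYTAB_MISS)):
            m = rx.search(body)
            if m:
                findings.append({"time": header.group("ts"), "kind": kind,
                                 **m.groupdict()})
    return findings

# Sample assembled from the thread's log excerpts; the line wrap is constructed.
SAMPLE = """\
[2017/05/11 07:25:30.414141, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: DnsServerApp at RVX.IS: No such entry in the database
[2017/05/11 12:23:29.199719, 1] ../source4/auth/gensec/gensec_gssapi.c:622(gensec_gssapi_update)
  GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see
  text): Failed to find DC01$@RVX.IS(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (arcfour-hmac-md5)
[2017/05/11 12:23:29.199925, 2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_LOGON_FAILURE
"""

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)
```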