Hi Marc,

Thanks for your reply!

> Check if your dynamic DNS works. For details and troubleshooting, see:
> https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates

I'm not sure about the "--all-names" option, but the regular "samba_dnsupdate --verbose" updated all dns records for all DCs shortly after I joined them.

The problematic dns records here are workstations, trying to add a dynamic dns record.

I took a look with the Microsoft DNS tool, and noticed that the current workstation dns records are listed with timestamp 'static'. As I come from samba 4.5 with internal dns, perhaps this is the way samba adds them..?

So I removed both A/AAAA for the p002507 dns entry, and ran on the windows p002507 workstation: "ipconfig /registerdns"
Suddenly it worked: a new dns record appeared, now with timestamp "7-11-2017 20:00:00", both A and AAAA records. And they are renewed every hour, I noticed.

As I don't think we require dns of our domain clients, I am now thinking to simply delete all regular workstation "static" dns records, to allow them to be recreated automatically using bind9_dlz.

This seems kind of drastic... Would doing this have unforeseen side-effects I should take into consideration?

And anyone on my second issue, on

> [2017/11/07 18:23:25.114429, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DC4$@SAMBA.COMPANY.COM(kvno 1) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
> [2017/11/07 18:23:25.114456, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE

That one worries me a bit more than the DNS thing...

Have a nice evening everyone!

MJ
On Tue, 7 Nov 2017 21:07:21 +0100 lists via samba <samba at lists.samba.org> wrote:

> Hi Marc,
>
> Thanks for your reply!
>
> > Check if your dynamic DNS works. For details and troubleshooting,
> > see: https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates
>
> I'm not sure about the "--all-names" option, but the regular
> "samba_dnsupdate --verbose" updated all dns records for all DCs
> shortly after I joined them.
>
> The problematic dns records here are workstations, trying to add a
> dynamic dns record.
>
> I took a look with the Microsoft DNS tool, and noticed that the
> current workstation dns records are listed with timestamp 'static'.
> As I come from samba 4.5 with internal dns, perhaps this is the way
> samba adds them..?
>
> So I removed both A/AAAA for the p002507 dns entry, and ran on the
> windows p002507 workstation: "ipconfig /registerdns"
> suddenly it worked: A new dns record appeared, now with timestamp
> "7-11-2017 20:00:00", both A and AAAA records. And they are renewed
> every hour, I noticed.
>
> As I don't think we require dns of our domain clients, I am now
> thinking to simply delete all regular workstation "static" dns
> records, to allow them to be recreated automatically using
> bind9_dlz.
>
> This seems kind of drastic... Would doing this have unforeseen
> side-effects I should take into consideration?

I think what happened here was that the records had been created by something else and were not owned by the computer, so the update was refused.
After deletion, the computer created the records again, and as the computer now 'owns' the records, it can now update them.

> And anyone on my second issue, on
>
> > [2017/11/07 18:23:25.114429, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
> > GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DC4$@SAMBA.COMPANY.COM(kvno 1) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
> > [2017/11/07 18:23:25.114456, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
> > SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>
> That one worries me a bit more than the DNS thing...

It seems that something is looking for 'key version number 1' (kvno 1) but the klist you posted shows kvno 2

Rowland
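Rowland's kvno observation can be checked mechanically rather than by eye. The following Python is an added example, not code from the thread or from Samba: it pulls the principal and kvno out of the gensec_gssapi log line MJ quoted and compares them with the KVNOs listed in `klist -k -e` output for that principal (the klist text below is constructed for the example; the log line is the one from the thread).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Matches the gensec_gssapi failure quoted in the thread:
# "Failed to find <principal>(kvno N) in keytab <path> (<enctype>)"
KEYTAB_MISS = re.compile(
    r"Failed to find (?P<principal>\S+?)\(kvno (?P<kvno>\d+)\) in keytab "
    r"(?P<keytab>\S+)(?: \((?P<enctype>[^)]+)\))?"
)

@dataclass(frozen=True)
class KeytabMiss:
    principal: str
    kvno: int
    keytab: str
    enctype: Optional[str]

def parse_samba_log(text: str) -> List[KeytabMiss]:
    """Extract every 'Failed to find ... in keytab' event from Samba log text."""
    return [KeytabMiss(m["principal"], int(m["kvno"]), m["keytab"], m["enctype"])
            for m in KEYTAB_MISS.finditer(text)]

def parse_klist_keytab(text: str) -> Dict[str, Set[int]]:
    """Map principal -> set of KVNOs present, from 'klist -k [-e]' output.
    Header and separator lines do not start with a number, so they are skipped."""
    kvnos: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)", line)
        if m:
            kvnos.setdefault(m.group(2), set()).add(int(m.group(1)))
    return kvnos

def diagnose(miss: KeytabMiss, keytab: Dict[str, Set[int]]) -> str:
    """Explain why the lookup failed: missing principal, stale kvno, or enctype."""
    present = keytab.get(miss.principal)
    if not present:
        return f"{miss.principal}: principal absent from keytab entirely"
    if miss.kvno in present:
        return f"{miss.principal}: kvno {miss.kvno} present; check enctype {miss.enctype}"
    return (f"{miss.principal}: client presented kvno {miss.kvno}, keytab only has "
            f"{sorted(present)} (stale ticket or machine password changed)")

# Log line from the thread; klist output constructed to mirror MJ's 'kvno 2' report.
SAMPLE_LOG = ("GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): "
              "Failed to find DC4$@SAMBA.COMPANY.COM(kvno 1) in keytab "
              "FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)\n")
SAMPLE_KLIST = ("Keytab name: FILE:/var/lib/samba/private/secrets.keytab\n"
                "KVNO Principal\n---- ---------\n"
                "   2 DC4$@SAMBA.COMPANY.COM (arcfour-hmac)\n"
                "   2 DC4$@SAMBA.COMPANY.COM (aes256-cts-hmac-sha1-96)\n")
```

Running `diagnose(parse_samba_log(SAMPLE_LOG)[0], parse_klist_keytab(SAMPLE_KLIST))` reports that the client presented kvno 1 while the keytab only holds kvno 2, which is exactly the mismatch Rowland points at.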
Hi Rowland,

On 7-11-2017 21:51, Rowland Penny wrote:
> I think what happened here was that the records had been created by
> something else and were not owned by the computer, so the update was
> refused. After deletion, the computer created the records again, and as
> the computer now 'owns' the records, it can now update them.

But, since AD is so picky about dns, etc... Can I simply delete the records, and will the workstations still be able to logon without their dns record present? (and then add and update their own dns record)

MJ
Hi,

On 11/07/2017 09:51 PM, Rowland Penny wrote:
>> And anyone on my second issue, on
>>
>>> [2017/11/07 18:23:25.114429, 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
>>> GSS server Update(krb5)(1) Update failed: Miscellaneous failure (see text): Failed to find DC4$@SAMBA.COMPANY.COM(kvno 1) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
>>> [2017/11/07 18:23:25.114456, 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
>>> SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
>>
>> That one worries me a bit more than the DNS thing...
>>
> It seems that something is looking for 'key version number 1' (kvno 1)
> but the klist you posted shows kvno 2

For the archives: the errors above have disappeared automatically. Perhaps they were caused by the fact that I had replaced all three old 4.5 DCs with three new 4.7 DCs, but using the same dns name and ip. Perhaps some clients noticed this later than others or so.

MJ