Dario Lesca
2017-Dec-04 11:56 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On Mon, 04/12/2017 at 11.29 +0000, Rowland Penny via samba wrote:
> Try changing the 'options' of named.conf to this:

Thanks Rowland

I integrated your suggested changes and restarted samba and named.
Now my named.conf is this[1], but nothing has changed:

[root at server-addc ~]# samba_dnsupdate --all-names --fail-immediately
update failed: REFUSED

dic 04 12:46:43 server-addc.dogma-to.loc named[8474]: samba_dlz: spnego update failed
dic 04 12:46:43 server-addc.dogma-to.loc named[8474]: client @0x7fc9310a5e80 192.168.41.1#60981/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)

I have also tried this:

[root at server-addc ~]# samba_dnsupdate --all-names --use-samba-tool --fail-immediately
ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
    raise e

But this also fails.

Any other suggestions?
Thanks
Dario

[1] /etc/named.conf

options {
        listen-on port 53 { 127.0.0.1; 192.168.41.1; };
        //listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; 192.168.41.0/24; };
        recursion yes;
        //dnssec-enable yes;
        //dnssec-validation yes;
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
        allow-recursion { 192.168.41.0/24; 127.0.0.1/32; };
        notify no;
        empty-zones-enable no;
        forwarders { 8.8.8.8; 8.8.4.4; };
        dnssec-validation no;
        dnssec-enable no;
        allow-transfer { none; };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/var/lib/samba/bind-dns/named.conf";

-- 
Dario Lesca (sent from my Linux Fedora 27 Workstation)
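The named.conf above is the kind of file that is easy to get subtly wrong: the BIND9_DLZ back end only works if named loads the Samba zone include and can reach the keytab named by tkey-gssapi-keytab, and a listen address that falls outside allow-query is answered REFUSED. The following script is an added example (not part of the thread, not Samba or BIND code) that parses the options block of a named.conf and checks those points. The sample configuration embedded in it is a constructed copy of the options shown in the message; the paths /var/lib/samba/bind-dns/named.conf and /var/lib/samba/bind-dns/dns.keytab are the ones the thread uses, and the function and constant names are my own.

```python
"""Sanity checks for a named.conf fronting the Samba AD DC BIND9_DLZ back end.
Added example, not from the thread; the directive names are standard BIND ones
and SAMPLE_NAMED_CONF is a constructed copy of the options the thread shows."""
import ipaddress
import re

SAMBA_DLZ_INCLUDE = "/var/lib/samba/bind-dns/named.conf"   # path from the thread
SAMBA_DNS_KEYTAB = "/var/lib/samba/bind-dns/dns.keytab"    # path from the thread

# Constructed sample: the thread's options block (trimmed) plus the top-level includes.
SAMPLE_NAMED_CONF = """
options {
        listen-on port 53 { 127.0.0.1; 192.168.41.1; };
        //listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        allow-query { localhost; 192.168.41.0/24; };
        recursion yes;
        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
        allow-recursion { 192.168.41.0/24; 127.0.0.1/32; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        dnssec-validation no;
        allow-transfer { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/var/lib/samba/bind-dns/named.conf";
"""


def strip_comments(text):
    """Drop the three comment styles BIND accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def block_body(text, name):
    """Return the text inside the braces of the top-level `name { ... };` block."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def statements(body):
    """Split a block body into statements on ';' at brace depth 0."""
    out, cur, depth = [], [], 0
    for ch in body:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if ch == ";" and depth == 0:
            if "".join(cur).strip():
                out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return out


def parse_named_conf(conf):
    """Return (options dict, list of include paths). Braced values become lists."""
    text = strip_comments(conf)
    opts = {}
    for st in statements(block_body(text, "options")):
        parts = st.split(None, 1)
        key, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        braced = re.search(r"\{(.*)\}", rest, re.S)
        if braced:
            opts[key] = [x.strip() for x in braced.group(1).split(";") if x.strip()]
        else:
            opts[key] = rest.strip().strip('"')
    includes = re.findall(r'\binclude\s+"([^"]+)"\s*;', text)
    return opts, includes


def check_named_conf(conf):
    """Return a list of problems; an empty list means the DLZ-relevant settings look sane."""
    opts, includes = parse_named_conf(conf)
    problems = []
    if opts.get("tkey-gssapi-keytab") != SAMBA_DNS_KEYTAB:
        problems.append("tkey-gssapi-keytab is not %s; GSS-TSIG updates cannot authenticate"
                        % SAMBA_DNS_KEYTAB)
    if SAMBA_DLZ_INCLUDE not in includes:
        problems.append("missing include of %s; named will not load the AD zones"
                        % SAMBA_DLZ_INCLUDE)
    # Every non-loopback listen address should sit inside an allow-query network,
    # otherwise queries arriving on that interface are answered REFUSED.
    nets = [ipaddress.ip_network(x) for x in opts.get("allow-query", []) if x[0].isdigit()]
    for addr in opts.get("listen-on", []):
        ip = ipaddress.ip_address(addr)
        if not ip.is_loopback and not any(ip in n for n in nets):
            problems.append("listen-on address %s is outside every allow-query network" % addr)
    if opts.get("recursion") == "yes" and not (opts.get("allow-recursion") or opts.get("allow-query")):
        problems.append("recursion yes with no allow-recursion/allow-query ACL: open resolver")
    return problems


if __name__ == "__main__":
    print(check_named_conf(SAMPLE_NAMED_CONF) or "no problems found")
```

Run it against a real file with `check_named_conf(open("/etc/named.conf").read())`; the parser only handles the options block and include statements, so the DLZ zone definitions pulled in by the Samba include are not inspected.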
Rowland Penny
2017-Dec-04 12:07 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On Mon, 04 Dec 2017 12:56:19 +0100
Dario Lesca via samba <samba at lists.samba.org> wrote:

> On Mon, 04/12/2017 at 11.29 +0000, Rowland Penny via samba wrote:
> > Try changing the 'options' of named.conf to this:
> 
> Thanks Rowland
> 
> I integrated your suggested changes and restarted samba and named.
> Now my named.conf is this[1], but nothing has changed:
> 
> [root at server-addc ~]# samba_dnsupdate --all-names --fail-immediately
> update failed: REFUSED
> 
> dic 04 12:46:43 server-addc.dogma-to.loc named[8474]: samba_dlz: spnego update failed
> dic 04 12:46:43 server-addc.dogma-to.loc named[8474]: client @0x7fc9310a5e80 192.168.41.1#60981/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
> 
> I have also tried this:
> 
> [root at server-addc ~]# samba_dnsupdate --all-names --use-samba-tool --fail-immediately
> ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
>     raise e
> 

Is the DHCP server updating the records for you ? If so, you need to stop the Windows clients trying to update their own records, they don't own them.

Rowland
Dario Lesca
2017-Dec-04 14:34 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On Mon, 04/12/2017 at 12.07 +0000, Rowland Penny via samba wrote:
> Is the DHCP server updating the records for you ?

Yes, but for now the problem is not DHCP (see below).

> If so, you need to stop the windows clients trying to update their
> own records, they don't own them.

I have the problem when joining the domain via samba on another server, or when I run samba_dnsupdate --all-name

Now I have done this test:

I saved the machine state with a snapshot.
Then I reloaded a snapshot taken before deploying the Samba AD DC.
Then, on a fresh, up-to-date Fedora 27 server, I stopped SELinux, restarted and ran these commands:

+ dnf install samba-client samba-dc samba-winbind attr acl krb5-workstation tdb-tools samba-winbind-clients python bind bind-utils samba-dc-bind-dlz
+ test '!' -e /etc/krb5.conf.orig
+ test -e /etc/krb5.conf
+ test '!' -e /etc/samba/smb.conf.orig
+ test -e /etc/samba/smb.conf
+ samba-tool domain provision --realm=dogma-to.loc --domain=dogma-to --dns-backend=BIND9_DLZ --use-rfc2307 --server-role=dc --function-level=2008_R2 --adminpass=P at ssw0rd

Open all the needed ports

cp -a /var/lib/samba/private/krb5.conf /etc/krb5.conf

Add this to the [global] section of the new smb.conf:

        template shell = /bin/bash
        template homedir = /home/%U

Add the "winbind" string to passwd, shadow and group in /etc/nsswitch.conf

Edit /etc/named.conf and add:

        listen-on port 53 { 127.0.0.1; 192.168.41.1; };
        allow-query { localhost; 191.168.41.0/24; };
        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

and at the end:

        include "/var/lib/samba/bind-dns/named.conf";

without modifying anything else.

Start and enable named:

systemctl enable named
systemctl restart named

Point DNS to my IP 192.168.41.1 and restart the network

# Start samba
systemctl enable samba
systemctl restart samba.service

Test some resolution ...

host $(hostname)
host -t SRV _ldap._tcp.$(hostname -d)

Try to access the server:

smbclient -L $(hostname) -Uadministrator%P at aaw0rd

Try to add a DNS record ...
At this point all works fine.

Then I try:

samba_dnsupdate --verbose --all-names --fail-immediately

and the problem persists:

update failed: REFUSED
Failed update with /tmp/tmpmRYs8r

dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: samba_dlz: starting transaction on zone dogma-to.loc
dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: client @0x7f06840c6f20 192.168.41.1#26896: update 'dogma-to.loc/IN' denied
dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: samba_dlz: cancelling transaction on zone dogma-to.loc

The problem is when the tool tries to execute this command:

cat /tmp/tmpmRYs8r | nsupdate

[root at server-addc ~]# cat /tmp/tmpmRYs8r
server server-addc.dogma-to.loc
update add server-addc.dogma-to.loc. 900 A 192.168.41.1
show
send

It seems that nsupdate cannot update DNS.

I have added the "debug" directive and removed the "show" directive from this file:

[root at server-addc ~]# cat /tmp/tmpmRYs8r
debug
server server-addc.dogma-to.loc
update add server-addc.dogma-to.loc. 900 A 192.168.41.1
send

then rerun it:

[root at server-addc ~]# cat /tmp/tmpmRYs8r|nsupdate
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16228
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;server-addc.dogma-to.loc. IN SOA

;; AUTHORITY SECTION:
dogma-to.loc. 3600 IN SOA server-addc.dogma-to.loc. hostmaster.dogma-to.loc. 1 900 600 86400 3600

Found zone name: dogma-to.loc
The master is: server-addc.dogma-to.loc
Sending update to 192.168.41.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 37799
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
;; UPDATE SECTION:
server-addc.dogma-to.loc. 900 IN A 192.168.41.1

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 37799
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;dogma-to.loc. IN SOA

dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: samba_dlz: starting transaction on zone dogma-to.loc
dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: client @0x7f06840c6f20 192.168.41.1#39052: update 'dogma-to.loc/IN' denied
dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: samba_dlz: cancelling transaction on zone dogma-to.loc

Same error.

Does anyone have any suggestions?

Many thanks

-- 
Dario Lesca (sent from my Linux Fedora 27 Workstation)
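The named journal lines and the nsupdate debug output in this thread carry enough structure to tell the failure modes apart: BIND logs `client addr#port/key NAME:` when the request was signed with a TSIG/GSS-TSIG key and omits the `/key` part when it was not, and a signed update carries its TSIG record in the ADDITIONAL section of the outgoing UPDATE message, so `ADDITIONAL: 0` there means the update went out unsigned. The following script is an added example (not from the thread, not Samba or BIND code) that classifies named journal lines and summarizes nsupdate debug output along those lines. The sample inputs are constructed copies of the lines quoted in this message and the first one; the category names and function names are my own.

```python
"""Triage named journal lines and nsupdate debug output from a failing
GSS-TSIG dynamic update. Added example, not from the thread; the samples
are constructed copies of the lines quoted in it."""
import re
from collections import Counter

# Constructed sample: the named journal lines quoted in the thread.
SAMPLE_JOURNAL = r"""
dic 04 12:46:43 server-addc.dogma-to.loc named[8474]: samba_dlz: spnego update failed
dic 04 12:46:43 server-addc.dogma-to.loc named[8474]: client @0x7fc9310a5e80 192.168.41.1#60981/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: samba_dlz: starting transaction on zone dogma-to.loc
dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: client @0x7f06840c6f20 192.168.41.1#26896: update 'dogma-to.loc/IN' denied
dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: samba_dlz: cancelling transaction on zone dogma-to.loc
"""

# Constructed sample: the nsupdate "debug" output quoted in the thread (trimmed).
SAMPLE_NSUPDATE = """
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16228
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
Found zone name: dogma-to.loc
The master is: server-addc.dogma-to.loc
Sending update to 192.168.41.1#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 37799
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
;; UPDATE SECTION:
server-addc.dogma-to.loc. 900 IN A 192.168.41.1
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 37799
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
"""

# BIND's client prefix: address#port, then "/key NAME" only when the request was signed.
NAMED_CLIENT = re.compile(
    r"client @0x[0-9a-f]+ (?P<addr>\S+)#(?P<port>\d+)(?:/key (?P<key>\S+?))?: (?P<msg>.*)")

EXPLANATION = {
    "gss-tsig-negotiation-failed":
        "the SPNEGO/Kerberos exchange with named failed; check that named can read the "
        "keytab given by tkey-gssapi-keytab and that Kerberos works for the DC",
    "signed-update-rejected-by-policy":
        "the update was signed with the logged key but the zone's secure-update policy "
        "rejected it; the signer is not allowed to change that name",
    "unsigned-update-denied":
        "the update carried no TSIG/GSS-TSIG key, so named denied it before the back end "
        "saw a key; a GSS-TSIG update needs nsupdate -g",
    "other": "no update-authentication signal in this line",
}


def classify_named_line(line):
    """Return (category, key_name) for one named journal line."""
    if "spnego update failed" in line:
        return ("gss-tsig-negotiation-failed", None)
    m = NAMED_CLIENT.search(line)
    if not m:
        return ("other", None)
    key, msg = m.group("key"), m.group("msg")
    if key and "rejected by secure update" in msg:
        return ("signed-update-rejected-by-policy", key)
    if not key and "denied" in msg:
        return ("unsigned-update-denied", None)
    return ("other", key)


def triage_journal(text):
    """Count categories over a block of journal text."""
    return Counter(classify_named_line(l)[0] for l in text.splitlines() if l.strip())


def summarize_nsupdate(debug_output):
    """Pull the server, the outgoing ADDITIONAL count (TSIG lives there) and the reply status."""
    out = {"server": None, "outgoing_additional": None, "signed": None, "reply_status": None}
    m = re.search(r"Sending update to (\S+)", debug_output)
    if m:
        out["server"] = m.group(1)
    m = re.search(r"Outgoing update query:.*?ADDITIONAL: (\d+)", debug_output, re.S)
    if m:
        out["outgoing_additional"] = int(m.group(1))
        out["signed"] = out["outgoing_additional"] > 0   # a signed update carries a TSIG RR here
    m = re.search(r"Reply from update query:.*?status: (\w+)", debug_output, re.S)
    if m:
        out["reply_status"] = m.group(1)
    return out


if __name__ == "__main__":
    for cat, n in triage_journal(SAMPLE_JOURNAL).items():
        print("%-34s %d  %s" % (cat, n, EXPLANATION[cat]))
    print(summarize_nsupdate(SAMPLE_NSUPDATE))
```

Feed it `journalctl -u named` output and the output of `nsupdate -d` (or a file with the `debug` directive, as in the message above); the two checks together separate "named could not authenticate the client" from "the client never tried to authenticate", which call for different fixes on the server.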