thr3ads.net - samba - [Samba] Samba 4.7.2 + bind on Fedora 27: samba

If this information is useful, please help other people find it:
Share via:

Dario Lesca

2017-Dec-04 11:56 UTC

[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Il giorno lun, 04/12/2017 alle 11.29 +0000, Rowland Penny via samba ha
scritto:> Try changing the 'options' of named.conf to this:
Thanks Rowland

Integrated your suggested changes and restart samba and named

Now my named.conf is this[1], but none is change:
    [    root at server-addc     ~]# samba_dnsupdate  --all-names
--fail-immediately
    update failed: REFUSED

    dic 04 12:46:43 server-addc.dogma-to.loc named[8474]: samba_dlz: spnego
update failed
    dic 04 12:46:43 server-addc.dogma-to.loc named[8474]: client @0x7fc9310a5e80
192.168.41.1#60981/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone
'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)

I have also try this:

    [    root at server-addc     ~]# samba_dnsupdate  --all-names
--use-samba-tool --fail-immediately
    ERROR(runtime): uncaught exception - (9711,
'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
      File
"/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line
176, in _run
        return self.run(*args, **kwargs)
      File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py",
line 940, in run
        raise e

But also fail.

Some other suggest?

Thanks
Dario

[1] /etc/named.conf

options {
        listen-on port 53 { 127.0.0.1; 192.168.41.1; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.41.0/24; };
        recursion yes;
        //dnssec-enable yes;
        //dnssec-validation yes;
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
            allow-recursion { 192.168.41.0/24;  127.0.0.1/32; };
            notify no;
            empty-zones-enable no;
            forwarders { 8.8.8.8; 8.8.4.4; };
            dnssec-validation no;
            dnssec-enable no;
            allow-transfer { none; };
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/var/lib/samba/bind-dns/named.conf";


-- 
Dario Lesca
(inviato dal mio Linux Fedora 27 Workstation)

Rowland Penny

2017-Dec-04 12:07 UTC

head link

[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

On Mon, 04 Dec 2017 12:56:19 +0100
Dario Lesca via samba <samba at lists.samba.org> wrote:
> Il giorno lun, 04/12/2017 alle 11.29 +0000, Rowland Penny via samba ha
> scritto:
> > Try changing the 'options' of named.conf to this:
> 
> Thanks Rowland
> 
> Integrated your suggested changes and restart samba and named
> 
> Now my named.conf is this[1], but none is change:
>     [    root at server-addc     ~]# samba_dnsupdate  --all-names
> --fail-immediately update failed: REFUSED
> 
>     dic 04 12:46:43 server-addc.dogma-to.loc named[8474]: samba_dlz:
> spnego update failed dic 04 12:46:43 server-addc.dogma-to.loc
> named[8474]: client @0x7fc9310a5e80 192.168.41.1#60981/key
> SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE':
> update failed: rejected by secure update (REFUSED)
> 
> I have also try this:
> 
>     [    root at server-addc     ~]# samba_dnsupdate  --all-names
> --use-samba-tool --fail-immediately ERROR(runtime): uncaught
> exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS') File
> "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line
> 176, in _run return self.run(*args, **kwargs) File
> "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line
940,
> in run raise e
> 
Is the DHCP server updating the records for you ?
If so, you need to stop the windows clients trying to update their own
records, they don't own them.

Rowland

Dario Lesca

2017-Dec-04 14:34 UTC

head link

[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Il giorno lun, 04/12/2017 alle 12.07 +0000, Rowland Penny via samba ha
scritto:> Is the DHCP server updating the records for you ?
Yes, but for now the problem is not dhcp (see follow)
> If so, you need to stop the windows clients trying to update their
> own records, they don't own them.
I have the problem when join to domani via samba on another server, or
when I run samba_dnsupdate  --all-name 

Now I have do this test:

I have save the machine status with a snapshot.
Then I have reload a snapshot done before deploy samba AD DC.
Then, On A fresh Fedora 27 server up to date I have
Stop selinux, restart and run this command:

+ dnf install samba-client samba-dc samba-winbind attr acl krb5-
workstation tdb-tools samba-winbind-clients python bind bind-utils
samba-dc-bind-dlz

+ test '!' -e /etc/krb5.conf.orig
+ test -e /etc/krb5.conf
+ test '!' -e /etc/samba/smb.conf.orig
+ test -e /etc/samba/smb.conf

+ samba-tool domain provision --realm=dogma-to.loc --domain=dogma-to
--dns-backend=BIND9_DLZ --use-rfc2307 --server-role=dc --function-level=2008_R2
--adminpass=P at ssw0rd

Open the all port needed

cp -a /var/lib/samba/private/krb5.conf /etc/krb5.conf

Add this to the [global] of new smb.conf
 template shell = /bin/bash
 template homedir = /home/%U

Add "winbind" string to passwd, shadow and group of /etc/nsswitch.conf

Edit the /etc/named.conf and add
    listen-on port 53 { 127.0.0.1; 192.168.41.1; };
    allow-query     { localhost; 191.168.41.0/24; };
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

and at the end 
    include "/var/lib/samba/bind-dns/named.conf";

without modify any other

Start and enable named
    systemctl enable named
    systemctl restart named

Point dns to my IP 192.168.41.1 and restart network

# Start samba
    systemctl enable samba
    systemctl restart samba.service

test some resolver ...

    host $(hostname)
    host -t SRV _ldap._tcp.$(hostname -d)

try access to server

    smbclient -L $(hostname)     -Uadministrator%P at aaw0rd

Try add a dns record ...

At this point All work fine

Then I try 

    samba_dnsupdate --verbose  --all-names --fail-immediately

And the problem persist:

    update failed: REFUSED
    Failed update with /tmp/tmpmRYs8r
    dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: samba_dlz: starting
transaction on zone dogma-to.loc
    dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: client @0x7f06840c6f20
192.168.41.1#26896: update 'dogma-to.loc/IN' denied
    dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: samba_dlz: cancelling
transaction on zone dogma-to.loc

The problem is when the tools try execute this command:

    cat /tmp/tmpmRYs8r | nsupdate

    [    root at server-addc     ~]# cat /tmp/tmpmRYs8r
    server server-addc.dogma-to.loc
    update add server-addc.dogma-to.loc. 900 A 192.168.41.1
    show
    send

seem that nsupdate cannot update dns

I have add "debug" and remove "show" directive from this
file

    [    root at server-addc     ~]# cat /tmp/tmpmRYs8r
    debug
    server server-addc.dogma-to.loc
    update add server-addc.dogma-to.loc. 900 A 192.168.41.1
    send

the rerun it:

    [    root at server-addc     ~]# cat /tmp/tmpmRYs8r|nsupdate 
    Reply from SOA query:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  16228
    ;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;server-addc.dogma-to.loc.      IN      SOA

    ;; AUTHORITY SECTION:
    dogma-to.loc.           3600    IN      SOA     server-addc.dogma-to.loc.
hostmaster.dogma-to.loc. 1 900 600 86400 3600

    Found zone name: dogma-to.loc
    The master is: server-addc.dogma-to.loc
    Sending update to 192.168.41.1#53
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  37799
    ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
    ;; UPDATE SECTION:
    server-addc.dogma-to.loc. 900   IN      A       192.168.41.1


    Reply from update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  37799
    ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; ZONE SECTION:
    ;dogma-to.loc.                  IN      SOA

    dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: samba_dlz: starting
transaction on zone dogma-to.loc
    dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: client @0x7f06840c6f20
192.168.41.1#39052: update 'dogma-to.loc/IN' denied
    dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: samba_dlz: cancelling
transaction on zone dogma-to.loc

Some error

Someone have some suggest?

Many thanks


-- 
Dario Lesca
(inviato dal mio Linux Fedora 27 Workstation)

Possibly Parallel Threads

Search for more possibly parallel threads

samba - Dec 2017 - Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Possibly Parallel Threads