Dario Lesca
2017-Dec-04 13:10 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On Mon, 04/12/2017 at 13.17 +0100, Christian Naumer via samba wrote:
> Is
>
> /var/lib/samba/bind-dns/
>
> accessible by bind?

Yes, and SELinux is disabled

[root@server-addc ~]# find /var/lib/samba/bind-dns/ -ls
3149158 0 drwxrwx--- 3 root named 95 dic 4 14:03 /var/lib/samba/bind-dns/
111 0 drwxrwx--- 3 root named 38 dic 4 13:57 /var/lib/samba/bind-dns/dns
1049422 4 drwxrwx--- 2 root named 4096 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d
1049423 1256 -rw-rw---- 1 root named 1286144 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/DC%3DDOGMA-TO,DC%3DLOC.ldb
2118093 812 -rw-rw---- 2 root named 831488 dic 4 14:02 /var/lib/samba/bind-dns/dns/sam.ldb.d/metadata.tdb
2118098 4148 -rw-rw---- 2 root named 4247552 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/DC%3DDOMAINDNSZONES,DC%3DDOGMA-TO,DC%3DLOC.ldb
2118099 4148 -rw-rw---- 2 root named 4247552 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/DC%3DFORESTDNSZONES,DC%3DDOGMA-TO,DC%3DLOC.ldb
2118101 6992 -rw-rw---- 1 root named 7159808 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/CN%3DCONFIGURATION,DC%3DDOGMA-TO,DC%3DLOC.ldb
2118102 8300 -rw-rw---- 1 root named 8499200 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/CN%3DSCHEMA,CN%3DCONFIGURATION,DC%3DDOGMA-TO,DC%3DLOC.ldb
1049424 2944 -rw-rw---- 1 root named 3014656 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb
3149184 4 -rw-r--r-- 1 root root 721 dic 4 13:57 /var/lib/samba/bind-dns/named.conf
3149185 4 -rw-r--r-- 1 root root 2092 dic 4 13:57 /var/lib/samba/bind-dns/named.txt
1049430 4 -rw-r----- 2 root named 772 dic 4 13:57 /var/lib/samba/bind-dns/dns.keytab
3149744 4 -r--r--r-- 1 root root 230 dic 4 14:01 /var/lib/samba/bind-dns/named.conf.update

> Regards
>
> Christian
>
> On 04.12.2017 at 11:35, Dario Lesca via samba wrote:
> > I have set up on a Fedora 27 server a Samba AD-DC + bind + dhcp.
> >
> > All seems to work fine: I can join the domain, add/remove DNS records with samba-tool, access shared folders, use the MS Management Console on Win7, etc.
> >
> > But when I join a new machine (Samba winbind member server) to the domain
> >
> > [root@server-dati ~]# net ads join DOGMA-TO -U administrator
> > Using short domain name -- DOGMA-TO
> > Joined 'SERVER-DATI' to dns domain 'dogma-to.loc'
> > DNS Update for server-dati.dogma-to.loc failed: ERROR_DNS_UPDATE_FAILED
> > DNS update failed: NT_STATUS_UNSUCCESSFUL
> >
> > or run this command on the Samba AD-DC:
> >
> > [root@server-addc ~]# samba_dnsupdate --all-names --fail-immediately
> > update failed: REFUSED
> >
> > In the system log I get:
> >
> > dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: starting transaction on zone dogma-to.loc
> > dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: spnego update failed
> > dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: client @0x7fe71c49f7b0 192.168.41.1#48521/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
> > dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: cancelling transaction on zone dogma-to.loc
> >
> > What kind of problem is it?
> >
> > These are my config files, and SELinux is off
> >
> > ### Samba:
> > [global]
> > passdb backend = samba_dsdb
> > realm = DOGMA-TO.LOC
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > template homedir = /home/%U
> > template shell = /bin/bash
> > workgroup = DOGMA-TO
> > rpc_server:tcpip = no
> > rpc_daemon:spoolssd = embedded
> > rpc_server:spoolss = embedded
> > rpc_server:winreg = embedded
> > rpc_server:ntsvcs = embedded
> > rpc_server:eventlog = embedded
> > rpc_server:srvsvc = embedded
> > rpc_server:svcctl = embedded
> > rpc_server:default = external
> > winbindd:use external pipes = true
> > idmap_ldb:use rfc2307 = yes
> > idmap config * : backend = tdb
> >
> > map archive = No
> > map readonly = no
> > store dos attributes = Yes
> > vfs objects = dfs_samba4 acl_xattr
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/dogma-to.loc/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> >
> > Kerberos
> >
> > [root@server-addc ~]# cat /etc/krb5.conf
> > [libdefaults]
> > default_realm = DOGMA-TO.LOC
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> >
> > ### Bind
> >
> > options {
> > listen-on port 53 { 127.0.0.1; 192.168.41.1; };
> > //listen-on-v6 port 53 { ::1; };
> > directory "/var/named";
> > dump-file "/var/named/data/cache_dump.db";
> > statistics-file "/var/named/data/named_stats.txt";
> > memstatistics-file "/var/named/data/named_mem_stats.txt";
> > allow-query { localhost; 192.168.41.0/24; };
> >
> > /*
> > - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
> > - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion.
> > - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface
> > */
> > recursion yes;
> >
> > dnssec-enable yes;
> > dnssec-validation yes;
> >
> > managed-keys-directory "/var/named/dynamic";
> >
> > pid-file "/run/named/named.pid";
> > session-keyfile "/run/named/session.key";
> >
> > /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
> > include "/etc/crypto-policies/back-ends/bind.config";
> >
> > tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> >
> > };
> >
> > logging {
> > channel default_debug {
> > file "data/named.run";
> > severity dynamic;
> > };
> > };
> >
> > zone "." IN {
> > type hint;
> > file "named.ca";
> > };
> >
> > include "/etc/named.rfc1912.zones";
> > include "/etc/named.root.key";
> >
> > include "/var/lib/samba/bind-dns/named.conf";
> >
> >
> > Can someone help me?
> >
> > --
> Dr. Christian Naumer
> Research Scientist
> Platform Coordinator Bioprocess Engineering
>
> B.R.A.I.N Aktiengesellschaft
> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
> phone +49-6251-9331-30 / fax +49-6251-9331-11
>
> Follow @BRAINbiotech on Twitter: https://twitter.com/BRAINbiotech
>
> Registered office: Zwingenberg/Bergstrasse
> Commercial register: Darmstadt local court, HRB 24758
> Management board: Dr. Juergen Eck (chairman), Frank Goebel
> Chairman of the supervisory board: Dr. Ludger Mueller
>
-- 
Dario Lesca
(sent from my Linux Fedora 27 Workstation)
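As an added check that is not part of the thread: the Python below reads `find -ls` output like the listing above and reports every entry that the `named` user (member of group `named`) could not use with the permissions the samba_dlz back end needs, which this example assumes to be rwx on directories, rw on the .ldb/.tdb databases and read on everything else. It is a plain permission-bit check (no ACLs, no SELinux); the first sample is a subset of the posted listing, the second a constructed variant with a keytab owned root:root and a group-read-only database so the check has something to report.

```python
from typing import List, NamedTuple, Tuple

# Constructed sample: a subset of the `find -ls` listing posted in the thread.
GOOD_LISTING = """\
3149158 0 drwxrwx--- 3 root named 95 dic 4 14:03 /var/lib/samba/bind-dns/
1049422 4 drwxrwx--- 2 root named 4096 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d
1049424 2944 -rw-rw---- 1 root named 3014656 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb
2118093 812 -rw-rw---- 2 root named 831488 dic 4 14:02 /var/lib/samba/bind-dns/dns/sam.ldb.d/metadata.tdb
3149184 4 -rw-r--r-- 1 root root 721 dic 4 13:57 /var/lib/samba/bind-dns/named.conf
1049430 4 -rw-r----- 2 root named 772 dic 4 13:57 /var/lib/samba/bind-dns/dns.keytab
3149744 4 -r--r--r-- 1 root root 230 dic 4 14:01 /var/lib/samba/bind-dns/named.conf.update
"""
# Constructed variant (not from the thread): keytab owned root:root, database only group-readable.
BAD_LISTING = """\
1049430 4 -rw-r----- 2 root root 772 dic 4 13:57 /var/lib/samba/bind-dns/dns.keytab
1049424 2944 -rw-r----- 1 root named 3014656 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb
"""

class Entry(NamedTuple):
    mode: str   # e.g. "drwxrwx---"
    owner: str
    group: str
    path: str

def parse_find_ls(text: str) -> List[Entry]:
    """Fields of `find -ls`: inode blocks mode links owner group size mon day time path."""
    rows = [line.split() for line in text.splitlines()]
    return [Entry(f[2], f[4], f[5], f[-1]) for f in rows if len(f) >= 11]

def effective_perms(e: Entry, user: str, groups: Tuple[str, ...]) -> set:
    """Classic Unix rule: owner class if the owner matches, else group class, else other."""
    cls = 1 if e.owner == user else 4 if e.group in groups else 7
    bits = e.mode[cls:cls + 3]
    # lowercase s/t mean the execute bit is set together with setgid/sticky
    return {p for p, b in zip("rwx", bits) if b in "rwxst"}

def required_perms(e: Entry) -> set:
    """Assumed needs of samba_dlz: rwx on directories, rw on ldb/tdb databases, read on the rest."""
    if e.mode.startswith("d"):
        return {"r", "w", "x"}
    return {"r", "w"} if e.path.endswith((".ldb", ".tdb")) else {"r"}

def check_bind_access(text: str, user: str = "named", groups: Tuple[str, ...] = ("named",)) -> List[str]:
    """One 'path: user lacks ...' line per entry that falls short of what named needs."""
    problems = []
    for e in parse_find_ls(text):
        missing = required_perms(e) - effective_perms(e, user, groups)
        if missing:
            problems.append(f"{e.path}: {user} lacks {''.join(sorted(missing))} ({e.owner}:{e.group} {e.mode})")
    return problems
```

On a live system, feed it the output of `find /var/lib/samba/bind-dns/ -ls` run as root; an empty list means the classic permission bits are not what blocks bind, and the search moves on to the update-policy and the keytab contents.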
Christian Naumer
2017-Dec-04 14:31 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On 04.12.2017 at 14:10, Dario Lesca via samba wrote:
> 3149744 4 -r--r--r-- 1 root root 230 dic 4 14:01 /var/lib/samba/bind-dns/named.conf.update

what is in this file?

Regards

Christian

-- 
Dr. Christian Naumer
Research Scientist
Platform Coordinator Bioprocess Engineering

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30 / fax +49-6251-9331-11

Follow @BRAINbiotech on Twitter: https://twitter.com/BRAINbiotech

Registered office: Zwingenberg/Bergstrasse
Commercial register: Darmstadt local court, HRB 24758
Management board: Dr. Juergen Eck (chairman), Frank Goebel
Chairman of the supervisory board: Dr. Ludger Mueller
Dario Lesca
2017-Dec-04 15:03 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On Mon, 04/12/2017 at 15.31 +0100, Christian Naumer via samba wrote:
> On 04.12.2017 at 14:10, Dario Lesca via samba wrote:
> > 3149744 4 -r--r--r-- 1 root root 230 dic 4 14:01 /var/lib/samba/bind-dns/named.conf.update
>
> what is in this file?

This file, readable by all, contains this:

[root@server-addc ~]# cat /var/lib/samba/bind-dns/named.conf.update
/* this file is auto-generated - do not edit */
update-policy {
	grant DOGMA-TO.LOC ms-self * A AAAA;
	grant Administrator@DOGMA-TO.LOC wildcard * A AAAA SRV CNAME;
	grant SERVER-ADDC$@dogma-to.loc wildcard * A AAAA SRV CNAME;
};

It's auto-generated. Is the content correct? I believe the access is right ... or not?

-- 
Dario Lesca
(sent from my Linux Fedora 27 Workstation)