Rowland Penny
2017-Dec-04 16:19 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On Mon, 04 Dec 2017 16:57:15 +0100
Dario Lesca via samba <samba at lists.samba.org> wrote:

> On Mon, 04/12/2017 at 16.00 +0100, Dario Lesca via samba wrote:
> > The samba command
> >
> > samba_dnsupdate --verbose --all-names --fail-immediately
> >
> > does not work
>
> Following this howto,
> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable#Verifying_That_the_BIND_AD_Account_Exists_for_the_DC
>
> I have tried this:
>
> [root@server-addc ~]# LDB_MODULES_PATH=/usr/lib64/samba/ldb/ ldbsearch -H /var/lib/samba/bind-dns/dns/sam.ldb 'cn=dns-DC1' dn
> # Referral
> ref: ldap://dogma-to.loc/CN=Configuration,DC=dogma-to,DC=loc
>
> # Referral
> ref: ldap://dogma-to.loc/DC=DomainDnsZones,DC=dogma-to,DC=loc
>
> # Referral
> ref: ldap://dogma-to.loc/DC=ForestDnsZones,DC=dogma-to,DC=loc
>
> # returned 3 records
> # 0 entries
> # 3 referrals
>
> This is not the output the howto says I should see.
>
> It seems the account dns-DC1 does not exist:
>
> [root@server-addc ~]# samba-tool user list
> Administrator
> Guest
> krbtgt
> dns-server-addc
> ospite
>
> Then I run
>
> [root@server-addc ~]# samba_upgradedns --verbose --dns-backend=BIND9_DLZ
> Reading domain information
> DNS accounts already exist
> No zone file /var/lib/samba/bind-dns/dns/DOGMA-TO.LOC.zone
> DNS records will be automatically created
> DNS partitions already exist
> dns-server-addc account already exists
> Could not remove /var/lib/samba/private/named.conf: No such file or directory
> Could not remove /var/lib/samba/private/named.conf.update: No such file or directory
> Could not remove /var/lib/samba/private/named.txt: No such file or directory
> Could not delete dir /var/lib/samba/private/dns: No such file or directory
> See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
> and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
> Finished upgrading DNS
>
> But I cannot see the "Adding dns-DC1 account" message like the howto says.

Follow what it says in the blue box under the ldbsearch output on the wiki page.

Rowland
Achim Gottinger
2017-Dec-04 17:12 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On 04.12.2017 at 17:19, Rowland Penny via samba wrote:
> On Mon, 04 Dec 2017 16:57:15 +0100
> Dario Lesca via samba <samba at lists.samba.org> wrote:
>
>> On Mon, 04/12/2017 at 16.00 +0100, Dario Lesca via samba wrote:
>>> The samba command
>>>
>>> samba_dnsupdate --verbose --all-names --fail-immediately
>>>
>>> does not work
>>
>> Following this howto,
>> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable#Verifying_That_the_BIND_AD_Account_Exists_for_the_DC
>>
>> I have tried this:
>>
>> [root@server-addc ~]# LDB_MODULES_PATH=/usr/lib64/samba/ldb/ ldbsearch -H /var/lib/samba/bind-dns/dns/sam.ldb 'cn=dns-DC1' dn
>> # Referral
>> ref: ldap://dogma-to.loc/CN=Configuration,DC=dogma-to,DC=loc
>>
>> # Referral
>> ref: ldap://dogma-to.loc/DC=DomainDnsZones,DC=dogma-to,DC=loc
>>
>> # Referral
>> ref: ldap://dogma-to.loc/DC=ForestDnsZones,DC=dogma-to,DC=loc
>>
>> # returned 3 records
>> # 0 entries
>> # 3 referrals
>>
>> This is not the output the howto says I should see.
>>
>> It seems the account dns-DC1 does not exist:
>>
>> [root@server-addc ~]# samba-tool user list
>> Administrator
>> Guest
>> krbtgt
>> dns-server-addc
>> ospite
>>
>> Then I run
>>
>> [root@server-addc ~]# samba_upgradedns --verbose --dns-backend=BIND9_DLZ
>> Reading domain information
>> DNS accounts already exist
>> No zone file /var/lib/samba/bind-dns/dns/DOGMA-TO.LOC.zone
>> DNS records will be automatically created
>> DNS partitions already exist
>> dns-server-addc account already exists
>> Could not remove /var/lib/samba/private/named.conf: No such file or directory
>> Could not remove /var/lib/samba/private/named.conf.update: No such file or directory
>> Could not remove /var/lib/samba/private/named.txt: No such file or directory
>> Could not delete dir /var/lib/samba/private/dns: No such file or directory
>> See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
>> and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
>> Finished upgrading DNS
>>
>> But I cannot see the "Adding dns-DC1 account" message like the howto says.
>
> Follow what it says in the blue box under the ldbsearch output on the
> wiki page.
>
> Rowland
>
On a sidenote, your server has the name server-addc so your dns account name is dns-server-addc which exists on your server.
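Added example, not from any of the posters: a small POSIX sh helper that derives the BIND9_DLZ account name samba_upgradedns creates for a DC (dns-<short hostname>, so dns-server-addc on this host rather than the dns-DC1 placeholder from the wiki) and tells a referral-only ldbsearch result apart from a real match by reading the "# N entries" summary line. The referral-only sample is a constructed copy of the output shown in the thread; the "found" sample and the DN in it are assumptions about what a matching lookup looks like, and the live check at the end only runs when ldbsearch is installed and uses the same sam.ldb path and LDB_MODULES_PATH as the poster's command.

```shell
#!/bin/sh
# Added example (not from the thread): check the DNS account for this DC.

# The account is named dns-<short hostname>; on the poster's DC "server-addc"
# that is dns-server-addc.
expected_dns_account() {
    printf 'dns-%s\n' "$(hostname -s)"
}

# Constructed copy of the referral-only ldbsearch output from the thread:
# three referrals and zero entries, so the search matched nothing.
SAMPLE_REFERRAL_ONLY='# Referral
ref: ldap://dogma-to.loc/CN=Configuration,DC=dogma-to,DC=loc

# Referral
ref: ldap://dogma-to.loc/DC=DomainDnsZones,DC=dogma-to,DC=loc

# Referral
ref: ldap://dogma-to.loc/DC=ForestDnsZones,DC=dogma-to,DC=loc

# returned 3 records
# 0 entries
# 3 referrals'

# Constructed output of the shape a successful lookup produces (assumed DN).
SAMPLE_FOUND='# record 1
dn: CN=dns-server-addc,CN=Users,DC=dogma-to,DC=loc

# returned 1 records
# 1 entries
# 0 referrals'

# Print the number of matched entries reported in ldbsearch output ($1).
ldb_entry_count() {
    printf '%s\n' "$1" | sed -n 's/^# \([0-9][0-9]*\) entries$/\1/p' | head -n 1
}

# Print "present" if the output ($1) carries at least one entry and
# "absent" if it only carried referrals; referrals are not matches.
dns_account_state() {
    count=$(ldb_entry_count "$1")
    if [ "${count:-0}" -gt 0 ]; then
        echo present
    else
        echo absent
    fi
}

# Live check on a DC, using the same search as the thread (assumed paths).
live_check() {
    acct=$(expected_dns_account)
    out=$(LDB_MODULES_PATH=/usr/lib64/samba/ldb/ ldbsearch \
          -H /var/lib/samba/bind-dns/dns/sam.ldb "cn=$acct" dn 2>/dev/null)
    printf '%s: %s\n' "$acct" "$(dns_account_state "$out")"
}

if command -v ldbsearch >/dev/null 2>&1; then
    live_check
fi
```

The point of counting entries rather than eyeballing the output is that ldbsearch prints referrals even when nothing matched, which is exactly what confused the original lookup; "# 0 entries" is the line that says the account was not found.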
Dario Lesca
2017-Dec-04 20:14 UTC
[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
On Mon, 04/12/2017 at 18.12 +0100, Achim Gottinger via samba wrote:
> > > But I cannot see the "Adding dns-DC1 account" message like the howto says.
> >
> > Follow what it says in the blue box under the ldbsearch output on
> > the wiki page.
> >
> > Rowland
> >
> On a sidenote, your server has the name server-addc so your dns
> account name is dns-server-addc which exists on your server.

Ok, thanks Achim, now I have understood. Then the DNS account exists.

Now I execute the dns backend swap, like the blue box says, and when I switch to BIND9_DLZ the account is recreated:

[root@server-addc ~]# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/DOGMA-TO.LOC.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-server-addc account
See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

Then restart samba and bind

[root@server-addc ~]# systemctl restart named samba

But if I run the ldbsearch, the account still does not exist:

[root@server-addc ~]# LDB_MODULES_PATH=/usr/lib64/samba/ldb/ ldbsearch -H /var/lib/samba/bind-dns/dns/sam.ldb 'cn=dns-server-addc' dn
# Referral
ref: ldap://dogma-to.loc/CN=Configuration,DC=dogma-to,DC=loc

# Referral
ref: ldap://dogma-to.loc/DC=DomainDnsZones,DC=dogma-to,DC=loc

# Referral
ref: ldap://dogma-to.loc/DC=ForestDnsZones,DC=dogma-to,DC=loc

# returned 3 records
# 0 entries
# 3 referrals

and the initial problem persists:

[root@server-addc ~]# samba_dnsupdate --all-names --fail-immediately
update failed: REFUSED

dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: starting transaction on zone dogma-to.loc
dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: Starting GENSEC mechanism spnego
dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: Starting GENSEC submechanism gssapi_krb5
dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: GSS server Update(krb5)(1) Update failed: Unspecified GSS failure. Minor code may provide more information: Request is a replay
dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: spnego update failed
dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: client @0x7fb32d0c1320 192.168.41.1#36717/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: cancelling transaction on zone dogma-to.loc

-- 
Dario Lesca
(sent from my Linux Fedora 27 Workstation)
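Added example, not from the thread: a POSIX sh triage helper run over a constructed copy of the named journal lines in the message above. It pulls out the GSS minor-code reason ("Request is a replay"), the zone whose secure update was refused, and the key principal that presented the update, so the cause of a "rejected by secure update (REFUSED)" sits on one line instead of being buried in the transaction chatter. The function names and the one-line verdict format are my own; the log format is the one shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a samba_dlz/named journal
# excerpt so the reason a secure DNS update was refused is visible at a glance.

# Constructed copy of the journal lines posted in the thread.
SAMPLE_JOURNAL=$(cat <<'EOF'
dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: starting transaction on zone dogma-to.loc
dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: Starting GENSEC mechanism spnego
dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: Starting GENSEC submechanism gssapi_krb5
dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: GSS server Update(krb5)(1) Update failed: Unspecified GSS failure. Minor code may provide more information: Request is a replay
dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: spnego update failed
dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: client @0x7fb32d0c1320 192.168.41.1#36717/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: cancelling transaction on zone dogma-to.loc
EOF
)

# GSS minor-code text from the first "GSS server Update ... failed" line in $1.
gss_failure_reason() {
    printf '%s\n' "$1" \
        | grep 'GSS server Update' \
        | sed 's/.*Minor code may provide more information: //' \
        | head -n 1
}

# Number of updates named rejected with "rejected by secure update (REFUSED)".
# grep -c prints 0 on no match but exits 1, so keep the status clean.
refused_update_count() {
    printf '%s\n' "$1" | grep -c 'rejected by secure update (REFUSED)' || true
}

# Zone named in the refused update line ("updating zone 'zone/NONE'").
refused_zone() {
    printf '%s\n' "$1" \
        | sed -n "s/.*updating zone '\([^/']*\)\/[^']*'.*REFUSED.*/\1/p" \
        | head -n 1
}

# Key principal that presented the refused update ("/key PRINCIPAL:").
refused_key() {
    printf '%s\n' "$1" \
        | sed -n 's/.*\/key \([^:]*\): updating zone.*REFUSED.*/\1/p' \
        | head -n 1
}

# One-line verdict. Only report a GSS cause when the excerpt holds both the
# REFUSED line and a GSS failure; a refusal without one needs a different look.
triage() {
    reason=$(gss_failure_reason "$1")
    n=$(refused_update_count "$1")
    if [ "$n" -gt 0 ] && [ -n "$reason" ]; then
        printf '%s refused update(s) on %s by key %s: GSS failure: %s\n' \
            "$n" "$(refused_zone "$1")" "$(refused_key "$1")" "$reason"
    elif [ "$n" -gt 0 ]; then
        printf '%s refused update(s) on %s, no GSS failure logged\n' \
            "$n" "$(refused_zone "$1")"
    else
        echo 'no refused updates in excerpt'
    fi
}

triage "$SAMPLE_JOURNAL"
```

On a live DC the same functions can be fed `journalctl -u named` output instead of the sample; the key principal line is worth keeping in the verdict because it shows which machine account's credentials the refused update was signed with.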