samba - Dec 2017 - Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

On Mon, 04 Dec 2017 16:31:16 +0100
Dario Lesca via samba <samba at lists.samba.org> wrote:
> Il giorno lun, 04/12/2017 alle 16.00 +0100, Dario Lesca via samba ha
> scritto:
> > The samba command
> > 
> >     samba_dnsupdate --verbose  --all-names --fail-immediately
> > 
> > not work
> 
> I have add '-d 9' to dlz section
> 
>     dlz "AD DNS Zone" {
>         # For BIND 9.11.x
>          database "dlopen /usr/lib64/samba/bind9/dlz_bind9_11.so -d
> 9"; };
> 
> And this is the debug message:
> 
>     [    root at server-addc     ~]# samba_dnsupdate --all-names
> --fail-immediately update failed: REFUSED
> 
>     dic 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz:
> starting transaction on zone dogma-to.loc dic 04 16:25:21
> server-addc.dogma-to.loc named[1121]: samba_dlz: Starting GENSEC
> mechanism spnego dic 04 16:25:21 server-addc.dogma-to.loc
> named[1121]: samba_dlz: Starting GENSEC submechanism gssapi_krb5 dic
> 04 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: GSS
> server Update(krb5)(1) Update failed: Unspecified GSS failure.  Minor
> code may provide more information: Request is a replay dic 04
> 16:25:21 server-addc.dogma-to.loc named[1121]: samba_dlz: spnego
> update failed dic 04 16:25:21 server-addc.dogma-to.loc named[1121]:
> client @0x7fafe90c3400 192.168.41.1#57335/key
> SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE':
> update failed: rejected by secure update (REFUSED) dic 04 16:25:21
> server-addc.dogma-to.loc named[1121]: samba_dlz: cancelling
> transaction on zone dogma-to.loc
> 
> Can this help us?
> 
> Thanks
> 
The significant word there is 'replay'.

see here:

https://lists.samba.org/archive/samba/2017-November/211990.html

Rowland

Il giorno lun, 04/12/2017 alle 16.02 +0000, Rowland Penny via samba ha
scritto:
> The significant word there is 'replay'.
> 
> see here:
> 
> https://lists.samba.org/archive/samba/2017-November/211990.html
> 
> 
Thank Rowland, this tread 
https://lists.samba.org/archive/samba/2017-November/thread.html#212035
is very usefull.

Then my problem is a bug already filled:
https://bugzilla.samba.org/show_bug.cgi?id=13066

I must only ignore this error, wait for a patch and follow the Andreas
suggest:
> > But what would be the right way to test DNS updates in this
> scenario?
> 
> Use a joined workstation and run 'net ads dns register'? Or you
> disable the replay cache on the server side ...
Question: howto I can "disable the replay cache" ?

Thanks

-- 
Dario Lesca
(inviato dal mio Linux Fedora 27 Workstation)

On Mon, 04 Dec 2017 21:42:21 +0100
Dario Lesca via samba <samba at lists.samba.org> wrote:
> Il giorno lun, 04/12/2017 alle 16.02 +0000, Rowland Penny via samba ha
> scritto:
> > The significant word there is 'replay'.
> > 
> > see here:
> > 
> > https://lists.samba.org/archive/samba/2017-November/211990.html
> > 
> > 
> 
> Thank Rowland, this tread 
> https://lists.samba.org/archive/samba/2017-November/thread.html#212035
> is very usefull.
> 
> Then my problem is a bug already filled:
> https://bugzilla.samba.org/show_bug.cgi?id=13066
> 
> I must only ignore this error, wait for a patch and follow the Andreas
> suggest:
> 
> > > But what would be the right way to test DNS updates in this
> > scenario?
> > 
> > Use a joined workstation and run 'net ads dns register'? Or
you
> > disable the replay cache on the server side ...
> 
> Question: howto I can "disable the replay cache" ?
> 
> Thanks
> 
First and foremost, I do not use MIT kerberos, so I am not sure if this
will work, but I found this webpage:

https://web.mit.edu/kerberos/krb5-1.12/doc/basic/rcache_def.html

Where it says that if you set the enviromental variable KRB5RCACHETYPE
to 'none' it will not be used i.e. 'export KRB5RCACHETYPE=none'

Rowland