thr3ads.net - samba - [Samba] Dynamic DNS Update Error GSS failure [Jan 2018]

If this information is useful, please help other people find it:
Share via:

Ronny Preiss

2018-Jan-07 22:02 UTC

[Samba] Dynamic DNS Update Error GSS failure

Hi @ all,

 

I try to update the DNS records from my DHCP Clients to my AD DC but there
ist an issue with the GSSAPI I don't know how to solve.

 

For this I followed this guide.

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_B
IND9

 

GSSAPI Error:

start_gssrequest

tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor
code may provide more information, Minor = No credentials found with
supported encryption types (filename: /tmp/dhcp-dyndns.cc).

 

Here is my keytab file:

 

ktutil -k /etc/dhcpduser.keytab list

/etc/dhcpduser.keytab:

 

Vno  Type                     Principal                Aliases

  2  aes256-cts-hmac-sha1-96  dhcpduser at PROD.CORP.INT
<mailto:dhcpduser at PROD.CORP.INT> 

  2  aes128-cts-hmac-sha1-96  dhcpduser at PROD.CORP.INT
<mailto:dhcpduser at PROD.CORP.INT> 

  2  arcfour-hmac-md5         dhcpduser at PROD.CORP.INT
<mailto:dhcpduser at PROD.CORP.INT> 

  2  des-cbc-md5              dhcpduser at PROD.CORP.INT
<mailto:dhcpduser at PROD.CORP.INT> 

  2  des-cbc-crc              dhcpduser at PROD.CORP.INT
<mailto:dhcpduser at PROD.CORP.INT> 

 

System Information

 

- Raspberry Pi 3 Model B

- Raspian Stretch

- Samba Version 4.7.4

- BIND Version 9.11.2

- BIND9 built by

make '--prefix' '/usr/local/bind9' '--enable-shared'

 

   '--enable-static' '--with-openssl=/usr'

   '--with-gssapi=/usr/include/gssapi' '--with-libtool'

   '--with-dlopen=yes' '--enable-threads'
'--enable-largefile'

   '--with-gnu-ld' '--enable-ipv6'
'CFLAGS=-fno-strict-aliasing'

   'CFLAGS=-DDIG_SIGCHASE' 'CFLAGS=-O2'

 

bind9 named.conf https://pastebin.com/HW88rwbe

 

samba named.conf https://pastebin.com/zi7Fm27T

 

samba smb.conf https://pastebin.com/i1fmj56T

 

If more information needed, feel free and ask me, I'll do my best to provide
them.

 

Greetings Ronny

Rowland Penny

2018-Jan-07 22:24 UTC

head link

[Samba] Dynamic DNS Update Error GSS failure

On Sun, 7 Jan 2018 23:02:20 +0100
Ronny Preiss via samba <samba at lists.samba.org> wrote:
> Hi @ all,
> 
>  
> 
> I try to update the DNS records from my DHCP Clients to my AD DC but
> there ist an issue with the GSSAPI I don't know how to solve.
> 
>  
> 
> For this I followed this guide.
> 
>
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_B
> IND9
> 
>  
> 
> GSSAPI Error:
> 
> start_gssrequest
> 
> tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
> Minor code may provide more information, Minor = No credentials found
> with supported encryption types (filename: /tmp/dhcp-dyndns.cc).
> 
>  
> 
> Here is my keytab file:
> 
>  
> 
> ktutil -k /etc/dhcpduser.keytab list
> 
> /etc/dhcpduser.keytab:
> 
>  
> 
> Vno  Type                     Principal                Aliases
> 
>   2  aes256-cts-hmac-sha1-96  dhcpduser at PROD.CORP.INT
> <mailto:dhcpduser at PROD.CORP.INT> 
> 
>   2  aes128-cts-hmac-sha1-96  dhcpduser at PROD.CORP.INT
> <mailto:dhcpduser at PROD.CORP.INT> 
> 
>   2  arcfour-hmac-md5         dhcpduser at PROD.CORP.INT
> <mailto:dhcpduser at PROD.CORP.INT> 
> 
>   2  des-cbc-md5              dhcpduser at PROD.CORP.INT
> <mailto:dhcpduser at PROD.CORP.INT> 
> 
>   2  des-cbc-crc              dhcpduser at PROD.CORP.INT
> <mailto:dhcpduser at PROD.CORP.INT> 
> 
> 
Don't you mean ' klist -e -k /etc/dhcpduser.keytab' ?

If so, it should show something like this:

Keytab name: FILE:/etc/dhcpduser.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dhcpduser at SAMDOM.EXAMPLE.COM (aes256-cts-hmac-sha1-96) 
   1 dhcpduser at SAMDOM.EXAMPLE.COM (aes128-cts-hmac-sha1-96) 
   1 dhcpduser at SAMDOM.EXAMPLE.COM (arcfour-hmac) 
   1 dhcpduser at SAMDOM.EXAMPLE.COM (des-cbc-md5) 
   1 dhcpduser at SAMDOM.EXAMPLE.COM (des-cbc-crc) 
> 
> System Information
> 
>  
> 
> - Raspberry Pi 3 Model B
> 
> - Raspian Stretch
> 
> - Samba Version 4.7.4
> 
> - BIND Version 9.11.2
> 
> - BIND9 built by
> 
> make '--prefix' '/usr/local/bind9'
'--enable-shared'
> 
>  
> 
>    '--enable-static' '--with-openssl=/usr'
> 
>    '--with-gssapi=/usr/include/gssapi' '--with-libtool'
> 
>    '--with-dlopen=yes' '--enable-threads'
'--enable-largefile'
> 
>    '--with-gnu-ld' '--enable-ipv6'
'CFLAGS=-fno-strict-aliasing'
> 
>    'CFLAGS=-DDIG_SIGCHASE' 'CFLAGS=-O2'
> 
>  
There is no need to build Bind on strech, just use the debian package,
also '--with-dlopen' is now built in, the setting no longer exists.
> 
> bind9 named.conf https://pastebin.com/HW88rwbe
Yes, but what is in:

/etc/bind/named.conf.options
/etc/bind/named.conf.local
/etc/bind/named.conf.default-zones
> 
>  
> 
> samba named.conf https://pastebin.com/zi7Fm27T
nothing wrong there.
> 
>  
> 
> samba smb.conf https://pastebin.com/i1fmj56T
Nothing wrong there either.
> 
>  
> 
> If more information needed, feel free and ask me, I'll do my best to
> provide them.
Post what is in /etc/hostname, etc/hosts, /etc/resolv.conf
and /etc/krb5.conf.

Rowland

Maybe Matching Threads

Search for more maybe matching threads

samba - Jan 2018 - Dynamic DNS Update Error GSS failure

[Samba] Dynamic DNS Update Error GSS failure

[Samba] Dynamic DNS Update Error GSS failure

Maybe Matching Threads