Elias Pereira
2018-Jul-02 17:22 UTC
[Samba] client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
> I repeat, Bind 9.12.x is unsupported at this time, just because it
> worked once is no reason to use it. It may have nothing to do with your
> problem, but using a supported Bind version will rule it out.

Ok. :)

I'll reinstall using supported version 9.11.3-2

> OK, your server, but I think you should be aware that I have been using
> Bind9 with Samba since December 2012 and I have never used the rndc.key

Without these entries, the error below always appears in the logs.

Jul 2 12:37:23 dc3 named[20416]: configuring command channel from '/etc/bind/rndc.key'
Jul 2 12:37:23 dc3 named[20416]: couldn't add command channel ::1#953: address not available

> That is if you are using the MIT kerberos with Samba, instead of the
> default HEIMDAL.

ok. I remove it. I use HEIMDAL.

Client update denied error still remains in the logs.

Does this error interfere with client updates with ADDC or is this something with bind?

On Mon, Jul 2, 2018 at 12:31 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 2 Jul 2018 12:12:07 -0300
> Elias Pereira via samba <samba at lists.samba.org> wrote:
>
> > > Hmm, bind 9.12.x isn't supported yet.
> >
> > He works with "dlopen
> > /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so" without
> > problems, at first.
>
> I repeat, Bind 9.12.x is unsupported at this time, just because it
> worked once is no reason to use it. It may have nothing to do with your
> problem, but using a supported Bind version will rule it out.
>
> > > include "/etc/bind/rndc.key";
> > > controls {
> > >     inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
> > > };
> > > You do not need the four lines above
> >
> > Ok, but if I leave it, does not have problems either, I believe!?
>
> OK, your server, but I think you should be aware that I have been using
> Bind9 with Samba since December 2012 and I have never used the rndc.key
>
> > > You mention '#public IP' twice, are they both the same IP and is it
> > > the DC ipaddress and if so, why are you trying to forward the DC to
> > > itself ?
> >
> > No, two different networks.
> > xxx.xxx.xxx.0/26
> > xxx.xxx.xxx.128/26
> >
> > Sometimes the "samba_dlz: spnego update failed" appears in the log. I
> > found this link talks about the problem.
> > https://bugzilla.redhat.com/show_bug.cgi?id=1528867
> >
> > I added the "KRB5RCACHETYPE="none"" on the /etc/default/bind9, but the
> > error message keeps.
>
> That is if you are using the MIT kerberos with Samba, instead of the
> default HEIMDAL.
>
> Rowland

--
Elias Pereira
Rowland Penny
2018-Jul-02 17:49 UTC
[Samba] client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
On Mon, 2 Jul 2018 14:22:36 -0300
Elias Pereira via samba <samba at lists.samba.org> wrote:

> > I repeat, Bind 9.12.x is unsupported at this time, just because it
> > worked once is no reason to use it. It may have nothing to do with
> > your problem, but using a supported Bind version will rule it out.
>
> Ok. :)
>
> I'll reinstall using supported version 9.11.3-2
>
> > OK, your server, but I think you should be aware that I have been using
> > Bind9 with Samba since December 2012 and I have never used the rndc.key
>
> Without these entries, the error below always appears in the logs.
>
> Jul 2 12:37:23 dc3 named[20416]: configuring command channel from '/etc/bind/rndc.key'
> Jul 2 12:37:23 dc3 named[20416]: couldn't add command channel ::1#953: address not available

okay, perhaps I should have said that I have never had any mention of rndc.key in the bind conf files. I use Devuan and this splits the named conf files into separate parts, I only alter two of these:

/etc/bind/named.conf.options

options {
    directory "/var/cache/bind";
    version "0.0.7";

    forwarders { 8.8.8.8; 8.8.4.4; };

    dnssec-validation no;

    auth-nxdomain yes;    # conform to RFC1035 =no
    listen-on-v6 { none; };
    listen-on port 53 { 192.168.0.6; 127.0.0.1; };
    notify no;
    empty-zones-enable no;

    // Add any subnets or hosts you want to allow to use this DNS server
    allow-query { 192.168.0.0/24; 127.0.0.1/32; };
    // Add any subnets or hosts you want to allow to use recursive queries
    allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };

    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

/etc/bind/named.conf.local

include "/var/lib/samba/private/named.conf";

When I restart Bind9, I get (amongst the other lines) these lines in /var/log/syslog

Jul 2 18:32:57 dc4 named[3133]: set up managed keys zone for view _default, file 'managed-keys.bind'
Jul 2 18:32:57 dc4 named[3133]: configuring command channel from '/etc/bind/rndc.key'
Jul 2 18:32:57 dc4 named[3133]: command channel listening on 127.0.0.1#953
Jul 2 18:32:57 dc4 named[3133]: configuring command channel from '/etc/bind/rndc.key'
Jul 2 18:32:57 dc4 named[3133]: command channel listening on ::1#953

So I don't have the lines in the named conf files but it is still used, you need to find out why it doesn't work for you.

> Client update denied error still remains in the logs.

I don't know what error you are getting, even if you have posted it, can you post the full error. Can you please post all the lines from syslog around the error and not just the error.

> Does this error interfere with client updates with ADDC or is this
> something with bind?

No, the rndc error is for the command channel and I am sure this isn't affecting updates.

Rowland
Elias Pereira
2018-Jul-03 01:56 UTC
[Samba] client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
> I don't know what error you are getting, even if you have posted it,
> can you post the full error. Can you please post all the lines from
> syslog around the error and not just the error.

The only logs that show is below.

./daemon.log.1:33430:Jul 2 06:16:28 dc3 named[9754]: client 10.10.4.3#52074: update 'campus.company.intra/IN' denied
./daemon.log.1:33432:Jul 2 06:17:03 dc3 named[9754]: client 10.10.1.2#58780: update 'campus. company.intra /IN' denied
./daemon.log.1:33433:Jul 2 06:17:03 dc3 named[9754]: client 10.10.1.2#56611: update 'campus. company.intra /IN' denied
./daemon.log.1:33436:Jul 2 06:18:53 dc3 named[9754]: client 10.10.5.12#60664: update 'campus. company.intra /IN' denied
./daemon.log.1:33442:Jul 2 06:24:43 dc3 named[9754]: client 10.10.5.12#55716: update 'campus. company.intra /IN' denied

Maybe execute dlz_bind9_11.so in *debug* <https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Debugging_the_BIND9_DLZ_Module> mode for more information?

On Mon, Jul 2, 2018 at 2:50 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 2 Jul 2018 14:22:36 -0300
> Elias Pereira via samba <samba at lists.samba.org> wrote:
>
> > > I repeat, Bind 9.12.x is unsupported at this time, just because it
> > > worked once is no reason to use it. It may have nothing to do with
> > > your problem, but using a supported Bind version will rule it out.
> >
> > Ok. :)
> >
> > I'll reinstall using supported version 9.11.3-2
> >
> > > OK, your server, but I think you should be aware that I have been using
> > > Bind9 with Samba since December 2012 and I have never used the rndc.key
> >
> > Without these entries, the error below always appears in the logs.
> >
> > Jul 2 12:37:23 dc3 named[20416]: configuring command channel from '/etc/bind/rndc.key'
> > Jul 2 12:37:23 dc3 named[20416]: couldn't add command channel ::1#953: address not available
>
> okay, perhaps I should have said that I have never had any mention of
> rndc.key in the bind conf files. I use Devuan and this splits the named
> conf files into separate parts, I only alter two of these:
>
> /etc/bind/named.conf.options
>
> options {
>     directory "/var/cache/bind";
>     version "0.0.7";
>
>     forwarders { 8.8.8.8; 8.8.4.4; };
>
>     dnssec-validation no;
>
>     auth-nxdomain yes;    # conform to RFC1035 =no
>     listen-on-v6 { none; };
>     listen-on port 53 { 192.168.0.6; 127.0.0.1; };
>     notify no;
>     empty-zones-enable no;
>
>     // Add any subnets or hosts you want to allow to use this DNS server
>     allow-query { 192.168.0.0/24; 127.0.0.1/32; };
>     // Add any subnets or hosts you want to allow to use recursive queries
>     allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
>
>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> /etc/bind/named.conf.local
>
> include "/var/lib/samba/private/named.conf";
>
> When I restart Bind9, I get (amongst the other lines) these lines
> in /var/log/syslog
>
> Jul 2 18:32:57 dc4 named[3133]: set up managed keys zone for view _default, file 'managed-keys.bind'
> Jul 2 18:32:57 dc4 named[3133]: configuring command channel from '/etc/bind/rndc.key'
> Jul 2 18:32:57 dc4 named[3133]: command channel listening on 127.0.0.1#953
> Jul 2 18:32:57 dc4 named[3133]: configuring command channel from '/etc/bind/rndc.key'
> Jul 2 18:32:57 dc4 named[3133]: command channel listening on ::1#953
>
> So I don't have the lines in the named conf files but it is still used,
> you need to find out why it doesn't work for you.
>
> > Client update denied error still remains in the logs.
>
> I don't know what error you are getting, even if you have posted it,
> can you post the full error. Can you please post all the lines from
> syslog around the error and not just the error.
>
> > Does this error interfere with client updates with ADDC or is this
> > something with bind?
>
> No, the rndc error is for the command channel and I am sure this isn't
> affecting updates.
>
> Rowland

--
Elias Pereira
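
Added example, not part of the original thread: a Python script that tallies named's "update ... denied" lines per client and zone, accepting both the "client @0x... IP#port" form from the subject line and the plain "client IP#port" form from the daemon.log excerpts. The sample lines are constructed from the formats quoted above, and the function name denied_updates is an assumption.

```python
import ipaddress
import re
from collections import Counter

# named's "update ... denied" message. The "@0x..." client pointer is optional:
# it appears in this thread's subject line but not in the daemon.log excerpts.
DENIED = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-fA-F]+ )?"
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^']+)' denied"
)

def denied_updates(lines):
    """Count denied dynamic updates per (client IP, zone). Hypothetical helper."""
    hits = Counter()
    for line in lines:
        m = DENIED.search(line)  # search() skips any "file:lineno:" grep prefix
        if m is None:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # not a valid address, ignore the line
        # Pasted log lines in the thread contain stray spaces inside the zone.
        zone = re.sub(r"\s+", "", m.group("zone"))
        hits[(str(ip), zone)] += 1
    return hits

# Constructed sample input, modelled on the log formats quoted in the thread.
SAMPLE = [
    "./daemon.log.1:33430:Jul  2 06:16:28 dc3 named[9754]: client 10.10.4.3#52074: "
    "update 'campus.company.intra/IN' denied",
    "./daemon.log.1:33432:Jul  2 06:17:03 dc3 named[9754]: client 10.10.1.2#58780: "
    "update 'campus. company.intra /IN' denied",
    "./daemon.log.1:33433:Jul  2 06:17:03 dc3 named[9754]: client 10.10.1.2#56611: "
    "update 'campus. company.intra /IN' denied",
    "Jul  2 12:40:01 dc3 named[20416]: client @0x7f6ed800bc20 172.16.5.86#62582: "
    "update 'campus.company.intra/IN' denied",
    "Jul  2 12:37:23 dc3 named[20416]: couldn't add command channel ::1#953: "
    "address not available",
]

if __name__ == "__main__":
    for (ip, zone), n in denied_updates(SAMPLE).most_common():
        print(f"{n:3d}  {ip:15s}  {zone}")
```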