Zuzanna K. Filutowska
2018-Oct-16 16:47 UTC
[Samba] Samba AD DC + external DHCP + BIND9_DLZ dynamic dns updates doesn't work for domain members.
Dear All,

I have a setup with samba acting as active directory domain controller, DNS updates are done via bind DLZ. I have recompiled it to allow spnego. DHCP server is external, no changes in it are possible. Domain members try to register in the DNS, KDC is aware of them, however no DNS entries for them are created and BIND returns errors. Any hints are welcome since I really need it working. Thank you in advance.

samba log:

samba version 4.8.5 started.
Copyright Andrew Tridgell and the Samba Team 1992-2018
[2018/10/16 18:29:56.934115, 0] ../source4/smbd/server.c:638(binary_smbd_main)
  binary_smbd_main: samba: using 'standard' process model
[2018/10/16 18:29:57.251109, 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
  /usr/sbin/krb5kdc: krb5kdc: starting...

named log:

16-Oct-2018 18:29:53.526 general: info: managed-keys-zone: loaded serial 0
16-Oct-2018 18:29:53.538 general: info: zone localhost/IN: loaded serial 0
16-Oct-2018 18:29:53.539 general: info: zone virtual/IN: loaded serial 0
16-Oct-2018 18:29:53.539 general: info: zone 0.0.127.in-addr.arpa/IN: loaded serial 1
16-Oct-2018 18:29:53.540 general: notice: all zones loaded
16-Oct-2018 18:29:53.540 general: notice: running
16-Oct-2018 18:30:03.684 resolver: info: resolver priming query complete
16-Oct-2018 18:30:08.719 database: info: samba_dlz: starting transaction on zone XXXX
16-Oct-2018 18:30:08.724 update-security: error: client @0x7fe2b4418390 10.8.0.6#50122: update 'XXXX/IN' denied
16-Oct-2018 18:30:08.724 database: info: samba_dlz: cancelling transaction on zone XXXX
16-Oct-2018 18:30:09.240 database: info: samba_dlz: starting transaction on zone XXXX
16-Oct-2018 18:30:09.248 database: error: samba_dlz: spnego update failed
16-Oct-2018 18:30:09.248 update: info: client @0x7fe2b4418390 10.8.0.6#44955/key ZKF-VM01\$\@XXXX: updating zone 'XXXX/NONE': update failed: rejected by secure update (REFUSED)
16-Oct-2018 18:30:09.248 database: info: samba_dlz: cancelling transaction on zone XXXX
16-Oct-2018 18:30:24.880 resolver: info: resolver priming query complete
16-Oct-2018 18:30:25.041 resolver: info: resolver priming query complete

kdc log:

paź 16 18:29:57 dc01.XXXX krb5kdc[41865](Error): preauth spake failed to initialize: No SPAKE preauth groups configured
paź 16 18:29:57 dc01.XXXX krb5kdc[41865](info): setting up network...
krb5kdc: setsockopt(17,IPV6_V6ONLY,1) worked
krb5kdc: setsockopt(19,IPV6_V6ONLY,1) worked
paź 16 18:29:57 dc01.XXXX krb5kdc[41865](info): set up 4 sockets
paź 16 18:29:57 dc01.XXXX krb5kdc[41865](info): commencing operation
paź 16 18:30:06 dc01.XXXX krb5kdc[41865](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 10.8.0.6: ISSUE: authtime 1539706701, etypes {rep=18 tkt=23 ses=23}, ZKF-VM01$@XXXX for DNS/dc01.XXXX at XXXX
paź 16 18:30:06 dc01.XXXX krb5kdc[41865](info): closing down fd 20
samba-kdc: samba_kdc_fetch: message2entry failed

--
-- Regards,
-- Zuzanna K. Filutowska
www: platyna.info
One must have perseverance and faith in oneself, that one is capable of something. -- Maria Curie-Skłodowska
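
A triage aid for the two log excerpts in the post above, added here as an example (it is not part of the original message, nor code from Samba or BIND): it pairs each refused secure update in the named log with a DNS/ service ticket the KDC issued to the same client and principal shortly before. The sample lines are constructed in the post's format with placeholder realm and host names; `correlate`, the 30-second window and the same-day assumption are choices made for this example.

```python
import re

# Constructed sample lines in the format shown in the post; realm and host
# names (EXAMPLE.TEST, dc01.example.test) are placeholders.
NAMED_LOG = r"""
16-Oct-2018 18:30:09.248 database: error: samba_dlz: spnego update failed
16-Oct-2018 18:30:09.248 update: info: client @0x7fe2b4418390 10.8.0.6#44955/key ZKF-VM01\$\@EXAMPLE.TEST: updating zone 'EXAMPLE.TEST/NONE': update failed: rejected by secure update (REFUSED)
"""
KDC_LOG = """
paź 16 18:30:06 dc01.example.test krb5kdc[41865](info): TGS_REQ (5 etypes {18 17 23 24 -135}) 10.8.0.6: ISSUE: authtime 1539706701, etypes {rep=18 tkt=23 ses=23}, ZKF-VM01$@EXAMPLE.TEST for DNS/dc01.example.test@EXAMPLE.TEST
"""

REFUSED = re.compile(r"(\d\d):(\d\d):(\d\d)\.\d+ update: info: client @\S+ "
                     r"([\d.]+)#\d+/key (\S+): .*rejected by secure update")
TGS = re.compile(r"(\d\d):(\d\d):(\d\d) \S+ krb5kdc\[\d+\]\(info\): TGS_REQ .*? "
                 r"([\d.]+): ISSUE: .*etypes \{rep=\d+ tkt=(\d+) ses=(\d+)\}, "
                 r"(\S+) for (DNS/\S+)")
# Kerberos encryption type numbers seen in the KDC line.
ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _secs(h, m, s):
    return int(h) * 3600 + int(m) * 60 + int(s)

def correlate(named_log, kdc_log, window=30):
    """For each refused secure update, find a DNS/ ticket issued to the same
    client IP and principal in the preceding `window` seconds (same day assumed)."""
    tickets = [(_secs(*m.group(1, 2, 3)), m.group(4), m.group(7), m.group(8),
                int(m.group(5)), int(m.group(6))) for m in TGS.finditer(kdc_log)]
    findings = []
    for m in REFUSED.finditer(named_log):
        when, ip = _secs(*m.group(1, 2, 3)), m.group(4)
        # $ and @ appear backslash-escaped in named's key name, as in the post.
        principal = m.group(5).replace("\\", "")
        hit = next((t for t in tickets if t[1] == ip and t[2] == principal
                    and 0 <= when - t[0] <= window), None)
        findings.append({
            "client": ip, "principal": principal, "ticket_issued": hit is not None,
            "service": hit[3] if hit else None,
            "tkt_etype": ETYPES.get(hit[4], str(hit[4])) if hit else None,
            "ses_etype": ETYPES.get(hit[5], str(hit[5])) if hit else None,
        })
    return findings

if __name__ == "__main__":
    for finding in correlate(NAMED_LOG, KDC_LOG):
        print(finding)
```

A finding with `ticket_issued` set to `True` means the client already held a DNS/ service ticket when named logged the refusal, so the rejection was logged at the samba_dlz SPNEGO step rather than at ticket issuance.
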
Rowland Penny
2018-Oct-16 17:25 UTC
[Samba] Samba AD DC + external DHCP + BIND9_DLZ dynamic dns updates doesn't work for domain members.
On Tue, 16 Oct 2018 18:47:30 +0200 "Zuzanna K. Filutowska via samba" <samba at lists.samba.org> wrote:

> Dear All,
>
> I have a setup with samba acting as active directory domain
> controller, DNS updates are done via bind DLZ. I have recompiled it
> to allow spnego. DHCP server is external, no changes in it are
> possible. Domain members try to register in the DNS, KDC is aware of
> them, however no DNS entries for them are created and BIND returns
> errors. Any hints are welcome since I really need it working. Thank
> you in advance.
>
> samba log:
> samba version 4.8.5 started.
> Copyright Andrew Tridgell and the Samba Team 1992-2018
> [2018/10/16 18:29:56.934115,
> 0] ../source4/smbd/server.c:638(binary_smbd_main) binary_smbd_main:
> samba: using 'standard' process model [2018/10/16 18:29:57.251109, 0]
> ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> /usr/sbin/krb5kdc: krb5kdc: starting...
>

Is this on a Red Hat OS using MIT for Samba?
If so, I suggest you recompile Samba to use Heimdal instead. There are numerous limitations with using MIT; because of these, using MIT is still considered experimental.

Rowland
Zuzanna K. Filutowska
2018-Oct-16 17:37 UTC
[Samba] Samba AD DC + external DHCP + BIND9_DLZ dynamic dns updates doesn't work for domain members.
On Tue, 16.10.2018 at 18:25 +0100, Rowland Penny via samba wrote:

> On Tue, 16 Oct 2018 18:47:30 +0200
> "Zuzanna K. Filutowska via samba" <samba at lists.samba.org> wrote:
>
> > Dear All,
> >
> > I have a setup with samba acting as active directory domain
> > controller, DNS updates are done via bind DLZ. I have recompiled it
> > to allow spnego. DHCP server is external, no changes in it are
> > possible. Domain members try to register in the DNS, KDC is aware of
> > them, however no DNS entries for them are created and BIND returns
> > errors. Any hints are welcome since I really need it working. Thank
> > you in advance.
> >
> > samba log:
> > samba version 4.8.5 started.
> > Copyright Andrew Tridgell and the Samba Team 1992-2018
> > [2018/10/16 18:29:56.934115,
> > 0] ../source4/smbd/server.c:638(binary_smbd_main) binary_smbd_main:
> > samba: using 'standard' process model [2018/10/16 18:29:57.251109, 0]
> > ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> > /usr/sbin/krb5kdc: krb5kdc: starting...
> >
>
> Is this on a red-hat OS using MIT for Samba ?
> If so, I suggest you recompile Samba to use Heimdal instead. There are
> numerous limitations with using MIT, because of these, using MIT is
> still considered experimental.

It is Fedora Server and it uses MIT; these are default packages that come with the system.

--
-- Regards,
-- Zuzanna K. Filutowska
www: platyna.info
One must have perseverance and faith in oneself, that one is capable of something. -- Maria Curie-Skłodowska