Zuzanna K. Filutowska
2018-Oct-16 17:37 UTC
[Samba] Samba AD DC + external DHCP + BIND9_DLZ dynamic dns updates doesn't work for domain members.
W dniu wto, 16.10.2018 o godzinie 18∶25 +0100, użytkownik Rowland Penny via samba napisał:> On Tue, 16 Oct 2018 18:47:30 +0200 > "Zuzanna K. Filutowska via samba" <samba at lists.samba.org> wrote: > > > Dear All, > > > > I have a setup with samba acting as active directory domain > > controller, DNS updates are done via bind DLZ. I have recompiled it > > to allow spnego. DHCP server is external, no changes in it are > > possible. Domain members try to register in the DNS, KDC is aware of > > them, however no DNS entries for them are created and BIND returns > > errors. Any hints are welcome since I really need it working. Thank > > you in advance. > > > > samba log: > > samba version 4.8.5 started. > > Copyright Andrew Tridgell and the Samba Team 1992-2018 > > [2018/10/16 18:29:56.934115, > > 0] ../source4/smbd/server.c:638(binary_smbd_main) binary_smbd_main: > > samba: using 'standard' process model [2018/10/16 18:29:57.251109, 0] > > ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) > > /usr/sbin/krb5kdc: krb5kdc: starting... > > > > Is this on a red-hat OS using MIT for Samba ? > If so, I suggest you recompile Samba to use Heimdal instead. There are > numerous limitations with using MIT, because of these, using MIT is > still considered experimental.It is Fedora Server and it uses MIT, these are default packages that come with the system. -- -- Pozdrawiam, -- Zuzanna K. Filutowska www: http://platyna.info Trzeba mieć wytrwałość i wiarę w siebie, że jest się do czegoś zdolnym. -- Maria Curie-Skłodowska
Rowland Penny
2018-Oct-16 17:52 UTC
[Samba] Samba AD DC + external DHCP + BIND9_DLZ dynamic dns updates doesn't work for domain members.
On Tue, 16 Oct 2018 19:37:21 +0200 "Zuzanna K. Filutowska via samba" <samba at lists.samba.org> wrote:> W dniu wto, 16.10.2018 o godzinie 18∶25 +0100, użytkownik Rowland > Penny via samba napisał: > > On Tue, 16 Oct 2018 18:47:30 +0200 > > "Zuzanna K. Filutowska via samba" <samba at lists.samba.org> wrote: > > > > > Dear All, > > > > > > I have a setup with samba acting as active directory domain > > > controller, DNS updates are done via bind DLZ. I have recompiled > > > it to allow spnego. DHCP server is external, no changes in it are > > > possible. Domain members try to register in the DNS, KDC is aware > > > of them, however no DNS entries for them are created and BIND > > > returns errors. Any hints are welcome since I really need it > > > working. Thank you in advance. > > > > > > samba log: > > > samba version 4.8.5 started. > > > Copyright Andrew Tridgell and the Samba Team 1992-2018 > > > [2018/10/16 18:29:56.934115, > > > 0] ../source4/smbd/server.c:638(binary_smbd_main) > > > binary_smbd_main: samba: using 'standard' process model > > > [2018/10/16 18:29:57.251109, > > > 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) /usr/sbin/krb5kdc: > > > krb5kdc: starting... > > > > > > > Is this on a red-hat OS using MIT for Samba ? > > If so, I suggest you recompile Samba to use Heimdal instead. There > > are numerous limitations with using MIT, because of these, using > > MIT is still considered experimental. > > It is Fedora Server and it uses MIT, these are default packages that > come with the system. >I would suggest you file a bug on Fedora, whilst you can provision an AD DC with the Fedora packages, there are several problems that make them unsuitable in production (Computer GPO's not applying, for instance) and it looks like you may possibly have found another problem. Rowland
Andrew Bartlett
2018-Oct-16 18:10 UTC
[Samba] Samba AD DC + external DHCP + BIND9_DLZ dynamic dns updates doesn't work for domain members.
On Tue, 2018-10-16 at 18:52 +0100, Rowland Penny via samba wrote:> On Tue, 16 Oct 2018 19:37:21 +0200 > "Zuzanna K. Filutowska via samba" <samba at lists.samba.org> wrote: > > > W dniu wto, 16.10.2018 o godzinie 18∶25 +0100, użytkownik Rowland > > Penny via samba napisał: > > > On Tue, 16 Oct 2018 18:47:30 +0200 > > > "Zuzanna K. Filutowska via samba" <samba at lists.samba.org> wrote: > > > > > > > Dear All, > > > > > > > > I have a setup with samba acting as active directory domain > > > > controller, DNS updates are done via bind DLZ. I have recompiled > > > > it to allow spnego. DHCP server is external, no changes in it are > > > > possible. Domain members try to register in the DNS, KDC is aware > > > > of them, however no DNS entries for them are created and BIND > > > > returns errors. Any hints are welcome since I really need it > > > > working. Thank you in advance. > > > > > > > > samba log: > > > > samba version 4.8.5 started. > > > > Copyright Andrew Tridgell and the Samba Team 1992-2018 > > > > [2018/10/16 18:29:56.934115, > > > > 0] ../source4/smbd/server.c:638(binary_smbd_main) > > > > binary_smbd_main: samba: using 'standard' process model > > > > [2018/10/16 18:29:57.251109, > > > > 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) /usr/sbin/krb5kdc: > > > > krb5kdc: starting... > > > > > > > > > > Is this on a red-hat OS using MIT for Samba ? > > > If so, I suggest you recompile Samba to use Heimdal instead. There > > > are numerous limitations with using MIT, because of these, using > > > MIT is still considered experimental. > > > > It is Fedora Server and it uses MIT, these are default packages that > > come with the system. > > > > I would suggest you file a bug on Fedora, whilst you can provision an > AD DC with the Fedora packages, there are several problems that make > them unsuitable in production (Computer GPO's not applying, for > instance) and it looks like you may possibly have found another problem.Specifically, the MIT Kerberos client libraries enforce replay prevention via a replay cache. Samba's DLZ processes the kerberos ticket for a second time to get the PAC and so has a deliberate replay. This is what fails. Patches would need to be written that would ensure this replay is permitted, in this situation. Not hard, but also not 'production ready' I'm sorry to say. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Zuzanna K. Filutowska
2018-Oct-16 18:45 UTC
[Samba] Samba AD DC + external DHCP + BIND9_DLZ dynamic dns updates doesn't work for domain members.
W dniu wto, 16.10.2018 o godzinie 18∶52 +0100, użytkownik Rowland Penny via samba napisał:> On Tue, 16 Oct 2018 19:37:21 +0200 > "Zuzanna K. Filutowska via samba" <samba at lists.samba.org> wrote: > > > W dniu wto, 16.10.2018 o godzinie 18∶25 +0100, użytkownik Rowland > > Penny via samba napisał: > > > On Tue, 16 Oct 2018 18:47:30 +0200 > > > "Zuzanna K. Filutowska via samba" <samba at lists.samba.org> wrote: > > > > > > > Dear All, > > > > > > > > I have a setup with samba acting as active directory domain > > > > controller, DNS updates are done via bind DLZ. I have recompiled > > > > it to allow spnego. DHCP server is external, no changes in it are > > > > possible. Domain members try to register in the DNS, KDC is aware > > > > of them, however no DNS entries for them are created and BIND > > > > returns errors. Any hints are welcome since I really need it > > > > working. Thank you in advance. > > > > > > > > samba log: > > > > samba version 4.8.5 started. > > > > Copyright Andrew Tridgell and the Samba Team 1992-2018 > > > > [2018/10/16 18:29:56.934115, > > > > 0] ../source4/smbd/server.c:638(binary_smbd_main) > > > > binary_smbd_main: samba: using 'standard' process model > > > > [2018/10/16 18:29:57.251109, > > > > 0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler) > > > > /usr/sbin/krb5kdc: > > > > krb5kdc: starting... > > > > > > > > > > Is this on a red-hat OS using MIT for Samba ? > > > If so, I suggest you recompile Samba to use Heimdal instead. There > > > are numerous limitations with using MIT, because of these, using > > > MIT is still considered experimental. > > > > It is Fedora Server and it uses MIT, these are default packages that > > come with the system. > > > > I would suggest you file a bug on Fedora, whilst you can provision an > AD DC with the Fedora packages, there are several problems that make > them unsuitable in production (Computer GPO's not applying, for > instance) and it looks like you may possibly have found another problem.I am now trying to use SAMBA INTERNAL but dns dynamic updates doesn't work either. No errors in logs. It was annoying, now is depressing. :-> Do you have any good howto at hand to migrate to heimdal kerberos? -- -- Pozdrawiam, -- Zuzanna K. Filutowska www: http://platyna.info Trzeba mieć wytrwałość i wiarę w siebie, że jest się do czegoś zdolnym. -- Maria Curie-Skłodowska
Possibly Parallel Threads
- Samba AD DC + external DHCP + BIND9_DLZ dynamic dns updates doesn't work for domain members.
- Samba AD DC + external DHCP + BIND9_DLZ dynamic dns updates doesn't work for domain members.
- Samba AD DC + external DHCP + BIND9_DLZ dynamic dns updates doesn't work for domain members.
- Samba AD DC + external DHCP + BIND9_DLZ dynamic dns updates doesn't work for domain members.
- [5.0.0 Release] Release Candidate 4 tagged