Giacomo Gorgellino
2018-Nov-29 11:30 UTC
[Samba] samba_dnsupdate REFUSED between Samba4 AD DC and Win 2008r2
Hi,

I have some trouble getting the Samba internal DNS server in sync with the other (Windows) DNS servers of my AD domain.

samba_dnsupdate returns:

update failed: REFUSED
Failed update of 1 entries

I'm running Samba version 4.5.12-Debian:

root@mysamba4dc:~# dpkg -l | grep samba
ii  python-samba        2:4.5.12+dfsg-2+deb9u3  amd64  Python bindings for Samba
ii  samba               2:4.5.12+dfsg-2+deb9u3  amd64  SMB/CIFS file, print, and login server for Unix
ii  samba-common        2:4.5.12+dfsg-2+deb9u3  all    common files used by both the Samba server and client
ii  samba-common-bin    2:4.5.12+dfsg-2+deb9u3  amd64  Samba common files used by both the server and the client
ii  samba-dsdb-modules  2:4.5.12+dfsg-2+deb9u3  amd64  Samba Directory Services Database
ii  samba-libs:amd64    2:4.5.12+dfsg-2+deb9u3  amd64  Samba core libraries
ii  samba-vfs-modules   2:4.5.12+dfsg-2+deb9u3  amd64  Samba Virtual FileSystem plugins

This is the Windows DNS log:

29/11/2018 12:03:17 0CCC PACKET 0000000004E5AD10 TCP Rcv 10.0.16.25 e2a8 U [0028 NOERROR] SOA (7)MYDOMAIN(3)com(0)
29/11/2018 12:03:17 13CC PACKET 0000000004E5AD10 TCP Snd 10.0.16.25 e2a8 R U [05a8 REFUSED] SOA (7)MYDOMAIN(3)com(0)

This is the output of samba_dnsupdate --verbose:

root@mysamba4dc:~# samba_dnsupdate --verbose
IPs: ['10.0.16.25']
Looking for DNS entry A mysamba4dc.MYDOMAIN.com 10.0.16.25 as mysamba4dc.MYDOMAIN.com.
Looking for DNS entry NS MYDOMAIN.com mysamba4dc.MYDOMAIN.com as MYDOMAIN.com.
Looking for DNS entry NS _msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com as _msdcs.MYDOMAIN.com.
The DNS entry NS _msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com, queried as _msdcs.MYDOMAIN.com. does not hold this record type
need update: NS _msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com
Looking for DNS entry A MYDOMAIN.com 10.0.16.25 as MYDOMAIN.com.
Looking for DNS entry SRV _ldap._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.MYDOMAIN.com.
Checking 0 100 389 ris-dom-contr02.MYDOMAIN.com. against SRV _ldap._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.dc._msdcs.MYDOMAIN.com.
Checking 0 100 389 ris-dom-contr02.MYDOMAIN.com. against SRV _ldap._tcp.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 ris-dom-contr01.MYDOMAIN.com. against SRV _ldap._tcp.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _ldap._tcp.d47b6ec5-8976-40a1-ad85-6479d007ebb2.domains._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.d47b6ec5-8976-40a1-ad85-6479d007ebb2.domains._msdcs.MYDOMAIN.com.
Checking 0 100 389 ris-dom-contr02.MYDOMAIN.com. against SRV _ldap._tcp.d47b6ec5-8976-40a1-ad85-6479d007ebb2.domains._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 ris-dom-contr01.MYDOMAIN.com. against SRV _ldap._tcp.d47b6ec5-8976-40a1-ad85-6479d007ebb2.domains._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.d47b6ec5-8976-40a1-ad85-6479d007ebb2.domains._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _kerberos._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88 as _kerberos._tcp.MYDOMAIN.com.
Checking 0 100 88 mysamba4dc.MYDOMAIN.com. against SRV _kerberos._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Looking for DNS entry SRV _kerberos._udp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88 as _kerberos._udp.MYDOMAIN.com.
Checking 0 100 88 ris-dom-contr01.MYDOMAIN.com. against SRV _kerberos._udp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Checking 0 100 88 ris-dom-contr02.MYDOMAIN.com. against SRV _kerberos._udp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Checking 0 100 88 mysamba4dc.MYDOMAIN.com. against SRV _kerberos._udp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88 as _kerberos._tcp.dc._msdcs.MYDOMAIN.com.
Checking 0 100 88 mysamba4dc.MYDOMAIN.com. against SRV _kerberos._tcp.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Looking for DNS entry SRV _kpasswd._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 464 as _kpasswd._tcp.MYDOMAIN.com.
Checking 0 100 464 mysamba4dc.MYDOMAIN.com. against SRV _kpasswd._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 464
Looking for DNS entry SRV _kpasswd._udp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 464 as _kpasswd._udp.MYDOMAIN.com.
Checking 0 100 464 mysamba4dc.MYDOMAIN.com. against SRV _kpasswd._udp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 464
Looking for DNS entry CNAME f9757ca5-8424-4016-99d7-1fbbb232e304._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com as f9757ca5-8424-4016-99d7-1fbbb232e304._msdcs.MYDOMAIN.com.
Looking for DNS entry SRV _ldap._tcp.MYSITE._sites.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.MYSITE._sites.MYDOMAIN.com.
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.MYSITE._sites.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _ldap._tcp.MYSITE._sites.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.MYSITE._sites.dc._msdcs.MYDOMAIN.com.
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.MYSITE._sites.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _kerberos._tcp.MYSITE._sites.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88 as _kerberos._tcp.MYSITE._sites.MYDOMAIN.com.
Checking 0 100 88 mysamba4dc.MYDOMAIN.com. against SRV _kerberos._tcp.MYSITE._sites.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Looking for DNS entry SRV _kerberos._tcp.MYSITE._sites.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88 as _kerberos._tcp.MYSITE._sites.dc._msdcs.MYDOMAIN.com.
Checking 0 100 88 mysamba4dc.MYDOMAIN.com. against SRV _kerberos._tcp.MYSITE._sites.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Looking for DNS entry A gc._msdcs.MYDOMAIN.com 10.0.16.25 as gc._msdcs.MYDOMAIN.com.
Looking for DNS entry SRV _gc._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268 as _gc._tcp.MYDOMAIN.com.
Checking 0 100 3268 mywindc02.MYDOMAIN.com. against SRV _gc._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268
Checking 0 100 3268 mysamba4dc.MYDOMAIN.com. against SRV _gc._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268 as _ldap._tcp.gc._msdcs.MYDOMAIN.com.
Checking 0 100 3268 mywindc02.MYDOMAIN.com. against SRV _ldap._tcp.gc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268
Checking 0 100 3268 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.gc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268
Looking for DNS entry SRV _gc._tcp.MYSITE._sites.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268 as _gc._tcp.MYSITE._sites.MYDOMAIN.com.
Checking 0 100 3268 mysamba4dc.MYDOMAIN.com. against SRV _gc._tcp.MYSITE._sites.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268
Looking for DNS entry SRV _ldap._tcp.MYSITE._sites.gc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268 as _ldap._tcp.MYSITE._sites.gc._msdcs.MYDOMAIN.com.
Checking 0 100 3268 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.MYSITE._sites.gc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268
Looking for DNS entry A DomainDnsZones.MYDOMAIN.com 10.0.16.25 as DomainDnsZones.MYDOMAIN.com.
Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.DomainDnsZones.MYDOMAIN.com.
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.DomainDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _ldap._tcp.MYSITE._sites.DomainDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.MYSITE._sites.DomainDnsZones.MYDOMAIN.com.
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.MYSITE._sites.DomainDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry A ForestDnsZones.MYDOMAIN.com 10.0.16.25 as ForestDnsZones.MYDOMAIN.com.
Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.ForestDnsZones.MYDOMAIN.com.
Checking 0 100 389 mywindc02.MYDOMAIN.com. against SRV _ldap._tcp.ForestDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 mywindc01.MYDOMAIN.com. against SRV _ldap._tcp.ForestDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.ForestDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _ldap._tcp.MYSITE._sites.ForestDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.MYSITE._sites.ForestDnsZones.MYDOMAIN.com.
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.MYSITE._sites.ForestDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
1 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/mywindc01.MYDOMAIN.com as mysamba4dc$
update(nsupdate): NS _msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com
Calling nsupdate for NS _msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_msdcs.MYDOMAIN.com. 900 IN NS mysamba4dc.MYDOMAIN.com.

; TSIG error with server: tsig verify failure
update failed: REFUSED
Failed nsupdate: 2
Failed update of 1 entries

Any hints?

Thanks,
Giacomo
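A small parser for Windows DNS Server debug-log PACKET lines in the form shown above, added here as an example; it is not code from this thread, from Samba or from Microsoft. It pairs each request with its response by (client IP, transaction id), so a dynamic update answered REFUSED and the TKEY (GSS-TSIG) negotiation the same client did beforehand show up together. The field layout is the one visible in the lines on this page; the decoding of the hex flag word is my interpretation, which agrees with all three values on the page (0028 = UPDATE request, 05a8 = UPDATE response with RCODE 5 REFUSED, 0080 = QUERY response) but is an assumption beyond them. The sample input is constructed from the four PACKET lines quoted in this thread.

```python
"""Pair request/response PACKET lines from a Windows DNS Server debug log
so that an UPDATE answered REFUSED, and the TKEY negotiation that preceded
it from the same client, stand out. Added example, not from the thread."""
import re
from collections import defaultdict

# Constructed sample: the four PACKET lines quoted in this thread.
SAMPLE_LOG = """\
29/11/2018 12:03:17 0CCC PACKET 0000000004E5AD10 TCP Rcv 10.0.16.25 ccd3 Q [0000 NOERROR] TKEY (10)2105411177(19)sig-mywindc01(7)MYDOMAIN(3)com(0)
29/11/2018 12:03:17 1378 PACKET 0000000004E5AD10 TCP Snd 10.0.16.25 ccd3 R Q [0080 NOERROR] TKEY (10)2105411177(19)sig-mywindc01(7)MYDOMAIN(3)com(0)
29/11/2018 12:03:17 0CCC PACKET 0000000004E5AD10 TCP Rcv 10.0.16.25 e2a8 U [0028 NOERROR] SOA (7)MYDOMAIN(3)com(0)
29/11/2018 12:03:17 13CC PACKET 0000000004E5AD10 TCP Snd 10.0.16.25 e2a8 R U [05a8 REFUSED] SOA (7)MYDOMAIN(3)com(0)
"""

# Layout as seen on the page; the optional letter group inside the brackets
# accepts the "[8081 DR NOERROR]" style some Windows logs print.
PACKET_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<thread>[0-9A-F]+)\s+PACKET\s+(?P<ctx>[0-9A-F]+)\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<dir>Rcv|Snd)\s+(?P<ip>\S+)\s+(?P<xid>[0-9a-f]{4})\s+"
    r"(?P<resp>R\s+)?(?P<op>[QUN])\s+\[(?P<flags>[0-9a-fA-F]{4})\s+(?:[A-Z]+\s+)?(?P<status>[A-Z]+)\s*\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)

OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def decode_labels(wire):
    """'(7)MYDOMAIN(3)com(0)' -> 'MYDOMAIN.com' (label lengths are not validated)."""
    return ".".join(t for n, t in re.findall(r"\((\d+)\)([^()]*)", wire) if int(n))


def decode_flags(hexword):
    """Assumption: the hex word is the DNS header flags with its two wire bytes
    swapped, so the low byte holds QR/opcode/AA/TC/RD and the high byte holds
    RA/Z/RCODE. 0028 -> UPDATE request; 05a8 -> UPDATE response, RCODE 5
    (REFUSED); 0080 -> QUERY response."""
    word = int(hexword, 16)
    lo, hi = word & 0xFF, word >> 8
    return {"qr": bool(lo & 0x80), "opcode": OPCODES.get((lo >> 3) & 0xF, "?"),
            "tc": bool(lo & 0x02), "rcode": RCODES.get(hi & 0xF, "?")}


def parse_line(line):
    """One PACKET line -> dict of fields, or None for anything else."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["response"] = p.pop("resp") is not None
    p["name"] = decode_labels(p.pop("qname"))
    p.update(decode_flags(p["flags"]))
    return p


def pair_exchanges(text):
    """Group packets by (client IP, transaction id) into request/response."""
    pairs = defaultdict(dict)
    for line in text.splitlines():
        p = parse_line(line)
        if p:
            pairs[(p["ip"], p["xid"])]["response" if p["response"] else "request"] = p
    return pairs


def refused_updates(text):
    """(client, zone, tkey_negotiated) for every UPDATE the server REFUSED.
    tkey_negotiated is True when the same client also completed a TKEY query
    with NOERROR, i.e. the GSS key exchange worked and the refusal came at
    the signed update itself."""
    pairs = pair_exchanges(text)
    tkey_ok = set()
    for ex in pairs.values():
        req, rsp = ex.get("request"), ex.get("response")
        if req and rsp and req["qtype"] == "TKEY" and rsp["status"] == "NOERROR":
            tkey_ok.add(req["ip"])
    out = []
    for ex in pairs.values():
        req, rsp = ex.get("request"), ex.get("response")
        if req and rsp and req["opcode"] == "UPDATE" and rsp["status"] == "REFUSED":
            out.append((req["ip"], req["name"], req["ip"] in tkey_ok))
    return out


if __name__ == "__main__":
    for ip, zone, tkey in refused_updates(SAMPLE_LOG):
        print(f"{ip}: update of {zone} REFUSED, TKEY negotiated first: {tkey}")
```

Run it on a real dns.log with refused_updates(open(path).read()). On the lines from this thread it reports one refused update of MYDOMAIN.com from 10.0.16.25 with the TKEY exchange already answered NOERROR, which is the same picture nsupdate gives with "tsig verify failure": the key negotiation completes and the signature on the update is what the server rejects.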
Rowland Penny
2018-Nov-29 12:05 UTC
[Samba] samba_dnsupdate REFUSED between Samba4 AD DC and Win 2008r2
On Thu, 29 Nov 2018 12:30:28 +0100
Giacomo Gorgellino via samba <samba at lists.samba.org> wrote:

> Hi,
>
> I have some trouble getting the Samba internal DNS server in sync with
> the other (Windows) DNS servers of my AD domain.
>
> samba_dnsupdate returns:
>
> update failed: REFUSED
> Failed update of 1 entries
>
> I'm running Samba version 4.5.12-Debian
>
> This is the output of samba_dnsupdate --verbose:
>
> ; TSIG error with server: tsig verify failure
> update failed: REFUSED
> Failed nsupdate: 2
> Failed update of 1 entries
>
> Any hints?
>

Start by reading this:

https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable

Rowland
Giacomo Gorgellino
2018-Nov-29 13:36 UTC
[Samba] samba_dnsupdate REFUSED between Samba4 AD DC and Win 2008r2
On 29/11/2018 13:05, Rowland Penny via samba wrote:
> On Thu, 29 Nov 2018 12:30:28 +0100
> Giacomo Gorgellino via samba <samba at lists.samba.org> wrote:
>
>> ; TSIG error with server: tsig verify failure
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Failed update of 1 entries
>>
>> Any hints?
>>
> Start by reading this:
>
> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
>
> Rowland
>

Thanks for pointing that out. The TKEY seems to be received by the remote DNS. Here are the related logs on the Windows DNS side:

29/11/2018 12:03:17 0CCC PACKET 0000000004E5AD10 TCP Rcv 10.0.16.25 ccd3 Q [0000 NOERROR] TKEY (10)2105411177(19)sig-mywindc01(7)MYDOMAIN(3)com(0)
29/11/2018 12:03:17 1378 PACKET 0000000004E5AD10 TCP Snd 10.0.16.25 ccd3 R Q [0080 NOERROR] TKEY (10)2105411177(19)sig-mywindc01(7)MYDOMAIN(3)com(0)

I didn't find the dns.keytab file:

find / -iname *.keytab
/var/lib/samba/private/secrets.keytab

Because I'm already using SAMBA_INTERNAL as the DNS backend, I tried switching to BIND9 and back to INTERNAL:

root@mysamba4dc:~# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/private/dns/MYDOMAIN.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-mysamba4dc.MYDOMAIN.com account
Unable to find group id for BIND,
set permissions to sam.ldb* files manually
BIND version unknown, please modify /var/lib/samba/private/named.conf manually.
See /var/lib/samba/private/named.conf for an example configuration include file for BIND
and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
You have switched to using BIND9_DLZ as your dns backend, but still have the internal dns starting. Please make sure you add '-dns' to your server services line in your smb.conf.

root@mysamba4dc:~# samba_upgradedns --dns-backend=SAMBA_INTERNAL
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/private/dns/MYDOMAIN.COM.zone
DNS records will be automatically created
DNS partitions already exist
Finished upgrading DNS

root@mysamba4dc:~# find / -iname *.keytab
/var/lib/samba/private/secrets.keytab
/var/lib/samba/private/dns.keytab

Now I can list my DNS key:

root@mysamba4dc:~# klist -k /var/lib/samba/private/dns.keytab
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
   1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
   1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
   1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
   1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
   1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
   1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
   1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
   1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM

And krb5.conf is world readable:

-rw-r--r-- 1 root root 101 Nov 9 11:37 /etc/krb5.conf

but samba_dnsupdate is failing again:

update failed: REFUSED

G.
L.P.H. van Belle
2018-Nov-29 14:03 UTC
[Samba] samba_dnsupdate REFUSED between Samba4 AD DC and Win 2008r2
Your dns keytab looks strange, maybe due to manual changes..

klist -k /var/lib/samba/private/dns.keytab

should show:

1 dns-mysamba4dc@REALM
1 DNS/mysamba4dc.mydomain.com@REALM

So check this again.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Giacomo Gorgellino via samba
> Sent: Thursday, 29 November 2018 14:37
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba_dnsupdate REFUSED between Samba4
> AD DC and Win 2008r2
>
>
> On 29/11/2018 13:05, Rowland Penny via samba wrote:
> > On Thu, 29 Nov 2018 12:30:28 +0100
> > Giacomo Gorgellino via samba <samba at lists.samba.org> wrote:
> >
> >> ; TSIG error with server: tsig verify failure
> >> update failed: REFUSED
> >> Failed nsupdate: 2
> >> Failed update of 1 entries
> >>
> >> Any hints?
> >>
> > Start by reading this:
> >
> > https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
> >
> > Rowland
> >
> Thanks for pointing that out. The TKEY seems to be received by the remote DNS.
> Here are the related logs on the Windows DNS side:
>
> 29/11/2018 12:03:17 0CCC PACKET 0000000004E5AD10 TCP Rcv 10.0.16.25 ccd3 Q [0000 NOERROR] TKEY (10)2105411177(19)sig-mywindc01(7)MYDOMAIN(3)com(0)
> 29/11/2018 12:03:17 1378 PACKET 0000000004E5AD10 TCP Snd 10.0.16.25 ccd3 R Q [0080 NOERROR] TKEY (10)2105411177(19)sig-mywindc01(7)MYDOMAIN(3)com(0)
>
> I didn't find the dns.keytab file:
>
> find / -iname *.keytab
> /var/lib/samba/private/secrets.keytab
>
> Because I'm already using SAMBA_INTERNAL as the DNS backend, I tried
> switching to BIND9 and back to INTERNAL:
>
> root@mysamba4dc:~# samba_upgradedns --dns-backend=BIND9_DLZ
> Reading domain information
> DNS accounts already exist
> No zone file /var/lib/samba/private/dns/MYDOMAIN.COM.zone
> DNS records will be automatically created
> DNS partitions already exist
> Adding dns-mysamba4dc.MYDOMAIN.com account
> Unable to find group id for BIND,
> set permissions to sam.ldb* files manually
> BIND version unknown, please modify /var/lib/samba/private/named.conf manually.
> See /var/lib/samba/private/named.conf for an example configuration include file for BIND
> and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
> Finished upgrading DNS
> You have switched to using BIND9_DLZ as your dns backend, but still have
> the internal dns starting. Please make sure you add '-dns' to your
> server services line in your smb.conf.
>
> root@mysamba4dc:~# samba_upgradedns --dns-backend=SAMBA_INTERNAL
> Reading domain information
> DNS accounts already exist
> No zone file /var/lib/samba/private/dns/MYDOMAIN.COM.zone
> DNS records will be automatically created
> DNS partitions already exist
> Finished upgrading DNS
>
> root@mysamba4dc:~# find / -iname *.keytab
> /var/lib/samba/private/secrets.keytab
> /var/lib/samba/private/dns.keytab
>
> Now I can list my DNS key:
>
> root@mysamba4dc:~# klist -k /var/lib/samba/private/dns.keytab
> Keytab name: FILE:/var/lib/samba/private/dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
>    1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
>    1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
>    1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
>    1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
>    1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
>    1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
>    1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
>    1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
>
> And krb5.conf is world readable:
>
> -rw-r--r-- 1 root root 101 Nov 9 11:37 /etc/krb5.conf
>
> but samba_dnsupdate is failing again:
>
> update failed: REFUSED
>
> G.
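A check for the point Louis makes, added here as an example; it is not code from the thread or from the Samba project. It parses klist -k output, compares the distinct principals against the two names Louis says should be there (dns-<short host>@REALM and DNS/<fqdn>@REALM, with the case used in the thread), and reports what is missing, what is extra, and whether any principal carries more than one key version. The hostname and realm are parameters; the sample input is constructed from the klist output Giacomo posted. Several lines for the same principal are not flagged, because klist -k without -e prints one line per key (one per encryption type).

```python
"""Check the principals in a Samba DC dns.keytab against the two that
klist -k is expected to list. Added example, not from the thread."""
import re
import subprocess
from collections import Counter, defaultdict

# Constructed sample: the klist -k output posted in this thread, with '@'
# restored where the list archive printed ' at '.
SAMPLE_KLIST = """\
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
   1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
   1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
   1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
   1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
   1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
   1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
   1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
   1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
"""

ENTRY_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+(?P<principal>\S+@\S+)\s*$")


def parse_klist(text):
    """Return [(kvno, principal), ...] in keytab order. Also accepts the
    'name at REALM' spelling that mailing-list archives produce."""
    entries = []
    for line in text.splitlines():
        line = re.sub(r"(\S) at (\S)", r"\1@\2", line)
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group("kvno")), m.group("principal")))
    return entries


def expected_principals(fqdn, realm):
    """The two principals Louis lists: the dns-<short host> account and the
    DNS/<fqdn> SPN, both in REALM. Case follows the thread: short host as
    given, SPN host lower-case, realm upper-case (assumption for other setups)."""
    short = fqdn.split(".")[0]
    return {f"dns-{short}@{realm.upper()}", f"DNS/{fqdn.lower()}@{realm.upper()}"}


def check_keytab(text, fqdn, realm):
    """Compare klist output with the expected set and summarise key versions."""
    entries = parse_klist(text)
    present = {p for _, p in entries}
    want = expected_principals(fqdn, realm)
    kvnos = defaultdict(set)
    for kvno, p in entries:
        kvnos[p].add(kvno)
    return {
        "missing": sorted(want - present),
        "unexpected": sorted(present - want),
        # one line per key (encryption type) is normal; klist -ke shows which
        "keys_per_principal": dict(Counter(p for _, p in entries)),
        # more than one KVNO for a principal means stale keys are still present
        "mixed_kvno": sorted(p for p, v in kvnos.items() if len(v) > 1),
    }


def check_keytab_file(path, fqdn, realm):
    """Run klist -k on a real keytab (MIT or Heimdal klist on PATH)."""
    out = subprocess.run(["klist", "-k", path], check=True,
                         capture_output=True, text=True).stdout
    return check_keytab(out, fqdn, realm)


if __name__ == "__main__":
    import json
    print(json.dumps(check_keytab(SAMPLE_KLIST, "mysamba4dc.mydomain.com",
                                  "MYDOMAIN.COM"), indent=2))
```

On the sample it reports dns-mysamba4dc@MYDOMAIN.COM as missing and dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM as unexpected, which is exactly the difference Louis points at; the DNS/ SPN and the single KVNO are as expected. Against a live DC use check_keytab_file("/var/lib/samba/private/dns.keytab", fqdn, realm) as root, since the keytab is not world readable.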