L.P.H. van Belle
2018-Nov-29 14:03 UTC
[Samba] samba_dnsupdate REFUSED between Samba4 AD DC and Win 2008r2
Your dns keytab looks strange, may be due to manual changes..

klist -k /var/lib/samba/private/dns.keytab

Should show.

1 dns-mysamba4dc at REALM
1 DNS/mysamba4dc.mydomain.com at REALM

So check this again.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Giacomo Gorgellino via samba
> Sent: Thursday 29 November 2018 14:37
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba_dnsupdate REFUSED between Samba4 AD DC and Win 2008r2
>
> On 29/11/2018 13:05, Rowland Penny via samba wrote:
> > On Thu, 29 Nov 2018 12:30:28 +0100
> > Giacomo Gorgellino via samba <samba at lists.samba.org> wrote:
> >
> >> ; TSIG error with server: tsig verify failure
> >> update failed: REFUSED
> >> Failed nsupdate: 2
> >> Failed update of 1 entries
> >>
> >> Any hints?
> >>
> > Start by reading this:
> >
> > https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
> >
> > Rowland
>
> Thanks for pointing that out. TKEY seems to get received by remote DNS:
>
> Here are the related logs on Windows DNS side:
>
> 29/11/2018 12:03:17 0CCC PACKET 0000000004E5AD10 TCP Rcv 10.0.16.25 ccd3 Q [0000 NOERROR] TKEY (10)2105411177(19)sig-mywindc01(7)MYDOMAIN(3)com(0)
> 29/11/2018 12:03:17 1378 PACKET 0000000004E5AD10 TCP Snd 10.0.16.25 ccd3 R Q [0080 NOERROR] TKEY (10)2105411177(19)sig-mywindc01(7)MYDOMAIN(3)com(0)
>
> I didn't find the dns.keytab file:
>
> find / -iname *.keytab
> /var/lib/samba/private/secrets.keytab
>
> Because I'm already using SAMBA_INTERNAL as dns backend I've tried to switch to BIND9 and back again to INTERNAL.
>
> root at mysamba4dc:~# samba_upgradedns --dns-backend=BIND9_DLZ
> Reading domain information
> DNS accounts already exist
> No zone file /var/lib/samba/private/dns/MYDOMAIN.COM.zone
> DNS records will be automatically created
> DNS partitions already exist
> Adding dns-mysamba4dc.MYDOMAIN.com account
> Unable to find group id for BIND, set permissions to sam.ldb* files manually
> BIND version unknown, please modify /var/lib/samba/private/named.conf manually.
> See /var/lib/samba/private/named.conf for an example configuration include file for BIND
> and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
> Finished upgrading DNS
> You have switched to using BIND9_DLZ as your dns backend, but still have the internal dns starting. Please make sure you add '-dns' to your server services line in your smb.conf.
>
> root at mysamba4dc:~# samba_upgradedns --dns-backend=SAMBA_INTERNAL
> Reading domain information
> DNS accounts already exist
> No zone file /var/lib/samba/private/dns/MYDOMAIN.COM.zone
> DNS records will be automatically created
> DNS partitions already exist
> Finished upgrading DNS
> root at mysamba4dc:~# find / -iname *.keytab
> /var/lib/samba/private/secrets.keytab
> /var/lib/samba/private/dns.keytab
>
> Now I can list my dns key:
>
> root at mysamba4dc:~# klist -k /var/lib/samba/private/dns.keytab
> Keytab name: FILE:/var/lib/samba/private/dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 dns-mysamba4dc.MYDOMAIN.com at MYDOMAIN.COM
> 1 DNS/mysamba4dc.mydomain.com at MYDOMAIN.COM
> 1 dns-mysamba4dc.MYDOMAIN.com at MYDOMAIN.COM
> 1 DNS/mysamba4dc.mydomain.com at MYDOMAIN.COM
> 1 dns-mysamba4dc.MYDOMAIN.com at MYDOMAIN.COM
> 1 DNS/mysamba4dc.mydomain.com at MYDOMAIN.COM
> 1 dns-mysamba4dc.MYDOMAIN.com at MYDOMAIN.COM
> 1 DNS/mysamba4dc.mydomain.com at MYDOMAIN.COM
> 1 dns-mysamba4dc.MYDOMAIN.com at MYDOMAIN.COM
>
> And krb5.conf is world readable
>
> -rw-r--r-- 1 root root 101 Nov 9 11:37 /etc/krb5.conf
>
> but samba_dnsupdate is again failing:
>
> update failed: REFUSED
>
> G.
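An added example, not from the thread or from Samba itself: a small POSIX sh check that parses `klist -k` output for the two principals Louis says the dns.keytab should carry (the DNS/ service principal and the dns-<host> account, which may appear short or with the DNS domain appended). The host, domain and realm names are the thread's own placeholders, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: check a Samba dns.keytab listing for the
# principals samba_dnsupdate needs.  Feed it the output of
#   klist -k /var/lib/samba/private/dns.keytab
# on stdin.  Real klist prints '@' where the list archive shows ' at '.
# usage: check_dns_keytab HOST DNSDOMAIN REALM < klist-output
# Returns 0 when both expected principals are present, 1 otherwise.
check_dns_keytab() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    domain=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    # principal column only (header and dashed rule skipped), lower-cased because
    # the listing in the thread mixes MYDOMAIN.com and mydomain.com
    principals=$(awk '$1 ~ /^[0-9]+$/ && NF == 2 { print $2 }' | tr 'A-Z' 'a-z')
    total=$(printf '%s\n' "$principals" | grep -c .) || true
    distinct=$(printf '%s\n' "$principals" | sort -u | grep -c .) || true
    rc=0
    # DNS/<fqdn> is the service principal the TKEY/TSIG-signed update is verified against
    if printf '%s\n' "$principals" | grep -qFx "dns/$host.$domain@$realm"; then
        echo "OK      DNS/$host.$domain@$3"
    else
        echo "MISSING DNS/$host.$domain@$3"; rc=1
    fi
    # the dns-<host> account principal appears short (Bind9) or with the DNS domain appended
    found=$(printf '%s\n' "$principals" \
        | grep -Fx -e "dns-$host@$realm" -e "dns-$host.$domain@$realm" | sort -u)
    if [ -n "$found" ]; then
        echo "OK      account $found"
    else
        echo "MISSING dns-$host account principal"; rc=1
    fi
    # several entries per principal (one per encryption type) are normal
    echo "entries $total distinct $distinct"
    return $rc
}

# Constructed sample shaped like the thread's listing (4 of its 9 lines).
SAMPLE_KEYTAB='Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
   1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
   1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
   1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM'

# The same listing with the DNS/ service principal removed.
SAMPLE_NO_SPN=$(printf '%s\n' "$SAMPLE_KEYTAB" | grep -v ' DNS/')

printf '%s\n' "$SAMPLE_KEYTAB" | check_dns_keytab mysamba4dc mydomain.com MYDOMAIN.COM
```

On a real DC, pipe the live `klist -k` output in instead of the constructed sample.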
Rowland Penny
2018-Nov-29 14:22 UTC
[Samba] samba_dnsupdate REFUSED between Samba4 AD DC and Win 2008r2
On Thu, 29 Nov 2018 15:03:03 +0100
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Your dns keytab looks strange, may be due to manual changes..

It looks strange because there is one of these missing:

1 DNS/mysamba4dc.mydomain.com at MYDOMAIN.COM

Could be cut & paste error.

> klist -k /var/lib/samba/private/dns.keytab
> Should show.
>
> 1 dns-mysamba4dc at REALM

But only if you are using Bind9

Rowland
Giacomo Gorgellino
2018-Nov-29 15:26 UTC
[Samba] samba_dnsupdate REFUSED between Samba4 AD DC and Win 2008r2
On 29/11/2018 15:22, Rowland Penny via samba wrote:
> On Thu, 29 Nov 2018 15:03:03 +0100
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
>
>> Your dns keytab looks strange, may be due to manual changes..
> It looks strange because there is one of these missing:
>
> 1 DNS/mysamba4dc.mydomain.com at MYDOMAIN.COM
>
> Could be cut & paste error.

Double checked again. There are 9 entries. Keytab has been created after switching to BIND9_DLZ with 10 entries. Switching back to INTERNAL is deleting 1 entry.

I've pasted here a dump from the Win DNS refusing the update: https://pastebin.com/s1bmcbQK

G.