Dear all,

I set up a test OS, Fedora 34 with BIND 9.16.
I installed the packages from the Fedora repo: samba-dc and samba-bind-dlz.
I provisioned with bind9_dlz. All with no errors.

samba-tool domain provision --dns-backend=BIND9_DLZ --realm=EXAMPLE.COM --domain=EXAMPLE --server-role=dc --adminpass=Password

I set in my /etc/named.conf:

tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
include "/var/lib/samba/bind-dns/named.conf";

My /etc/krb5.conf is readable by named.

A normal lookup was working on the fly, but if I tried to join a new Windows client to my domain, BIND keeps telling me:

client @0x7f44ec000cc8 XXX.XXX.XXX.XXX#62786: update 'plk.loc/IN' denied
samba_dlz: cancelling transaction on zone plk.loc

What I recognised is, the file named.conf.update was not created on provisioning!?
Do I need the file anymore!?

Greetings
Daniel
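A few checks for the setup described in this post, added here as an example and not part of the thread or of Samba's own tooling: one function verifies that a named.conf carries the two directives set above (tkey-gssapi-keytab and the include of Samba's generated bind-dns/named.conf), one verifies that a file such as the dns.keytab or /etc/krb5.conf is readable by the user running the check (run it as the named user to see what BIND sees), and two parse a BIND log for the "update ... denied" message quoted above so that denied dynamic updates can be counted and attributed to client addresses for monitoring. All paths are parameters; the log lines and config used in the usage section are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Sanity checks for a Samba AD DC using
# the BIND9_DLZ backend plus a detector for BIND's "update denied" log line.

# check_named_conf CONF
# Exit 0 when CONF contains both directives the post sets:
#   tkey-gssapi-keytab "...";   and   include "<...>/bind-dns/named.conf";
check_named_conf() {
    conf="$1"
    grep -Eq '^[[:space:]]*tkey-gssapi-keytab[[:space:]]+"[^"]+";' "$conf" || {
        echo "missing tkey-gssapi-keytab in $conf"; return 1; }
    grep -Eq '^[[:space:]]*include[[:space:]]+"[^"]*bind-dns/named.conf";' "$conf" || {
        echo "missing include of Samba bind-dns/named.conf in $conf"; return 1; }
    return 0
}

# check_readable FILE
# Exit 0 when FILE exists and is readable by the current user.
# Run as the named user (e.g. sudo -u named sh -c '. ./checks.sh; check_readable ...')
# to confirm the keytab and krb5.conf are readable by BIND itself.
check_readable() {
    [ -r "$1" ] && return 0
    echo "not readable: $1"
    return 1
}

# count_denied_updates LOGFILE
# Print the number of denied dynamic-update attempts, matching the
# "client ... : update '<zone>/IN' denied" message BIND logs.
count_denied_updates() {
    grep -Ec "client .*: update '[^']+/IN' denied" "$1"
}

# denied_update_clients LOGFILE
# Print the distinct client addresses (port stripped) whose updates were denied.
denied_update_clients() {
    sed -nE "s/^.*client (@0x[0-9a-f]+ )?([^#[:space:]]+)#[0-9]+: update '[^']+\/IN' denied.*$/\2/p" "$1" \
        | sort -u
}

# Usage on constructed input (run only when executed directly, not when sourced):
if [ "${0##*/}" = "checks.sh" ]; then
    check_named_conf /etc/named.conf
    check_readable /var/lib/samba/private/dns.keytab
    check_readable /etc/krb5.conf
    echo "denied updates: $(count_denied_updates /var/log/named/named.log)"
    denied_update_clients /var/log/named/named.log
fi
```

The denied-update counter and client list are meant for a cron job or a log shipper rule: a steady trickle of denied updates from domain members right after a join is the symptom shown in the post, and the client list tells you which hosts to look at without reading the whole log.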
On 5/12/21 9:49 AM, Mueller via samba wrote:
> Dear all,
>
> I set up a test OS, Fedora 34 with BIND 9.16.
> I installed the packages from the Fedora repo: samba-dc and samba-bind-dlz.
> I provisioned with bind9_dlz. All with no errors.
>
> samba-tool domain provision --dns-backend=BIND9_DLZ --realm=EXAMPLE.COM
> --domain=EXAMPLE --server-role=dc --adminpass=Password
> I set in my /etc/named.conf:
>
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> include "/var/lib/samba/bind-dns/named.conf";
> My /etc/krb5.conf is readable by named.
>
> A normal lookup was working on the fly, but if I tried to join a new Windows
> client to my domain, BIND keeps telling me:
>
> client @0x7f44ec000cc8 XXX.XXX.XXX.XXX#62786: update 'plk.loc/IN' denied
> samba_dlz: cancelling transaction on zone plk.loc
>
> What I recognised is, the file named.conf.update was not created on
> provisioning!?
> Do I need the file anymore!?

Fedora builds Samba AD with the experimental MIT backend. IIRC Windows clients use GSS for DNS updates. Fedora-provided packages still have many issues, because of the experimental nature. If you can, try with a package built with the embedded Heimdal Kerberos for Fedora, see if the problem persists, and report the issue so the people who work on the experimental backend know about it.

> Greetings
> Daniel
On 12/05/2021 14:49, Mueller via samba wrote:
> Dear all,
>
> I set up a test OS, Fedora 34 with BIND 9.16.
> I installed the packages from the Fedora repo: samba-dc and samba-bind-dlz.

Sorry, but that was a mistake from the start. The Fedora Samba DC packages use the system Kerberos ('MIT') and, as such, they are marked as experimental; there are numerous things that do not work.

> I provisioned with bind9_dlz. All with no errors.
>
> samba-tool domain provision --dns-backend=BIND9_DLZ --realm=EXAMPLE.COM
> --domain=EXAMPLE --server-role=dc --adminpass=Password
> I set in my /etc/named.conf:
>
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> include "/var/lib/samba/bind-dns/named.conf";
> My /etc/krb5.conf is readable by named.
>
> A normal lookup was working on the fly, but if I tried to join a new Windows
> client to my domain, BIND keeps telling me:
>
> client @0x7f44ec000cc8 XXX.XXX.XXX.XXX#62786: update 'plk.loc/IN' denied
> samba_dlz: cancelling transaction on zone plk.loc
>
> What I recognised is, the file named.conf.update was not created on
> provisioning!?
> Do I need the file anymore!?

Yes, you do, but that is, in my opinion, the least of your worries. I think you need to find Samba packages for Fedora that have been built to use Heimdal Kerberos (standard for Samba), or you need to build Samba yourself, or use another distro based on Debian.

Rowland