Matthias Kühne | Ellerhold AG
2022-Oct-27 06:05 UTC
[Samba] SPNEGO cannot find mechanisms to negotiate
Hello Samba people,

we've recently upgraded our debian bullseye AD-DCs from 4.15 (louis repo) to 4.16 (backports). We're using the BIND_DLZ with Bind 9.16.33. Somehow the samba_dnsupdate broke. We're running "/usr/sbin/samba_dnsupdate --all-names" every hour (is this even recommended?). In pre 4.16 this works correctly.

Now this error is printed:

"tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = SPNEGO cannot find mechanisms to negotiate." (28 times to be exact).

Just calling samba_dnsupdate without --all-names doesn't print anything. Using --all-names and --use-samba-tool leads to this error message:

"ERROR: Record already exists; record could not be added. zone[ad.ellerhold.lan] name[rad-2]" (28 times to be exact).

Does this mean everything is already correct and he's still trying to add new records?

Is it necessary to call the samba_dnsupdate with --all-names hourly? I've read somewhere to do this to fix some weird problems. Or any other combination of the switches (--all-names and --use-samba-tool) samba_dnsupdate?

Any advice would be much appreciated.

Have a nice day, Matthias Kühne.
Matthias Kühne | Ellerhold AG
2022-Oct-27 06:43 UTC
[Samba] SPNEGO cannot find mechanisms to negotiate
Hello,

we've found the problem right after posting to the mailing list.

We've added some apparmor rules in complain mode to secure samba. aa-logprof did not print out anything. samba_dnsupdate executes python and nsupdate. I've added the "rUx" so that it can execute them unconfined. And I thought in complain mode: nothing actually gets blocked - just reported!

The difference between rUx and rux is the scrubbing of the env before the execution. Changing the rules to "rux" made the samba_dnsupdate work again.

So that part of my question is gone.

As we always say in our department "It is ALWAYS apparmor" after a long debugging session ;-)

Thanks and best regards, Matthias Kühne.
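The rUx versus rux distinction from the message above, as an added example that is not part of the original post or of Samba or AppArmor: a small Python check that lists a profile's exec rules and reports whether each one scrubs the environment. The sample profiles are constructed, and treating /usr/bin/nsupdate as a helper that depends on variables set by its caller is an assumption made for illustration.

```python
import re

# Path-first file rules only, e.g. "/usr/bin/nsupdate rUx,"; other forms are skipped.
RULE = re.compile(r"^\s*(?:(?:audit|owner)\s+)*(?P<path>[/@]\S+)\s+"
                  r"(?P<perms>[A-Za-z]+)\s*(?:->\s*\S+\s*)?,")
# Exec qualifiers: ix, px/Px, cx/Cx, ux/Ux and fallback forms such as pix or PUx.
EXEC = re.compile(r"([pPcC][iuU]?|[uU]|i)x")

# Assumption: helpers whose caller passes settings through environment variables.
ENV_DEPENDENT = {"/usr/bin/nsupdate"}

LOSES_ENV = "environment is scrubbed; helper may not see caller-supplied variables"
FULL_ENV = "runs unconfined with the caller's unscrubbed environment"

def audit_exec_rules(profile_text):
    """Return (path, exec_mode, scrubs_env, note) for every exec rule found."""
    findings = []
    for line in profile_text.splitlines():
        rule = RULE.match(line.split("#", 1)[0])   # drop trailing comments
        mode = EXEC.search(rule.group("perms")) if rule else None
        if not mode:
            continue                               # not a rule granting exec
        qualifier = mode.group(1)
        scrubs = qualifier[0].isupper()            # Px, Cx, Ux request scrubbing
        unconfined = "u" in qualifier.lower()      # ux, Ux, pux, cux, ...
        note = ""
        if scrubs and rule.group("path") in ENV_DEPENDENT:
            note = LOSES_ENV
        elif unconfined and not scrubs:
            note = FULL_ENV
        findings.append((rule.group("path"), mode.group(0), scrubs, note))
    return findings

# Constructed sample profiles (not the poster's actual rules).
BEFORE = """
/usr/sbin/samba_dnsupdate {
  /usr/bin/python3* rUx,
  /usr/bin/nsupdate rUx,
  /var/lib/samba/** rw,
}
"""
AFTER = BEFORE.replace("rUx", "rux")

if __name__ == "__main__":
    for label, text in (("rUx", BEFORE), ("rux", AFTER)):
        for finding in audit_exec_rules(text):
            print(label, finding)
```

The rux variant restores the helper's environment but leaves it unconfined and unscrubbed, which the check reports for both helpers.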