
[Samba] Samba AD DNS problem




Hello there.

I have a setup with Samba AD and a Named backend.
Everything was working fine until a few days ago, but now I cannot start the DNS snap-in from Windows.  I get a dialog box saying
"Access was denied. Would you like to add it anyway?"

If I enable level 3 debugging in the samba.conf, I get the following:

[2017/05/11 07:25:30.413481,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ kristjan@xxxxxx from ipv4:192.168.253.109:57310 for DnsServerApp@xxxxxx [canonicalize, renewable, forwardable]
[2017/05/11 07:25:30.414016,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Searching referral for DnsServerApp
[2017/05/11 07:25:30.414141,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: DnsServerApp@xxxxxx: No such entry in the database
[2017/05/11 07:25:30.414215,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:192.168.253.109:57310
[2017/05/11 07:25:30.415231,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)


I googled a lot for this, particularly "DnsServerApp" and found no solution.  In desperation, using the ActiveDirectory, I added a "Computer" entry called "DnsServerApp".
This didn't resolve the issue, but changed it.  Now I get in the log:

[2017/05/11 12:23:29.195608,  3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/05/11 12:23:29.199719,  1] ../source4/auth/gensec/gensec_gssapi.c:622(gensec_gssapi_update)
  GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC01$@RVX.IS(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (arcfour-hmac-md5)
[2017/05/11 12:23:29.199832,  1] ../auth/gensec/spnego.c:545(gensec_spnego_parse_negTokenInit)
  SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2017/05/11 12:23:29.199925,  2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_LOGON_FAILURE

The DC is called dc01.rvx.is.
Curiously, even after I removed the AD "computer" entry DnsServerApp, I still get the above, second, error in the log.

I'm relatively new to both Samba and AD configuration, but having failed to find any reference to the above problems on the net, I think they may be due to some internal database corruption or other such things.  Any thoughts?

Kv,
Kristján Valur Jónsson |CTA | RVX
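
Added example (not part of the original post, and not Samba project code): a small Python triage script that pairs each Samba log header with its indented message line and extracts the two Kerberos failures quoted above, the unknown service principal and the keytab lookup miss. The sample input is constructed from the log excerpts in the post; the function names and regular expressions are this example's own assumptions about the log layout shown there.

```python
import re

# Constructed sample: lines copied from the log excerpts in the post above.
SAMPLE = """\
[2017/05/11 07:25:30.414141,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: DnsServerApp@xxxxxx: No such entry in the database
[2017/05/11 12:23:29.199719,  1] ../source4/auth/gensec/gensec_gssapi.c:622(gensec_gssapi_update)
  GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC01$@RVX.IS(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (arcfour-hmac-md5)
[2017/05/11 12:23:29.199925,  2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)
  SPNEGO login failed: NT_STATUS_LOGON_FAILURE
"""

# Header layout assumed from the excerpts: [timestamp, level] source:line(function)
HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+)\]\s+(?P<src>\S+)\((?P<func>\w+)\)\s*$")
UNKNOWN_SPN = re.compile(r"Server not found in database: (?P<principal>\S+?): ")
KEYTAB_MISS = re.compile(
    r"Failed to find (?P<principal>\S+?)\(kvno (?P<kvno>\d+)\) "
    r"in keytab (?P<keytab>\S+) \((?P<enctype>[^)]+)\)")


def parse_records(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "level": int(m["level"]), "msg": ""})
        elif records and line.startswith(" "):
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records


def kerberos_failures(records):
    """Return one finding per record reporting an unknown SPN or a keytab key miss."""
    findings = []
    for r in records:
        for kind, rx in (("unknown_spn", UNKNOWN_SPN), ("keytab_miss", KEYTAB_MISS)):
            m = rx.search(r["msg"])
            if m:
                findings.append({"kind": kind, "ts": r["ts"], **m.groupdict()})
    return findings


if __name__ == "__main__":
    for finding in kerberos_failures(parse_records(SAMPLE)):
        print(finding)
```

The keytab finding carries the principal, key version number and encryption type from the log line, which are the values to compare against what the keytab named in the message actually holds.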
