Web lists-archives.com

Re: [Samba] Samba with Mit-krb5, update ddns fails




I can reproduce this behavior using Samba 4.7.0. This also affects
samba_dnsupdate.
If have filed a bug (https://bugzilla.samba.org/show_bug.cgi?id=13066).


luckydog xf via samba <samba@xxxxxxxxxxxxxxx> schrieb am Fr., 29. Sep. 2017
um 11:13 Uhr:

> hi,
>   I built samba v4.7.0 with Mit-krb5-1.15.2-x86-64( and also  tried with
> Mit-krb5-1.15.1-x86-86), everything works fine.
>
>  But when client windows7 joins AD, a new DNS A record should be added into
> DNS(Bind), but it fails.
>
> I test via administrator and its ticket.
> ====================================
> [root@pdc samba]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator@xxxxxxxxxx
>
> Valid starting       Expires              Service principal
> 09/29/2017 16:05:25  09/30/2017 02:05:25  krbtgt/AD.PTHL.HK@xxxxxxxxxx
>         renew until 09/30/2017 16:05:15
> 09/29/2017 16:05:37  09/30/2017 02:05:25  DNS/pdc.ad.pthl.hk@xxxxxxxxxx
>         renew until 09/30/2017 16:05:15
> =====================================
>
> and run
> =================================
> nsupdate -g -d -L 9 -v<< UPDATE
> server pdc.ad.pthl.hk
> realm AD.PTHL.HK <http://ad.pthl.hk/>
> update add test.ad.pthl.hk 3600 A 172.16.232.199
> send
> UPDATE
>
> ========================
>
> Here is /var/log/message:
>
> Sep 29 16:34:42 pdc named[1332]: samba_dlz: starting transaction on zone
> ad.pthl.hk
> Sep 29 16:34:42 pdc named[1332]: samba_dlz: GSS server Update(krb5)(1)
> Update failed: Unspecified GSS failure.  Minor code may provide more
> information: Request is a replay
> Sep 29 16:34:42 pdc named[1332]: samba_dlz: spnego update failed
> Sep 29 16:34:42 pdc named[1332]: client 172.16.232.204#43318/key
> administrator\@AD.PTHL.HK <http://ad.pthl.hk/>: updating zone '
> ad.pthl.hk/NONE': update failed: rejected by secure update (REFUSED)
> Sep 29 16:34:42 pdc named[1332]: samba_dlz: cancelling transaction on zone
> ad.pthl.hk
>
> =================================================
>
> The same thing is done without any error by Samba V4.7.0 with build-in
> Heimedal-Krb5. So I guess there is something wrong with samba and mit-krb5.
>
> Can someone offer me any suggestion?
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba