[Samba] after DCs migration to 4.7, two things

Hi,

I migrated our DCs from 4.5/internal dns to 4.7.1/bind9_dlz. Short summary of the steps taken:

- added a new temp dc,
- removed the old DCs
- cleaned sam database
- installed new DCs, with their old dns/ip
- removed the temp dc again
- synced sysvol

and all is looking well: no db errors, no replication issues, ldapcmp matches across DCs, etc.

So, I took things to production today, and now I see two things that I would like some feedback on:

Bind complains:
Nov 07 18:20:28 dc4 named[19990]: samba_dlz: disallowing update of signer=p002507\$\@SAMBA.DOMAIN.COM name=P002507.samba.domain.com type=AAAA error=insufficient access rights
Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#57335/key p002507\$\@SAMBA.DOMAIN.COM: updating zone 'samba.domain.com/NONE': update failed: rejected by secure update (REFUSED)
Nov 07 18:20:28 dc4 named[19990]: samba_dlz: cancelling transaction on zone samba.domain.com
Nov 07 18:20:28 dc4 named[19990]: samba_dlz: starting transaction on zone samba.domain.com
Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#51536: update 'samba.domain.com/IN' denied
Nov 07 18:20:28 dc4 named[19990]: samba_dlz: cancelling transaction on zone samba.domain.com
Nov 07 18:20:28 dc4 named[19990]: samba_dlz: starting transaction on zone samba.domain.com
Nov 07 18:20:28 dc4 named[19990]: samba_dlz: disallowing update of signer=p002507\$\@SAMBA.DOMAIN.COM name=P002507.samba.domain.com type=AAAA error=insufficient access rights
Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#59032/key p002507\$\@SAMBA.DOMAIN.COM: updating zone 'samba.domain.com/NONE': update failed: rejected by secure update (REFUSED)
Nov 07 18:20:28 dc4 named[19990]: samba_dlz: cancelling transaction on zone samba.domain.com

Since this seems to be only about AAAA records... should I do something to disable ipv6 perhaps..? It happens for many of our workstations.

A second (and perhaps more serious?) issue:

On all four DCs, we're seeing in log.smbd:
[2017/11/07 18:23:25.114429,  1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC4$@SAMBA.COMPANY.COM(kvno 1) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
[2017/11/07 18:23:25.114456,  1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
  SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
[2017/11/07 18:30:02.741596,  1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
  GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC4$@SAMBA.COMPANY.COM(kvno 1) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
[2017/11/07 18:30:02.741629,  1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
  SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE

The message is always about the local DC account, so DC4$ on dc4, DC3$ on dc3, DC2$ on dc2. Permissions on /var/lib/samba/private/secrets.keytab are 600, root:root.

I guess this is relevant:
root@dc3:/var/log/samba# klist -ek /var/lib/samba/private/secrets.keytab
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 HOST/dc3@xxxxxxxxxxxxxxxxx (des-cbc-crc)
   2 HOST/dc3.SAMBA.COMPANY.COM@xxxxxxxxxxxxxxxxx (des-cbc-crc)
   2 DC3$@SAMBA.COMPANY.COM (des-cbc-crc)
   2 HOST/dc3@xxxxxxxxxxxxxxxxx (des-cbc-md5)
   2 HOST/dc3.SAMBA.COMPANY.COM@xxxxxxxxxxxxxxxxx (des-cbc-md5)
   2 DC3$@SAMBA.COMPANY.COM (des-cbc-md5)
   2 HOST/dc3@xxxxxxxxxxxxxxxxx (arcfour-hmac)
   2 HOST/dc3.SAMBA.COMPANY.COM@xxxxxxxxxxxxxxxxx (arcfour-hmac)
   2 DC3$@SAMBA.COMPANY.COM (arcfour-hmac)
   2 HOST/dc3@xxxxxxxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   2 HOST/dc3.SAMBA.COMPANY.COM@xxxxxxxxxxxxxxxxx (aes128-cts-hmac-sha1-96)
   2 DC3$@SAMBA.COMPANY.COM (aes128-cts-hmac-sha1-96)
   2 HOST/dc3@xxxxxxxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   2 HOST/dc3.SAMBA.COMPANY.COM@xxxxxxxxxxxxxxxxx (aes256-cts-hmac-sha1-96)
   2 DC3$@SAMBA.COMPANY.COM (aes256-cts-hmac-sha1-96)

The smb.conf on the DCs is basically as generated by the samba-tool domain join, with only some minor additions:

root@dc4:/var/lib/samba/private# cat /etc/samba/smb.conf
# Global parameters
[global]
	netbios name = DC4
	realm = SAMBA.COMPANY.COM
	server role = active directory domain controller
#	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	server services = -dns
	workgroup = WRKGRP

	idmap_ldb:use rfc2307 = yes
	ldap server require strong auth = no
	ntlm auth = mschapv2-and-ntlmv2-only
	log level = 1 auth_audit:3

[netlogon]
	path = /var/lib/samba/sysvol/samba.company.com/scripts
	read only = No

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

Suggestions would be appreciated!

MJ
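As an added example (not code from the post or from Samba), here is a small Python triage script for both symptoms described above: it tallies the samba_dlz refusals by record type and by signing key, to confirm whether only AAAA updates are being rejected, and it compares the kvno that smbd says it needs (1) against the kvnos actually present in secrets.keytab (2, per klist). The named lines, the smbd line and the klist excerpt are constructed from the post's output; the DC4$ keytab entries are assumed to look like the DC3$ ones shown.

```python
import re
from collections import Counter

# Constructed samples modelled on the post's lines (not the original logs): two
# samba_dlz refusals, the smbd keytab error, and a klist -ek excerpt for DC4$.
NAMED_LOG = r"""Nov 07 18:20:28 dc4 named[19990]: samba_dlz: disallowing update of signer=p002507\$\@SAMBA.DOMAIN.COM name=P002507.samba.domain.com type=AAAA error=insufficient access rights
Nov 07 18:20:28 dc4 named[19990]: samba_dlz: disallowing update of signer=p002508\$\@SAMBA.DOMAIN.COM name=P002508.samba.domain.com type=AAAA error=insufficient access rights
Nov 07 18:20:29 dc4 named[19990]: samba_dlz: disallowing update of signer=p002508\$\@SAMBA.DOMAIN.COM name=P002508.samba.domain.com type=A error=insufficient access rights
"""
SMBD_LOG = """\
  GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC4$@SAMBA.COMPANY.COM(kvno 1) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
"""
KLIST_OUT = """\
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- ----------------------------------------------------
   2 DC4$@SAMBA.COMPANY.COM (arcfour-hmac)
   2 DC4$@SAMBA.COMPANY.COM (aes256-cts-hmac-sha1-96)
"""

DENY_RE = re.compile(r"samba_dlz: disallowing update of signer=(\S+) name=(\S+) type=(\S+) error=(.*)$", re.M)
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$", re.M)
FAIL_RE = re.compile(r"Failed to find (\S+)\(kvno (\d+)\) in keytab \S+ \((\S+)\)")

def summarize_dns_denials(text):
    """Count refused dynamic updates by record type and by signing key (signer)."""
    by_type, by_signer = Counter(), Counter()
    for signer, _name, rtype, _err in DENY_RE.findall(text):
        by_type[rtype] += 1
        by_signer[signer] += 1
    return by_type, by_signer

def parse_keytab(text):
    """Map principal -> set of kvnos present, from `klist -ek` output."""
    kvnos = {}
    for kvno, principal, _enctype in KEYTAB_RE.findall(text):
        kvnos.setdefault(principal, set()).add(int(kvno))
    return kvnos

def find_kvno_mismatches(log_text, keytab):
    """Return (principal, kvno the ticket needs, kvnos on disk) per failing lookup.
    A needed kvno below every kvno on disk usually means the ticket was issued
    under an older machine-account key than the keytab now holds."""
    out = []
    for principal, wanted, _enctype in FAIL_RE.findall(log_text):
        have = sorted(keytab.get(principal, ()))
        if int(wanted) not in have:
            out.append((principal, int(wanted), have))
    return out
```

Run it against the real /var/log/syslog (or the named log) and log.smbd, plus the output of `klist -ek /var/lib/samba/private/secrets.keytab`, to see whether the refusals really are AAAA-only and which DC principals are being asked for a key version the keytab no longer holds.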
