
Re: [Samba] Samba 4.7 DC with BIND9_DLZ and MIT Kerberos fails at DNS Update

Hi Johannes,

On 07.11.2017 at 18:35, Johannes Engel via samba wrote:
> a month ago I have filed bug #13066 about Samba 4.7 DC using BIND9_DLZ
> as DNS backend failing to run samba_dnsupdate using MIT Kerberos. The
> logs show a kerberos error "Request is a replay". Logs attached here:
> https://bugzilla.samba.org/show_bug.cgi?id=13066.
> Since I have not received any feedback on the bug report, I am trying
> this channel if someone has any idea how to fix this.  Thanks a lot in
> advance.

A while ago I tested a git branch from Andreas about moving some
BIND-related files from the private to a separate directory. During
testing I discovered some DNS update problems if the system used MIT
Kerberos. He fixed everything in his branch, and updates worked.

@Andreas: Do you remember if these fixes are all in master/4.7? I can
confirm that dynamic updates fail here on F27 with self-compiled 4.7.1
and latest master (both with MIT).

# smbd -b | grep HAVE_LIBKADM5SRV_MIT

# samba_dnsupdate --verbose --all-names
update failed: REFUSED
Failed nsupdate: 2
update(nsupdate): SRV
DC3.samdom.example.com 389
Calling nsupdate for SRV
DC3.samdom.example.com 389 (add)
Successfully obtained Kerberos ticket to DNS/dc3.samdom.example.com as DC3$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
900 IN SRV	0 100 389 DC3.samdom.example.com.

update failed: REFUSED
Failed nsupdate: 2
Failed update of 29 entries

