
Re: [Samba] after DCs migration to 4.7, two things




On Tue, 7 Nov 2017 21:07:21 +0100
lists via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi Marc,
> 
> Thanks for your reply!
> 
> > Check if your dynamic DNS works. For details and troubleshooting,
> > see: https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates
> 
> I'm not sure about the "--all-names" option, but the regular 
> "samba_dnsupdate --verbose" updated all dns records for all DCs
> shortly after I joined them.
> 
> The problematic dns records here are workstations, trying to add a 
> dynamic dns record.
> 
> I took a look with the Microsoft DNS tool, and noticed that the
> current workstation dns records are listed with timestamp 'static'.
> As I come from samba 4.5 with internal dns, perhaps this is the way
> samba adds them..?
> 
> So I removed both A/AAAA for the p002507 dns entry, and ran on the 
> windows p002507 workstation: "ipconfig /registerdns"
> suddenly it worked: A new dns record appeared, now with timestamp 
> "7-11-2017 20:00:00", both A and AAAA records. And they are renewed 
> every hour, I noticed.
> 
> As I don't think we require dns of our domain clients, I am now
> thinking to simply delete all regular workstation "static" dns
> records, to allow them to be recreated automatically using
> bind9_dlz.
> 
> This seems kind of drastic... Would doing this have unforeseen 
> side-effects I should take into consideration?

I think what happened here was that the records had been created by
something else and were not owned by the computer, so the update was
refused. After deletion, the computer created the records again, and as
the computer now 'owns' the records, it can now update them.

> 
> And anyone on my second issue, on
> > [2017/11/07 18:23:25.114429,
> > 1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
> > GSS server Update(krb5)(1) Update failed:  Miscellaneous failure
> > (see text): Failed to find DC4$@SAMBA.COMPANY.COM(kvno 1) in keytab
> > FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
> > [2017/11/07 18:23:25.114456,
> > 1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
> > SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE 
> 
> That one worries me a bit more than the DNS thing...
> 

It seems that something is looking for 'key version number 1' (kvno 1)
but the klist you posted shows kvno 2.

Rowland
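
The comparison made in the reply above (the kvno named in the log error against the kvno listed for the keytab), as an added example that is not part of the original thread. The log text is the one quoted in the thread; the keytab listing is constructed in the layout of MIT `klist -k -e` and is not the poster's real output, and the function names are hypothetical.

```python
import re

# Error text from the log quoted in the thread, joined onto one line.
LOG = ("GSS server Update(krb5)(1) Update failed:  Miscellaneous failure "
       "(see text): Failed to find DC4$@SAMBA.COMPANY.COM(kvno 1) in keytab "
       "FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)")

# Constructed sample in the layout of `klist -k -e` (assumption, not real output).
KLIST = """\
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 DC4$@SAMBA.COMPANY.COM (arcfour-hmac)
   2 DC4$@SAMBA.COMPANY.COM (aes256-cts-hmac-sha1-96)
"""

MISSING = re.compile(r"Failed to find (\S+?)\(kvno (\d+)\) in keytab (\S+) \(([^)]+)\)")
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def parse_missing_key(log_text):
    """Return (principal, kvno, keytab, enctype) for each failed keytab lookup."""
    return [(p, int(k), kt, e) for p, k, kt, e in MISSING.findall(log_text)]

def parse_keytab_listing(listing):
    """Map principal -> {kvno: [enctypes]}; header lines do not match ENTRY."""
    keys = {}
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if m:
            keys.setdefault(m.group(2), {}).setdefault(int(m.group(1)), []).append(m.group(3))
    return keys

def diagnose(log_text, listing):
    """Compare every key the log asked for with what the keytab listing holds."""
    keys = parse_keytab_listing(listing)
    findings = []
    for principal, kvno, keytab, enctype in parse_missing_key(log_text):
        have = sorted(keys.get(principal, {}))
        if not have:
            verdict = "principal not in keytab listing"
        elif kvno in have:
            verdict = "kvno present: compare enctype " + enctype
        else:
            verdict = "kvno mismatch: requested key version is not in the keytab"
        findings.append({"principal": principal, "requested": kvno, "in_keytab": have, "verdict": verdict})
    return findings

if __name__ == "__main__":
    print(diagnose(LOG, KLIST))
```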


