Web lists-archives.com

Re: [Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed




On Mon, 04 Dec 2017 15:34:37 +0100
Dario Lesca via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Il giorno lun, 04/12/2017 alle 12.07 +0000, Rowland Penny via samba ha
> scritto:
> > Is the DHCP server updating the records for you ?
> 
> Yes, but for now the problem is not dhcp (see follow)
> 
> > If so, you need to stop the windows clients trying to update their
> > own records, they don't own them.
> 
> I have the problem when join to domani via samba on another server, or
> when I run samba_dnsupdate  --all-name 
> 
> Now I have do this test:
> 
> I have save the machine status with a snapshot.
> Then I have reload a snapshot done before deploy samba AD DC.
> Then, On A fresh Fedora 27 server up to date I have
> Stop selinux, restart and run this command:
> 
> + dnf install samba-client samba-dc samba-winbind attr acl krb5-
> workstation tdb-tools samba-winbind-clients python bind bind-utils
> samba-dc-bind-dlz
> 
> + test '!' -e /etc/krb5.conf.orig
> + test -e /etc/krb5.conf
> + test '!' -e /etc/samba/smb.conf.orig
> + test -e /etc/samba/smb.conf
> 
> + samba-tool domain provision --realm=dogma-to.loc --domain=dogma-to
> --dns-backend=BIND9_DLZ --use-rfc2307 --server-role=dc
> --function-level=2008_R2 --adminpass=P@ssw0rd
> 
> Open the all port needed
> 
> cp -a /var/lib/samba/private/krb5.conf /etc/krb5.conf
> 
> Add this to the [global] of new smb.conf
>  template shell = /bin/bash
>  template homedir = /home/%U
> 
> Add "winbind" string to passwd, shadow and group of /etc/nsswitch.conf
> 
> Edit the /etc/named.conf and add
>     listen-on port 53 { 127.0.0.1; 192.168.41.1; };
>     allow-query     { localhost; 191.168.41.0/24; };
>     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> 
> and at the end 
>     include "/var/lib/samba/bind-dns/named.conf";
> 
> without modify any other
> 
> Start and enable named
>     systemctl enable named
>     systemctl restart named
> 
> Point dns to my IP 192.168.41.1 and restart network
> 
> # Start samba
>     systemctl enable samba
>     systemctl restart samba.service
> 
> test some resolver ...
> 
>     host $(hostname)
>     host -t SRV _ldap._tcp.$(hostname -d)
> 
> try access to server
> 
>     smbclient -L $(hostname)     -Uadministrator%P@aaw0rd
> 
> Try add a dns record ...
> 
> At this point All work fine
> 
> Then I try 
> 
>     samba_dnsupdate --verbose  --all-names --fail-immediately
> 
> And the problem persist:
> 
>     update failed: REFUSED
>     Failed update with /tmp/tmpmRYs8r
>     dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: samba_dlz:
> starting transaction on zone dogma-to.loc dic 04 15:20:21
> server-addc.dogma-to.loc named[2269]: client @0x7f06840c6f20
> 192.168.41.1#26896: update 'dogma-to.loc/IN' denied dic 04 15:20:21
> server-addc.dogma-to.loc named[2269]: samba_dlz: cancelling
> transaction on zone dogma-to.loc
> 
> The problem is when the tools try execute this command:
> 
>     cat /tmp/tmpmRYs8r | nsupdate
> 
>     [    root@server-addc     ~]# cat /tmp/tmpmRYs8r
>     server server-addc.dogma-to.loc
>     update add server-addc.dogma-to.loc. 900 A 192.168.41.1
>     show
>     send
> 
> seem that nsupdate cannot update dns
> 
> I have add "debug" and remove "show" directive from this file
> 
>     [    root@server-addc     ~]# cat /tmp/tmpmRYs8r
>     debug
>     server server-addc.dogma-to.loc
>     update add server-addc.dogma-to.loc. 900 A 192.168.41.1
>     send
> 
> the rerun it:
> 
>     [    root@server-addc     ~]# cat /tmp/tmpmRYs8r|nsupdate 
>     Reply from SOA query:
>     ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  16228
>     ;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1,
> ADDITIONAL: 0 ;; QUESTION SECTION:
>     ;server-addc.dogma-to.loc.      IN      SOA
> 
>     ;; AUTHORITY SECTION:
>     dogma-to.loc.           3600    IN      SOA
> server-addc.dogma-to.loc. hostmaster.dogma-to.loc. 1 900 600 86400
> 3600
> 
>     Found zone name: dogma-to.loc
>     The master is: server-addc.dogma-to.loc
>     Sending update to 192.168.41.1#53
>     Outgoing update query:
>     ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  37799
>     ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
>     ;; UPDATE SECTION:
>     server-addc.dogma-to.loc. 900   IN      A       192.168.41.1
> 
> 
>     Reply from update query:
>     ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  37799
>     ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>     ;; ZONE SECTION:
>     ;dogma-to.loc.                  IN      SOA
> 
>     dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: samba_dlz:
> starting transaction on zone dogma-to.loc dic 04 15:26:14
> server-addc.dogma-to.loc named[2269]: client @0x7f06840c6f20
> 192.168.41.1#39052: update 'dogma-to.loc/IN' denied dic 04 15:26:14
> server-addc.dogma-to.loc named[2269]: samba_dlz: cancelling
> transaction on zone dogma-to.loc
> 
> Some error
> 
> Someone have some suggest?
> 
> Many thanks
> 
> 

If you are using the script found here:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

Then the records DO NOT belong to the computers, so they cannot update
them. I am also very sure that there are log records that show the
records are being updated by dhcpduser.

The cure is to STOP your windows clients trying to update their own
records.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba