Re: [Samba] Dynamic DNS Update Error GSS failure




On Sun, 7 Jan 2018 23:02:20 +0100
Ronny Preiss via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi @ all,
> 
> I try to update the DNS records from my DHCP Clients to my AD DC but
> there is an issue with the GSSAPI I don't know how to solve.
> 
> For this I followed this guide.
> 
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> 
> GSSAPI Error:
> 
> start_gssrequest
> tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
> Minor code may provide more information, Minor = No credentials found
> with supported encryption types (filename: /tmp/dhcp-dyndns.cc).
> 
> Here is my keytab file:
> 
> ktutil -k /etc/dhcpduser.keytab list
> 
> /etc/dhcpduser.keytab:
> 
> Vno  Type                     Principal                Aliases
>   2  aes256-cts-hmac-sha1-96  dhcpduser@xxxxxxxxxxxxx
>   2  aes128-cts-hmac-sha1-96  dhcpduser@xxxxxxxxxxxxx
>   2  arcfour-hmac-md5         dhcpduser@xxxxxxxxxxxxx
>   2  des-cbc-md5              dhcpduser@xxxxxxxxxxxxx
>   2  des-cbc-crc              dhcpduser@xxxxxxxxxxxxx

Don't you mean 'klist -e -k /etc/dhcpduser.keytab'?

If so, it should show something like this:

Keytab name: FILE:/etc/dhcpduser.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dhcpduser@xxxxxxxxxxxxxxxxxx (aes256-cts-hmac-sha1-96) 
   1 dhcpduser@xxxxxxxxxxxxxxxxxx (aes128-cts-hmac-sha1-96) 
   1 dhcpduser@xxxxxxxxxxxxxxxxxx (arcfour-hmac) 
   1 dhcpduser@xxxxxxxxxxxxxxxxxx (des-cbc-md5) 
   1 dhcpduser@xxxxxxxxxxxxxxxxxx (des-cbc-crc) 

> 
> System Information
> 
> - Raspberry Pi 3 Model B
> - Raspbian Stretch
> - Samba Version 4.7.4
> - BIND Version 9.11.2
> - BIND9 built by
> 
> make '--prefix' '/usr/local/bind9' '--enable-shared'
>    '--enable-static' '--with-openssl=/usr'
>    '--with-gssapi=/usr/include/gssapi' '--with-libtool'
>    '--with-dlopen=yes' '--enable-threads' '--enable-largefile'
>    '--with-gnu-ld' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing'
>    'CFLAGS=-DDIG_SIGCHASE' 'CFLAGS=-O2'

There is no need to build Bind on stretch, just use the Debian package,
also '--with-dlopen' is now built in, the setting no longer exists.

> 
> bind9 named.conf https://pastebin.com/HW88rwbe

Yes, but what is in:

/etc/bind/named.conf.options
/etc/bind/named.conf.local
/etc/bind/named.conf.default-zones

> samba named.conf https://pastebin.com/zi7Fm27T

Nothing wrong there.

> samba smb.conf https://pastebin.com/i1fmj56T

Nothing wrong there either.

> If more information needed, feel free and ask me, I'll do my best to
> provide them.

Post what is in /etc/hostname, /etc/hosts, /etc/resolv.conf
and /etc/krb5.conf.

Rowland
 

