Re: [Samba] Samba AD DC + external DHCP + BIND9_DLZ dynamic dns updates doesn't work for domain members.
- Date: Wed, 17 Oct 2018 07:10:15 +1300
- From: Andrew Bartlett via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] Samba AD DC + external DHCP + BIND9_DLZ dynamic dns updates doesn't work for domain members.
On Tue, 2018-10-16 at 18:52 +0100, Rowland Penny via samba wrote:
> On Tue, 16 Oct 2018 19:37:21 +0200
> "Zuzanna K. Filutowska via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> > On Tue, 16.10.2018 at 18:25 +0100, user Rowland Penny via samba
> > wrote:
> > > On Tue, 16 Oct 2018 18:47:30 +0200
> > > "Zuzanna K. Filutowska via samba" <samba@xxxxxxxxxxxxxxx> wrote:
> > >
> > > > Dear All,
> > > >
> > > > I have a setup with Samba acting as Active Directory domain
> > > > controller; DNS updates are done via BIND DLZ. I have recompiled
> > > > it to allow SPNEGO. The DHCP server is external; no changes in it are
> > > > possible. Domain members try to register in the DNS and the KDC is
> > > > aware of them; however, no DNS entries for them are created and BIND
> > > > returns errors. Any hints are welcome since I really need it
> > > > working. Thank you in advance.
> > > >
> > > > samba log:
> > > > samba version 4.8.5 started.
> > > > Copyright Andrew Tridgell and the Samba Team 1992-2018
> > > > [2018/10/16 18:29:56.934115,  0] ../source4/smbd/server.c:638(binary_smbd_main)
> > > >   binary_smbd_main: samba: using 'standard' process model
> > > > [2018/10/16 18:29:57.251109,  0] ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> > > >   /usr/sbin/krb5kdc: krb5kdc: starting...
> > > >
> > >
> > > Is this on a Red Hat OS using MIT for Samba?
> > > If so, I suggest you recompile Samba to use Heimdal instead. There
> > > are numerous limitations with using MIT; because of these, using
> > > MIT is still considered experimental.
> > It is Fedora Server and it uses MIT, these are default packages that
> > come with the system.
> I would suggest you file a bug on Fedora. Whilst you can provision an
> AD DC with the Fedora packages, there are several problems that make
> them unsuitable in production (Computer GPOs not applying, for
> instance) and it looks like you may possibly have found another problem.
Specifically, the MIT Kerberos client libraries enforce replay
prevention via a replay cache. Samba's DLZ processes the Kerberos
ticket for a second time to get the PAC and so has a deliberate replay.
This is what fails.
Patches would need to be written that would ensure this replay is
permitted, in this situation. Not hard, but also not 'production
ready' I'm sorry to say.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
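To make the replay-cache explanation above concrete, here is an added toy model; it is not Samba, BIND or MIT krb5 code. It models a Kerberos replay cache that remembers each authenticator for the clock-skew window, and the two-pass processing from the thread: pass one is named accepting the GSS-TSIG context for the update, pass two is the DLZ module processing the same ticket again to read the PAC. With one shared cache, the second pass is by construction a replay and is refused with the real Kerberos error KRB_AP_ERR_REPEAT. The principal names, timestamps and authenticator bytes are constructed, and the `check_replay` switch on the second pass only stands in for the kind of targeted patch the reply says would be needed; it is not a real Samba or MIT option.

```python
# Added illustration of the replay-cache behaviour described in the thread.
# This is a toy model, not Samba, BIND or MIT krb5 code.
import hashlib
from dataclasses import dataclass

CLOCK_SKEW = 300  # seconds; MIT krb5's default clockskew

# Real Kerberos error name (RFC 4120, error code 34): "Request is a replay".
KRB_AP_ERR_REPEAT = "KRB_AP_ERR_REPEAT"


@dataclass(frozen=True)
class Authenticator:
    """The fields of an AP-REQ authenticator that matter for replay detection."""
    client: str       # client principal (constructed)
    server: str       # service principal (constructed)
    ctime: int        # client timestamp, seconds since epoch
    cusec: int        # microsecond part of the timestamp
    body: bytes       # constructed stand-in for the rest of the authenticator


class ReplayCache:
    """In-memory model of an rcache: remembers each authenticator for the skew window."""

    def __init__(self, skew=CLOCK_SKEW):
        self.skew = skew
        self._seen = {}  # key -> ctime, kept so old entries can be expired

    @staticmethod
    def _key(auth):
        # MIT keys on a hash of the authenticator together with client, server
        # and timestamp; the exact layout does not matter for the model.
        digest = hashlib.sha256(
            auth.client.encode() + b"\0" + auth.server.encode() + b"\0" + auth.body
        ).hexdigest()
        return (digest, auth.ctime, auth.cusec)

    def _expire(self, now):
        # Entries older than the skew window can be dropped: a replay of them
        # is rejected by the timestamp check in store() anyway.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= self.skew}

    def store(self, auth, now):
        """Return True if the authenticator is new, False if it is a replay."""
        if abs(now - auth.ctime) > self.skew:
            raise ValueError("KRB_AP_ERR_SKEW: clock skew too great")
        self._expire(now)
        key = self._key(auth)
        if key in self._seen:
            return False
        self._seen[key] = auth.ctime
        return True


class Acceptor:
    """Acceptor side of a GSSAPI context (what named does for a GSS-TSIG update)."""

    def __init__(self, rcache):
        self.rcache = rcache

    def accept(self, auth, now, check_replay=True):
        if check_replay and not self.rcache.store(auth, now):
            return KRB_AP_ERR_REPEAT
        return "OK"


def dlz_update_sequence(check_replay_on_pac_pass=True):
    """Model the two-pass processing from the thread.

    Pass 1: named accepts the GSS-TSIG context for the dynamic update.
    Pass 2: Samba's DLZ module processes the same ticket again to read the PAC.
    With a shared replay cache the second pass is, by construction, a replay.
    """
    acceptor = Acceptor(ReplayCache())
    now = 1539700000  # constructed timestamp
    auth = Authenticator(
        client="HOST1$@EXAMPLE.COM",
        server="DNS/dc1.example.com@EXAMPLE.COM",
        ctime=now,
        cusec=123456,
        body=b"constructed authenticator bytes",
    )
    first = acceptor.accept(auth, now)
    # check_replay=False stands in for a patch that lets this one pass bypass
    # the cache; it is a model switch, not a Samba or MIT option.
    second = acceptor.accept(auth, now + 1, check_replay=check_replay_on_pac_pass)
    return first, second


if __name__ == "__main__":
    print(dlz_update_sequence())                                # ('OK', 'KRB_AP_ERR_REPEAT')
    print(dlz_update_sequence(check_replay_on_pac_pass=False))  # ('OK', 'OK')
```

One caveat for anyone tempted by a quick workaround: MIT krb5 does allow the replay cache to be switched off for a process with the KRB5RCACHETYPE=none environment variable, but doing that for named removes replay protection for every GSS-TSIG update it accepts, which is a far broader change than the targeted "permit this one replay" patch described above.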