
Re: [Samba] samba_dnsupdate REFUSED between Samba4 AD DC and Win 2008r2

On 29/11/2018 13:05, Rowland Penny via samba wrote:
> On Thu, 29 Nov 2018 12:30:28 +0100
> Giacomo Gorgellino via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
>> ; TSIG error with server: tsig verify failure
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Failed update of 1 entries
>>
>> Any hints?
>
> Start by reading this:
>
> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
>
> Rowland

Thanks for pointing that out. TKEY seems to get received by the remote DNS:

Here are the related logs on Windows DNS side:

29/11/2018 12:03:17 0CCC PACKET  0000000004E5AD10 TCP Rcv 10.0.16.25      ccd3   Q [0000       NOERROR] TKEY (10)2105411177(19)sig-mywindc01(7)MYDOMAIN(3)com(0)
29/11/2018 12:03:17 1378 PACKET  0000000004E5AD10 TCP Snd 10.0.16.25      ccd3 R Q [0080       NOERROR] TKEY (10)2105411177(19)sig-mywindc01(7)MYDOMAIN(3)com(0)

I didn't find the dns.keytab file:

find / -iname *.keytab
/var/lib/samba/private/secrets.keytab

Because I'm already using SAMBA_INTERNAL as dns backend I've tried to switch to BIND9 and back again to INTERNAL.

root@mysamba4dc:~# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/private/dns/MYDOMAIN.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-mysamba4dc.MYDOMAIN.com account
Unable to find group id for BIND,
                set permissions to sam.ldb* files manually
BIND version unknown, please modify /var/lib/samba/private/named.conf manually. See /var/lib/samba/private/named.conf for an example configuration include file for BIND and /var/lib/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
You have switched to using BIND9_DLZ as your dns backend, but still have the internal dns starting. Please make sure you add '-dns' to your server services line in your smb.conf.

root@mysamba4dc:~# samba_upgradedns --dns-backend=SAMBA_INTERNAL
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/private/dns/MYDOMAIN.COM.zone
DNS records will be automatically created
DNS partitions already exist
Finished upgrading DNS
root@mysamba4dc:~# find / -iname *.keytab
/var/lib/samba/private/secrets.keytab
/var/lib/samba/private/dns.keytab

Now I can list my dns key:

root@mysamba4dc:~# klist -k /var/lib/samba/private/dns.keytab
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dns-mysamba4dc.MYDOMAIN.com@xxxxxxxxxxxx
   1 DNS/mysamba4dc.mydomain.com@xxxxxxxxxxxx
   1 dns-mysamba4dc.MYDOMAIN.com@xxxxxxxxxxxx
   1 DNS/mysamba4dc.mydomain.com@xxxxxxxxxxxx
   1 dns-mysamba4dc.MYDOMAIN.com@xxxxxxxxxxxx
   1 DNS/mysamba4dc.mydomain.com@xxxxxxxxxxxx
   1 dns-mysamba4dc.MYDOMAIN.com@xxxxxxxxxxxx
   1 DNS/mysamba4dc.mydomain.com@xxxxxxxxxxxx
   1 dns-mysamba4dc.MYDOMAIN.com@xxxxxxxxxxxx

And krb5.conf is world readable

-rw-r--r-- 1 root root 101 Nov  9 11:37 /etc/krb5.conf

but samba_dnsupdate is failing again:

update failed: REFUSED

G.
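An added example, not from the thread or from Samba: a parser for Windows DNS debug-log PACKET records like the two pasted above that splits records run together on one line, decodes the (len)label name notation and pairs each query with its response by transaction id, so a TKEY negotiation answered NOERROR can be told apart from a later update the server REFUSED. The record layout is inferred from the pasted lines, and the refused update exchange in the sample is constructed.

```python
import re

# Added example (not from the thread): parse Windows DNS debug-log PACKET records
# and pair query with response by transaction id. The field layout is inferred
# from the two records pasted in the thread; it is an assumption, not a published spec.
RECORD_RE = re.compile(
    r"(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<thread>[0-9A-Fa-f]+) "
    r"PACKET\s+(?P<ptr>[0-9A-Fa-f]+) (?P<proto>TCP|UDP) (?P<dir>Snd|Rcv) (?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]{4})\s+(?P<resp>R)?\s*(?P<op>[QNU?])\s+"
    r"\[(?P<flags>[0-9A-Fa-f]{4})\s+(?P<rcode>[A-Z]+)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)"
)
# Records begin with a timestamp; several may be run together on one line (as pasted).
SPLIT_RE = re.compile(r"(?=\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [0-9A-Fa-f]+ PACKET)")
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")

# Constructed sample: the two TKEY records from the thread as pasted (run together),
# plus a made-up follow-on dynamic update exchange that the server refuses.
SAMPLE = (
    "29/11/2018 12:03:17 0CCC PACKET  0000000004E5AD10 TCP Rcv 10.0.16.25      ccd3   Q [0000       NOERROR] TKEY (10)2105411177(19)sig-mywindc01(7)MYDOMAIN(3)com(0) "
    "29/11/2018 12:03:17 1378 PACKET  0000000004E5AD10 TCP Snd 10.0.16.25      ccd3 R Q [0080       NOERROR] TKEY (10)2105411177(19)sig-mywindc01(7)MYDOMAIN(3)com(0)\n"
    "29/11/2018 12:03:18 0CCC PACKET  0000000004E5AD10 TCP Rcv 10.0.16.25      ccd4   U [0028       NOERROR] SOA (8)MYDOMAIN(3)com(0)\n"
    "29/11/2018 12:03:18 1378 PACKET  0000000004E5AD10 TCP Snd 10.0.16.25      ccd4 R U [8085       REFUSED] SOA (8)MYDOMAIN(3)com(0)\n"
)


def decode_name(encoded):
    """Turn (len)label...(0) notation into a dotted name, and report whether every
    declared length matches the label present (a mismatch usually means the
    operator redacted host or domain names before posting the log)."""
    labels = [(int(n), lbl) for n, lbl in LABEL_RE.findall(encoded) if int(n) != 0]
    return ".".join(lbl for _, lbl in labels), all(n == len(lbl) for n, lbl in labels)


def parse_records(text):
    """Split a debug-log blob into PACKET records and parse each one into a dict."""
    out = []
    for m in filter(None, map(RECORD_RE.search, SPLIT_RE.split(text))):
        rec = m.groupdict()
        rec["name"], rec["lengths_ok"] = decode_name(rec["name"])
        rec["is_response"] = rec.pop("resp") == "R"
        out.append(rec)
    return out


def pair_by_xid(records):
    """Group query and response by DNS transaction id; keep the response rcode."""
    pairs = {}
    for r in records:
        p = pairs.setdefault(r["xid"], {"op": r["op"], "qtype": r["qtype"], "name": r["name"],
                                         "peer": r["ip"], "query_seen": False, "response_rcode": None})
        if r["is_response"]:
            p["response_rcode"] = r["rcode"]
        else:
            p["query_seen"] = True
    return pairs
```

Run on the sample, `pair_by_xid(parse_records(SAMPLE))` shows xid ccd3 (TKEY) answered NOERROR and xid ccd4 (update) answered REFUSED, which matches the thread's symptom that the key negotiation succeeds while the signed update is rejected.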



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba