[Samba] Custom SAMBA4/OpenChange ZEG appliance

John Russell jb.fresh at gmail.com
Sat Oct 6 20:22:24 MDT 2012


Finally got DNS partially working, the following tests were successful:
host -t SRV _ldap._tcp.example.com.
host -t SRV _kerberos._udp.example.com.
host -t A sogo.example.com.

Still cannot join any windows clients (XP or 7) to the EXAMPLE.COM domain.
Tried provisioning SAMBA with both --dns-backend=BIND9_DLZ and then
--dns-backend=SAMBA_INTERNAL but both return "update failed: REFUSED"

So DNS now seems to be having permission problems?

Attached are outputs from "samba_dnsupdate --verbose --all-names" and the
subsequent "tail /var/log/syslog". Any ideas?

On Fri, Sep 21, 2012 at 4:30 AM, John Russell <jb.fresh at gmail.com> wrote:

> Thought for sure this was a real bug, but you are correct Mr. Bartlett,
> that's just how the SMB protocol works. I verified this with another
> wireshark capture from the same XP machine and a working SAMBA4 appliance
> from Sernet. This second capture also reveals that bind9 is still having
> issues on the SOGo appliance. The host machine registers itself into the
> DNS zone, but will not add client machines when they try to join the
> domain. How do I use the internal DNS service with SAMBA4?
>
>
> On Fri, Sep 21, 2012 at 2:24 AM, Andrew Bartlett <abartlet at samba.org> wrote:
>
>> On Sat, 2012-09-15 at 11:02 -0400, John Russell wrote:
>> > Ran wireshark on the XP client while joining the domain and saw SAM
>> > LOGON request from client and SAM Active Directory Response - user unknown.
>> >
>> > I noticed on the request and the response packets the user name field in
>> > the packet is blank (yes, I am typing the user name and password into
>> > the prompt from the XP machine!).
>> >
>> > Any ideas on what causes this?
>>
>> While an odd feature of the protocol, this is actually a normal
>> successful response to the expected packet.  (Essentially, this is a
>> historical oddity from a time when asking if a server knew about a user
>> over an un-authenticated UDP packet wasn't considered a
>> security/confidentiality issue).
>>
>> --
>> Andrew Bartlett
>> http://samba.org/~abartlet/
>> Authentication Developer, Samba Team           http://samba.org
>>
>>
>>
>
>
> --
> "It's better to be boldly decisive and risk being wrong than to agonize at
> length and be right too late."
> Marilyn Moats Kennedy
>



-- 
"It's better to be boldly decisive and risk being wrong than to agonize at
length and be right too late."
Marilyn Moats Kennedy
-------------- next part --------------
root at sogo:~# samba_dnsupdate --verbose --all-names
IPs: ['fe80::a00:27ff:fef2:b592%eth0', '172.16.1.7']
Calling nsupdate for A example.com 172.16.1.7
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
example.com.            900     IN      A       172.16.1.7

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A sogo.example.com 172.16.1.7
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
sogo.example.com.       900     IN      A       172.16.1.7

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A gc._msdcs.example.com 172.16.1.7
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.example.com.  900     IN      A       172.16.1.7

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for CNAME a6b5369c-1f1d-457e-813a-dcef9ec89f8b._msdcs.example.com sogo.example.com
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
a6b5369c-1f1d-457e-813a-dcef9ec89f8b._msdcs.example.com. 900 IN CNAME sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._tcp.example.com sogo.example.com 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.example.com. 900  IN      SRV     0 100 464 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._udp.example.com sogo.example.com 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.example.com. 900  IN      SRV     0 100 464 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.example.com sogo.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.example.com. 900 IN      SRV     0 100 88 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.example.com sogo.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.example.com. 900 IN SRV 0 100 88 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.example.com sogo.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.example.com. 900 IN SRV 0 100 88 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.example.com sogo.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.example.com. 900 IN SRV 0 100 88 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._udp.example.com sogo.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.example.com. 900 IN      SRV     0 100 88 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.example.com sogo.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.example.com. 900     IN      SRV     0 100 389 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.example.com sogo.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.example.com. 900 IN SRV    0 100 389 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.example.com sogo.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.example.com. 900 IN SRV    0 100 3268 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.example.com sogo.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.pdc._msdcs.example.com. 900 IN SRV   0 100 389 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.example.com sogo.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.example.com. 900 IN SRV 0 100 389 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.example.com sogo.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.dc._msdcs.example.com. 900 IN SRV 0 100 389 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.example.com sogo.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.gc._msdcs.example.com. 900 IN SRV 0 100 3268 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.8ec1f6ca-d95f-412a-8bab-662edeaa8095.domains._msdcs.example.com sogo.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.8ec1f6ca-d95f-412a-8bab-662edeaa8095.domains._msdcs.example.com. 900 IN SRV 0 100 389 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.example.com sogo.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.example.com.   900     IN      SRV     0 100 3268 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.example.com sogo.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.example.com. 900 IN SRV 0 100 3268 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Failed update of 21 entries
-------------- next part --------------
root at sogo:~# tail /var/log/syslog
Oct  6 22:16:43 sogo named[3402]: samba_dlz: cancelling transaction on zone _msdcs.example.com
Oct  6 22:16:43 sogo named[3402]: samba_dlz: starting transaction on zone _msdcs.example.com
Oct  6 22:16:43 sogo named[3402]: client 172.16.1.7#64208: update '_msdcs.example.com/IN' denied
Oct  6 22:16:43 sogo named[3402]: samba_dlz: cancelling transaction on zone _msdcs.example.com
Oct  6 22:16:43 sogo named[3402]: samba_dlz: starting transaction on zone example.com
Oct  6 22:16:43 sogo named[3402]: client 172.16.1.7#37057: update 'example.com/IN' denied
Oct  6 22:16:43 sogo named[3402]: samba_dlz: cancelling transaction on zone example.com
Oct  6 22:16:43 sogo named[3402]: samba_dlz: starting transaction on zone example.com
Oct  6 22:16:43 sogo named[3402]: client 172.16.1.7#62264: update 'example.com/IN' denied
Oct  6 22:16:43 sogo named[3402]: samba_dlz: cancelling transaction on zone example.com
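As an added example (not part of the original thread or of Samba itself), a small Python script that pulls the failed record names out of samba_dnsupdate --verbose output and counts BIND's "update denied" events per client and zone from syslog, so the two attachments above can be correlated; the sample lines are constructed from those attachments.

```python
import re
from collections import Counter

# Constructed sample in the format samba_dnsupdate --verbose emits
# (trimmed from the attachment in the post above).
DNSUPDATE_OUTPUT = """\
Calling nsupdate for A sogo.example.com 172.16.1.7
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.example.com sogo.example.com 389
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._udp.example.com sogo.example.com 88
Failed update of 2 entries
"""

# Constructed sample of the BIND9_DLZ syslog lines shown in the post.
SYSLOG_LINES = """\
Oct  6 22:16:43 sogo named[3402]: samba_dlz: starting transaction on zone _msdcs.example.com
Oct  6 22:16:43 sogo named[3402]: client 172.16.1.7#64208: update '_msdcs.example.com/IN' denied
Oct  6 22:16:43 sogo named[3402]: samba_dlz: cancelling transaction on zone _msdcs.example.com
Oct  6 22:16:43 sogo named[3402]: client 172.16.1.7#37057: update 'example.com/IN' denied
"""

CALL_RE = re.compile(r"^Calling nsupdate for (\S+) (\S+)")
DENIED_RE = re.compile(r"client (\S+?)#\d+: update '([^/]+)/IN' denied")


def failed_records(output):
    """Return [(rrtype, name)] for every nsupdate call that was followed by 'update failed'."""
    failed, current = [], None
    for line in output.splitlines():
        m = CALL_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
        elif line.startswith("update failed:") and current:
            failed.append(current)
            current = None
    return failed


def denied_updates(syslog):
    """Count BIND 'update denied' events keyed by (client IP, zone)."""
    counts = Counter()
    for line in syslog.splitlines():
        m = DENIED_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


if __name__ == "__main__":
    for rrtype, name in failed_records(DNSUPDATE_OUTPUT):
        print(f"failed: {rrtype} {name}")
    for (client, zone), n in denied_updates(SYSLOG_LINES).items():
        print(f"{client} denied {n}x on zone {zone}")
```

Running it against the full attachments would list all 21 failed records and show that every denial comes from the DC's own address, which points at the update policy or the DLZ credentials rather than at a client-side problem.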