Samba4 DNS Updates - Linux Clients - Is it possible?

Daniele Dario d.dario76 at gmail.com
Thu Jan 19 09:03:05 MST 2012


On Thu, 2012-01-19 at 11:36 +1100, Amitay Isaacs wrote:
> Hi Daniele,
> 
> 
> On Thu, Jan 19, 2012 at 1:13 AM, Daniele Dario <d.dario76 at gmail.com> wrote:
> > Hi,
> >
> >
> > I'm running samba Version 4.0.0alpha18-GIT-90f06d6 with bind 9.9.0b1
> > from PPA on an ubuntu server 11.04 x86 (on XenServer 5.6 fp1).
> >
> > Looking on named logs I found something similar
> > 18-Jan-2012 14:41:35.027 database: info: samba_dlz: starting transaction
> > on zone saitelitalia.local
> > 18-Jan-2012 14:41:35.029 database: error: samba_dlz: failed to create
> > session info
> > 18-Jan-2012 14:41:35.030 update: info: client 192.168.12.12#53508/key
> > activity\$\@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE':
> > update failed: rejected by secure update (REFUSED)
> > 18-Jan-2012 14:41:35.030 database: info: samba_dlz: cancelling
> > transaction on zone saitelitalia.local
> >
> > from /usr/local/samba/var/log.samba at same time I have
> > [2012/01/18 14:41:34,
> > 3] ../lib/ldb-samba/ldb_wrap.c:316(ldb_wrap_connect)
> >  ldb_wrap open of secrets.ldb
> > [2012/01/18 14:41:34,
> > 3] ../source4/smb_server/smb/negprot.c:390(reply_nt1)
> >  using SPNEGO
> > [2012/01/18 14:41:34,
> > 3] ../source4/smb_server/smb/negprot.c:519(smbsrv_reply_negprot)
> >  Selected protocol [5][NT LM 0.12]
> > [2012/01/18 14:41:35,
> > 3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
> >  Terminating connection - 'ldapsrv_call_loop:
> > tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> > [2012/01/18 14:41:35,
> > 3] ../source4/smbd/process_single.c:104(single_terminate)
> >  single_terminate: reason[ldapsrv_call_loop:
> > tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> >
> > where activity is a WinXP SP3 x86 machine
> >
> > Running samba-tool dns query kdc01 saitelitalia.local @ A -U
> > administrator I read that activity has no records and no children
> > ...
> > Name=activity, Records=0, Children=0
> > ...
> >
> > could this be the cause of the failure to update?
> >
> > BTW, if I try samba-tool dns delete kdc01 saitelitalia.local activity A
> > '' -U administrator I get ERROR: Record does not exist
> > but trying to add the record it fails saying
> > ERROR(runtime): uncaught exception - (9711,
> > 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
> >  File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> > line 167, in _run
> >    return self.run(*args, **kwargs)
> >  File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line
> > 863, in run
> >    None)
> >
> > nslookup seems to work correctly
> > [root at kdc01:~]# nslookup activity
> > Server:         192.168.12.5
> > Address:        192.168.12.5#53
> >
> > Name:   activity.saitelitalia.local
> > Address: 192.168.12.12
> >
> > [root at kdc01:~]# nslookup 192.168.12.12
> > Server:         192.168.12.5
> > Address:        192.168.12.5#53
> >
> > 12.12.168.192.in-addr.arpa      name = activity.saitelitalia.local.
> >
> > The same happens for another host which is an ubuntu server 10.04
> > running samba 3.4.7 and joined to the domain.
> >
> > How can I remove the dummy records?
> >
> > Thanks, Daniele.
> >
> 
> Since version 4.0.0alpha18-GIT-90f06d6 there has been a patch
> (6a1201a67b36bc1bb3214ee911b130c4affb8dec) that
> fixes the problem in creating session info after changes in the
> authentication layer in samba.
> 
> Can you check if the problem persists with the latest git master?
> 
> Amitay.

Hi Amitay,
as said in my previous mail, I joined another DC to the samba4 AD domain,
but drs showrepl says that there are replication errors, and looking in
the BDC samba log I see:

[2012/01/19 16:49:11,
3] ../source4/dsdb/dns/dns_update.c:340(dnsupdate_check_names)
  Calling DNS name update script
[2012/01/19 16:49:11,
3] ../source4/dsdb/dns/dns_update.c:355(dnsupdate_check_names)
  Calling SPN name update script
[2012/01/19 16:49:11,
3] ../source4/dsdb/dns/dns_update.c:325(dnsupdate_spnupdate_done)
  Completed SPN update check OK
[2012/01/19 16:49:12,
3] ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ KDC02$@SAITELITALIA.LOCAL from
ipv4:192.168.12.2:55484 for krbtgt/SAITELITALIA.LOCAL at SAITELITALIA.LOCAL
[2012/01/19 16:49:12,
3] ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp
[2012/01/19 16:49:12,
3] ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- KDC02$@SAITELITALIA.LOCAL
[2012/01/19 16:49:12,
3] ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- KDC02$@SAITELITALIA.LOCAL
[2012/01/19 16:49:12,
3] ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- KDC02
$@SAITELITALIA.LOCAL using arcfour-hmac-md5
[2012/01/19 16:49:12,
3] ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2012-01-19T16:49:12 starttime: unset
endtime: 2012-01-20T02:49:12 renew till: unset
[2012/01/19 16:49:12,
3] ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5,
using arcfour-hmac-md5/arcfour-hmac-md5
[2012/01/19 16:49:12,
0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: update failed: REFUSED
[2012/01/19 16:49:12,
3] ../source4/dsdb/dns/dns_update.c:296(dnsupdate_nameupdate_done)
  Completed DNS update check OK
[2012/01/19 16:49:26,
2] ../source4/dsdb/repl/replicated_objects.c:637(dsdb_replicated_objects_commit)
  Replicated 0 objects (0 linked attributes) for
DC=saitelitalia,DC=local
[2012/01/19 16:49:27,
2] ../source4/dsdb/repl/replicated_objects.c:637(dsdb_replicated_objects_commit)
  Replicated 0 objects (0 linked attributes) for
CN=Schema,CN=Configuration,DC=saitelitalia,DC=local
[2012/01/19 16:49:27,
2] ../source4/dsdb/repl/replicated_objects.c:637(dsdb_replicated_objects_commit)
  Replicated 0 objects (0 linked attributes) for
CN=Configuration,DC=saitelitalia,DC=local
[2012/01/19 16:49:30,
1] ../source4/dsdb/kcc/kcc_topology.c:1402(kcctpl_color_vertices)
  ../source4/dsdb/kcc/kcc_topology.c:1402: failed to find nCName
attribute of object
CN=196a98d9-8dd3-40e3-8109-ed7cb6146b0c,CN=Partitions,CN=Configuration,DC=saitelitalia,DC=local
[2012/01/19 16:49:30,
1] ../source4/dsdb/kcc/kcc_topology.c:3158(kcctpl_create_connections)
  ../source4/dsdb/kcc/kcc_topology.c:3158: failed to color vertices:
NT_STATUS_INTERNAL_DB_CORRUPTION
[2012/01/19 16:49:30,
1] ../source4/dsdb/kcc/kcc_topology.c:3415(kcctpl_create_intersite_connections)
  ../source4/dsdb/kcc/kcc_topology.c:3415: failed to create connections:
NT_STATUS_INTERNAL_DB_CORRUPTION


After a samba4 restart I see:
[2012/01/19 16:58:59,
0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: update failed: REFUSED
[2012/01/19 16:58:59,
3] ../source4/dsdb/dns/dns_update.c:296(dnsupdate_nameupdate_done)
  Completed DNS update check OK

When I created the new BDC I used the same name (kdc02) I used for a VM
when I was trying to have 2 DCs with bind_dlz. Could it be the problem?
How can I fix it?

Daniele.
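
Added example, not part of Daniele's message or of Samba's own code: a Python parser for the log format shown in the excerpts above. It rejoins mail-wrapped records and picks out the samba_dnsupdate REFUSED failures and the level 0/1 records. The function names are made up for this sketch; the sample lines are copied from the log above, with one header rejoined onto a single line.

```python
import re

# Record header as it appears in the excerpts: "[date time, level] file:line(func)".
# \s* after the comma lets the level sit on the next line, as in the wrapped mail.
HEADER = re.compile(
    r"\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]\s+"
    r"(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)"
)

# Sample lines taken from the message above; the third header is rejoined
# onto one line (constructed) to exercise the unwrapped form as well.
SAMPLE = """\
[2012/01/19 16:49:12,
0] ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
  /usr/local/samba/sbin/samba_dnsupdate: update failed: REFUSED
[2012/01/19 16:49:12,
3] ../source4/dsdb/dns/dns_update.c:296(dnsupdate_nameupdate_done)
  Completed DNS update check OK
[2012/01/19 16:49:30,  1] ../source4/dsdb/kcc/kcc_topology.c:3158(kcctpl_create_connections)
  ../source4/dsdb/kcc/kcc_topology.c:3158: failed to color vertices:
NT_STATUS_INTERNAL_DB_CORRUPTION
"""

def parse_records(text):
    """Split a log into records: header fields plus the re-joined message body."""
    heads = list(HEADER.finditer(text))
    records = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        msg = " ".join(text[m.end():end].split())  # undo line wrapping
        records.append({"ts": m["ts"], "level": int(m["level"]),
                        "src": m["src"], "func": m["func"], "msg": msg})
    return records

def refused_updates(records):
    """Records in which samba_dnsupdate reports a refused dynamic update."""
    return [r for r in records
            if "samba_dnsupdate" in r["msg"] and "update failed: REFUSED" in r["msg"]]

def errors(records, max_level=1):
    """Records at debug level <= max_level (0 and 1 carry the failures above)."""
    return [r for r in records if r["level"] <= max_level]

if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in errors(recs):
        print(r["ts"], r["level"], r["func"], "|", r["msg"])
```

The check keys on the level-0 REFUSED record because, in the log above, the level-3 line that follows it still reads "Completed DNS update check OK".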


