Problems (possibly bug) with dlz for bind 9.9 in 4.0.0beta3-GIT-763f9e8

Andrew Bartlett abartlet at samba.org
Mon Jul 2 00:45:00 MDT 2012


On Mon, 2012-07-02 at 00:41 -0600, Trever L. Adams wrote:
> On 07/01/2012 05:12 PM, Andrew Bartlett wrote:
> > On Mon, 2012-06-25 at 00:32 -0600, Trever L. Adams wrote:
> >> Hello Everyone,
> >>
> >> This is a clean domain, provisioned post beta1 (I think beta2). I have not been able to get Windows PCs to do DNS updates. A bit about my network. Every machine has at least one private IPv4 address, one private IPv6 address (fdXX below), and one publicly routable IPv6 address. When I first mentioned this problem in another bug there was a screw-up in my delegation of reverse zones and a few other leftovers from some other setups. These are completely cleared out. There are no strange forwards or messed up delegations now and everything is showing up as coming from the client machine (such as the one below, a full log would show this repeated exactly with a 2001 address as it seems to be trying to update from both).
> >>
> >> The only log that seems to have anything to do with this is from named.run (on a Fedora 17 box). This is with -d 9 or -d 10 on the command line starting Samba 4. If there is something I can do to get DLZ debug info out of Samba or more info out of bind, I am willing to try.
> >> failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure. 
> >> Minor code may provide more information, Minor = Success.
> >> gss-api source name (accept) is somepc$@EXAMPLE.ORG
> > This is very interesting.  The fact that we get as far as
> > gss_inquire_cred() means that bind was able to access the keytab and it
> > had the correct key.  Something else is failing in the krb5 libs or
> > BIND. 
> >
> > Sadly I don't have any particular clues as to what is wrong, or how to
> > fix it. 
> >
> > Sorry,
> >
> > Andrew Bartlett
> >
> Are there any debugging/logging steps you can recommend? somepc$ was the
> client so did it get a ticket properly or did it fail?

To get that message, it seems to have got the ticket, and we decoded it.

> Will a -d10 log.samba show anything? I should have one captured (I am
> willing to send it to you off list if it would).

Unlikely (because the ticket was correctly produced). 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org


