[Samba] Removing a domain controller help needed

Daniele Dario d.dario76 at gmail.com
Tue Nov 5 09:35:02 MST 2013



On ven, 2013-10-11 at 17:05 +0100, Rowland Penny wrote:
> On 11/10/13 16:46, Daniele Dario wrote:
> > On Fri, 2013-10-11 at 16:06 +0100, Rowland Penny wrote:
> >> On 11/10/13 14:53, Daniele Dario wrote:
> >>> On Fri, 2013-10-11 at 09:59 +0100, Rowland Penny wrote:
> >>>> On 11/10/13 08:26, Daniele Dario wrote:
> >>>>> On Fri, 2013-10-11 at 16:00 +1300, Andrew Bartlett wrote:
> >>>>>> On Fri, 2013-09-13 at 09:10 +0200, christophe wrote:
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> First guys, I'd like to congratulate you. Samba 4 is really a cool product.
> >>>>>>>
> >>>>>>> I have a little problem though.
> >>>>>>>
> >>>>>>> The context:
> >>>>>>>
> >>>>>>> I have a Samba4 AD DC working perfectly on a virtual machine.
> >>>>>>> For testing purposes I joined another Samba4 AD DC to the domain I had
> >>>>>>> provisioned and it worked perfectly, but my second DC VM was deleted with no
> >>>>>>> means to get it back.
> >>>>>>>
> >>>>>>> I now have a problem on my first DC as the second DC still shows up in the
> >>>>>>> RSAT console, NTDSUTIL, DNS and also samba-tool drs showrepl.
> >>>>>>> It seems to be impossible to delete it completely.
> >>>>>>>
> >>>>>>>
> >>>>>>> I know if I were on a windows DC I'd simply have gone for forced deletion
> >>>>>>> then metadata cleanup.
> >>>>>>> but I don't have a windows DC.
> >>>>>>>
> >>>>>>> Is there a way I can permanently remove all connections to my disappeared
> >>>>>>> second DC from the AD just using the tools provided with samba 4?
> >>>>>> Can you use the ADUC tools to do it?
> >>>>>>
> >>>>>> Yes, we are aware this isn't ideal, and patches to samba-tool are
> >>>>>> welcome.
> >>>>>>
> >>>>>>> Other question:
> >>>>>>>
> >>>>>>> I use ISC-DHCP-SERVER with SAMBA_Internal DNS.
> >>>>>>>
> >>>>>>> Is there a way to have it updating records?
> >>>>>>> From the DNS console, it seems I can't allow for unsecure updates
> >>>>>> Currently this is controlled from the smb.conf, not DNS console.
> >>>>>>
> >>>>>> But unsecure updates are a really bad idea.  Other folks have done this
> >>>>>> with GSS-TSIG and an external script, and it would be really neat to
> >>>>>> also support shared-key TSIG, but that requires work.  Patches are very
> >>>>>> welcome (the shared 128 bit key can be stored in or generated from the
> >>>>>> unicodePwd).
> >>>>>>
> >>>>>> Andrew Bartlett
> >>>>>>
> >>>>> Hi,
> >>>>> I post this to samba list:
> >>>>>
> >>>>> As Christophe, I'm trying to find a way to get records updated and I
> >>>>> found this "howto"
> >>>>> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/ but I'm not able to get it working properly.
> >>>>> Mainly the script would find the old record, delete it and add the new
> >>>>> one but as stated in my comment on the blog it fails due to TSIG
> >>>>> error/TKEY is unacceptable.
> >>>>>
> >>>>> The last comment on the blog says:
> >>>>>
> >>>>> Just an hint for someone else who stumbles across the same problem, if
> >>>>> you’re using Samba 4 as an AD DC, then kinit with the keytab created in
> >>>>> the script instructions above won’t work as samba4 doesn’t seem to like
> >>>>> the encryption type. Use
> >>>>> -e arcfour-hmac-md5 with the addent command instead.
> >>>>>
> >>>>> The first script posted on the blog states
> >>>>>
> >>>>> # keytab can be generated using
> >>>>> # $ ktutil
> >>>>> # ktutil: addent -password -p dhcpduser at EXAMPLE.COM -k 1 -e
> >>>>> aes256-cts-hmac-sha1-96
> >>>>> # Password for dhcpduser at EXAMPLE.COM:
> >>>>> # ktutil: wkt dhcpduser.keytab
> >>>>> # ktutil: quit
> >>>>>
> >>>>> but next changes in
> >>>>>
> >>>>> Using samba AD DC I used
> >>>>> # keytab can be generated using the Samba4 tool:
> >>>>> # samba-tool domain exportkeytab /etc/dhcpd/dhcpduser.keytab
> >>>>> --principal=dhcpduser
> >>>>>
> >>>>> and klist -k dhcpduser.keytab -e shows
> >>>>> Keytab name: WRFILE:/etc/dhcp/dhcpduser.keytab
> >>>>> KVNO Principal
> >>>>> ----
> >>>>> --------------------------------------------------------------------------
> >>>>>       1 dhcpduser at SAITEL.LOC (DES cbc mode with CRC-32)
> >>>>>       1 dhcpduser at SAITEL.LOC (DES cbc mode with RSA-MD5)
> >>>>>       1 dhcpduser at SAITEL.LOC (ArcFour with HMAC/md5)
> >>>>>
> >>>>> so it seems that the keytab contains the arcfour-hmac-md5 encryption
> >>>>> key.
> >>>>>
> >>>>> Can someone put some light on this?
> >>>>>
> >>>>> Thanks,
> >>>>> Daniele.
> >>>>>
> >>>> Hi, I have been using something similar for some time now, without any
> >>>> great problems. I have attached my notes and hope that these help.
> >>>>
> >>>> Rowland
> >>> Hi Rowland,
> >>> I'm trying with your script and something changed so I guess I'm on the
> >>> right way to get DDNS working but what I'm seeing now is
> >>>
> >>> Oct 11 15:35:26 kdc01 dhcpd: Commit: IP: 192.168.12.204 DHCID:
> >>> 1:0:22:43:1b:9f:b2 Name: alaska
> >>> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[0]
> >>> = /etc/dhcp/dhcp-krbnsupdate.sh
> >>> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[1] = add
> >>> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[2] = 192.168.12.204
> >>> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[3] =
> >>> 1:0:22:43:1b:9f:b2
> >>> Oct 11 15:35:26 kdc01 dhcpd: execute_statement argv[4] = alaska
> >>> Oct 11 15:35:26 kdc01 dhcpd: execute: /etc/dhcp/dhcp-krbnsupdate.sh exit
> >>> status 256
> >>> Oct 11 15:35:26 kdc01 dhcpd: Unable to add forward map from
> >>> alaska.saitel.loc to 192.168.12.204: timed out
> >>> Oct 11 15:35:26 kdc01 dhcpd: DHCPREQUEST for 192.168.12.204 from
> >>> 00:22:43:1b:9f:b2 (alaska) via eth0
> >>> Oct 11 15:35:26 kdc01 dhcpd: DHCPACK on 192.168.12.204 to
> >>> 00:22:43:1b:9f:b2 (alaska) via eth0
> >>>
> >>> as you can see the script exits with status 256 which is not a value
> >>> given from the script.
> >>>
> >>> Looking deeper I found that when you look if a ticket is already present
> >>> you look
> >>> if [ -z "$KRB5CCNAME" ]; then
> >>>       # if no ticket set expiration to 0
> >>>       expiration=0
> >>> else
> >>>       # get expiration time as a number
> >>>       edate=$(klist | grep "$realm" | grep '/' | sort | head -n 1 | awk '{print $3}' | tr '/' '-')
> >>>       etime=$(klist | grep "$realm" | grep '/' | sort | head -n 1 | awk '{print $4}')
> >>>       expiration=$(date -d "$edate $etime" '+%s')
> >>> fi
> >>>
> >>> but [ -z ] just checks if a string is empty and you set KRB5CCNAME before,
> >>> so it seems to me that you should test if the cached ticket is present
> >>> using
> >>>
> >>> if [ -f "$KRB5CCNAME" ]; then
> >>>       # a ticket is present
> >>>       # get expiration time as a number
> >>>       edate=$(klist | grep "$realm" | grep '/' | sort | head -n 1 | awk '{print $3}' | tr '/' '-')
> >>>       etime=$(klist | grep "$realm" | grep '/' | sort | head -n 1 | awk '{print $4}')
> >>>       expiration=$(date -d "$edate $etime" '+%s')
> >>> else
> >>>       # if no ticket set expiration to 0
> >>>       expiration=0
> >>> fi
> >>>
> >>> BTW, running the script manually this is what I can see:
> >>>
> >>> [root at kdc01:~]# ./etc/dhcp/dhcp-krbnsupdate.sh add 192.168.12.183
> >>> 1:14:7d:c5:48:7a:d5 android-b9c850d595c8b543
> >>> dhcpd: DHCP-DNS: no ticket present
> >>> dhcpd: Getting new ticket, old one expired 0, now is 1318512848
> >>> dhcpd: DHCP-DNS: kinit succeeded
> >>> dns_tkey_negotiategss: TKEY is unacceptable
> >>> dhcpd: result1 = 1
> >>> dns_tkey_negotiategss: TKEY is unacceptable
> >>> dhcpd: result2 = 1
> >>> dhcpd: DHCP-DNS_Update-failed
> >>>
> >>> Any idea of what I'm doing wrong?
> >>>
> >>> Daniele.
> >>>
> >> Have you created the keytab ? : samba-tool domain exportkeytab
> >> /etc/dhcp/dhcpduser.keytab --principal=dhcpduser@$realm
> >>
> >> Once this is created, you need to ensure that the dhcp user owns all the
> >> files in /etc/dhcp : chown dhcpd:dhcpd -R /etc/dhcp
> >>
> >> If everything is correct, running the script as the dhcp user should work
> >>
> >> su - -s /bin/bash dhcpd -c "/usr/local/sbin/dhcp-dyndns.sh add
> >> 192.168.0.204 1:84:a6:c8:3b:da:7b ThinkPad"
> >> Getting new ticket, old one expired 0, now is 1381503295
> >> DHCP-DNS Update succeeded
> >>
> >> and you should find this in /var/log/syslog:
> >>
> >> Oct 11 15:54:56 homeserver named[1115]: samba_dlz: starting transaction
> >> on zone home.lan
> >> Oct 11 15:54:56 homeserver named[1115]: samba_dlz: allowing update of
> >> signer=dhcpduser\@HOME.LAN name=ThinkPad.home.lan tcpaddr=127.0.0.1
> >> type=A key=2712415368.sig-homeserver.home.lan/160/0
> >> Oct 11 15:54:56 homeserver named[1115]: samba_dlz: allowing update of
> >> signer=dhcpduser\@HOME.LAN name=ThinkPad.home.lan tcpaddr=127.0.0.1
> >> type=A key=2712415368.sig-homeserver.home.lan/160/0
> >> Oct 11 15:54:56 homeserver named[1115]: client 127.0.0.1#51111/key
> >> dhcpduser\@HOME.LAN: updating zone 'home.lan/NONE': deleting rrset at
> >> 'ThinkPad.home.lan' A
> >> Oct 11 15:54:56 homeserver named[1115]: client 127.0.0.1#51111/key
> >> dhcpduser\@HOME.LAN: updating zone 'home.lan/NONE': adding an RR at
> >> 'ThinkPad.home.lan' A
> >> Oct 11 15:54:56 homeserver named[1115]: samba_dlz: added
> >> ThinkPad.home.lan ThinkPad.home.lan.#0113600#011IN#011A#011192.168.0.204
> >> Oct 11 15:54:56 homeserver named[1115]: samba_dlz: subtracted rdataset
> >> home.lan 'home.lan.#0113600#011IN#011SOA#011homeserver.home.lan.
> >> hostmaster.home.lan. 2 900 600 86400 0'
> >> Oct 11 15:54:56 homeserver named[1115]: samba_dlz: added rdataset
> >> home.lan 'home.lan.#0113600#011IN#011SOA#011homeserver.home.lan.
> >> hostmaster.home.lan. 3 900 600 86400 0'
> >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: committed transaction
> >> on zone home.lan
> >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: starting transaction
> >> on zone 0.168.192.in-addr.arpa
> >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: allowing update of
> >> signer=dhcpduser\@HOME.LAN name=204.0.168.192.in-addr.arpa
> >> tcpaddr=127.0.0.1 type=PTR key=2492596725.sig-homeserver.home.lan/160/0
> >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: allowing update of
> >> signer=dhcpduser\@HOME.LAN name=204.0.168.192.in-addr.arpa
> >> tcpaddr=127.0.0.1 type=PTR key=2492596725.sig-homeserver.home.lan/160/0
> >> Oct 11 15:54:57 homeserver named[1115]: client 127.0.0.1#37499/key
> >> dhcpduser\@HOME.LAN: updating zone '0.168.192.in-addr.arpa/NONE':
> >> deleting rrset at '204.0.168.192.in-addr.arpa' PTR
> >> Oct 11 15:54:57 homeserver named[1115]: client 127.0.0.1#37499/key
> >> dhcpduser\@HOME.LAN: updating zone '0.168.192.in-addr.arpa/NONE': adding
> >> an RR at '204.0.168.192.in-addr.arpa' PTR
> >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz:added
> >> 204.0.168.192.in-addr.arpa
> >> 204.0.168.192.in-addr.arpa.#0113600#011IN#011PTR#011ThinkPad.home.lan.
> >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: subtracted rdataset
> >> 0.168.192.in-addr.arpa
> >> '0.168.192.in-addr.arpa.#0113600#011IN#011SOA#011homeserver.home.lan.
> >> hostmaster.home.lan. 4 900 600 86400 3600'
> >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: added rdataset
> >> 0.168.192.in-addr.arpa
> >> '0.168.192.in-addr.arpa.#0113600#011IN#011SOA#011homeserver.home.lan.
> >> hostmaster.home.lan. 5 900 600 86400 3600'
> >> Oct 11 15:54:57 homeserver named[1115]: samba_dlz: committed transaction
> >> on zone 0.168.192.in-addr.arpa
> >> Oct 11 15:54:57 homeserver root: DHCP-DNS Update succeeded
> >>
> >> Rowland
> >>
> > Just to be sure I did it again
> >
> > [root at kdc01:~]# samba-tool domain
> > exportkeytab /etc/dhcp/dhcpduser.keytab --principal=dhcpduser at SAITEL.LOC
> > [root at kdc01:~]# sudo -R chown dhcpd.dhcpd /etc/dhcp
> > [root at kdc01:~]# su - -s /bin/bash dhcpd -c
> > "/etc/dhcp/dhcp-krbnsupdate.sh add 192.168.12.183 1:14:7d:c5:48:7a:d5
> > android-b9c850d595c8b543"
> > dhcpd: DHCP-DNS: found ticket: look if valid
> > dhcpd: Getting new ticket, old one expired 1292206524, now ie 1318518931
> > dhcpd: DHCP-DNS: kinit succeeded
> > dns_tkey_negotiategss: TKEY is unacceptable
> > dhcpd: result1 = 1
> > dns_tkey_negotiategss: TKEY is unacceptable
> > dhcpd: result2 = 1
> > dhcpd: DHCP-DNS_Update-failed
> >
> > I'm working on an Ubuntu server 11.04 x86. Would AppArmor have an impact in
> > this scenario?
> >
> > Daniele.
> >
> Hi, mine is running on Ubuntu server 12.04.3 x86_64 without apparmor, so 
> yes it could be apparmor that is stopping it working.
> I hate both selinux and apparmor, both have given me problems in the 
> past, I have spent hours trying to get something to work, only to find 
> out that turning off selinux or apparmor cured the problem. One of these 
> days I must learn how to use them ;-)
> 
> Rowland

Hi Rowland, list,
after digging and googling I found that somebody else had problems on
secure updates related to wrong SOA records and so I had a look at my
configuration.

My configuration is with 2 samba4 DCs both with internal DNS and the
DHCP server was running on the second DC (the one joined to the domain
not the one where I provisioned the domain).

I transferred the FSMO roles from one DC to the other and after updating
to latest release (4.1.0) updated the SOA records accordingly.

After that, everything started working properly.

There's just a side note that even if the dns zones are correctly
updated, the TSIG error with server is still present during nsupdate.

Sending update to 192.168.12.5#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  46737
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; UPDATE SECTION:
221.12.168.192.in-addr.arpa. 0	ANY	PTR	
221.12.168.192.in-addr.arpa. 3600 IN	PTR	prova.saitel.loc.

;; TSIG PSEUDOSECTION:
3070058307.sig-kdc01.saitel.loc. 0 ANY	TSIG	gss-tsig. 1383669095 300 28
BAQE//////8AAAAAHv6H7OgwRE4oNWGPRDHpmQ== 46737 NOERROR 0 

; TSIG error with server: tsig verify failure

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  46737
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;12.168.192.in-addr.arpa.	IN	SOA

;; UPDATE SECTION:
221.12.168.192.in-addr.arpa. 0	ANY	PTR	
221.12.168.192.in-addr.arpa. 3600 IN	PTR	prova.saitel.loc.

Thanks a lot for your help,
Daniele.
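The ticket-expiry check debated above (the `-z` versus `-f` test on the credential cache, and the klist date parsing), written as a stand-alone helper that a DHCP-triggered `nsupdate -g` script could source. This is an added example, not Rowland's script or Samba's code; it assumes MIT `klist` output in the C locale (`MM/DD/YY HH:MM:SS` columns), a GNU or busybox `date -d`, and a constructed klist sample for the hypothetical `dhcpduser` principal.

```shell
#!/bin/bash
# Added example (not Rowland's script nor Samba code): decide whether the
# DHCP-DNS update helper must kinit again before running "nsupdate -g".
# Assumes MIT klist output in the C locale ("MM/DD/YY HH:MM:SS" columns)
# and a GNU or busybox "date -d". Realm and principal are hypothetical.

# Constructed sample of "klist" output for a ticket cache (not real data).
SAMPLE_KLIST='Ticket cache: FILE:/var/lib/dhcp/dhcpduser.krb5cc
Default principal: dhcpduser@SAITEL.LOC

Valid starting     Expires            Service principal
10/11/13 15:35:26  10/12/13 01:35:26  krbtgt/SAITEL.LOC@SAITEL.LOC
10/11/13 15:35:27  10/12/13 01:35:26  DNS/kdc01.saitel.loc@SAITEL.LOC'

# Print the TGT expiry as a Unix timestamp, or 0 when the cache holds no
# TGT for the realm. Reads klist text on stdin so it can be tested offline.
# The MM/DD/YY date is rewritten to ISO form before "date -d": a plain
# "10-12-13" (the tr '/' '-' approach) is ambiguous to date.
tgt_expiry_epoch() {
    local realm="$1" line edate etime
    line=$(grep -F "krbtgt/${realm}@" | head -n 1 || true)
    [ -n "$line" ] || { echo 0; return; }
    edate=$(echo "$line" | awk '{print $3}')   # "Expires" date column
    etime=$(echo "$line" | awk '{print $4}')   # "Expires" time column
    local mm="${edate%%/*}" rest="${edate#*/}"
    local dd="${rest%%/*}" yy="${rest#*/}"
    date -d "20${yy}-${mm}-${dd} ${etime}" '+%s'
}

# True (exit 0) when a fresh ticket is needed: no cache file (-f, not -z),
# no TGT in it, or a TGT expiring within the safety margin.
# $1 = cache file, $2 = realm, $3 = now (epoch), $4 = margin in seconds.
# KLIST_CMD lets a test substitute a function that prints sample output.
need_new_ticket() {
    local cache="$1" realm="$2" now="$3" margin="${4:-300}" expiry
    [ -f "$cache" ] || return 0
    expiry=$(KRB5CCNAME="$cache" ${KLIST_CMD:-klist} | tgt_expiry_epoch "$realm")
    [ "$expiry" -le $((now + margin)) ]
}

# Demo on the constructed sample: prints the sample TGT's expiry epoch.
printf '%s\n' "$SAMPLE_KLIST" | tgt_expiry_epoch SAITEL.LOC
```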