[Samba] Samba4 LDAP returns wrong responses in some cases, BIND-DLZ refuses to update

Dmitry Khromov icechrome at gmail.com
Fri Sep 28 18:10:41 MDT 2012


Hello.

We have a couple of questions regarding Samba 4.1.0pre1-GIT-aad669b running on Gentoo GNU/Linux

1) Is MS 1.2.840.113556.1.4.1941 operator support implemented (planned to be implemented) in Samba 4 internal LDAP server? Please compare:

$ ldapsearch -h 192.168.1.32 -x -D 'CN=someadminuser,OU=Administrators,DC=klin,DC=kifato-mk,DC=com' -b 'OU=VLANs,OU=Organizational,DC=klin,DC=kifato-mk,DC=com' -W '(&(info=*)(member:1.2.840.113556.1.4.1941:=CN=dummyuser,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com))' | tail -n2 # Windows 2003 R2 DC
Enter LDAP Password: 
# numResponses: 2
# numEntries: 1
$ ldapsearch -h 192.168.1.31 -x -D 'CN=someadminuser,OU=Administrators,DC=klin,DC=kifato-mk,DC=com' -b 'OU=VLANs,OU=Organizational,DC=klin,DC=kifato-mk,DC=com' -W '(&(info=*)(member:1.2.840.113556.1.4.1941:=CN=dummyuser,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com))' | tail -n2 # Samba DC
Enter LDAP Password: 

# numResponses: 1

First command returns the correct membership check result. Second - just silently returns nothing. Although not that widely used, this operator is quite useful in some cases, when you just can't implement any loop-based logic. For example, for us it breaks IEEE 802.1X VLAN assignment with FreeRADIUS.

Replication is working and this account's membership is correct on both DCs.

2) We have a problem with Samba refusing to update DNS records with Gentoo's BIND 9.9.1_p3 (GSSAPI, DLZ)
BIND log says:
...
named[12365]: samba_dlz: configured writeable zone 'klin.kifato-mk.com'
named[12365]: samba_dlz: configured writeable zone '172.in-addr.arpa'
...
named[12365]: samba b9_putrr: unhandled record type 65281
named[12365]: samba_dlz: starting transaction on zone klin.kifato-mk.com
named[12365]: client 192.168.1.32#1039: view realdns: update 'klin.kifato-mk.com/IN' denied
named[12365]: samba_dlz: cancelling transaction on zone klin.kifato-mk.com
log.samba says:
../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable 

Related parts of named.conf:
options {
 ...
 tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
 ...
};
view realdns {
 ...
 dlz "AD DNS Zones" {
  database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
 };
 ...
};

Keytab is accessible by named process effective UID. Use of BIND's views doesn't affect behaviour.
Maybe this is totally wrong, but we had to delete ..trustanchors zone, since BIND refuses to start with it. By the way, this renders DNS unmanageable:
# bin/samba-tool dns zonelist dc0 
Password for [someadminuser at KLIN.KIFATO-MK.COM]:
ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')

Any suggestions on getting updates to work?

-- 
Best regards,
Dmitry Khromov
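As an added illustration (not part of the post above), the following Python models what the 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) rule evaluates server-side for the filter in question 1, and doubles as the client-side, loop-based fallback a consumer needs when the directory server does not implement the rule. The directory, the DC=example,DC=com suffix and the group layout are constructed sample data.

```python
from collections import deque

# Constructed sample directory (DC=example,DC=com is a placeholder domain):
# VLAN groups nest department groups; it-staff and helpdesk form a membership cycle.
BASE = "OU=VLANs,OU=Organizational,DC=example,DC=com"
DEPT = "OU=Departments,DC=example,DC=com"
USER = f"CN=dummyuser,OU=IT,{DEPT}"
DIRECTORY = {
    f"CN=vlan10,{BASE}": {"info": ["10"], "member": [f"CN=it-staff,OU=IT,{DEPT}"]},
    f"CN=vlan20,{BASE}": {"info": ["20"], "member": [f"CN=sales,OU=Sales,{DEPT}"]},
    f"CN=vlan30,{BASE}": {"member": [f"CN=it-staff,OU=IT,{DEPT}"]},  # no 'info' attribute
    f"CN=it-staff,OU=IT,{DEPT}": {"member": [f"CN=helpdesk,OU=IT,{DEPT}"]},
    f"CN=helpdesk,OU=IT,{DEPT}": {"member": [USER, f"CN=it-staff,OU=IT,{DEPT}"]},
    f"CN=sales,OU=Sales,{DEPT}": {"member": [f"CN=bob,OU=Sales,{DEPT}"]},
    USER: {},
    f"CN=bob,OU=Sales,{DEPT}": {},
}


def in_chain(directory, start_dn, target_dn, attr="member"):
    """True if following `attr` links from start_dn reaches target_dn.

    This is the transitive check the 1.2.840.113556.1.4.1941 matching rule
    performs; the visited set keeps nested-group cycles from looping forever.
    """
    seen, queue = set(), deque([start_dn])
    while queue:
        dn = queue.popleft()
        if dn in seen:
            continue
        seen.add(dn)
        for linked in directory.get(dn, {}).get(attr, []):
            if linked.lower() == target_dn.lower():  # DNs compare case-insensitively
                return True
            queue.append(linked)
    return False


def search_in_chain(directory, base, user_dn):
    """Entries under `base` matching
    (&(info=*)(member:1.2.840.113556.1.4.1941:=user_dn)), evaluated client-side."""
    return sorted(dn for dn, attrs in directory.items()
                  if dn.lower().endswith("," + base.lower())
                  and "info" in attrs
                  and in_chain(directory, dn, user_dn))


if __name__ == "__main__":
    for dn in search_in_chain(DIRECTORY, BASE, USER):
        print(dn)
```

Only vlan10 is returned: vlan30 reaches the user through the same nested chain but lacks the `info` attribute, and vlan20 never reaches the user at all.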