[Samba] Please Help! Dynamic DNS just will not work: " failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure"

Ludek Finstrle ludek.finstrle at pzkagis.cz
Mon Jun 3 01:01:05 MDT 2013


Hello,

  I had the same problem during this weekend and I found the solution.

Sat, Jun 01, 2013 at 02:58:04PM -0700, Gary Maurizi wrote:
> 01-Jun-2013 14:56:05.799 samba_dlz: starting transaction on zone
> mtolympus.local
> 01-Jun-2013 14:56:05.800 client 10.0.0.106#60674: update
> 'mtolympus.local/IN' denied
> 01-Jun-2013 14:56:05.800 samba_dlz: cancelling transaction on zone
> mtolympus.local

This means that non-secure updates are forbidden in the zone.

> 01-Jun-2013 14:56:05.894 client 10.0.0.106#57284: TCP request
> 01-Jun-2013 14:56:05.894 client 10.0.0.106#57284: using view '_default'
> 01-Jun-2013 14:56:05.894 client 10.0.0.106#57284: request is not signed
> 01-Jun-2013 14:56:05.894 client 10.0.0.106#57284: recursion available
> 01-Jun-2013 14:56:05.894 client 10.0.0.106#57284: query
> 01-Jun-2013 14:56:05.894 failed gss_inquire_cred: GSSAPI error: Major =
> Unspecified GSS failure.  Minor code may provide more information, Minor =
> Success.
> 01-Jun-2013 14:56:05.940 gss-api source name (accept) is
> gm-bed-desktop$@MTOLYMPUS.LOCAL
> 01-Jun-2013 14:56:05.940 process_gsstkey(): dns_tsigerror_noerror

I don't think it's the major problem (but I had no time to debug it
after I solved the problem). It's in the log_cred function, which doesn't
return any value, and it continues well - gss-api source name (accept).
I see in tcpdump that bind returns success but Windows doesn't continue
in TSIG.

> Thank you so very much for any help, I am so desperately lost at this
> point, I have tried everything.

Not everything ;o) You trust the RH too much.
As you can see, at least Steve has no problem with it (on Ubuntu, SUSE).

> On Sat, Jun 1, 2013 at 1:13 PM, Gary Maurizi <garymaurizi at gmail.com> wrote:
> > On Sat, Jun 1, 2013 at 9:46 AM, Michael De Groote <
> > ict at sint-pietersschool.be> wrote:
> >
> >> Nick,
> >>
> >> doesn't that bug apply to internal dns only? (Gary says he's using
> >> BIND9_DLZ)
> >>
> >> 2013/6/1 Nick Semenkovich <semenko at alum.mit.edu>
> >>
> >> > Looks like bug https://bugzilla.samba.org/show_bug.cgi?id=9559 which
> >> > looks like it'll be fixed in git momentarily.
> >> >
> >> > On Sat, Jun 1, 2013 at 1:59 AM, Gary Maurizi <garymaurizi at gmail.com>
> >> > wrote:
> >> > > I just can't seem to get dynamic DNS updates working on CentOS 6.4
> >> with
> >> > > samba 4.0 .tar.gz from samba.org using BIND9_DLZ.
> >> > >
> >> > > If I run bind 9.8.2.rc1 in debug mode and go to a domain joined
> >> windows
> >> > > client and run 'ipconfig /registerdns' this is what I get in my
> >> console:
> >> > >
> >> > > 31-May-2013 23:51:06.520 client 10.0.0.106#54352: new TCP connection
> >> > > 31-May-2013 23:51:06.520 client 10.0.0.106#54352: replace
> >> > > 31-May-2013 23:51:06.520 clientmgr @0x7fe0575b5010: createclients
> >> > > 31-May-2013 23:51:06.520 clientmgr @0x7fe0575b5010: recycle
> >> > > 31-May-2013 23:51:06.520 client 10.0.0.106#54352: read
> >> > > 31-May-2013 23:51:06.520 client @0x7fe04c159600: accept
> >> > > 31-May-2013 23:51:06.529 client 10.0.0.106#54352: TCP request
> >> > > 31-May-2013 23:51:06.529 client 10.0.0.106#54352: view internal-view:
> >> > using
> >> > > view 'internal-view'
> >> > > 31-May-2013 23:51:06.529 client 10.0.0.106#54352: view internal-view:
> >> > > request is not signed
> >> > > 31-May-2013 23:51:06.529 client 10.0.0.106#54352: view internal-view:
> >> > > recursion available
> >> > > 31-May-2013 23:51:06.529 client 10.0.0.106#54352: view internal-view:
> >> > query
> >> > > 31-May-2013 23:51:06.529 failed gss_inquire_cred: GSSAPI error: Major
> >> =
> >> > > Unspecified GSS failure.  Minor code may provide more information,
> >> Minor
> >> > =
> >> > > Success.
> >> > > 31-May-2013 23:51:06.573 gss-api source name (accept) is
> >> > > gm-bed-desktop$@MTOLYMPUS.LOCAL
> >> > > 31-May-2013 23:51:06.573 process_gsstkey(): dns_tsigerror_noerror
> >> > > 31-May-2013 23:51:06.573 client 10.0.0.106#54352: view internal-view:
> >> > send
> >> > > 31-May-2013 23:51:06.573 client 10.0.0.106#54352: view internal-view:
> >> > sendto
> >> > > 31-May-2013 23:51:06.573 client 10.0.0.106#54352: view internal-view:
> >> > > senddone
> >> > > 31-May-2013 23:51:06.573 client 10.0.0.106#54352: view internal-view:
> >> > next
> >> > > 31-May-2013 23:51:06.573 client 10.0.0.106#54352: view internal-view:
> >> > > endrequest
> >> > > 31-May-2013 23:51:06.573 client 10.0.0.106#54352: read
> >> > > 31-May-2013 23:51:06.609 client 10.0.0.106#54352: next
> >> > > 31-May-2013 23:51:06.609 client 10.0.0.106#54352: request failed: end
> >> of
> >> > > file
> >> > > 31-May-2013 23:51:06.609 client 10.0.0.106#54352: endrequest
> >> > > 31-May-2013 23:51:06.609 client 10.0.0.106#54352: closetcp
> >> > > ^C31-May-2013 23:51:29.665 shutting down
> >> > > 31-May-2013 23:51:29.665 stopping command channel on 127.0.0.1#953
> >> > > 31-May-2013 23:51:29.665 res 0x7fe0575c3010: shutdown
> >> > > 31-May-2013 23:51:29.665 res 0x7fe0575c3010: exiting
> >> > >
> >> > > I have checked file permissions everywhere I can think of, this is my
> >> 7th
> >> > > time following the official samba.org samba 4 primary domain
> >> controller
> >> > > tutorial and this has happened every single time.
> >> > >
> >> > > Everything else seems to be functioning, I can manage everything from
> >> a
> >> > > windows client with the AD snap-ins and the computer shows up in
> >> > 'Computers
> >> > > and Users' snap in, it just does NOT have a DNS A record!

So the solution is very simple. You need to compile bind without
--disable-isc-spnego

Just download the bind src.rpm, install it, edit rpmbuild/SPEC/bind.spec
and remove the line with --disable-isc-spnego and rebuild the package
using rpmbuild -ba. Install the newly created packages and restart named.

That's all.

Can someone write a warning about this option (at least on RH-like systems)
into the wiki?
https://wiki.samba.org/index.php/Dns-backend_bind#Compiling_Bind

I hope it helps and saves others time (it took 8 hours of my life).

Best regards,

Luf
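
The check and the spec edit described in the message above, scripted as an added example that is not part of the original post or of any distribution's packaging. The function names are hypothetical, `has_spnego_disabled` expects build-options text such as the output of `named -V`, and the sample spec fragment is constructed with placeholder options.

```shell
#!/bin/sh
# Added example (not from the original post). The sample spec is constructed.

# Succeeds if build-options text, e.g. the output of `named -V`, shows that
# BIND was configured with the flag the post identifies as the cause.
has_spnego_disabled() {
    printf '%s\n' "$1" | grep -q -e '--disable-isc-spnego'
}

# Copy spec file $1 to $2 without the flag, keeping the backslash-continued
# configure command well formed.
strip_spnego_flag() {
    awk '
    function flush() { if (have) print prev; have = 0 }
    {
        line = $0
        if (index(line, "--disable-isc-spnego")) {
            cont = (line ~ /\\[ \t]*$/)            # did this line continue?
            gsub(/[ \t]*--disable-isc-spnego/, "", line)
            rest = line
            sub(/\\[ \t]*$/, "", rest)
            if (rest ~ /^[ \t]*$/) {               # flag was alone on its line
                # If it was the last line of the command, the line before it
                # must no longer end in a continuation backslash.
                if (!cont && have) sub(/[ \t]*\\[ \t]*$/, "", prev)
                next
            }
        }
        flush(); prev = line; have = 1
    }
    END { flush() }' "$1" > "$2"
}

# Demo on a constructed spec fragment (the option other than the flag is a
# placeholder, not a real BIND configure option).
demo_dir=$(mktemp -d)
cat > "$demo_dir/bind.spec" <<'EOF'
%configure \
  --enable-placeholder-a \
  --disable-isc-spnego
make
EOF
strip_spnego_flag "$demo_dir/bind.spec" "$demo_dir/bind.spec.new"
cat "$demo_dir/bind.spec.new"
```

Diff the rewritten spec against the original before rebuilding, so that the only change going into the new packages is the removed flag.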

