[Samba] Samba 4, dynamic DNS, Kerberos
Michael Mol
mikemol at gmail.com
Mon Mar 4 19:24:45 MST 2013
Dynamic DNS updating is failing (which is bizarre, because I could have
sworn I'd had it working before). Help?
Setup: Samba 4 DC running bind 9.9.2, Samba 3.6.3 member
The output of "net -d10 ads join" is attached, compressed.
Interesting portions of named.conf:
options {
(no allow-updates section)
...
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};
include "/etc/bind/samba.conf"; /* hardlink to /var/lib/samba/private/named.conf */
Server's smb.conf:
# Global parameters
[global]
workgroup = FIREFLY
realm = FIREFLY.MICHAEL.MOL.NAME
netbios name = KAYLEE
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
# Force auth toward NTLM2
lanman auth = no
# Re-enabled NTLMv1, as Debian Squeeze comes with Samba 3.5.6, which
# doesn't appear to support NTLMv2
# ntlm auth = no
# Since we use ext4, a filesystem which supports extents, we can
# enable strict allocate. (Generally a good thing; it reduces
# fragmentation.) Granted, this is a file-serving specific behavior,
# and we're not using samba as a fileserver as I write this...
strict allocate = yes
# Another fileserving optimization. See smb.conf(5) for details.
use sendfile = true
# And another. I enable this one because I've got gobs of RAM...
write cache size = 262144
idmap config * : backend = ad
idmap config * : range = 100000 - 200000
winbind max domain connections = 8
# Use Services for Unix LDAP extensions.
winbind nss info = sfu
# We want to use LDAP for credentials, anyway.
ldapsam:trusted = yes
ldapsam:editposix = yes
ldap ssl = start tls
ldap ssl ads = yes
# smb.conf parameters need "name = value"; without the "=" this line is ignored.
log level = all:10
# We don't need netbios.
disable netbios = yes
[netlogon]
path = /var/lib/samba/sysvol/firefly.michael.mol.name/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
Client smb.conf:
[global]
security = ads
realm = FIREFLY.MICHAEL.MOL.NAME
workgroup = FIREFLY
kerberos method = system keytab
smb ports = 455
disable netbios = yes
name resolve order = hosts
idmap uid = 200000 - 300000
idmap gid = 200000 - 300000
named logging from server:
04-Mar-2013 20:18:45.883 database: info: samba_dlz: starting transaction on zone firefly.michael.mol.name
04-Mar-2013 20:18:45.884 update: info: client 192.168.83.146#43330: updating zone 'firefly.michael.mol.name/NONE': update unsuccessful: saffron.firefly.michael.mol.name/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
04-Mar-2013 20:18:45.884 database: info: samba_dlz: cancelling transaction on zone firefly.michael.mol.name
04-Mar-2013 20:18:45.928 database: info: samba_dlz: starting transaction on zone firefly.michael.mol.name
04-Mar-2013 20:18:45.929 database: error: samba_dlz: spnego update failed
04-Mar-2013 20:18:45.929 update: info: client 192.168.83.146#43330: updating zone 'firefly.michael.mol.name/NONE': update failed: rejected by secure update (REFUSED)
04-Mar-2013 20:18:45.929 database: info: samba_dlz: cancelling transaction on zone firefly.michael.mol.name
04-Mar-2013 20:18:46.001 database: info: samba_dlz: starting transaction on zone firefly.michael.mol.name
04-Mar-2013 20:18:46.003 database: info: samba_dlz: disallowing update of signer=SAFFRON\$\@FIREFLY.MICHAEL.MOL.NAME name=saffron.firefly.michael.mol.name type=A error=insufficient access rights
04-Mar-2013 20:18:46.004 update: info: client 192.168.83.146#43330/key SAFFRON\$\@FIREFLY.MICHAEL.MOL.NAME: updating zone 'firefly.michael.mol.name/NONE': update failed: rejected by secure update (REFUSED)
04-Mar-2013 20:18:46.004 database: info: samba_dlz: cancelling transaction on zone firefly.michael.mol.name
samba logging from server:
Kerberos: AS-REQ Administrator@FIREFLY.MICHAEL.MOL.NAME from ipv6:2001:470:c5b9:beef:4eed:deff:fe93:63a0:43555 for krbtgt/FIREFLY.MICHAEL.MOL.NAME@FIREFLY.MICHAEL.MOL.NAME
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- Administrator@FIREFLY.MICHAEL.MOL.NAME
Kerberos: AS-REQ Administrator@FIREFLY.MICHAEL.MOL.NAME from ipv6:2001:470:c5b9:beef:4eed:deff:fe93:63a0:41982 for krbtgt/FIREFLY.MICHAEL.MOL.NAME@FIREFLY.MICHAEL.MOL.NAME
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data -- Administrator@FIREFLY.MICHAEL.MOL.NAME
Kerberos: Looking for ENC-TS pa-data -- Administrator@FIREFLY.MICHAEL.MOL.NAME
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@FIREFLY.MICHAEL.MOL.NAME using arcfour-hmac-md5
authsam_account_ok: Checking SMB password for user Administrator@FIREFLY.MICHAEL.MOL.NAME
Kerberos: AS-REQ authtime: 2013-03-04T20:18:45 starttime: unset endtime: 2013-03-05T06:18:45 renew till: unset
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: forwardable
Kerberos: TGS-REQ Administrator@FIREFLY.MICHAEL.MOL.NAME from ipv6:2001:470:c5b9:beef:4eed:deff:fe93:63a0:36575 for ldap/kaylee.firefly.michael.mol.name@FIREFLY.MICHAEL.MOL.NAME [canonicalize]
Kerberos: TGS-REQ authtime: 2013-03-04T20:18:45 starttime: 2013-03-04T20:18:45 endtime: 2013-03-05T06:18:45 renew till: unset
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/SAFFRON
schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/SAFFRON
Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]
Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]
Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: AS-REQ SAFFRON$@FIREFLY.MICHAEL.MOL.NAME from ipv6:2001:470:c5b9:beef:4eed:deff:fe93:63a0:48303 for krbtgt/FIREFLY.MICHAEL.MOL.NAME@FIREFLY.MICHAEL.MOL.NAME
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- SAFFRON$@FIREFLY.MICHAEL.MOL.NAME
Kerberos: AS-REQ SAFFRON$@FIREFLY.MICHAEL.MOL.NAME from ipv6:2001:470:c5b9:beef:4eed:deff:fe93:63a0:59115 for krbtgt/FIREFLY.MICHAEL.MOL.NAME@FIREFLY.MICHAEL.MOL.NAME
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data -- SAFFRON$@FIREFLY.MICHAEL.MOL.NAME
Kerberos: Looking for ENC-TS pa-data -- SAFFRON$@FIREFLY.MICHAEL.MOL.NAME
Kerberos: ENC-TS Pre-authentication succeeded -- SAFFRON$@FIREFLY.MICHAEL.MOL.NAME using arcfour-hmac-md5
authsam_account_ok: Checking SMB password for user SAFFRON$@FIREFLY.MICHAEL.MOL.NAME
Kerberos: AS-REQ authtime: 2013-03-04T20:18:45 starttime: unset endtime: 2013-03-05T06:18:45 renew till: unset
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: forwardable
Kerberos: TGS-REQ SAFFRON$@FIREFLY.MICHAEL.MOL.NAME from ipv6:2001:470:c5b9:beef:4eed:deff:fe93:63a0:56307 for dns/kaylee.firefly.michael.mol.name@FIREFLY.MICHAEL.MOL.NAME [canonicalize]
Kerberos: TGS-REQ authtime: 2013-03-04T20:18:45 starttime: 2013-03-04T20:18:45 endtime: 2013-03-05T06:18:45 renew till: unset
Kerberos: AS-REQ named@FIREFLY.MICHAEL.MOL.NAME from ipv6:2001:470:c5b9:dead:219:bbff:feea:a48:44595 for krbtgt/FIREFLY.MICHAEL.MOL.NAME@FIREFLY.MICHAEL.MOL.NAME
Kerberos: UNKNOWN -- named@FIREFLY.MICHAEL.MOL.NAME: no such entry found in hdb
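Editor's note: the following triage script is an added example, not part of the post above and not Samba or BIND code. It parses the kind of named/samba_dlz and Samba KDC lines shown in the post and separates the three outcomes that appear there: a conditional update whose prerequisite was not met (NXRRSET), an update that named treated as unsigned after samba_dlz logged "spnego update failed", and a GSS-TSIG-signed update whose signer was identified but refused with "insufficient access rights". My reading, which the script encodes, is that the last case is an authorization decision on the DNS record in AD rather than a Kerberos failure, since the signer name is already known when it is logged; it also flags KDC lookups for principals that do not exist in the HDB. The sample log text is constructed from the post's excerpts (one record per line; two KDC lines keep the "user at REALM" form the list archive substitutes for "user@REALM", which the parser normalizes), and the message formats are assumed to be those of the versions in the post.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed samples shaped after the named and KDC excerpts in the post.
NAMED_LOG = r"""
04-Mar-2013 20:18:45.883 database: info: samba_dlz: starting transaction on zone firefly.michael.mol.name
04-Mar-2013 20:18:45.884 update: info: client 192.168.83.146#43330: updating zone 'firefly.michael.mol.name/NONE': update unsuccessful: saffron.firefly.michael.mol.name/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
04-Mar-2013 20:18:45.884 database: info: samba_dlz: cancelling transaction on zone firefly.michael.mol.name
04-Mar-2013 20:18:45.928 database: info: samba_dlz: starting transaction on zone firefly.michael.mol.name
04-Mar-2013 20:18:45.929 database: error: samba_dlz: spnego update failed
04-Mar-2013 20:18:45.929 update: info: client 192.168.83.146#43330: updating zone 'firefly.michael.mol.name/NONE': update failed: rejected by secure update (REFUSED)
04-Mar-2013 20:18:45.929 database: info: samba_dlz: cancelling transaction on zone firefly.michael.mol.name
04-Mar-2013 20:18:46.001 database: info: samba_dlz: starting transaction on zone firefly.michael.mol.name
04-Mar-2013 20:18:46.003 database: info: samba_dlz: disallowing update of signer=SAFFRON\$\@FIREFLY.MICHAEL.MOL.NAME name=saffron.firefly.michael.mol.name type=A error=insufficient access rights
04-Mar-2013 20:18:46.004 update: info: client 192.168.83.146#43330/key SAFFRON\$\@FIREFLY.MICHAEL.MOL.NAME: updating zone 'firefly.michael.mol.name/NONE': update failed: rejected by secure update (REFUSED)
04-Mar-2013 20:18:46.004 database: info: samba_dlz: cancelling transaction on zone firefly.michael.mol.name
"""

# Two lines keep the archive's "user at REALM" mangling on purpose.
KDC_LOG = r"""
Kerberos: TGS-REQ Administrator at FIREFLY.MICHAEL.MOL.NAME from ipv6:2001:470:c5b9:beef:4eed:deff:fe93:63a0:36575 for ldap/kaylee.firefly.michael.mol.name at FIREFLY.MICHAEL.MOL.NAME [canonicalize]
Kerberos: TGS-REQ SAFFRON$@FIREFLY.MICHAEL.MOL.NAME from ipv6:2001:470:c5b9:beef:4eed:deff:fe93:63a0:56307 for dns/kaylee.firefly.michael.mol.name@FIREFLY.MICHAEL.MOL.NAME [canonicalize]
Kerberos: AS-REQ named@FIREFLY.MICHAEL.MOL.NAME from ipv6:2001:470:c5b9:dead:219:bbff:feea:a48:44595 for krbtgt/FIREFLY.MICHAEL.MOL.NAME@FIREFLY.MICHAEL.MOL.NAME
Kerberos: UNKNOWN -- named@FIREFLY.MICHAEL.MOL.NAME: no such entry found in hdb
"""

# A principal, either as "x@REALM" or as the archive's "x at REALM".
PRINC = r"\S+(?: at \S+)?"

UPDATE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) update: \w+: client (?P<client>[0-9A-Fa-f.:]+#\d+)"
    r"(?:/key (?P<key>\S+))?: updating zone '(?P<zone>[^']+)': "
    r"update (?P<outcome>\w+): (?P<detail>.*)$"
)
DENY_RE = re.compile(
    r"samba_dlz: disallowing update of signer=(?P<signer>\S+) "
    r"name=(?P<name>\S+) type=(?P<type>\S+) error=(?P<error>.*)$"
)
TGS_RE = re.compile(rf"Kerberos: TGS-REQ (?P<client>{PRINC}) from \S+ for (?P<service>{PRINC})")
HDB_RE = re.compile(rf"Kerberos: UNKNOWN -- (?P<princ>{PRINC}): no such entry found in hdb")


def principal(raw: str) -> str:
    """Undo BIND's name escaping (SAFFRON\\$\\@REALM) and the archive's ' at '."""
    return raw.replace("\\", "").replace(" at ", "@")


def classify(detail: str, key: Optional[str]) -> str:
    if "prerequisite not satisfied" in detail:
        return "prereq-failed"        # conditional update; zone lacked the expected RRset
    if "rejected by secure update" in detail:
        return "denied-signed" if key else "denied-unsigned"
    return "other"


@dataclass
class Attempt:
    ts: str
    client: str
    zone: str
    key: Optional[str]
    kind: str
    detail: str
    denial: Optional[Dict[str, str]] = None   # samba_dlz access-check result, if logged
    spnego_failed: bool = False               # samba_dlz could not verify the GSS token


def analyze(named_log: str, kdc_log: str = "") -> dict:
    attempts: List[Attempt] = []
    denial: Optional[Dict[str, str]] = None
    spnego_failed = False
    for line in named_log.splitlines():
        # samba_dlz brackets every update in a transaction; reset state at each
        # bracket so a dlz message is paired only with the update that follows it.
        if "samba_dlz: starting transaction" in line:
            denial, spnego_failed = None, False
        elif "samba_dlz: spnego update failed" in line:
            spnego_failed = True
        elif (m := DENY_RE.search(line)):
            denial = m.groupdict()
            denial["signer"] = principal(denial["signer"])
        elif (m := UPDATE_RE.match(line)):
            key = principal(m["key"]) if m["key"] else None
            attempts.append(Attempt(m["ts"], m["client"], m["zone"], key,
                                    classify(m["detail"], key), m["detail"],
                                    denial, spnego_failed))
    missing: List[str] = []
    tickets: Dict[str, List[str]] = defaultdict(list)
    for line in kdc_log.splitlines():
        if (m := HDB_RE.search(line)):
            missing.append(principal(m["princ"]))
        elif (m := TGS_RE.search(line)):
            tickets[principal(m["client"])].append(principal(m["service"]))
    return {"attempts": attempts, "missing_principals": missing,
            "service_tickets": dict(tickets)}


def findings(report: dict) -> List[str]:
    """Reduce the parsed records to the questions worth asking first."""
    out: List[str] = []
    for a in report["attempts"]:
        if a.kind == "denied-signed" and a.denial:
            # The signer was identified, so this is an access decision on the
            # record in AD, not a ticket or keytab problem.
            out.append(f"authz: {a.denial['signer']} authenticated but may not write "
                       f"{a.denial['name']}/{a.denial['type']} ({a.denial['error']})")
        elif a.kind == "denied-unsigned" and a.spnego_failed:
            out.append(f"authn: update from {a.client} reached named without a verified "
                       f"key (samba_dlz: spnego update failed)")
    for p in report["missing_principals"]:
        out.append(f"kdc: {p} asked for a TGT but has no entry in the HDB")
    return out


if __name__ == "__main__":
    for line in findings(analyze(NAMED_LOG, KDC_LOG)):
        print(line)
```

Point it at a real `named` log and the DC's `log.samba` (after `log level` has been raised as in the post) to get the same three buckets; the `service_tickets` map in the report is there to confirm the member did obtain a `dns/<dc>` service ticket before the signed attempt, which separates a failed ticket exchange from a refused update.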