[Samba] Samba 4, dynamic DNS, Kerberos

Michael Mol mikemol at gmail.com
Mon Mar 4 19:24:45 MST 2013


Dynamic DNS updating is failing (which is bizarre, because I could have
sworn I'd had it working before). Help?

Setup: Samba 4 DC running bind 9.9.2, Samba 3.6.3 member


The output of "net -d10 ads join" is attached, compressed.

Interesting portions of named.conf:

options {
  (no allow-updates section)

  ...

  tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

};


include "/etc/bind/samba.conf"; /* hardlink to /var/lib/samba/private/named.conf */



Server's smb.conf:

# Global parameters
[global]
        workgroup = FIREFLY
        realm = FIREFLY.MICHAEL.MOL.NAME
        netbios name = KAYLEE
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

        # Force auth toward NTLM2
        lanman auth = no
        # Re-enabled NTLMv1, as Debian Squeeze comes with Samba 3.5.6, which
        # Doesn't appear to support NTLMv2
        # ntlm auth = no

        # Since we use ext4, a filesystem which supports extents, we can
        # enable strict allocate. (Generally a good thing; it reduces
        # fragmentation.) Granted, this is a file-serving specific behavior,
        # and we're not using samba as a fileserver as I write this...
        strict allocate = yes

        # Another fileserving optimization. See smb.conf(5) for details.
        use sendfile = true

        # And another. I enable this one because I've got gobs of RAM...
        write cache size = 262144

        idmap config * : backend = ad
        idmap config * : range = 100000 - 200000

        winbind max domain connections = 8

        # Use Services for Unix LDAP extensions.
        winbind nss info = sfu

        # We want to use LDAP for credentials, anyway.
        ldapsam:trusted = yes
        ldapsam:editposix = yes

        ldap ssl = start tls
        ldap ssl ads = yes

        log level = all:10

        # We don't need netbios.
        disable netbios = yes

[netlogon]
        path = /var/lib/samba/sysvol/firefly.michael.mol.name/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Client smb.conf:
[global]
        security = ads
        realm = FIREFLY.MICHAEL.MOL.NAME
        workgroup = FIREFLY
        kerberos method = system keytab
        smb ports = 455
        disable netbios = yes
        name resolve order = hosts
        idmap uid = 200000 - 300000
        idmap gid = 200000 - 300000


named logging from server:

04-Mar-2013 20:18:45.883 database: info: samba_dlz: starting transaction on zone firefly.michael.mol.name
04-Mar-2013 20:18:45.884 update: info: client 192.168.83.146#43330: updating zone 'firefly.michael.mol.name/NONE': update unsuccessful: saffron.firefly.michael.mol.name/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
04-Mar-2013 20:18:45.884 database: info: samba_dlz: cancelling transaction on zone firefly.michael.mol.name
04-Mar-2013 20:18:45.928 database: info: samba_dlz: starting transaction on zone firefly.michael.mol.name
04-Mar-2013 20:18:45.929 database: error: samba_dlz: spnego update failed
04-Mar-2013 20:18:45.929 update: info: client 192.168.83.146#43330: updating zone 'firefly.michael.mol.name/NONE': update failed: rejected by secure update (REFUSED)
04-Mar-2013 20:18:45.929 database: info: samba_dlz: cancelling transaction on zone firefly.michael.mol.name
04-Mar-2013 20:18:46.001 database: info: samba_dlz: starting transaction on zone firefly.michael.mol.name
04-Mar-2013 20:18:46.003 database: info: samba_dlz: disallowing update of signer=SAFFRON\$\@FIREFLY.MICHAEL.MOL.NAME name=saffron.firefly.michael.mol.name type=A error=insufficient access rights
04-Mar-2013 20:18:46.004 update: info: client 192.168.83.146#43330/key SAFFRON\$\@FIREFLY.MICHAEL.MOL.NAME: updating zone 'firefly.michael.mol.name/NONE': update failed: rejected by secure update (REFUSED)
04-Mar-2013 20:18:46.004 database: info: samba_dlz: cancelling transaction on zone firefly.michael.mol.name

samba logging from server:

Kerberos: AS-REQ Administrator@FIREFLY.MICHAEL.MOL.NAME from ipv6:2001:470:c5b9:beef:4eed:deff:fe93:63a0:43555 for krbtgt/FIREFLY.MICHAEL.MOL.NAME@FIREFLY.MICHAEL.MOL.NAME
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- Administrator@FIREFLY.MICHAEL.MOL.NAME
Kerberos: AS-REQ Administrator@FIREFLY.MICHAEL.MOL.NAME from ipv6:2001:470:c5b9:beef:4eed:deff:fe93:63a0:41982 for krbtgt/FIREFLY.MICHAEL.MOL.NAME@FIREFLY.MICHAEL.MOL.NAME
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data -- Administrator@FIREFLY.MICHAEL.MOL.NAME
Kerberos: Looking for ENC-TS pa-data -- Administrator@FIREFLY.MICHAEL.MOL.NAME
Kerberos: ENC-TS Pre-authentication succeeded -- Administrator@FIREFLY.MICHAEL.MOL.NAME using arcfour-hmac-md5
authsam_account_ok: Checking SMB password for user Administrator@FIREFLY.MICHAEL.MOL.NAME
Kerberos: AS-REQ authtime: 2013-03-04T20:18:45 starttime: unset endtime: 2013-03-05T06:18:45 renew till: unset
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: forwardable
Kerberos: TGS-REQ Administrator@FIREFLY.MICHAEL.MOL.NAME from ipv6:2001:470:c5b9:beef:4eed:deff:fe93:63a0:36575 for ldap/kaylee.firefly.michael.mol.name@FIREFLY.MICHAEL.MOL.NAME [canonicalize]
Kerberos: TGS-REQ authtime: 2013-03-04T20:18:45 starttime: 2013-03-04T20:18:45 endtime: 2013-03-05T06:18:45 renew till: unset
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
schannel_store_session_key_tdb: stored schannel info with key SECRETS/SCHANNEL/SAFFRON
schannel_fetch_session_key_tdb: restored schannel info key SECRETS/SCHANNEL/SAFFRON
Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]
Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[NT_STATUS_CONNECTION_DISCONNECTED]
Terminating connection - 'wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[wbsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: AS-REQ SAFFRON$@FIREFLY.MICHAEL.MOL.NAME from ipv6:2001:470:c5b9:beef:4eed:deff:fe93:63a0:48303 for krbtgt/FIREFLY.MICHAEL.MOL.NAME@FIREFLY.MICHAEL.MOL.NAME
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- SAFFRON$@FIREFLY.MICHAEL.MOL.NAME
Kerberos: AS-REQ SAFFRON$@FIREFLY.MICHAEL.MOL.NAME from ipv6:2001:470:c5b9:beef:4eed:deff:fe93:63a0:59115 for krbtgt/FIREFLY.MICHAEL.MOL.NAME@FIREFLY.MICHAEL.MOL.NAME
Kerberos: Client sent patypes: encrypted-timestamp
Kerberos: Looking for PKINIT pa-data -- SAFFRON$@FIREFLY.MICHAEL.MOL.NAME
Kerberos: Looking for ENC-TS pa-data -- SAFFRON$@FIREFLY.MICHAEL.MOL.NAME
Kerberos: ENC-TS Pre-authentication succeeded -- SAFFRON$@FIREFLY.MICHAEL.MOL.NAME using arcfour-hmac-md5
authsam_account_ok: Checking SMB password for user SAFFRON$@FIREFLY.MICHAEL.MOL.NAME
Kerberos: AS-REQ authtime: 2013-03-04T20:18:45 starttime: unset endtime: 2013-03-05T06:18:45 renew till: unset
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: forwardable
Kerberos: TGS-REQ SAFFRON$@FIREFLY.MICHAEL.MOL.NAME from ipv6:2001:470:c5b9:beef:4eed:deff:fe93:63a0:56307 for dns/kaylee.firefly.michael.mol.name@FIREFLY.MICHAEL.MOL.NAME [canonicalize]
Kerberos: TGS-REQ authtime: 2013-03-04T20:18:45 starttime: 2013-03-04T20:18:45 endtime: 2013-03-05T06:18:45 renew till: unset
Kerberos: AS-REQ named@FIREFLY.MICHAEL.MOL.NAME from ipv6:2001:470:c5b9:dead:219:bbff:feea:a48:44595 for krbtgt/FIREFLY.MICHAEL.MOL.NAME@FIREFLY.MICHAEL.MOL.NAME
Kerberos: UNKNOWN -- named@FIREFLY.MICHAEL.MOL.NAME: no such entry found in hdb
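To tell the three refusals in the named log above apart quickly in a longer log, here is an added Python triage script; it is not from the post, Samba or BIND. It parses the `update:` lines, attaches the `samba_dlz` line logged just before each verdict, and labels every attempt; the sample log is the post's own lines rejoined one per line, and reading "spnego update failed" as leaving the following update unverified is an assumption.

```python
import re

# Constructed sample: the failed-update lines from the post's named log, rejoined one per line.
NAMED_LOG = r"""
04-Mar-2013 20:18:45.884 update: info: client 192.168.83.146#43330: updating zone 'firefly.michael.mol.name/NONE': update unsuccessful: saffron.firefly.michael.mol.name/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
04-Mar-2013 20:18:45.929 database: error: samba_dlz: spnego update failed
04-Mar-2013 20:18:45.929 update: info: client 192.168.83.146#43330: updating zone 'firefly.michael.mol.name/NONE': update failed: rejected by secure update (REFUSED)
04-Mar-2013 20:18:46.003 database: info: samba_dlz: disallowing update of signer=SAFFRON\$\@FIREFLY.MICHAEL.MOL.NAME name=saffron.firefly.michael.mol.name type=A error=insufficient access rights
04-Mar-2013 20:18:46.004 update: info: client 192.168.83.146#43330/key SAFFRON\$\@FIREFLY.MICHAEL.MOL.NAME: updating zone 'firefly.michael.mol.name/NONE': update failed: rejected by secure update (REFUSED)
"""

UPDATE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) update: info: client (?P<client>[^\s/]+)(?:/key (?P<key>\S+))?: "
    r"updating zone '(?P<zone>[^']+)': update (?:unsuccessful|failed): (?P<detail>.*)$")
DLZ_DENY_RE = re.compile(r"samba_dlz: disallowing update of signer=(?P<signer>\S+) "
                         r"name=(?P<name>\S+) type=(?P<type>\S+) error=(?P<error>.*)$")
DLZ_SPNEGO = "samba_dlz: spnego update failed"

def classify(detail, key, ctx):
    """Label one BIND update verdict using the samba_dlz context logged just before it."""
    if "(NXRRSET)" in detail:       # prerequisite probe: record absent, nothing to do with auth
        return "NXRRSET"
    if ctx.get("spnego"):           # assumption: failed GSS-TSIG step leaves the update unverified
        return "SPNEGO_FAILED"
    if ctx.get("error"):            # signer authenticated, then denied by samba_dlz on the record
        return "ACCESS_DENIED"
    if "rejected by secure update" in detail:
        return "UNSIGNED_REFUSED" if key is None else "REFUSED_UNKNOWN"
    return "OTHER"

def triage(log_text):
    """Return one dict per update attempt: ts, client, key, zone, detail, label, reason."""
    events, ctx = [], {}
    for line in log_text.splitlines():
        if DLZ_SPNEGO in line:
            ctx["spnego"] = True
            continue
        m = DLZ_DENY_RE.search(line)
        if m:
            ctx.update(m.groupdict())
            continue
        m = UPDATE_RE.match(line)
        if not m:
            continue                # transaction start/cancel lines and anything unrelated
        ev = m.groupdict()
        ev["label"] = classify(ev["detail"], ev["key"], ctx)
        ev["reason"] = ctx.get("error")
        events.append(ev)
        ctx = {}                    # dlz context explains only the next update line
    return events
```

The last label is the one that matters here: the SAFFRON$ key was accepted by BIND, so the final refusal is an authorization decision on the record, not a Kerberos failure.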