[Samba] howto test ddns
steve
steve at steve-ss.com
Sat Aug 2 15:53:32 MDT 2014
On Sat, 2014-08-02 at 22:26 +0100, Rowland Penny wrote:
> On 02/08/14 22:12, shadrock uhuru wrote:
> > hi
> > using the instructions from this page
> > http://linuxcostablanca.blogspot.co.uk/2013/04/sssd-in-samba-40.html i
> > added sssd,
> > it was the sssd log that indicated that something was wrong with ddns
> > update so i needed to establish whether the problem was on samba side or
> > sssd side
> > this is why i was testing it on ashanti,
> > after reading your advice i changed the test on the DC
> > i changed the nsupdate command to update the dns record for a server
> > called testserver with ip address 10.2.1.50 instead of ashanti,
> > this worked and updated without error,
>
> This proves that nsupdate is working.
>
> > which brings me back to the sssd startup output,
> > i have added the upper case server name to the keytab to see if it made
> > a difference.
> > the startup runs without error until it gets to the dns update section,
> >
> > this is the first error -
> > tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
> > Minor code may provide more information, Minor = Server not found in
> > Kerberos database.
> > and this is the second -
> > could not find enclosing zone
> >
> > have you any idea why sssd is trying to nsupdate ashanti on startup ?
> >
> > sudo klist -k -K /etc/krb5.keytab
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Principal
> > ----
> > --------------------------------------------------------------------------
> > 1 ashanti$@TISSISAT.CO.UK (0x3d193b5de35b7010)
> > 1 ashanti$@TISSISAT.CO.UK (0x3d193b5de35b7010)
> > 1 ashanti$@TISSISAT.CO.UK (0xe15ce7729bc37077442e0771c0faaf48)
> > 1 ASHANTI$@TISSISAT.CO.UK (0x3d193b5de35b7010)
> > 1 ASHANTI$@TISSISAT.CO.UK (0x3d193b5de35b7010)
> > 1 ASHANTI$@TISSISAT.CO.UK (0xe15ce7729bc37077442e0771c0faaf48)
> >
> > sssd -i -d7
> > (Sat Aug 2 21:18:14 2014) [sssd[be[tissisat.co.uk]]]
> > [set_tgt_child_timeout] (0x0400): Setting 6 seconds timeout for tgt child
> > (Sat Aug 2 21:18:14 2014) [sssd[be[tissisat.co.uk]]]
> > [write_pipe_handler] (0x0400): All data has been sent!
> > (Sat Aug 2 21:18:14 2014) [[sssd[ldap_child[2199]]]] [main] (0x0400):
> > ldap_child started.
> > (Sat Aug 2 21:18:14 2014) [[sssd[ldap_child[2199]]]] [unpack_buffer]
> > (0x1000): total buffer size: 38
> > (Sat Aug 2 21:18:14 2014) [[sssd[ldap_child[2199]]]] [unpack_buffer]
> > (0x1000): realm_str size: 14
> > (Sat Aug 2 21:18:14 2014) [[sssd[ldap_child[2199]]]] [unpack_buffer]
> > (0x1000): got realm_str: TISSISAT.CO.UK
> > (Sat Aug 2 21:18:14 2014) [[sssd[ldap_child[2199]]]] [unpack_buffer]
> > (0x1000): princ_str size: 8
> > (Sat Aug 2 21:18:14 2014) [[sssd[ldap_child[2199]]]] [unpack_buffer]
> > (0x1000): got princ_str: ASHANTI$
> > (Sat Aug 2 21:18:14 2014) [[sssd[ldap_child[2199]]]] [unpack_buffer]
> > (0x1000): keytab_name size: 0
> > (Sat Aug 2 21:18:14 2014) [[sssd[ldap_child[2199]]]] [unpack_buffer]
> > (0x1000): lifetime: 86400
> > (Sat Aug 2 21:18:14 2014) [[sssd[ldap_child[2199]]]]
> > [ldap_child_get_tgt_sync] (0x0100): Principal name is:
> > [ASHANTI$@TISSISAT.CO.UK]
> > (Sat Aug 2 21:18:14 2014) [[sssd[ldap_child[2199]]]]
> > [ldap_child_get_tgt_sync] (0x0100): Using keytab [default]
> > (Sat Aug 2 21:18:14 2014) [[sssd[ldap_child[2199]]]] [prepare_response]
> > (0x0400): Building response for result [0]
> > (Sat Aug 2 21:18:14 2014) [[sssd[ldap_child[2199]]]] [pack_buffer]
> > (0x1000): result [0] krberr [0] msgsize [42] msg
> > [FILE:/var/lib/sss/db/ccache_TISSISAT.CO.UK]
> > (Sat Aug 2 21:18:14 2014) [[sssd[ldap_child[2199]]]] [main] (0x0400):
> > ldap_child completed successfully
> > (Sat Aug 2 21:18:14 2014) [sssd[be[tissisat.co.uk]]]
> > [read_pipe_handler] (0x0400): EOF received, client finished
> > (Sat Aug 2 21:18:14 2014) [sssd[be[tissisat.co.uk]]]
> > [sdap_get_tgt_recv] (0x0400): Child responded: 0
> > [FILE:/var/lib/sss/db/ccache_TISSISAT.CO.UK], expired on [1407046694]
> > (Sat Aug 2 21:18:14 2014) [sssd[be[tissisat.co.uk]]]
> > [sdap_cli_auth_step] (0x0100): expire timeout is 900
> > (Sat Aug 2 21:18:14 2014) [sssd[be[tissisat.co.uk]]]
> > [sdap_cli_auth_step] (0x1000): the connection will expire at 1407011594
> > (Sat Aug 2 21:18:14 2014) [sssd[be[tissisat.co.uk]]] [sasl_bind_send]
> > (0x0100): Executing sasl bind mech: gssapi, user: ASHANTI$
> > (Sat Aug 2 21:18:14 2014) [sssd[be[tissisat.co.uk]]]
> > [child_sig_handler] (0x1000): Waiting for child [2199].
> > (Sat Aug 2 21:18:14 2014) [sssd[be[tissisat.co.uk]]]
> > [child_sig_handler] (0x0100): child [2199] finished successfully.
> > (Sat Aug 2 21:18:14 2014) [sssd[be[tissisat.co.uk]]]
> > [fo_set_port_status] (0x0100): Marking port 0 of server
> > 'ashanti.tissisat.co.uk' as 'working'
> > (Sat Aug 2 21:18:14 2014) [sssd[be[tissisat.co.uk]]]
> > [set_server_common_status] (0x0100): Marking server
> > 'ashanti.tissisat.co.uk' as 'working'
> > [snip]
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [ad_dyndns_update_send] (0x0400): Performing update
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of
> > 'ashanti' in DNS
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [request_watch_destructor] (0x0400): Deleting request watch
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record
> > of 'ashanti' in DNS
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [request_watch_destructor] (0x0400): Deleting request watch
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [resolv_gethostbyname_next] (0x0200): No more address families to retry
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [resolv_gethostbyname_next] (0x0100): No more hosts databases to retry
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [nsupdate_msg_create_common] (0x0200): Creating update message for realm
> > [TISSISAT.CO.UK].
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [be_nsupdate_create_fwd_msg] (0x0400): -- Begin nsupdate message --
> > realm TISSISAT.CO.UK
> > update delete ashanti. in A
> > send
> > update delete ashanti. in AAAA
> > send
> > update add ashanti. 3600 in A 10.2.1.6
> > send
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [be_nsupdate_create_fwd_msg] (0x0400): -- End nsupdate message --
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [write_pipe_handler] (0x0400): All data has been sent!
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [nsupdate_child_stdin_done] (0x1000): Sending nsupdate data complete
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]] [be_nsupdate_args]
> > (0x0200): nsupdate auth type: GSS-TSIG
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]] [ad_online_cb]
> > (0x0400): The AD provider is online
> > tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor
> > code may provide more information, Minor = Server not found in Kerberos
> > database.
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [child_sig_handler] (0x1000): Waiting for child [1990].
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [child_sig_handler] (0x0020): child [1990] failed with status [1].
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status
> > [256]
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]] [be_nsupdate_done]
> > (0x0040): nsupdate child execution failed [1432158228]: Dynamic DNS
> > update failed
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [sdap_dyndns_update_done] (0x0080): nsupdate failed, retrying with
> > server name
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [nsupdate_msg_create_common] (0x0200): Creating update message for
> > server [ashanti.tissisat.co.uk] and realm [TISSISAT.CO.UK]
> > .(Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [be_nsupdate_create_fwd_msg] (0x0400): -- Begin nsupdate message --
> > server ashanti.tissisat.co.uk
> > realm TISSISAT.CO.UK
> > update delete ashanti. in A
> > send
> > update delete ashanti. in AAAA
> > send
> > update add ashanti. 3600 in A 10.2.1.6
> > send
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [be_nsupdate_create_fwd_msg] (0x0400): -- End nsupdate message --
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [write_pipe_handler] (0x0400): All data has been sent!
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [nsupdate_child_stdin_done] (0x1000): Sending nsupdate data complete
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]] [be_nsupdate_args]
> > (0x0200): nsupdate auth type: GSS-TSIG
> > could not find enclosing zone
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [child_sig_handler] (0x1000): Waiting for child [1994].
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [child_sig_handler] (0x0020): child [1994] failed with status [1].
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status
> > [256]
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]] [be_nsupdate_done]
> > (0x0040): nsupdate child execution failed [1432158228]: Dynamic DNS
> > update failed
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed
> > [1432158228]: Dynamic DNS update failed
> > (Sat Aug 2 19:18:05 2014) [sssd[be[tissisat.co.uk]]]
> > [ad_dyndns_nsupdate_done] (0x0040): Updating DNS entry failed
> > [1432158228]: Dynamic DNS update failed
> > (Sat Aug 2 19:18:09 2014) [sssd] [services_startup_timeout] (0x0400):
> > Handling timeout
> >
> > Shadrock
> I feel that dns on your server is not set up correctly, it seems that
> even though you now have /etc/hosts set up, something else is wrong.
> What have you got in your networking file (on debian this is
> /etc/network/interfaces, don't know what it is on archlinux) ?
>
> Rowland
>
Hi everyone

Please do not use ddns on a DC. This must remain as a static A rr. It is
10.2.1.6. Leave it as it is.

If you wish to use any recent version of sssd on the DC then you should
add the following to sssd.conf:

dyndns_update = false
dyndns_update_ptr = false

This will cure the errors that you are finding.

If you wish to see how ddns works with sssd then you must install a
separate client and join it to the domain.

HTH,
Steve
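
One way to confirm that a DC's sssd.conf carries both settings from the reply above. This is an added example, not part of the original post or of sssd. The function name, the constructed sample configuration and the choice to report a missing option as "not disabled" are assumptions made here.

```python
import configparser

# Constructed sample: the domain name comes from the thread, the other
# keys are illustrative. dyndns_update_ptr is deliberately left out.
SAMPLE_CONF = """
[sssd]
services = nss, pam
config_file_version = 2
domains = tissisat.co.uk

[domain/tissisat.co.uk]
id_provider = ad
access_provider = ad
dyndns_update = false
"""

# The two options the reply says to set to false on a DC.
REQUIRED_OFF = ("dyndns_update", "dyndns_update_ptr")


def audit_dyndns(conf_text):
    """Return {domain: [options not explicitly set to false]}.

    Assumption: an option that is absent is reported as well, because the
    advice in the thread is to add both lines explicitly.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue  # [sssd], [nss], [pam] carry no dyndns settings
        not_disabled = []
        for opt in REQUIRED_OFF:
            raw = parser.get(section, opt, fallback=None)
            if raw is None or raw.strip().lower() != "false":
                not_disabled.append(opt)
        if not_disabled:
            findings[section[len("domain/"):]] = not_disabled
    return findings


if __name__ == "__main__":
    # On a real DC, pass the contents of /etc/sssd/sssd.conf (root-readable).
    for domain, opts in audit_dyndns(SAMPLE_CONF).items():
        print(f"{domain}: still needs {', '.join(o + ' = false' for o in opts)}")
```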