[Samba] A and/or PTR record deleted after pc wake-up
L.P.H. van Belle
belle at bazuin.nl
Thu Mar 6 05:06:55 MST 2014
Hi,
thanks for all the responses.
I only checked with the Windows RSAT tools.
I just deleted my install and I'm going for bind 9.9.5 from Debian sid (rebuilt for wheezy).
>The machine key has been used to authenticate. named must have had
>access to the dns keytab too.
Yes, that's correct, I did set the default keytab to servname$@internal.domain.tld.
I checked it with all the tests the wiki described,
and pointed it to the default keytab file.
This was my krb5.conf:
[libdefaults]
    default_realm = INTERNAL.DOMAIN.TLD
    dns_lookup_realm = false
    dns_lookup_kdc = true
    ticket_lifetime = 30d
    forwardable = yes
    default_keytab_name = FILE:/etc/krb5.keytab

[realms]
    INTERNAL.DOMAIN.TLD = {
        kdc = rtd-dc1.INTERNAL.DOMAIN.TLD:88
        admin_server = rtd-dc1.INTERNAL.DOMAIN.TLD:749
        default_domain = INTERNAL.DOMAIN.TLD
    }

[domain_realm]
    .INTERNAL.DOMAIN.TLD = INTERNAL.DOMAIN.TLD
    INTERNAL.DOMAIN.TLD = INTERNAL.DOMAIN.TLD

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }
The bind config also contained:
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
I used the following to export the keys:
# export the kerberos keys
samba-tool domain exportkeytab /tmp/krb5.keytab
Then I looked at what's in there:
ktutil
: rkt /tmp/krb5.keytab
: list
-> output
: wkt /etc/krb5.keytab
: quit
For ISC bind we need bind as owner of the keytab:
chown bind /etc/krb5.keytab
and I did set the default keytab:
kinit -k -t /etc/krb5.keytab RTD-DC1$@INTERNAL.DOMAIN.TLD
I checked which users had rights.
I looked in the /var/lib/samba/named.update file;
there are 3 which had rights to update the DNS.
Can someone tell me if the above procedure is correct?
Or should I set the default keytab on the next install to
/var/lib/samba/private/dns.keytab
and not export it and set it again?
Greetz,
Louis
>
>@Louis: are we certain that there is nothing in DNS for Admin-PC? I
>mean, according to samba-tool dns or the windows dns admin. Maybe if
>there is, delete it, unjoin and rejoin?
Only the Windows admin; just before I deleted my Samba, I tried to add the
missing records again, and I was unable to: it was saying it did exist.
So the record was there, but I was not seeing it.
>-----Original message-----
>From: steve at steve-ss.com [mailto:samba-bounces at lists.samba.org]
>On behalf of steve
>Sent: Thursday 6 March 2014 11:37
>To: samba at lists.samba.org
>Subject: Re: [Samba] A and/or PTR record deleted after pc wake-up
>
>On Thu, 2014-03-06 at 10:30 +0100, Peter Serbe wrote:
>> Hi Louis,
>>
>> > So it's normal that after a pc woke up my A and PTR records
>> > get deleted ??
>>
>> It doesn't look like the records were deleted...
>> The very first lines of your log seem to indicate that the
>> authentication of the bind doesn't work. I'd fix this first.
>>
>> > Mar 5 15:43:13 rtd-dc1 named[3717]: samba_dlz: starting
>> > transaction on zone INTERNAL.DOMAIN.TLD
>> > Mar 5 15:43:13 rtd-dc1 named[3717]: client
>> > 10.249.250.64#49271: update 'INTERNAL.DOMAIN.TLD/IN' denied
>> > Mar 5 15:43:13 rtd-dc1 named[3717]: samba_dlz: cancelling
>> > transaction on zone INTERNAL.DOMAIN.TLD
>>
>
>Yes, but immediately afterwards it then goes on to authenticate
>perfectly well, working on exactly the same zone it just denied
>access to:
>
>>Mar 5 15:43:13 rtd-dc1 named[3717]: samba_dlz: starting
>>transaction on zone INTERNAL.DOMAIN.TLD
>>Mar 5 15:43:13 rtd-dc1 named[3717]: samba_dlz: allowing
>>update of signer=admin-pc\$\@INTERNAL.DOMAIN.TLD
>>name=Admin-PC.INTERNAL.DOMAIN.TLD tcpaddr= type=A
>>key=980-ms-7.2-65f74b.f80d0c34-a464-11e3-63b9-d067e50ae371/160/0
>>
>>==>> Mar 5 15:43:13 rtd-dc1 named[3717]: client
>>10.249.250.64#55424: updating zone 'INTERNAL.DOMAIN.TLD/NONE':
>>deleting an RR at Admin-PC.INTERNAL.DOMAIN.TLD A
>>
>>Mar 5 15:43:13 rtd-dc1 named[3717]: samba_dlz: subtracted
>>rdataset Admin-PC.INTERNAL.DOMAIN.TLD
>>'Admin-PC.INTERNAL.DOMAIN.TLD.#0111200#011IN#011A#01110.249.250.64'
>>Mar 5 15:43:13 rtd-dc1 named[3717]: samba_dlz: subtracted
>>rdataset INTERNAL.DOMAIN.TLD
>>'INTERNAL.DOMAIN.TLD.#0113600#011IN#011SOA#011rtd-dc1.INTERNAL.
>>DOMAIN.TLD. hostmaster.INTERNAL.DOMAIN.TLD. 3 900 600 86400 0'
>>Mar 5 15:43:13 rtd-dc1 named[3717]: samba_dlz: added rdataset
>>INTERNAL.DOMAIN.TLD
>>'INTERNAL.DOMAIN.TLD.#0113600#011IN#011SOA#011rtd-dc1.INTERNAL.
>>DOMAIN.TLD. hostmaster.INTERNAL.DOMAIN.TLD. 4 900 600 86400 0'
>>Mar 5 15:43:13 rtd-dc1 named[3717]: samba_dlz: committed
>>transaction on zone INTERNAL.DOMAIN.TLD
>
>The machine key has been used to authenticate. named must have had
>access to the dns keytab too.
>
>@Louis: are we certain that there is nothing in DNS for Admin-PC? I
>mean, according to samba-tool dns or the windows dns admin. Maybe if
>there is, delete it, unjoin and rejoin?
>HTH
>Steve
>
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: https://lists.samba.org/mailman/options/samba
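A small parser, added here as an example and not part of the thread, that pulls the dynamic-update events out of named/samba_dlz log lines like the ones Steve quoted: it records which GSS-TSIG signer samba_dlz authorised for each transaction, attaches that signer to every RR change the client then makes, and flags deletions signed by an AD computer account (principal ending in "$"), which is exactly the pattern behind the vanished A record above. The sample lines are constructed from the quoted excerpt.

```python
import re

# Constructed sample, modelled on the named/samba_dlz lines quoted in the thread.
SAMPLE_LOG = """\
Mar 5 15:43:13 rtd-dc1 named[3717]: samba_dlz: starting transaction on zone INTERNAL.DOMAIN.TLD
Mar 5 15:43:13 rtd-dc1 named[3717]: client 10.249.250.64#49271: update 'INTERNAL.DOMAIN.TLD/IN' denied
Mar 5 15:43:13 rtd-dc1 named[3717]: samba_dlz: cancelling transaction on zone INTERNAL.DOMAIN.TLD
Mar 5 15:43:13 rtd-dc1 named[3717]: samba_dlz: starting transaction on zone INTERNAL.DOMAIN.TLD
Mar 5 15:43:13 rtd-dc1 named[3717]: samba_dlz: allowing update of signer=admin-pc$@INTERNAL.DOMAIN.TLD name=Admin-PC.INTERNAL.DOMAIN.TLD tcpaddr= type=A key=980-ms-7.2-65f74b.f80d0c34-a464-11e3-63b9-d067e50ae371/160/0
Mar 5 15:43:13 rtd-dc1 named[3717]: client 10.249.250.64#55424: updating zone 'INTERNAL.DOMAIN.TLD/NONE': deleting an RR at Admin-PC.INTERNAL.DOMAIN.TLD A
Mar 5 15:43:13 rtd-dc1 named[3717]: samba_dlz: committed transaction on zone INTERNAL.DOMAIN.TLD
"""

# An update rejected outright (no valid TSIG/GSS signature or no permission).
DENIED_RE = re.compile(r"client (?P<addr>[\d.]+)#(?P<port>\d+): update '(?P<zone>[^']+)' denied")
# samba_dlz authorising a signer for the transaction that follows.
ALLOW_RE = re.compile(r"samba_dlz: allowing update of signer=(?P<signer>\S+) name=(?P<name>\S+) "
                      r"tcpaddr=\S* type=(?P<rtype>\S+)")
# The actual RR change applied by the client inside that transaction.
CHANGE_RE = re.compile(r"client (?P<addr>[\d.]+)#(?P<port>\d+): updating zone '(?P<zone>[^']+)': "
                       r"(?P<action>deleting|adding) an RR at (?P<name>\S+) (?P<rtype>\S+)")
END_RE = re.compile(r"samba_dlz: (committed|cancelling) transaction")


def parse_update_events(log_text):
    """Return one dict per denied update or per RR change, each carrying the
    signer samba_dlz authorised for the transaction it belongs to (or None)."""
    events, signer = [], None
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            events.append({"kind": "denied", "signer": None, **m.groupdict()})
            continue
        m = ALLOW_RE.search(line)
        if m:
            signer = m.group("signer")   # remember who is driving this transaction
            continue
        m = CHANGE_RE.search(line)
        if m:
            events.append({"kind": m.group("action"), "signer": signer, **m.groupdict()})
            continue
        if END_RE.search(line):
            signer = None                # transaction closed; forget the signer
    return events


def machine_account_deletions(events):
    """RR deletions authorised for an AD computer account (name before '@' ends in '$')."""
    return [e for e in events
            if e["kind"] == "deleting" and e["signer"]
            and e["signer"].split("@", 1)[0].endswith("$")]
```

Run over a real named log it gives a per-record audit trail of which principal removed which record, so a denied update followed by a successful deletion from the same client address (as in the excerpt) stands out immediately.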