[Samba] A and/or PTR record deleted after pc wake-up

L.P.H. van Belle belle at bazuin.nl
Thu Mar 6 05:06:55 MST 2014


Hi,

thanks for all the responses.

I only checked with the Windows RSAT tools.
I just deleted my install and I'm going for bind 9.9.5 from Debian sid (rebuilt for wheezy).

>The machine key has been used to authenticate. named must have had
>access to the dns keytab too.

Yes, that's correct, I did set the default keytab to servname$@internal.domain.tld,
checked it with all the tests the wiki described,
and pointed it to the default keytab file.

This was my krb5.conf:

[libdefaults]
        default_realm = INTERNAL.DOMAIN.TLD
        dns_lookup_realm = false
        dns_lookup_kdc = true
        ticket_lifetime = 30d
        forwardable = yes
        default_keytab_name = FILE:/etc/krb5.keytab

[realms]
 INTERNAL.DOMAIN.TLD = {
  kdc = rtd-dc1.INTERNAL.DOMAIN.TLD:88
  admin_server = rtd-dc1.INTERNAL.DOMAIN.TLD:749
  default_domain = INTERNAL.DOMAIN.TLD
 }

[domain_realm]
 .INTERNAL.DOMAIN.TLD = INTERNAL.DOMAIN.TLD
 INTERNAL.DOMAIN.TLD = INTERNAL.DOMAIN.TLD

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

The bind config also contained:
      tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

I used the following to export the keys:
# export the kerberos keys
samba-tool domain exportkeytab /tmp/krb5.keytab
Then I looked at what's in there:
ktutil
	: rkt /tmp/krb5.keytab
	: list 
	-> output 
	: wkt /etc/krb5.keytab
	: quit

For ISC bind we need bind as owner of the keytab:
chown bind /etc/krb5.keytab

and I did set the default keytab:
kinit -k -t /etc/krb5.keytab RTD-DC1$@INTERNAL.DOMAIN.TLD

I checked which users had rights.
I looked in the /var/lib/samba/named.update file;
there are 3 which had rights to update the DNS.

Can someone tell me if the above procedure is correct?
Or should I set the default keytab on the next install to
/var/lib/samba/private/dns.keytab
and not export it and set it again.

Greetz, 

Louis


>
>@Louis: are we certain that there is nothing in DNS for Admin-PC? I
>mean, according to samba-tool dns or the windows dns admin. Maybe if
>there is, delete it, unjoin and rejoin?

Only the Windows admin. Just before I deleted my Samba, I tried to add the
missing records again, and I was unable to; it was saying it did exist.
So the record was there, but I was not seeing it.




>-----Original message-----
>From: steve at steve-ss.com [mailto:samba-bounces at lists.samba.org]
>On behalf of steve
>Sent: Thursday 6 March 2014 11:37
>To: samba at lists.samba.org
>Subject: Re: [Samba] A and/or PTR record deleted after pc wake-up
>
>On Thu, 2014-03-06 at 10:30 +0100, Peter Serbe wrote:
>> Hi Louis, 
>> 
>> > So its normal that after a pc woke up my A and PTR records 
>gets deleted ?? 
>> 
>> It doesn't look like the records were deleted...
>> The very first lines of Your log seem to indicate that the 
>authentication of the 
>> bind doesn't work. I'd fix this first. 
>> 
>> > Mar  5 15:43:13 rtd-dc1 named[3717]: samba_dlz: starting 
>transaction on zone INTERNAL.DOMAIN.TLD
>> > Mar  5 15:43:13 rtd-dc1 named[3717]: client 
>10.249.250.64#49271: update 'INTERNAL.DOMAIN.TLD/IN' denied
>> > Mar  5 15:43:13 rtd-dc1 named[3717]: samba_dlz: cancelling 
>transaction on zone INTERNAL.DOMAIN.TLD
>> 
>
>Yes, but immediately afterwards it then goes on to authenticate perfectly
>well, working on exactly the same zone it just denied access to:
>
>>Mar  5 15:43:13 rtd-dc1 named[3717]: samba_dlz: starting 
>>transaction on zone INTERNAL.DOMAIN.TLD
>>Mar  5 15:43:13 rtd-dc1 named[3717]: samba_dlz: allowing 
>>update of signer=admin-pc\$\@INTERNAL.DOMAIN.TLD 
>>name=Admin-PC.INTERNAL.DOMAIN.TLD tcpaddr= type=A 
>>key=980-ms-7.2-65f74b.f80d0c34-a464-11e3-63b9-d067e50ae371/160/0
>>
>>==>>  Mar  5 15:43:13 rtd-dc1 named[3717]: client 
>>10.249.250.64#55424: updating zone 'INTERNAL.DOMAIN.TLD/NONE': 
>>deleting an RR at Admin-PC.INTERNAL.DOMAIN.TLD A   
>>
>>Mar  5 15:43:13 rtd-dc1 named[3717]: samba_dlz: subtracted 
>>rdataset Admin-PC.INTERNAL.DOMAIN.TLD 
>>'Admin-PC.INTERNAL.DOMAIN.TLD.#0111200#011IN#011A#01110.249.250.64'
>>Mar  5 15:43:13 rtd-dc1 named[3717]: samba_dlz: subtracted 
>>rdataset INTERNAL.DOMAIN.TLD 
>>'INTERNAL.DOMAIN.TLD.#0113600#011IN#011SOA#011rtd-dc1.INTERNAL.
>>DOMAIN.TLD. hostmaster.INTERNAL.DOMAIN.TLD. 3 900 600 86400 0'
>>Mar  5 15:43:13 rtd-dc1 named[3717]: samba_dlz: added rdataset 
>>INTERNAL.DOMAIN.TLD 
>>'INTERNAL.DOMAIN.TLD.#0113600#011IN#011SOA#011rtd-dc1.INTERNAL.
>>DOMAIN.TLD. hostmaster.INTERNAL.DOMAIN.TLD. 4 900 600 86400 0'
>>Mar  5 15:43:13 rtd-dc1 named[3717]: samba_dlz: committed 
>>transaction on zone INTERNAL.DOMAIN.TLD
>
>The machine key has been used to authenticate. named must have had
>access to the dns keytab too.
>
>@Louis: are we certain that there is nothing in DNS for Admin-PC? I
>mean, according to samba-tool dns or the windows dns admin. Maybe if
>there is, delete it, unjoin and rejoin?
>HTH
>Steve
>
>



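An added example, not part of the thread and not Samba or BIND code: a small Python parser that groups the `samba_dlz` and `client ... updating zone` lines named writes to syslog into one record per dynamic-update transaction, so the signer (the GSS-TSIG principal), the client socket and the records actually subtracted or added can be read off per transaction instead of from the interleaved log quoted above. The sample log is constructed, modelled on the excerpt Steve quoted (`#011` is syslog's escape for a tab inside the rdataset text, and `\$\@` is named's escaping of the key name). The message formats matched are the BIND 9.9 ones visible on this page; whether they hold for other releases is an assumption. Run against the sample, it reports the first transaction as an unsigned update that was denied and the second as a committed update signed by `admin-pc$@INTERNAL.DOMAIN.TLD` that subtracted the client's own A record, which is the point made in the reply.

```python
"""Reconstruct samba_dlz dynamic-update transactions from named's syslog output.

Added example; not Samba or BIND code. Groups the lines named emits for one
update (starting transaction .. committed/cancelled) so signer, client socket
and the records removed or added can be read off per transaction.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, modelled on the excerpt quoted in the thread: one unsigned
# update that is denied, then a GSS-TSIG-signed update from the machine account
# that deletes the client's own A record and bumps the SOA serial. Raw string so
# the '\$' '\@' escapes survive; '#011' is syslog's tab escape.
SAMPLE_LOG = r"""Mar  5 15:43:13 rtd-dc1 named[3717]: samba_dlz: starting transaction on zone INTERNAL.DOMAIN.TLD
Mar  5 15:43:13 rtd-dc1 named[3717]: client 10.249.250.64#49271: update 'INTERNAL.DOMAIN.TLD/IN' denied
Mar  5 15:43:13 rtd-dc1 named[3717]: samba_dlz: cancelling transaction on zone INTERNAL.DOMAIN.TLD
Mar  5 15:43:13 rtd-dc1 named[3717]: samba_dlz: starting transaction on zone INTERNAL.DOMAIN.TLD
Mar  5 15:43:13 rtd-dc1 named[3717]: samba_dlz: allowing update of signer=admin-pc\$\@INTERNAL.DOMAIN.TLD name=Admin-PC.INTERNAL.DOMAIN.TLD tcpaddr= type=A key=980-ms-7.2-65f74b.f80d0c34-a464-11e3-63b9-d067e50ae371/160/0
Mar  5 15:43:13 rtd-dc1 named[3717]: client 10.249.250.64#55424: updating zone 'INTERNAL.DOMAIN.TLD/NONE': deleting an RR at Admin-PC.INTERNAL.DOMAIN.TLD A
Mar  5 15:43:13 rtd-dc1 named[3717]: samba_dlz: subtracted rdataset Admin-PC.INTERNAL.DOMAIN.TLD 'Admin-PC.INTERNAL.DOMAIN.TLD.#0111200#011IN#011A#01110.249.250.64'
Mar  5 15:43:13 rtd-dc1 named[3717]: samba_dlz: subtracted rdataset INTERNAL.DOMAIN.TLD 'INTERNAL.DOMAIN.TLD.#0113600#011IN#011SOA#011rtd-dc1.INTERNAL.DOMAIN.TLD. hostmaster.INTERNAL.DOMAIN.TLD. 3 900 600 86400 0'
Mar  5 15:43:13 rtd-dc1 named[3717]: samba_dlz: added rdataset INTERNAL.DOMAIN.TLD 'INTERNAL.DOMAIN.TLD.#0113600#011IN#011SOA#011rtd-dc1.INTERNAL.DOMAIN.TLD. hostmaster.INTERNAL.DOMAIN.TLD. 4 900 600 86400 0'
Mar  5 15:43:13 rtd-dc1 named[3717]: samba_dlz: committed transaction on zone INTERNAL.DOMAIN.TLD
"""

START_RE = re.compile(r"samba_dlz: starting transaction on zone (\S+)")
CANCEL_RE = re.compile(r"samba_dlz: cancelling transaction on zone")
COMMIT_RE = re.compile(r"samba_dlz: committed transaction on zone")
DENIED_RE = re.compile(r"client (\S+): update '[^']+' denied")
ALLOW_RE = re.compile(r"samba_dlz: allowing update of signer=(\S+) name=(\S+)")
# BIND 9.9 logs "deleting an RR at name type" (as on this page); the optional
# quotes and "rrset" variant are assumptions about other message forms.
RR_OP_RE = re.compile(r"client (\S+): updating zone '[^']+': (adding|deleting) (?:an RR|rrset) at '?([^' ]+)'? (\S+)")
RDATASET_RE = re.compile(r"samba_dlz: (added|subtracted) rdataset \S+ '(.*)'")


@dataclass
class Transaction:
    zone: str
    client: Optional[str] = None   # ip#port from named's "client" lines
    signer: Optional[str] = None   # GSS-TSIG principal; None for an unsigned update
    outcome: str = "open"          # denied | cancelled | committed
    rr_ops: List[Tuple[str, str, str]] = field(default_factory=list)               # (op, name, type)
    rdatasets: List[Tuple[str, str, int, str, str]] = field(default_factory=list)  # (op, name, ttl, type, rdata)


def _parse_rdataset(text: str) -> Tuple[str, int, str, str]:
    # syslog writes the tabs of the zone-file formatted record as '#011'
    name, ttl, _cls, rtype, rdata = text.replace("#011", "\t").split("\t", 4)
    return name.rstrip("."), int(ttl), rtype, rdata


def parse_transactions(log_text: str) -> List[Transaction]:
    txns: List[Transaction] = []
    cur: Optional[Transaction] = None
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            cur = Transaction(zone=m.group(1))
            txns.append(cur)
            continue
        if cur is None:
            continue  # line belongs to no open transaction
        m = DENIED_RE.search(line)
        if m:
            cur.client, cur.outcome = m.group(1), "denied"
            continue
        m = ALLOW_RE.search(line)
        if m:
            # named escapes '$' and '@' in the key name; strip them to get the principal
            cur.signer = m.group(1).replace("\\", "")
            continue
        m = RR_OP_RE.search(line)
        if m:
            cur.client = m.group(1)
            cur.rr_ops.append((m.group(2), m.group(3), m.group(4)))
            continue
        m = RDATASET_RE.search(line)
        if m:
            name, ttl, rtype, rdata = _parse_rdataset(m.group(2))
            cur.rdatasets.append((m.group(1), name, ttl, rtype, rdata))
            continue
        if CANCEL_RE.search(line):
            if cur.outcome == "open":
                cur.outcome = "cancelled"
            cur = None
        elif COMMIT_RE.search(line):
            cur.outcome = "committed"
            cur = None
    return txns


def deleted_records(txns: List[Transaction]) -> List[Tuple[str, str, str, str]]:
    """(signer, name, type, rdata) for each record removed by a committed update.
    SOA changes are only the serial bump and are skipped."""
    out = []
    for t in txns:
        if t.outcome != "committed":
            continue
        for op, name, _ttl, rtype, rdata in t.rdatasets:
            if op == "subtracted" and rtype != "SOA":
                out.append((t.signer or "<unsigned>", name, rtype, rdata))
    return out


def summarize(txns: List[Transaction]) -> List[str]:
    lines = []
    for i, t in enumerate(txns, 1):
        lines.append(f"txn {i}: zone={t.zone} client={t.client} signer={t.signer or 'unsigned'} outcome={t.outcome}")
        for op, name, rtype in t.rr_ops:
            lines.append(f"    {op} {name} {rtype}")
    return lines


if __name__ == "__main__":
    transactions = parse_transactions(SAMPLE_LOG)
    print("\n".join(summarize(transactions)))
    for signer, name, rtype, rdata in deleted_records(transactions):
        print(f"removed: {name} {rtype} {rdata} (signed by {signer})")
```

To use it on a real server, feed the named lines from syslog (or `journalctl -u named`) to `parse_transactions` instead of `SAMPLE_LOG`. The "updating zone ... deleting an RR" lines only appear when named logs the update category at a level that includes protocol messages, so if `deleted_records` shows subtracted rdatasets but no `rr_ops`, that is a logging-configuration gap, not a missing update.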