[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH

Norbert Hanke norbert.hanke at gmx.ch
Mon Jul 18 09:45:18 UTC 2016


On 18.07.2016 01:52, Achim Gottinger wrote:
>
>
> On 18.07.2016 at 01:02, Norbert Hanke wrote:
>> Hello,
>>
>> I'm trying to join a samba 4 DC to an already existing samba 4 DC, 
>> both with BIND9_DLZ. Samba is at version 4.4.5, bind is version 
>> 9.10.4-P1, all brand new.
>>
>> The existing DC runs fine, but the added DC refuses to update its 
>> local bind database: every attempt to update the local DNS results in 
>> "update failed: NOTAUTH". AD replication works perfectly.
>>
>> Both systems are set up identically except for the 
>> provisioning/joining command. On the first I did
>> samba-tool domain provision --use-rfc2307 --domain=$domain 
>> --server-role=dc --dns-backend=BIND9_DLZ \
>>  --realm=$realm --adminpass=Wonttell
>> and on the second I do
>> samba-tool domain join $domain DC -Uadministrator --realm=$realm 
>> --dns-backend=BIND9_DLZ
>>
>> Versions are the same, bind config is the same, I tried to follow every 
>> rule I could find.
>>
>> # samba_dnsupdate --verbose -d 9
>> INFO: Current debug levels:
>>   all: 9
>> (... more such levels ...)
>> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>> Processing section "[global]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> pm_process() returned Yes
>> added interface eth0 ip=192.168.1.9 bcast=192.168.1.255 
>> netmask=255.255.255.0
>> IPs: ['192.168.1.9']
>> Module 'tombstone_reanimate' is disabled. Skip 
>> registration.lpcfg_servicenumber: couldn't find ldb
>> schema_fsmo_init: we are master[no] updates allowed[no]
>> schema_fsmo_init: we are master[no] updates allowed[no]
>> Looking for DNS entry A dc2.ad.domain.ch 192.168.1.9 as 
>> dc2.ad.domain.ch.
>> Looking for DNS entry A ad.domain.ch 192.168.1.9 as ad.domain.ch.
>> Failed to find matching DNS entry A ad.domain.ch 192.168.1.9
>> need update: A ad.domain.ch 192.168.1.9
>> (... many more such Looking...need update blocks)
>> 24 DNS updates and 0 DNS deletes needed
>> ldb_wrap open of secrets.ldb
>> Received smb_krb5 packet of length 298
>> Received smb_krb5 packet of length 1311
>> update(nsupdate): A ad.domain.tld 192.168.1.9
>> Calling nsupdate for A ad.domain.tld 192.168.1.9 (add)
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> ad.domain.tld.        900     IN      A       192.168.1.9
>>
>> update failed: NOTAUTH
>> Failed nsupdate: 2
>> (... many more such failed updates ...)
>> Failed update of 24 entries
>> # 22:37:30 root at dc2:/root/
>>
>>
>> In /var/log/syslog there are these equivalent 24 error messages every 
>> 10 minutes:
>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.742592, 0] 
>> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>> Jul 17 22:52:06 dc2 samba[3960]: 
>> /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
>> and the last of the 24 entries is always followed by
>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.866877, 0] 
>> ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
>> Jul 17 22:52:06 dc2 samba[3960]: 
>> ../source4/dsdb/dns/dns_update.c:295: Failed DNS update - 
>> NT_STATUS_TOO_MANY_OPENED_FILES
>>
>> smb.conf is minimalistic:
>>
>> # Global parameters
>> [global]
>>         netbios name = DC2
>>         realm = AD.DOMAIN.TLD
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>         workgroup = DOMAIN
>>         server role = active directory domain controller
>>
>> [netlogon]
>>         path = /usr/local/samba/var/locks/sysvol/ad.domain.tld/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /usr/local/samba/var/locks/sysvol
>>         read only = No
>>
>> Maybe somebody has an idea what I did wrong?
>>
>>
>>
> resolv.conf on dc2 should point to dc1 during join. Is that the case?
> Does kinit work on dc2?
>
>
Yes, I did
    cat <<EOF >/etc/resolv.conf
    domain $domain
    nameserver $otherip
    nameserver $ip
    EOF

($ip is the local system, $otherip is the existing DC)

resulting in

    # cat /etc/resolv.conf
    domain ad.domain.ch
    nameserver 192.168.1.8
    nameserver 192.168.1.9


Before joining I did

    klist -e | grep administrator@$realm || kinit administrator

and looking at it right now half a day later I get

    # klist -e
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator at AD.DOMAIN.CH

    Valid starting     Expires            Service principal
    17/07/16 21:56:59  18/07/16 07:56:59 krbtgt/AD.DOMAIN.CH at AD.DOMAIN.CH
            renew until 18/07/16 21:56:55, Etype (skey, tkt): 
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

So it has expired right now; another kinit gets me a new TGT:
    # kinit -R
    kinit: Ticket expired while renewing credentials
    # kinit
    Password for administrator at AD.DOMAIN.CH:
    Warning: Your password will expire in 32 days on Sat 20 Aug 2016 
08:27:10 UTC
    # klist -e
    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: administrator at AD.DOMAIN.CH

    Valid starting     Expires            Service principal
    18/07/16 09:35:01  18/07/16 19:35:01 krbtgt/AD.DOMAIN.CH at AD.DOMAIN.CH
            renew until 19/07/16 09:34:58, Etype (skey, tkt): 
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
samba_dnsupdate still fails.
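As an added illustration for readers of this thread (not code from the mail or from Samba), the following builds the RFC 2136 UPDATE message that nsupdate sends for one of the 24 records above and decodes the rcode of a reply, so that "NOTAUTH" is recognisable as rcode 9, "server not authoritative for zone", judged against the zone named in the update's zone section. The zone, record and address are taken from the thread; the NOTAUTH reply is constructed locally.

```python
# Added example: wire-format RFC 2136 UPDATE builder and reply rcode decoder.
# Not part of the original mail or of Samba; the reply below is constructed.
import struct

# rcode names from RFC 1035 and RFC 2136 section 2.2
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 6: "YXDOMAIN", 7: "YXRRSET",
          8: "NXRRSET", 9: "NOTAUTH", 10: "NOTZONE"}

def encode_name(name):
    """'ad.domain.tld.' -> b'\\x02ad\\x06domain\\x03tld\\x00' (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_update(zone, name, ipv4, ttl=900, msg_id=0):
    """UPDATE (opcode 5) adding one A record to `zone`, as nsupdate would."""
    # Header: id, flags with opcode 5 in bits 11-14, ZOCOUNT=1, PRCOUNT=0,
    # UPCOUNT=1, ADCOUNT=0 (no TSIG/GSS-TSIG signature in this example)
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)
    # Zone section: one SOA (type 6) IN "question" naming the target zone;
    # a server that is not authoritative for this zone answers NOTAUTH
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)
    # Update section: A (type 1) IN record, ttl, rdlength 4, IPv4 rdata
    rdata = bytes(int(o) for o in ipv4.split("."))
    upd = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + zone_sec + upd

def parse_reply_rcode(reply):
    """Return (message id, rcode name) from the 12-byte DNS header."""
    msg_id, flags = struct.unpack("!HH", reply[:4])
    rcode = flags & 0x000F
    return msg_id, RCODES.get(rcode, "RCODE%d" % rcode)

def fake_notauth_reply(query):
    """Constructed reply: echo the query with QR set and rcode 9 (NOTAUTH)."""
    msg_id, flags = struct.unpack("!HH", query[:4])
    return struct.pack("!HH", msg_id, flags | 0x8000 | 9) + query[4:]

if __name__ == "__main__":
    q = build_update("ad.domain.tld", "ad.domain.tld", "192.168.1.9")
    print("update message:", q.hex())
    print("reply rcode:", parse_reply_rcode(fake_notauth_reply(q)))
```

The zone section is what the responding server checks for authority, so the triage question behind a NOTAUTH is which server received the packet and whether it serves that zone.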

