[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH

Achim Gottinger achim at ag-web.biz
Mon Jul 18 20:48:37 UTC 2016



Am 18.07.2016 um 11:45 schrieb Norbert Hanke:
> On 18.07.2016 01:52, Achim Gottinger wrote:
>>
>>
>> Am 18.07.2016 um 01:02 schrieb Norbert Hanke:
>>> Hello,
>>>
>>> I'm trying to join a samba 4 DC to an already existing samba 4 DC, 
>>> both with BIND9_DLZ. Samba is at version 4.4.5, bind is version 
>>> 9.10.4-P1, all brand new.
>>>
>>> The existing DC runs fine, but the added DC refuses to update its 
>>> local bind database: every attempt to update the local DNS results 
>>> in "update failed: NOTAUTH". AD replication works perfectly.
>>>
>>> Both systems are set up identically except for the 
>>> provisioning/joining command. On the first I did
>>> samba-tool domain provision --use-rfc2307 --domain=$domain 
>>> --server-role=dc --dns-backend=BIND9_DLZ \
>>>  --realm=$realm --adminpass=Wonttell
>>> and on the second I do
>>> samba-tool domain join $domain DC -Uadministrator --realm=$realm 
>>> --dns-backend=BIND9_DLZ
>>>
>>> Versions are the same, bind config is the same, I tried to follow every 
>>> rule I could find.
>>>
>>> # samba_dnsupdate --verbose -d 9
>>> INFO: Current debug levels:
>>>   all: 9
>>> (... more such levels ...)
>>> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>>> Processing section "[global]"
>>> Processing section "[netlogon]"
>>> Processing section "[sysvol]"
>>> pm_process() returned Yes
>>> added interface eth0 ip=192.168.1.9 bcast=192.168.1.255 
>>> netmask=255.255.255.0
>>> IPs: ['192.168.1.9']
>>> Module 'tombstone_reanimate' is disabled. Skip 
>>> registration.lpcfg_servicenumber: couldn't find ldb
>>> schema_fsmo_init: we are master[no] updates allowed[no]
>>> schema_fsmo_init: we are master[no] updates allowed[no]
>>> Looking for DNS entry A dc2.ad.domain.ch 192.168.1.9 as 
>>> dc2.ad.domain.ch.
>>> Looking for DNS entry A ad.domain.ch 192.168.1.9 as ad.domain.ch.
>>> Failed to find matching DNS entry A ad.domain.ch 192.168.1.9
>>> need update: A ad.domain.ch 192.168.1.9
>>> (... many more such Looking...need update blocks)
>>> 24 DNS updates and 0 DNS deletes needed
>>> ldb_wrap open of secrets.ldb
>>> Received smb_krb5 packet of length 298
>>> Received smb_krb5 packet of length 1311
>>> update(nsupdate): A ad.domain.tld 192.168.1.9
>>> Calling nsupdate for A ad.domain.tld 192.168.1.9 (add)
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> ad.domain.tld.        900     IN      A       192.168.1.9
>>>
>>> update failed: NOTAUTH
>>> Failed nsupdate: 2
>>> (... many more such failed updates ...)
>>> Failed update of 24 entries
>>> # 22:37:30 root@dc2:/root/
>>>
>>>
>>> In /var/log/syslog there are these 24 equivalent error messages every 
>>> 10 minutes:
>>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.742592, 0] 
>>> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>>> Jul 17 22:52:06 dc2 samba[3960]: 
>>> /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
>>> and the last of the 24 entries is always followed by
>>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.866877, 0] 
>>> ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
>>> Jul 17 22:52:06 dc2 samba[3960]: 
>>> ../source4/dsdb/dns/dns_update.c:295: Failed DNS update - 
>>> NT_STATUS_TOO_MANY_OPENED_FILES
>>>
>>> smb.conf is minimalistic:
>>>
>>> # Global parameters
>>> [global]
>>>         netbios name = DC2
>>>         realm = AD.DOMAIN.TLD
>>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
>>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>         workgroup = DOMAIN
>>>         server role = active directory domain controller
>>>
>>> [netlogon]
>>>         path = /usr/local/samba/var/locks/sysvol/ad.domain.tld/scripts
>>>         read only = No
>>>
>>> [sysvol]
>>>         path = /usr/local/samba/var/locks/sysvol
>>>         read only = No
>>>
>>> Maybe somebody has an idea what I did wrong?
>>>
>>>
>>>
>> resolv.conf on dc2 should point to dc1 during join. Is that the case?
>> Does kinit work on dc2?
>>
>>
> Yes, I did
>    cat <<EOF >/etc/resolv.conf
>    domain $domain
>    nameserver $otherip
>    nameserver $ip
>    EOF
>
> ($ip is the local system, $otherip is the existing DC)
>
> resulting in
>
>    # cat /etc/resolv.conf
>    domain ad.domain.ch
>    nameserver 192.168.1.8
>    nameserver 192.168.1.9
>
>
> Before joining I did
>
>    klist -e | grep administrator@$realm || kinit administrator
>
> and looking at it right now half a day later I get
>
>    # klist -e
>    Ticket cache: FILE:/tmp/krb5cc_0
>    Default principal: administrator@AD.DOMAIN.CH
>
>    Valid starting     Expires            Service principal
>    17/07/16 21:56:59  18/07/16 07:56:59 krbtgt/AD.DOMAIN.CH@AD.DOMAIN.CH
>            renew until 18/07/16 21:56:55, Etype (skey, tkt): 
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>
> So it is expired right now, another kinit gets me a new tgt:
>    # kinit -R
>    kinit: Ticket expired while renewing credentials
>    # kinit
>    Password for administrator@AD.DOMAIN.CH:
>    Warning: Your password will expire in 32 days on Sat 20 Aug 2016 
> 08:27:10 UTC
>    # klist -e
>    Ticket cache: FILE:/tmp/krb5cc_0
>    Default principal: administrator@AD.DOMAIN.CH
>
>    Valid starting     Expires            Service principal
>    18/07/16 09:35:01  18/07/16 19:35:01 krbtgt/AD.DOMAIN.CH@AD.DOMAIN.CH
>            renew until 19/07/16 09:34:58, Etype (skey, tkt): 
> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> samba_dnsupdate still fails.
>
You can try to run

root@dc2:~# samba_upgradedns --dns-backend=BIND9_DLZ

and verify that bind has read rights on the dns.keytab

root@dc2:~# ls -l /var/lib/samba/private/dns.keytab
-rw-r----- 1 root bind 732 Jun 28 16:08 /var/lib/samba/private/dns.keytab

Also check that the keytab contains such keys.

root@dc2:~# klist -Kek /var/lib/samba/private/dns.keytab
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
    1 DNS/dc2.domain.local@DOMAIN.LOCAL (des-cbc-crc)  (...)
    1 dns-dc2@DOMAIN.LOCAL (des-cbc-crc)  (...)
    1 DNS/dc2.domain.local@DOMAIN.LOCAL (des-cbc-md5)  (...)
    1 dns-dc2@DOMAIN.LOCAL (des-cbc-md5)  (...)
    1 DNS/dc2.domain.local@DOMAIN.LOCAL (arcfour-hmac)  (...)
    1 dns-dc2@DOMAIN.LOCAL (arcfour-hmac)  (...)
    1 DNS/dc2.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)  (...)
    1 dns-dc2@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)  (...)
    1 DNS/dc2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)  (...)
    1 dns-dc2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)  (...)
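The two checks suggested in the reply above (BIND's group can read dns.keytab but nobody else can, and the keytab holds both DNS service principals for the host with a usable enctype) can be scripted. The following is an added example and not code from this thread or from the Samba project: the host name dc2.example.test, realm EXAMPLE.TEST, group name bind and the klist sample are constructed, and the keytab path is the one the reply uses.

```python
"""Pre-flight checks for a Samba AD DC's BIND9_DLZ DNS keytab (added example).

Check 1: the keytab is readable by the group BIND runs as, not writable by
that group and not accessible by the world.
Check 2: the keytab contains DNS/<fqdn>@REALM and dns-<shortname>@REALM
with at least one AES enctype, parsed from `klist -Kek` output.
"""
import grp
import os
import re
import stat
import subprocess

# One entry line of `klist -Kek`: KVNO, principal, enctype in parentheses.
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)")

# Enctypes BIND and Samba should both be able to use for GSS-TSIG updates.
STRONG_ENCTYPES = {"aes128-cts-hmac-sha1-96", "aes256-cts-hmac-sha1-96"}

# Constructed sample of `klist -Kek` output (keys replaced by 0x00).
SAMPLE_KLIST = """\
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc2.example.test@EXAMPLE.TEST (des-cbc-crc)  (0x00)
   1 dns-dc2@EXAMPLE.TEST (des-cbc-crc)  (0x00)
   1 DNS/dc2.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)  (0x00)
   1 dns-dc2@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)  (0x00)
"""


def parse_klist(text):
    """Return a list of (kvno, principal, enctype) tuples from klist -Kek output."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def expected_principals(host, realm):
    """The two principals a DC's dns.keytab should carry: DNS/<fqdn> and dns-<shortname>."""
    short = host.split(".")[0]
    realm = realm.upper()
    return {"DNS/%s@%s" % (host, realm), "dns-%s@%s" % (short, realm)}


def keytab_problems(entries, host, realm):
    """Describe missing principals or principals without an AES enctype."""
    problems = []
    present = {p: set() for p in expected_principals(host, realm)}
    for _kvno, principal, enctype in entries:
        if principal in present:
            present[principal].add(enctype)
    for principal, enctypes in sorted(present.items()):
        if not enctypes:
            problems.append("missing principal %s" % principal)
        elif not enctypes & STRONG_ENCTYPES:
            problems.append("no AES enctype for %s (have %s)"
                            % (principal, ", ".join(sorted(enctypes))))
    return problems


def group_name(gid):
    """Resolve a gid to a name, falling back to the number if it is unknown."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def perm_problems(path, expected_group):
    """Describe deviations from 'group <expected_group>, mode 0640' on the keytab."""
    problems = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    group = group_name(st.st_gid)
    if group != expected_group:
        problems.append("group is %s, expected %s" % (group, expected_group))
    if not mode & stat.S_IRGRP:
        problems.append("group cannot read the keytab (mode %04o)" % mode)
    if mode & stat.S_IWGRP:
        problems.append("keytab is group-writable (mode %04o)" % mode)
    if mode & stat.S_IRWXO:
        problems.append("keytab is world-accessible (mode %04o)" % mode)
    return problems


def check_live(host, realm, path="/var/lib/samba/private/dns.keytab", group="bind"):
    """Run both checks against the real keytab on this DC (needs MIT klist)."""
    out = subprocess.run(["klist", "-Kek", path], capture_output=True,
                         text=True, check=True).stdout
    return perm_problems(path, group) + keytab_problems(parse_klist(out), host, realm)


if __name__ == "__main__":
    # Assumed host and realm; adjust to the DC being checked.
    for problem in check_live("dc2.example.test", "EXAMPLE.TEST") or ["keytab looks fine"]:
        print(problem)
```

The mode test deliberately accepts 0640 and rejects 0644: the keytab holds the DNS service account's long-term keys, and anyone who can read it can sign GSS-TSIG updates for the zone, so "readable by bind" must not become "readable by everyone".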