[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
Norbert Hanke
norbert.hanke at gmx.ch
Mon Jul 18 21:31:38 UTC 2016
On 18.07.2016 22:48, Achim Gottinger wrote:
>
>
> On 18.07.2016 at 11:45, Norbert Hanke wrote:
>> On 18.07.2016 01:52, Achim Gottinger wrote:
>>>
>>>
>>> On 18.07.2016 at 01:02, Norbert Hanke wrote:
>>>> Hello,
>>>>
>>>> I'm trying to join a samba 4 DC to an already existing samba 4 DC,
>>>> both with BIND9_DLZ. Samba is at version 4.4.5, bind is version
>>>> 9.10.4-P1, all brand new.
>>>>
>>>> The existing DC runs fine, but the added DC refuses to update its
>>>> local bind database: every attempt to update the local DNS results
>>>> in "update failed: NOTAUTH". AD replication works perfectly.
>>>>
>>>> Both systems are set up identically except for the
>>>> provisioning/joining command. On the first I did
>>>> samba-tool domain provision --use-rfc2307 --domain=$domain
>>>> --server-role=dc --dns-backend=BIND9_DLZ \
>>>> --realm=$realm --adminpass=Wonttell
>>>> and on the second I do
>>>> samba-tool domain join $domain DC -Uadministrator --realm=$realm
>>>> --dns-backend=BIND9_DLZ
>>>>
>>>> Versions are the same, bind config is the same, I tried to follow
>>>> every rule I could find.
>>>>
>>>> # samba_dnsupdate --verbose -d 9
>>>> INFO: Current debug levels:
>>>> all: 9
>>>> (... more such levels ...)
>>>> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>>>> Processing section "[global]"
>>>> Processing section "[netlogon]"
>>>> Processing section "[sysvol]"
>>>> pm_process() returned Yes
>>>> added interface eth0 ip=192.168.1.9 bcast=192.168.1.255
>>>> netmask=255.255.255.0
>>>> IPs: ['192.168.1.9']
>>>> Module 'tombstone_reanimate' is disabled. Skip registration.
>>>> lpcfg_servicenumber: couldn't find ldb
>>>> schema_fsmo_init: we are master[no] updates allowed[no]
>>>> schema_fsmo_init: we are master[no] updates allowed[no]
>>>> Looking for DNS entry A dc2.ad.domain.ch 192.168.1.9 as
>>>> dc2.ad.domain.ch.
>>>> Looking for DNS entry A ad.domain.ch 192.168.1.9 as ad.domain.ch.
>>>> Failed to find matching DNS entry A ad.domain.ch 192.168.1.9
>>>> need update: A ad.domain.ch 192.168.1.9
>>>> (... many more such Looking...need update blocks)
>>>> 24 DNS updates and 0 DNS deletes needed
>>>> ldb_wrap open of secrets.ldb
>>>> Received smb_krb5 packet of length 298
>>>> Received smb_krb5 packet of length 1311
>>>> update(nsupdate): A ad.domain.tld 192.168.1.9
>>>> Calling nsupdate for A ad.domain.tld 192.168.1.9 (add)
>>>> Outgoing update query:
>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>>> ;; UPDATE SECTION:
>>>> ad.domain.tld. 900 IN A 192.168.1.9
>>>>
>>>> update failed: NOTAUTH
>>>> Failed nsupdate: 2
>>>> (... many more such failed updates ...)
>>>> Failed update of 24 entries
>>>> # 22:37:30 root at dc2:/root/
>>>>
>>>>
>>>> In /var/log/syslog there are these equivalent 24 error messages
>>>> every 10 minutes:
>>>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.742592, 0]
>>>> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>>>> Jul 17 22:52:06 dc2 samba[3960]:
>>>> /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
>>>> and the last of the 24 entries is always followed by
>>>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.866877, 0]
>>>> ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
>>>> Jul 17 22:52:06 dc2 samba[3960]:
>>>> ../source4/dsdb/dns/dns_update.c:295: Failed DNS update -
>>>> NT_STATUS_TOO_MANY_OPENED_FILES
>>>>
>>>> smb.conf is minimalistic:
>>>>
>>>> # Global parameters
>>>> [global]
>>>> netbios name = DC2
>>>> realm = AD.DOMAIN.TLD
>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>>>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>> workgroup = DOMAIN
>>>> server role = active directory domain controller
>>>>
>>>> [netlogon]
>>>> path = /usr/local/samba/var/locks/sysvol/ad.domain.tld/scripts
>>>> read only = No
>>>>
>>>> [sysvol]
>>>> path = /usr/local/samba/var/locks/sysvol
>>>> read only = No
>>>>
>>>> Maybe somebody has an idea what I did wrong?
>>>>
>>>>
>>>>
>>> resolv.conf on dc2 should point to dc1 during join. Is that the case?
>>> Does kinit work on dc2?
>>>
>>>
>> Yes, I did
>> cat <<EOF >/etc/resolv.conf
>> domain $domain
>> nameserver $otherip
>> nameserver $ip
>> EOF
>>
>> ($ip is the local system, $otherip is the existing DC)
>>
>> resulting in
>>
>> # cat /etc/resolv.conf
>> domain ad.domain.ch
>> nameserver 192.168.1.8
>> nameserver 192.168.1.9
>>
>>
>> Before joining I did
>>
>> klist -e | grep administrator@$realm || kinit administrator
>>
>> and looking at it right now half a day later I get
>>
>> # klist -e
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: administrator at AD.DOMAIN.CH
>>
>> Valid starting Expires Service principal
>> 17/07/16 21:56:59 18/07/16 07:56:59 krbtgt/AD.DOMAIN.CH at AD.DOMAIN.CH
>> renew until 18/07/16 21:56:55, Etype (skey, tkt):
>> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>
>> So it is expired right now, another kinit gets me a new tgt:
>> # kinit -R
>> kinit: Ticket expired while renewing credentials
>> # kinit
>> Password for administrator at AD.DOMAIN.CH:
>> Warning: Your password will expire in 32 days on Sat 20 Aug 2016
>> 08:27:10 UTC
>> # klist -e
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: administrator at AD.DOMAIN.CH
>>
>> Valid starting Expires Service principal
>> 18/07/16 09:35:01 18/07/16 19:35:01 krbtgt/AD.DOMAIN.CH at AD.DOMAIN.CH
>> renew until 19/07/16 09:34:58, Etype (skey, tkt):
>> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>> samba_dnsupdate still fails.
>>
> You can try to run
>
> root at dc2:~# samba_upgradedns --dns-backend=BIND9_DLZ
>
> and verify that bind has read rights on the dns.keytab
>
> root at dc2:~# ls -l /var/lib/samba/private/dns.keytab
> -rw-r----- 1 root bind 732 Jun 28 16:08 /var/lib/samba/private/dns.keytab
>
> Also check that the keytab contains such keys.
>
> root at dc2:~# klist -Kek /var/lib/samba/private/dns.keytab
> Keytab name: FILE:/var/lib/samba/private/dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 DNS/dc2.domain.local at DOMAIN.LOCAL (des-cbc-crc) (...)
> 1 dns-dc2 at DOMAIN.LOCAL (des-cbc-crc) (...)
> 1 DNS/dc2.domain.local at DOMAIN.LOCAL (des-cbc-md5) (...)
> 1 dns-dc2 at DOMAIN.LOCAL (des-cbc-md5) (...)
> 1 DNS/dc2.domain.local at DOMAIN.LOCAL (arcfour-hmac) (...)
> 1 dns-dc2 at DOMAIN.LOCAL (arcfour-hmac) (...)
> 1 DNS/dc2.domain.local at DOMAIN.LOCAL (aes128-cts-hmac-sha1-96) (...)
> 1 dns-dc2 at DOMAIN.LOCAL (aes128-cts-hmac-sha1-96) (...)
> 1 DNS/dc2.domain.local at DOMAIN.LOCAL (aes256-cts-hmac-sha1-96) (...)
> 1 dns-dc2 at DOMAIN.LOCAL (aes256-cts-hmac-sha1-96) (...)
>
>
dns.keytab already exists:
# ls -l /usr/local/samba/private/dns.keytab
-rw-r----- 1 root bind 777 Jul 17 21:59
/usr/local/samba/private/dns.keytab
running the upgrade does not do too much:
# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/AD.DOMAIN.CH.zone
DNS records will be automatically created
DNS partitions already exist
dns-dc2 account already exists
See /usr/local/samba/private/named.conf for an example configuration
include file for BIND
and /usr/local/samba/private/named.txt for further documentation
required for secure DNS updates
Finished upgrading DNS
and the keytab file is unchanged. Contents look fine:
# klist -Kek /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 DNS/dc2.ad.domain.ch at AD.DOMAIN.CH (des-cbc-crc) (...)
1 dns-DC2 at AD.DOMAIN.CH (des-cbc-crc) (...)
1 DNS/dc2.ad.domain.ch at AD.DOMAIN.CH (des-cbc-md5) (...)
1 dns-DC2 at AD.DOMAIN.CH (des-cbc-md5) (...)
1 DNS/dc2.ad.domain.ch at AD.DOMAIN.CH (arcfour-hmac) (...)
1 dns-DC2 at AD.DOMAIN.CH (arcfour-hmac) (...)
1 DNS/dc2.ad.domain.ch at AD.DOMAIN.CH (aes128-cts-hmac-sha1-96) (...)
1 dns-DC2 at AD.DOMAIN.CH (aes128-cts-hmac-sha1-96) (...)
1 DNS/dc2.ad.domain.ch at AD.DOMAIN.CH (aes256-cts-hmac-sha1-96) (...)
1 dns-DC2 at AD.DOMAIN.CH (aes256-cts-hmac-sha1-96) (...)
The missing zone file is also not present on the working dc1 system.
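Added here as an example (not code from the thread, from Samba or from BIND): a POSIX sh helper that automates the two checks Achim suggests, whether dns.keytab is readable by BIND's group and whether it holds an AES key for the DNS/<fqdn>@<REALM> principal that the GSS-TSIG updates use. The default keytab path, the group name bind and deriving the realm from the host's DNS domain are assumptions.

```shell
#!/bin/sh
# Added diagnostic helper for the two checks suggested in the thread (not code
# from the thread or from Samba): is dns.keytab readable by BIND's group, and
# does it hold an AES key for the DNS/<fqdn>@<REALM> principal?
# Default paths, the group name "bind" and the realm derivation are assumptions.

# keytab_readable_by PATH GROUP -> 0 if PATH is owned by GROUP, group-readable
# and not world-readable (the "-rw-r----- root bind" layout shown in the thread).
keytab_readable_by() {
    kt_path=$1; kt_group=$2
    [ -f "$kt_path" ] || return 1
    set -- $(ls -ld "$kt_path")          # e.g. -rw-r----- 1 root bind 777 ... path
    perms=$1; file_group=$4
    [ "$file_group" = "$kt_group" ] || return 1
    case "$perms" in
        ????r??---*) return 0 ;;         # group read bit set, world bits clear
        *)           return 1 ;;
    esac
}

# keytab_has_dns_principal KLIST_OUTPUT FQDN REALM -> 0 if the "klist -Kek"
# listing contains an aes256 entry for DNS/FQDN@REALM.
keytab_has_dns_principal() {
    printf '%s\n' "$1" | grep -qF "DNS/$2@$3 (aes256-cts-hmac-sha1-96)"
}

# Constructed sample of a "klist -Kek" listing, mirroring the thread's output.
SAMPLE_KLIST='Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- ------------------------------------------------------------------
   1 dns-DC2@AD.DOMAIN.CH (arcfour-hmac) (0x..)
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96) (0x..)
   1 dns-DC2@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96) (0x..)'

# check_bind_dns_keytab [KEYTAB] [GROUP]: run both checks on a live DC.
# Assumes the Kerberos realm is the upper-cased DNS domain of this host.
check_bind_dns_keytab() {
    keytab=${1:-/usr/local/samba/private/dns.keytab}
    group=${2:-bind}
    fqdn=$(hostname -f)
    realm=$(printf '%s' "${fqdn#*.}" | tr '[:lower:]' '[:upper:]')
    keytab_readable_by "$keytab" "$group" ||
        { echo "FAIL: $keytab is not group-readable by $group"; return 1; }
    keytab_has_dns_principal "$(klist -Kek "$keytab")" "$fqdn" "$realm" ||
        { echo "FAIL: no AES key for DNS/$fqdn@$realm in $keytab"; return 1; }
    echo "OK: $keytab usable by $group for DNS/$fqdn@$realm"
}

# Stand-alone demo on the constructed listing (no Samba needed):
keytab_has_dns_principal "$SAMPLE_KLIST" dc2.ad.domain.ch AD.DOMAIN.CH && echo "sample keytab has the DNS principal"
```

On a DC, run check_bind_dns_keytab with the keytab path and BIND group of that system; it reports which of the two preconditions fails.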