[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH

Rowland penny rpenny at samba.org
Mon Jul 18 21:42:00 UTC 2016


On 18/07/16 22:31, Norbert Hanke wrote:
> On 18.07.2016 22:48, Achim Gottinger wrote:
>>
>>
>> Am 18.07.2016 um 11:45 schrieb Norbert Hanke:
>>> On 18.07.2016 01:52, Achim Gottinger wrote:
>>>>
>>>>
>>>> Am 18.07.2016 um 01:02 schrieb Norbert Hanke:
>>>>> Hello,
>>>>>
>>>>> I'm trying to join a samba 4 DC to an already existing samba 4 DC, 
>>>>> both with BIND9_DLZ. Samba is at version 4.4.5, bind is version 
>>>>> 9.10.4-P1, all brand new.
>>>>>
>>>>> The existing DC runs fine, but the added DC refuses to update its 
>>>>> local bind database: every attempt to update the local DNS results 
>>>>> in "update failed: NOTAUTH". AD replication works perfectly.
>>>>>
>>>>> Both systems are set up identically except for the 
>>>>> provisioning/joining command. On the first I did
>>>>> samba-tool domain provision --use-rfc2307 --domain=$domain 
>>>>> --server-role=dc --dns-backend=BIND9_DLZ \
>>>>>  --realm=$realm --adminpass=Wonttell
>>>>> and on the second I do
>>>>> samba-tool domain join $domain DC -Uadministrator --realm=$realm 
>>>>> --dns-backend=BIND9_DLZ
>>>>>
>>>>> Versions are the same, bind config is the same, I tried to follow
>>>>> every rule I could find.
>>>>>
>>>>> # samba_dnsupdate --verbose -d 9
>>>>> INFO: Current debug levels:
>>>>>   all: 9
>>>>> (... more such levels ...)
>>>>> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>>>>> Processing section "[global]"
>>>>> Processing section "[netlogon]"
>>>>> Processing section "[sysvol]"
>>>>> pm_process() returned Yes
>>>>> added interface eth0 ip=192.168.1.9 bcast=192.168.1.255 netmask=255.255.255.0
>>>>> IPs: ['192.168.1.9']
>>>>> Module 'tombstone_reanimate' is disabled. Skip registration.
>>>>> lpcfg_servicenumber: couldn't find ldb
>>>>> schema_fsmo_init: we are master[no] updates allowed[no]
>>>>> schema_fsmo_init: we are master[no] updates allowed[no]
>>>>> Looking for DNS entry A dc2.ad.domain.ch 192.168.1.9 as dc2.ad.domain.ch.
>>>>> Looking for DNS entry A ad.domain.ch 192.168.1.9 as ad.domain.ch.
>>>>> Failed to find matching DNS entry A ad.domain.ch 192.168.1.9
>>>>> need update: A ad.domain.ch 192.168.1.9
>>>>> (... many more such Looking...need update blocks)
>>>>> 24 DNS updates and 0 DNS deletes needed
>>>>> ldb_wrap open of secrets.ldb
>>>>> Received smb_krb5 packet of length 298
>>>>> Received smb_krb5 packet of length 1311
>>>>> update(nsupdate): A ad.domain.tld 192.168.1.9
>>>>> Calling nsupdate for A ad.domain.tld 192.168.1.9 (add)
>>>>> Outgoing update query:
>>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>>>> ;; UPDATE SECTION:
>>>>> ad.domain.tld.        900     IN      A       192.168.1.9
>>>>>
>>>>> update failed: NOTAUTH
>>>>> Failed nsupdate: 2
>>>>> (... many more such failed updates ...)
>>>>> Failed update of 24 entries
>>>>> # 22:37:30 root at dc2:/root/
>>>>>
>>>>>
>>>>> In /var/log/syslog there are these 24 equivalent error messages
>>>>> every 10 minutes:
>>>>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.742592, 0] 
>>>>> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>>>>> Jul 17 22:52:06 dc2 samba[3960]: 
>>>>> /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
>>>>> and the last of the 24 entries is always followed by
>>>>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.866877, 0] 
>>>>> ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
>>>>> Jul 17 22:52:06 dc2 samba[3960]: 
>>>>> ../source4/dsdb/dns/dns_update.c:295: Failed DNS update - 
>>>>> NT_STATUS_TOO_MANY_OPENED_FILES
>>>>>
>>>>> smb.conf is minimalistic:
>>>>>
>>>>> # Global parameters
>>>>> [global]
>>>>>         netbios name = DC2
>>>>>         realm = AD.DOMAIN.TLD
>>>>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>>         workgroup = DOMAIN
>>>>>         server role = active directory domain controller
>>>>>
>>>>> [netlogon]
>>>>>         path = /usr/local/samba/var/locks/sysvol/ad.domain.tld/scripts
>>>>>         read only = No
>>>>>
>>>>> [sysvol]
>>>>>         path = /usr/local/samba/var/locks/sysvol
>>>>>         read only = No
>>>>>
>>>>> Maybe somebody has an idea what I did wrong?
>>>>>
>>>>>
>>>>>
>>>> resolv.conf on dc2 should point to dc1 during join. Is that the case?
>>>> Does kinit work on dc2?
>>>>
>>>>
>>> Yes, I did
>>>    cat <<EOF >/etc/resolv.conf
>>>    domain $domain
>>>    nameserver $otherip
>>>    nameserver $ip
>>>    EOF
>>>
>>> ($ip is the local system, $otherip is the existing DC)
>>>
>>> resulting in
>>>
>>>    # cat /etc/resolv.conf
>>>    domain ad.domain.ch
>>>    nameserver 192.168.1.8
>>>    nameserver 192.168.1.9
>>>
>>>
>>> Before joining I did
>>>
>>>    klist -e | grep administrator@$realm || kinit administrator
>>>
>>> and looking at it right now half a day later I get
>>>
>>>    # klist -e
>>>    Ticket cache: FILE:/tmp/krb5cc_0
>>>    Default principal: administrator@AD.DOMAIN.CH
>>>
>>>    Valid starting     Expires            Service principal
>>>    17/07/16 21:56:59  18/07/16 07:56:59  krbtgt/AD.DOMAIN.CH@AD.DOMAIN.CH
>>>            renew until 18/07/16 21:56:55, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>>
>>> So it is expired right now, another kinit gets me a new tgt:
>>>    # kinit -R
>>>    kinit: Ticket expired while renewing credentials
>>>    # kinit
>>>    Password for administrator@AD.DOMAIN.CH:
>>>    Warning: Your password will expire in 32 days on Sat 20 Aug 2016 08:27:10 UTC
>>>    # klist -e
>>>    Ticket cache: FILE:/tmp/krb5cc_0
>>>    Default principal: administrator@AD.DOMAIN.CH
>>>
>>>    Valid starting     Expires            Service principal
>>>    18/07/16 09:35:01  18/07/16 19:35:01  krbtgt/AD.DOMAIN.CH@AD.DOMAIN.CH
>>>            renew until 19/07/16 09:34:58, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>> samba_dnsupdate still fails.
>>>
>> You can try to run
>>
>> root@dc2:~# samba_upgradedns --dns-backend=BIND9_DLZ
>>
>> and verify that bind has read rights on the dns.keytab
>>
>> root@dc2:~# ls -l /var/lib/samba/private/dns.keytab
>> -rw-r----- 1 root bind 732 Jun 28 16:08 /var/lib/samba/private/dns.keytab
>>
>> Also check that the keytab contains such keys.
>>
>> root@dc2:~# klist -Kek /var/lib/samba/private/dns.keytab
>> Keytab name: FILE:/var/lib/samba/private/dns.keytab
>> KVNO Principal
>> ---- --------------------------------------------------------------------------
>>    1 DNS/dc2.domain.local@DOMAIN.LOCAL (des-cbc-crc)  (...)
>>    1 dns-dc2@DOMAIN.LOCAL (des-cbc-crc)  (...)
>>    1 DNS/dc2.domain.local@DOMAIN.LOCAL (des-cbc-md5)  (...)
>>    1 dns-dc2@DOMAIN.LOCAL (des-cbc-md5)  (...)
>>    1 DNS/dc2.domain.local@DOMAIN.LOCAL (arcfour-hmac)  (...)
>>    1 dns-dc2@DOMAIN.LOCAL (arcfour-hmac)  (...)
>>    1 DNS/dc2.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)  (...)
>>    1 dns-dc2@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)  (...)
>>    1 DNS/dc2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)  (...)
>>    1 dns-dc2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)  (...)
>>
>>
> dns.keytab already exists:
>    # ls -l /usr/local/samba/private/dns.keytab
>    -rw-r----- 1 root bind 777 Jul 17 21:59 /usr/local/samba/private/dns.keytab
>
> running the upgrade does not do too much:
>    # samba_upgradedns --dns-backend=BIND9_DLZ
>    Reading domain information
>    DNS accounts already exist
>    No zone file /usr/local/samba/private/dns/AD.DOMAIN.CH.zone
>    DNS records will be automatically created
>    DNS partitions already exist
>    dns-dc2 account already exists
>    See /usr/local/samba/private/named.conf for an example configuration include file for BIND
>    and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
>    Finished upgrading DNS
>
> and the keytab file is unchanged. Contents look fine:
>    # klist -Kek /usr/local/samba/private/dns.keytab
>    Keytab name: FILE:/usr/local/samba/private/dns.keytab
>    KVNO Principal
>    ---- --------------------------------------------------------------------------
>       1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (des-cbc-crc)  (...)
>       1 dns-DC2@AD.DOMAIN.CH (des-cbc-crc)  (...)
>       1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (des-cbc-md5)  (...)
>       1 dns-DC2@AD.DOMAIN.CH (des-cbc-md5)  (...)
>       1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (arcfour-hmac)  (...)
>       1 dns-DC2@AD.DOMAIN.CH (arcfour-hmac)  (...)
>       1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (aes128-cts-hmac-sha1-96)  (...)
>       1 dns-DC2@AD.DOMAIN.CH (aes128-cts-hmac-sha1-96)  (...)
>       1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96)  (...)
>       1 dns-DC2@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96)  (...)
>
> The missing zone file is also not present on the working dc1 system.
>
>

Upgrading to bind9 doesn't work at the moment; you need to upgrade to
the internal DNS server, then upgrade again to Bind9.
When it says 'DNS accounts already exist', it isn't actually referring
to the <DCname>-dns user, it is referring to the dnsadmins group.

Must prod Samba-technical about my patch.

What zone file is missing ?

Rowland
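
The three checks Achim asks Norbert to run above (resolv.conf pointing at the existing DC first, bind able to read dns.keytab, and the keytab holding the DNS/<fqdn> and dns-<NETBIOS> principals), collected into one script as an added example. This is not Samba code and not from anyone in the thread. It assumes the MIT `klist -Kek` output layout shown in the listings, uses a constructed keytab listing and resolv.conf modelled on the ones posted, and, because it has to run without a bind user present, stands in the bind group's gid with the gid of a throwaway temporary file.

```python
"""Offline checks for a joined BIND9_DLZ DC before samba_dnsupdate is expected
to work: resolver order, dns.keytab file mode, and keytab principals.
Added example, not Samba code. Host names, sample listings and the gid used
in place of the bind group are constructed for the example.
"""
import os
import re
import stat
import tempfile

# One data line of `klist -Kek dns.keytab` (MIT klist), e.g.
#   "   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96)  (0x..)"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)")

# Single-DES enctypes are obsolete; a principal that has only these is flagged.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5"}


def parse_klist(text):
    """Return [(kvno, principal, enctype), ...] from klist -Kek output."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def expected_dns_principals(fqdn, netbios, realm):
    """The two principals the thread's keytab listings show for a DC."""
    return {f"DNS/{fqdn}@{realm}", f"dns-{netbios}@{realm}"}


def missing_dns_principals(klist_text, fqdn, netbios, realm):
    """Expected principals absent from the keytab. Compared case-insensitively
    because the listings in the thread show both dns-DC2 and dns-dc2."""
    present = {p.lower() for _, p, _ in parse_klist(klist_text)}
    return {p for p in expected_dns_principals(fqdn, netbios, realm)
            if p.lower() not in present}


def principals_with_only_weak_keys(klist_text):
    """Principals whose every key in the keytab is single-DES."""
    by_principal = {}
    for _, principal, enctype in parse_klist(klist_text):
        by_principal.setdefault(principal, set()).add(enctype)
    return {p for p, etypes in by_principal.items() if etypes <= WEAK_ENCTYPES}


def keytab_readable_by_group(path, gid):
    """True if `path` is owned by group `gid`, group-readable and not
    world-readable, i.e. the -rw-r----- root:bind mode shown in the thread."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return st.st_gid == gid and bool(mode & stat.S_IRGRP) and not mode & stat.S_IROTH


def keytab_mode_demo():
    """Exercise keytab_readable_by_group on a throwaway file: 0640 passes,
    0644 (world-readable keytab) fails. Returns (result_0640, result_0644)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        gid = os.stat(path).st_gid      # stand-in for the bind group's gid
        os.chmod(path, 0o640)
        ok_640 = keytab_readable_by_group(path, gid)
        os.chmod(path, 0o644)
        ok_644 = keytab_readable_by_group(path, gid)
    finally:
        os.unlink(path)
    return ok_640, ok_644


def nameservers(resolv_text):
    """Nameserver addresses from resolv.conf, in lookup order."""
    out = []
    for line in resolv_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            out.append(fields[1])
    return out


def existing_dc_first(resolv_text, existing_dc_ip):
    """During the join the existing DC must be the first resolver."""
    ns = nameservers(resolv_text)
    return bool(ns) and ns[0] == existing_dc_ip


# Constructed sample inputs shaped like the listings posted in the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (des-cbc-crc)  (0x01)
   1 dns-DC2@AD.DOMAIN.CH (des-cbc-crc)  (0x01)
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (arcfour-hmac)  (0x02)
   1 dns-DC2@AD.DOMAIN.CH (arcfour-hmac)  (0x02)
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96)  (0x03)
   1 dns-DC2@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96)  (0x03)
"""
SAMPLE_RESOLV = "domain ad.domain.ch\nnameserver 192.168.1.8\nnameserver 192.168.1.9\n"

if __name__ == "__main__":
    print("missing principals:", missing_dns_principals(
        SAMPLE_KLIST, "dc2.ad.domain.ch", "DC2", "AD.DOMAIN.CH"))
    print("DES-only principals:", principals_with_only_weak_keys(SAMPLE_KLIST))
    print("existing DC first:", existing_dc_first(SAMPLE_RESOLV, "192.168.1.8"))
    print("keytab mode 0640 / 0644:", keytab_mode_demo())
```

On a real DC, feed `missing_dns_principals` the output of `klist -Kek /usr/local/samba/private/dns.keytab` and call `keytab_readable_by_group` on that file with the bind group's gid (`grp.getgrnam("bind").gr_gid`). A clean result only rules out the three causes raised in the thread; it does not by itself explain a NOTAUTH from bind. The keytab listings posted also carry single-DES keys, which `principals_with_only_weak_keys` flags only when a principal has no stronger key at all.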
