[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH

Achim Gottinger achim at ag-web.biz
Mon Jul 18 21:44:32 UTC 2016



On 18.07.2016 at 23:31, Norbert Hanke wrote:
> On 18.07.2016 22:48, Achim Gottinger wrote:
>>
>>
>> On 18.07.2016 at 11:45, Norbert Hanke wrote:
>>> On 18.07.2016 01:52, Achim Gottinger wrote:
>>>>
>>>>
>>>> On 18.07.2016 at 01:02, Norbert Hanke wrote:
>>>>> Hello,
>>>>>
>>>>> I'm trying to join a samba 4 DC to an already existing samba 4 DC, 
>>>>> both with BIND9_DLZ. Samba is at version 4.4.5, bind is version 
>>>>> 9.10.4-P1, all brand new.
>>>>>
>>>>> The existing DC runs fine, but the added DC refuses to update its 
>>>>> local bind database: every attempt to update the local DNS results 
>>>>> in "update failed: NOTAUTH". AD replication works perfectly.
>>>>>
>>>>> Both systems are set up identically except for the 
>>>>> provisioning/joining command. On the first I did
>>>>> samba-tool domain provision --use-rfc2307 --domain=$domain 
>>>>> --server-role=dc --dns-backend=BIND9_DLZ \
>>>>>  --realm=$realm --adminpass=Wonttell
>>>>> and on the second I do
>>>>> samba-tool domain join $domain DC -Uadministrator --realm=$realm 
>>>>> --dns-backend=BIND9_DLZ
>>>>>
>>>>> Versions are the same, bind config is the same, I tried to follow 
>>>>> every rule I could find.
>>>>>
>>>>> # samba_dnsupdate --verbose -d 9
>>>>> INFO: Current debug levels:
>>>>>   all: 9
>>>>> (... more such levels ...)
>>>>> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>>>>> Processing section "[global]"
>>>>> Processing section "[netlogon]"
>>>>> Processing section "[sysvol]"
>>>>> pm_process() returned Yes
>>>>> added interface eth0 ip=192.168.1.9 bcast=192.168.1.255 
>>>>> netmask=255.255.255.0
>>>>> IPs: ['192.168.1.9']
>>>>> Module 'tombstone_reanimate' is disabled. Skip 
>>>>> registration.lpcfg_servicenumber: couldn't find ldb
>>>>> schema_fsmo_init: we are master[no] updates allowed[no]
>>>>> schema_fsmo_init: we are master[no] updates allowed[no]
>>>>> Looking for DNS entry A dc2.ad.domain.ch 192.168.1.9 as 
>>>>> dc2.ad.domain.ch.
>>>>> Looking for DNS entry A ad.domain.ch 192.168.1.9 as ad.domain.ch.
>>>>> Failed to find matching DNS entry A ad.domain.ch 192.168.1.9
>>>>> need update: A ad.domain.ch 192.168.1.9
>>>>> (... many more such Looking...need update blocks)
>>>>> 24 DNS updates and 0 DNS deletes needed
>>>>> ldb_wrap open of secrets.ldb
>>>>> Received smb_krb5 packet of length 298
>>>>> Received smb_krb5 packet of length 1311
>>>>> update(nsupdate): A ad.domain.tld 192.168.1.9
>>>>> Calling nsupdate for A ad.domain.tld 192.168.1.9 (add)
>>>>> Outgoing update query:
>>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>>>> ;; UPDATE SECTION:
>>>>> ad.domain.tld.        900     IN      A       192.168.1.9
>>>>>
>>>>> update failed: NOTAUTH
>>>>> Failed nsupdate: 2
>>>>> (... many more such failed updates ...)
>>>>> Failed update of 24 entries
>>>>> # 22:37:30 root at dc2:/root/
>>>>>
>>>>>
>>>>> In /var/log/syslog there are these 24 equivalent error messages 
>>>>> every 10 minutes:
>>>>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.742592, 0] 
>>>>> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>>>>> Jul 17 22:52:06 dc2 samba[3960]: 
>>>>> /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
>>>>> and the last of the 24 entries is always followed by
>>>>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.866877, 0] 
>>>>> ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
>>>>> Jul 17 22:52:06 dc2 samba[3960]: 
>>>>> ../source4/dsdb/dns/dns_update.c:295: Failed DNS update - 
>>>>> NT_STATUS_TOO_MANY_OPENED_FILES
>>>>>
>>>>> smb.conf is minimalistic:
>>>>>
>>>>> # Global parameters
>>>>> [global]
>>>>>         netbios name = DC2
>>>>>         realm = AD.DOMAIN.TLD
>>>>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
>>>>> drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>>         workgroup = DOMAIN
>>>>>         server role = active directory domain controller
>>>>>
>>>>> [netlogon]
>>>>>         path = 
>>>>> /usr/local/samba/var/locks/sysvol/ad.domain.tld/scripts
>>>>>         read only = No
>>>>>
>>>>> [sysvol]
>>>>>         path = /usr/local/samba/var/locks/sysvol
>>>>>         read only = No
>>>>>
>>>>> Maybe somebody has an idea what I did wrong?
>>>>>
>>>>>
>>>>>
>>>> resolv.conf on dc2 should point to dc1 during join. Is that the case?
>>>> Does kinit work on dc2?
>>>>
>>>>
>>> Yes, I did
>>>    cat <<EOF >/etc/resolv.conf
>>>    domain $domain
>>>    nameserver $otherip
>>>    nameserver $ip
>>>    EOF
>>>
>>> ($ip is the local system, $otherip is the existing DC)
>>>
>>> resulting in
>>>
>>>    # cat /etc/resolv.conf
>>>    domain ad.domain.ch
>>>    nameserver 192.168.1.8
>>>    nameserver 192.168.1.9
>>>
>>>
>>> Before joining I did
>>>
>>>    klist -e | grep administrator@$realm || kinit administrator
>>>
>>> and looking at it right now half a day later I get
>>>
>>>    # klist -e
>>>    Ticket cache: FILE:/tmp/krb5cc_0
>>>    Default principal: administrator at AD.DOMAIN.CH
>>>
>>>    Valid starting     Expires            Service principal
>>>    17/07/16 21:56:59  18/07/16 07:56:59 
>>> krbtgt/AD.DOMAIN.CH at AD.DOMAIN.CH
>>>            renew until 18/07/16 21:56:55, Etype (skey, tkt): 
>>> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>>
>>> So it is expired right now, another kinit gets me a new tgt:
>>>    # kinit -R
>>>    kinit: Ticket expired while renewing credentials
>>>    # kinit
>>>    Password for administrator at AD.DOMAIN.CH:
>>>    Warning: Your password will expire in 32 days on Sat 20 Aug 2016 
>>> 08:27:10 UTC
>>>    # klist -e
>>>    Ticket cache: FILE:/tmp/krb5cc_0
>>>    Default principal: administrator at AD.DOMAIN.CH
>>>
>>>    Valid starting     Expires            Service principal
>>>    18/07/16 09:35:01  18/07/16 19:35:01 
>>> krbtgt/AD.DOMAIN.CH at AD.DOMAIN.CH
>>>            renew until 19/07/16 09:34:58, Etype (skey, tkt): 
>>> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>> samba_dnsupdate still fails.
>>>
>> You can try to run
>>
>> root at dc2:~# samba_upgradedns --dns-backend=BIND9_DLZ
>>
>> and verify that bind has read rights on the dns.keytab
>>
>> root at dc2:~# ls -l /var/lib/samba/private/dns.keytab
>> -rw-r----- 1 root bind 732 Jun 28 16:08 
>> /var/lib/samba/private/dns.keytab
>>
>> Also check that the keytab contains such keys.
>>
>> root at dc2:~# klist -Kek /var/lib/samba/private/dns.keytab
>> Keytab name: FILE:/var/lib/samba/private/dns.keytab
>> KVNO Principal
>> ---- 
>> --------------------------------------------------------------------------
>>    1 DNS/dc2.domain.local at DOMAIN.LOCAL (des-cbc-crc)  (...)
>>    1 dns-dc2 at DOMAIN.LOCAL (des-cbc-crc)  (...)
>>    1 DNS/dc2.domain.local at DOMAIN.LOCAL (des-cbc-md5)  (...)
>>    1 dns-dc2 at DOMAIN.LOCAL (des-cbc-md5)  (...)
>>    1 DNS/dc2.domain.local at DOMAIN.LOCAL (arcfour-hmac)  (...)
>>    1 dns-dc2 at DOMAIN.LOCAL (arcfour-hmac)  (...)
>>    1 DNS/dc2.domain.local at DOMAIN.LOCAL (aes128-cts-hmac-sha1-96) (...
>>    1 dns-dc2 at DOMAIN.LOCAL (aes128-cts-hmac-sha1-96)  (...)
>>    1 DNS/dc2.domain.local at DOMAIN.LOCAL (aes256-cts-hmac-sha1-96) (...)
>>    1 dns-dc2 at DOMAIN.LOCAL (aes256-cts-hmac-sha1-96)  (...)
>>
>>
> dns.keytab already exists:
>    # ls -l /usr/local/samba/private/dns.keytab
>    -rw-r----- 1 root bind 777 Jul 17 21:59 
> /usr/local/samba/private/dns.keytab
>
> running the upgrade does not do too much:
>    # samba_upgradedns --dns-backend=BIND9_DLZ
>    Reading domain information
>    DNS accounts already exist
>    No zone file /usr/local/samba/private/dns/AD.DOMAIN.CH.zone
>    DNS records will be automatically created
>    DNS partitions already exist
>    dns-dc2 account already exists
>    See /usr/local/samba/private/named.conf for an example 
> configuration include file for BIND
>    and /usr/local/samba/private/named.txt for further documentation 
> required for secure DNS updates
>    Finished upgrading DNS
>
> and the keytab file is unchanged. Contents look fine:
>    # klist -Kek /usr/local/samba/private/dns.keytab
>    Keytab name: FILE:/usr/local/samba/private/dns.keytab
>    KVNO Principal
>    ---- 
> --------------------------------------------------------------------------
>       1 DNS/dc2.ad.domain.ch at AD.DOMAIN.CH (des-cbc-crc)  (...)
>       1 dns-DC2 at AD.DOMAIN.CH (des-cbc-crc)  (...)
>       1 DNS/dc2.ad.domain.ch at AD.DOMAIN.CH (des-cbc-md5)  (...)
>       1 dns-DC2 at AD.DOMAIN.CH (des-cbc-md5)  (...)
>       1 DNS/dc2.ad.domain.ch at AD.DOMAIN.CH (arcfour-hmac)  (...)
>       1 dns-DC2 at AD.DOMAIN.CH (arcfour-hmac)  (...)
>       1 DNS/dc2.ad.domain.ch at AD.DOMAIN.CH (aes128-cts-hmac-sha1-96)  
> (...)
>       1 dns-DC2 at AD.DOMAIN.CH (aes128-cts-hmac-sha1-96)  (...)
>       1 DNS/dc2.ad.domain.ch at AD.DOMAIN.CH (aes256-cts-hmac-sha1-96)  
> (...)
>       1 dns-DC2 at AD.DOMAIN.CH (aes256-cts-hmac-sha1-96)  (...)
>
> The missing zone file is also not present on the working dc1 system.
>
samba_dnsupdate uses nsupdate to modify DNS records; the NOTAUTH response 
is coming from such an nsupdate call.

The samba wiki recommends these settings

     kerberos method = system keytab
     client ldap sasl wrapping = sign
     allow dns updates = nonsecure and secure
     nsupdate command =  /usr/bin/nsupdate -g
     server services = -dns

You can keep your server services line, I think.
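As an added example that is not part of this thread or of Samba itself, the following Python checker applies the two diagnostics discussed above offline: it parses pasted `klist -Kek` output to confirm that the DNS/<fqdn> and dns-<NETBIOS> principals are present in dns.keytab (and have AES keys, not only DES/RC4), and parses the smb.conf [global] section for the `kerberos method` and `nsupdate command ... -g` settings recommended in the last reply. The sample output and config are constructed from what was quoted in the thread (hostname dc2.ad.domain.ch, realm AD.DOMAIN.CH); the check functions and their names are my own.

```python
import re
# Constructed `klist -Kek` output (real output prints '@'; the archive shows ' at ').
SAMPLE_KLIST = """\
Keytab name: FILE:/usr/local/samba/private/dns.keytab
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (des-cbc-crc)  (0x00)
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96)  (0x00)
   1 dns-DC2@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96)  (0x00)
"""
# Constructed [global] section as posted, i.e. without the recommended settings.
SAMPLE_SMB_CONF = """\
[global]
        netbios name = DC2
        realm = AD.DOMAIN.CH
        server role = active directory domain controller
"""
KEYTAB_LINE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s+\((\S+)\)")

def parse_keytab_listing(text):
    """Map each principal in `klist -Kek` output to the set of its enctypes."""
    keys = {}
    for m in filter(None, map(KEYTAB_LINE.match, text.splitlines())):
        keys.setdefault(m.group(1), set()).add(m.group(2))
    return keys

def parse_global(text):
    """Return the smb.conf [global] parameters with lower-cased keys."""
    section, params = None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params

def check_dns_update_prereqs(klist_out, smb_conf, fqdn, netbios):
    """List reasons `nsupdate -g` from this DC could get NOTAUTH; [] means OK."""
    findings, params = [], parse_global(smb_conf)
    realm, keys = params.get("realm", "").upper(), parse_keytab_listing(klist_out)
    for princ in (f"DNS/{fqdn}@{realm}", f"dns-{netbios}@{realm}"):
        etypes = keys.get(princ, set())
        if not etypes:
            findings.append(f"missing keytab entry for {princ}")
        elif not any(e.startswith("aes") for e in etypes):
            findings.append(f"{princ} has only weak enctypes: {sorted(etypes)}")
    if params.get("kerberos method") != "system keytab":
        findings.append("smb.conf: 'kerberos method = system keytab' not set")
    if "-g" not in params.get("nsupdate command", ""):
        findings.append("smb.conf: nsupdate command is not called with -g (GSS-TSIG)")
    return findings
```

Feed it the real `klist -Kek /usr/local/samba/private/dns.keytab` output and smb.conf text from dc2; an empty result means the keytab and config prerequisites for GSS-TSIG updates are in place and the NOTAUTH has to be looked for on the bind side.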