[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
Achim Gottinger
achim at ag-web.biz
Mon Jul 18 22:06:55 UTC 2016
On 18.07.2016 at 23:42, Rowland penny wrote:
> On 18/07/16 22:31, Norbert Hanke wrote:
>> On 18.07.2016 22:48, Achim Gottinger wrote:
>>>
>>>
>>> On 18.07.2016 at 11:45, Norbert Hanke wrote:
>>>> On 18.07.2016 01:52, Achim Gottinger wrote:
>>>>>
>>>>>
>>>>> On 18.07.2016 at 01:02, Norbert Hanke wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I'm trying to join a samba 4 DC to an already existing samba 4
>>>>>> DC, both with BIND9_DLZ. Samba is at version 4.4.5, bind is
>>>>>> version 9.10.4-P1, all brand new.
>>>>>>
>>>>>> The existing DC runs fine, but the added DC refuses to update its
>>>>>> local bind database: every attempt to update the local DNS
>>>>>> results in "update failed: NOTAUTH". AD replication works perfectly.
>>>>>>
>>>>>> Both systems are set up identically except for the
>>>>>> provisioning/joining command. On the first I did
>>>>>> samba-tool domain provision --use-rfc2307 --domain=$domain
>>>>>> --server-role=dc --dns-backend=BIND9_DLZ \
>>>>>> --realm=$realm --adminpass=Wonttell
>>>>>> and on the second I do
>>>>>> samba-tool domain join $domain DC -Uadministrator --realm=$realm
>>>>>> --dns-backend=BIND9_DLZ
>>>>>>
>>>>>> Versions are the same, bind config is the same, I tried to follow
>>>>>> every rule I could find.
>>>>>>
>>>>>> # samba_dnsupdate --verbose -d 9
>>>>>> INFO: Current debug levels:
>>>>>> all: 9
>>>>>> (... more such levels ...)
>>>>>> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>>>>>> Processing section "[global]"
>>>>>> Processing section "[netlogon]"
>>>>>> Processing section "[sysvol]"
>>>>>> pm_process() returned Yes
>>>>>> added interface eth0 ip=192.168.1.9 bcast=192.168.1.255
>>>>>> netmask=255.255.255.0
>>>>>> IPs: ['192.168.1.9']
>>>>>> Module 'tombstone_reanimate' is disabled. Skip
>>>>>> registration.lpcfg_servicenumber: couldn't find ldb
>>>>>> schema_fsmo_init: we are master[no] updates allowed[no]
>>>>>> schema_fsmo_init: we are master[no] updates allowed[no]
>>>>>> Looking for DNS entry A dc2.ad.domain.ch 192.168.1.9 as
>>>>>> dc2.ad.domain.ch.
>>>>>> Looking for DNS entry A ad.domain.ch 192.168.1.9 as ad.domain.ch.
>>>>>> Failed to find matching DNS entry A ad.domain.ch 192.168.1.9
>>>>>> need update: A ad.domain.ch 192.168.1.9
>>>>>> (... many more such Looking...need update blocks)
>>>>>> 24 DNS updates and 0 DNS deletes needed
>>>>>> ldb_wrap open of secrets.ldb
>>>>>> Received smb_krb5 packet of length 298
>>>>>> Received smb_krb5 packet of length 1311
>>>>>> update(nsupdate): A ad.domain.tld 192.168.1.9
>>>>>> Calling nsupdate for A ad.domain.tld 192.168.1.9 (add)
>>>>>> Outgoing update query:
>>>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>>>>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>>>>> ;; UPDATE SECTION:
>>>>>> ad.domain.tld. 900 IN A 192.168.1.9
>>>>>>
>>>>>> update failed: NOTAUTH
>>>>>> Failed nsupdate: 2
>>>>>> (... many more such failed updates ...)
>>>>>> Failed update of 24 entries
>>>>>> # 22:37:30 root at dc2:/root/
>>>>>>
>>>>>>
>>>>>> In /var/log/syslog there are these equivalent 24 error messages
>>>>>> every 10 minutes:
>>>>>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.742592, 0]
>>>>>> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>>>>>> Jul 17 22:52:06 dc2 samba[3960]:
>>>>>> /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
>>>>>> and the last of the 24 entries is always followed by
>>>>>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.866877, 0]
>>>>>> ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
>>>>>> Jul 17 22:52:06 dc2 samba[3960]:
>>>>>> ../source4/dsdb/dns/dns_update.c:295: Failed DNS update -
>>>>>> NT_STATUS_TOO_MANY_OPENED_FILES
>>>>>>
>>>>>> smb.conf is minimalistic:
>>>>>>
>>>>>> # Global parameters
>>>>>> [global]
>>>>>> netbios name = DC2
>>>>>> realm = AD.DOMAIN.TLD
>>>>>> server services = s3fs, rpc, nbt, wrepl, ldap, cldap,
>>>>>> kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>>>>> workgroup = DOMAIN
>>>>>> server role = active directory domain controller
>>>>>>
>>>>>> [netlogon]
>>>>>> path =
>>>>>> /usr/local/samba/var/locks/sysvol/ad.domain.tld/scripts
>>>>>> read only = No
>>>>>>
>>>>>> [sysvol]
>>>>>> path = /usr/local/samba/var/locks/sysvol
>>>>>> read only = No
>>>>>>
>>>>>> Maybe somebody has an idea what I did wrong?
>>>>>>
>>>>>>
>>>>>>
>>>>> resolv.conf on dc2 should point to dc1 during join. Is that the case?
>>>>> Does kinit work on dc2?
>>>>>
>>>>>
>>>> Yes, I did
>>>> cat <<EOF >/etc/resolv.conf
>>>> domain $domain
>>>> nameserver $otherip
>>>> nameserver $ip
>>>> EOF
>>>>
>>>> ($ip is the local system, $otherip is the existing DC)
>>>>
>>>> resulting in
>>>>
>>>> # cat /etc/resolv.conf
>>>> domain ad.domain.ch
>>>> nameserver 192.168.1.8
>>>> nameserver 192.168.1.9
>>>>
>>>>
>>>> Before joining I did
>>>>
>>>> klist -e | grep administrator@$realm || kinit administrator
>>>>
>>>> and looking at it right now half a day later I get
>>>>
>>>> # klist -e
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: administrator at AD.DOMAIN.CH
>>>>
>>>> Valid starting Expires Service principal
>>>> 17/07/16 21:56:59 18/07/16 07:56:59
>>>> krbtgt/AD.DOMAIN.CH at AD.DOMAIN.CH
>>>> renew until 18/07/16 21:56:55, Etype (skey, tkt):
>>>> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>>>
>>>> So it is expired right now, another kinit gets me a new tgt:
>>>> # kinit -R
>>>> kinit: Ticket expired while renewing credentials
>>>> # kinit
>>>> Password for administrator at AD.DOMAIN.CH:
>>>> Warning: Your password will expire in 32 days on Sat 20 Aug 2016
>>>> 08:27:10 UTC
>>>> # klist -e
>>>> Ticket cache: FILE:/tmp/krb5cc_0
>>>> Default principal: administrator at AD.DOMAIN.CH
>>>>
>>>> Valid starting Expires Service principal
>>>> 18/07/16 09:35:01 18/07/16 19:35:01
>>>> krbtgt/AD.DOMAIN.CH at AD.DOMAIN.CH
>>>> renew until 19/07/16 09:34:58, Etype (skey, tkt):
>>>> aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
>>>> samba_dnsupdate still fails.
>>>>
>>> You can try to run
>>>
>>> root at dc2:~# samba_upgradedns --dns-backend=BIND9_DLZ
>>>
>>> and verify that bind has read rights on the dns.keytab
>>>
>>> root at dc2:~# ls -l /var/lib/samba/private/dns.keytab
>>> -rw-r----- 1 root bind 732 Jun 28 16:08
>>> /var/lib/samba/private/dns.keytab
>>>
>>> Also check that the keytab contains such keys.
>>>
>>> root at dc2:~# klist -Kek /var/lib/samba/private/dns.keytab
>>> Keytab name: FILE:/var/lib/samba/private/dns.keytab
>>> KVNO Principal
>>> ----
>>> --------------------------------------------------------------------------
>>> 1 DNS/dc2.domain.local at DOMAIN.LOCAL (des-cbc-crc) (...)
>>> 1 dns-dc2 at DOMAIN.LOCAL (des-cbc-crc) (...)
>>> 1 DNS/dc2.domain.local at DOMAIN.LOCAL (des-cbc-md5) (...)
>>> 1 dns-dc2 at DOMAIN.LOCAL (des-cbc-md5) (...)
>>> 1 DNS/dc2.domain.local at DOMAIN.LOCAL (arcfour-hmac) (...)
>>> 1 dns-dc2 at DOMAIN.LOCAL (arcfour-hmac) (...)
>>> 1 DNS/dc2.domain.local at DOMAIN.LOCAL (aes128-cts-hmac-sha1-96) (...
>>> 1 dns-dc2 at DOMAIN.LOCAL (aes128-cts-hmac-sha1-96) (...)
>>> 1 DNS/dc2.domain.local at DOMAIN.LOCAL (aes256-cts-hmac-sha1-96) (...)
>>> 1 dns-dc2 at DOMAIN.LOCAL (aes256-cts-hmac-sha1-96) (...)
>>>
>>>
>> dns.keytab already exists:
>> # ls -l /usr/local/samba/private/dns.keytab
>> -rw-r----- 1 root bind 777 Jul 17 21:59
>> /usr/local/samba/private/dns.keytab
>>
>> running the upgrade does not do too much:
>> # samba_upgradedns --dns-backend=BIND9_DLZ
>> Reading domain information
>> DNS accounts already exist
>> No zone file /usr/local/samba/private/dns/AD.DOMAIN.CH.zone
>> DNS records will be automatically created
>> DNS partitions already exist
>> dns-dc2 account already exists
>> See /usr/local/samba/private/named.conf for an example
>> configuration include file for BIND
>> and /usr/local/samba/private/named.txt for further documentation
>> required for secure DNS updates
>> Finished upgrading DNS
>>
>> and the keytab file is unchanged. Contents look fine:
>> # klist -Kek /usr/local/samba/private/dns.keytab
>> Keytab name: FILE:/usr/local/samba/private/dns.keytab
>> KVNO Principal
>> ----
>> --------------------------------------------------------------------------
>> 1 DNS/dc2.ad.domain.ch at AD.DOMAIN.CH (des-cbc-crc) (...)
>> 1 dns-DC2 at AD.DOMAIN.CH (des-cbc-crc) (...)
>> 1 DNS/dc2.ad.domain.ch at AD.DOMAIN.CH (des-cbc-md5) (...)
>> 1 dns-DC2 at AD.DOMAIN.CH (des-cbc-md5) (...)
>> 1 DNS/dc2.ad.domain.ch at AD.DOMAIN.CH (arcfour-hmac) (...)
>> 1 dns-DC2 at AD.DOMAIN.CH (arcfour-hmac) (...)
>> 1 DNS/dc2.ad.domain.ch at AD.DOMAIN.CH (aes128-cts-hmac-sha1-96)
>> (...)
>> 1 dns-DC2 at AD.DOMAIN.CH (aes128-cts-hmac-sha1-96) (...)
>> 1 DNS/dc2.ad.domain.ch at AD.DOMAIN.CH (aes256-cts-hmac-sha1-96)
>> (...)
>> 1 dns-DC2 at AD.DOMAIN.CH (aes256-cts-hmac-sha1-96) (...)
>>
>> The missing zone file is also not present on the working dc1 system.
>>
>>
>
> Upgrading to bind9 doesn't work at the moment, you need to upgrade to
> the internal DNS server, then upgrade again to Bind9.
> When it says 'DNS accounts already exists', it isn't actually
> referring to the <DCname>-dns user, it is referring to the dnsadmins
> group.
>
Thank you for the clarification, I was wondering because in my test setup
dns-dc2 is missing and was not created even when switching between
backends like you described.
So I did it similarly to the Dovecot Kerberos steps.
samba-tool user create dns-dc2 --random-password
samba-tool spn add DNS/dc2.domain.local dns-dc2
mv /var/lib/samba/private/dns.keytab /var/lib/samba/private/dns.keytab.old
samba-tool domain exportkeytab --principal dns-dc2
/var/lib/samba/private/dns.keytab
samba-tool domain exportkeytab --principal DNS/dc2.domain.local
/var/lib/samba/private/dns.keytab
I restarted bind9 and this works
kinit Administrator
nsupdate -g
>update add test.domain.local. 0 A 192.168.100.123
>send
Without the dns-dc2 account that fails.
> Must prod Samba-technical about my patch.
>
> What zone file is missing ?
>
> Rowland
>
>
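Added example (not from the thread or from Samba): a small checker that parses `klist -Kek` output for a DC's dns.keytab and reports whether the two principals the BIND9_DLZ backend needs (DNS/<host>@REALM and dns-<host>@REALM, the ones exported in the message above) are present, and flags DES/RC4 keys. The listing below is a constructed sample in the shape shown in the thread; a real listing would be captured from `klist -Kek /path/to/dns.keytab` and passed in as text.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of `klist -Kek` output for DC "dc2" in realm AD.DOMAIN.CH
# (the list archive above rewrites '@' as ' at '; real klist prints '@').
SAMPLE_KLIST = """\
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (des-cbc-crc) (0x...)
   1 dns-DC2@AD.DOMAIN.CH (des-cbc-crc) (0x...)
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (arcfour-hmac) (0x...)
   1 dns-DC2@AD.DOMAIN.CH (arcfour-hmac) (0x...)
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96) (0x...)
   1 dns-DC2@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96) (0x...)
"""

# One keytab entry line: "<kvno> <principal> (<enctype>) ..."
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)")
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac"}


def parse_keytab_listing(text: str) -> Dict[str, Set[str]]:
    """Map each principal (lower-cased, as Kerberos realms/hosts are compared
    case-insensitively here) to the set of enctypes it has keys for."""
    keys: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header and separator lines
        _kvno, principal, enctype = m.groups()
        keys.setdefault(principal.lower(), set()).add(enctype)
    return keys


def check_dns_keytab(text: str, dc_host: str, realm: str) -> Tuple[List[str], List[str]]:
    """Return (missing principals, warnings) for a DC's dns.keytab listing."""
    keys = parse_keytab_listing(text)
    short = dc_host.split(".")[0]
    required = [f"DNS/{dc_host}@{realm}".lower(), f"dns-{short}@{realm}".lower()]
    missing = [p for p in required if p not in keys]
    warnings: List[str] = []
    for p in required:
        enctypes = keys.get(p, set())
        if enctypes and not any(e.startswith("aes") for e in enctypes):
            warnings.append(f"{p}: no AES key")
        for e in sorted(enctypes & WEAK_ENCTYPES):
            warnings.append(f"{p}: weak enctype {e}")
    return missing, warnings
```

An empty `missing` list means both accounts that `samba-tool domain exportkeytab` wrote are in the keytab; the thread's failure mode (no dns-dc2 account) shows up as that principal being reported missing.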