[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Dario Lesca d.lesca at solinos.it
Mon Dec 4 10:35:29 UTC 2017

I have setup on Fedora 27 server a AD-DC samba server + bind + dhcp.

All seem work fine: I can join to domain, add/remove dns records with
samba-tools, access to shared folder, use MS Management Console on
Win7, ecc

But when I join a new machine Samba winbind Member server to domain 

    [    root at server-dati     ~]# net ads join DOGMA-TO -U administrator
    Using short domain name -- DOGMA-TO
    Joined 'SERVER-DATI' to dns domain 'dogma-to.loc'
    DNS Update for server-dati.dogma-to.loc failed: ERROR_DNS_UPDATE_FAILED

or run this command on Samba AD-DC: 

    [    root at server-addc     ~]# samba_dnsupdate  --all-names --fail-immediately
    update failed: REFUSED

Into system log I get:

    dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: starting transaction on zone dogma-to.loc
    dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: spnego update failed
    dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: client @0x7fe71c49f7b0 SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
    dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: cancelling transaction on zone dogma-to.loc

What kind of problem it's?

These are my config files and SElinux is Off

### Samba:
            passdb backend = samba_dsdb
            realm = DOGMA-TO.LOC
            server role = active directory domain controller
    services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd,
    ntp_signd, kcc, dnsupdate
            template homedir = /home/%U
    plate shell = /bin/bash
            workgroup = DOGMA-TO
    cpip = no
            rpc_daemon:spoolssd = embedded
    ss = embedded
            rpc_server:winreg = embedded
    vcs = embedded
            rpc_server:eventlog = embedded
    srvsvc = embedded
            rpc_server:svcctl = embedded
    :default = external
            winbindd:use external pipes = true
    map_ldb:use rfc2307 = yes
            idmap config * : backend = tdb
    map archive = No
            map readonly = no
            store dos attributes =
            vfs objects = dfs_samba4 acl_xattr

            path = /var/lib/samba/sysvol/dogma-to.loc/scripts
            read only = No

            path = /var/lib/samba/sysvol
            read only = No


    [    root at server-addc     ~]# cat /etc/krb5.conf
            default_realm = DOGMA-TO.LOC
            dns_lookup_realm = false
            dns_lookup_kdc = true

### Bind

    options {
            listen-on port 53 {;; };
            //listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query     { localhost;; };

             - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
             - If you are building a RECURSIVE (caching) DNS server, you need to enable
             - If your recursive DNS server has a public IP address, you MUST enable access
               control to limit queries to your legitimate users. Failing to do so will
               cause your server to become part of large scale DNS amplification
               attacks. Implementing BCP38 within your network would greatly
               reduce such attack surface
            recursion yes;

            dnssec-enable yes;
            dnssec-validation yes;

            managed-keys-directory "/var/named/dynamic";

            pid-file "/run/named/named.pid";
            session-keyfile "/run/named/session.key";

            /*     https://fedoraproject.org/wiki/Changes/CryptoPolicy     */
            include "/etc/crypto-policies/back-ends/bind.config";

            tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";


    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;

    zone "." IN {
            type hint;
            file "named.ca";

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";

    include "/var/lib/samba/bind-dns/named.conf";

Someone can help me?

Dario Lesca
(inviato dal mio Linux Fedora 27 Workstation)

More information about the samba mailing list