[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
Dario Lesca
d.lesca at solinos.it
Mon Dec 4 10:35:29 UTC 2017
I have set up on a Fedora 27 server a Samba AD-DC + bind + dhcp.
All seems to work fine: I can join the domain, add/remove DNS records with
samba-tool, access shared folders, use the MS Management Console on
Win7, etc.
But when I join a new machine (a Samba winbind member server) to the domain:
[ root at server-dati ~]# net ads join DOGMA-TO -U administrator
Using short domain name -- DOGMA-TO
Joined 'SERVER-DATI' to dns domain 'dogma-to.loc'
DNS Update for server-dati.dogma-to.loc failed: ERROR_DNS_UPDATE_FAILED
DNS update failed: NT_STATUS_UNSUCCESSFUL
or run this command on the Samba AD-DC:
[ root at server-addc ~]# samba_dnsupdate --all-names --fail-immediately
update failed: REFUSED
In the system log I get:
dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: starting transaction on zone dogma-to.loc
dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: spnego update failed
dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: client @0x7fe71c49f7b0 192.168.41.1#48521/key SERVER-ADDC$@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: cancelling transaction on zone dogma-to.loc
What kind of problem is it?
These are my config files, and SELinux is off.
### Samba:
[global]
passdb backend = samba_dsdb
realm = DOGMA-TO.LOC
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
template homedir = /home/%U
template shell = /bin/bash
workgroup = DOGMA-TO
rpc_server:tcpip = no
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = No
map readonly = no
store dos attributes = Yes
vfs objects = dfs_samba4 acl_xattr

[netlogon]
path = /var/lib/samba/sysvol/dogma-to.loc/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
### Kerberos
[ root at server-addc ~]# cat /etc/krb5.conf
[libdefaults]
default_realm = DOGMA-TO.LOC
dns_lookup_realm = false
dns_lookup_kdc = true
### Bind
options {
        listen-on port 53 { 127.0.0.1; 192.168.41.1; };
        //listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; 192.168.41.0/24; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";

        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/var/lib/samba/bind-dns/named.conf";
Can someone help me?
--
Dario Lesca
(sent from my Linux Fedora 27 Workstation)