[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Dario Lesca d.lesca at solinos.it
Mon Dec 4 11:56:19 UTC 2017

On Mon, 04/12/2017 at 11.29 +0000, Rowland Penny via samba wrote:
> Try changing the 'options' of named.conf to this:

Thanks Rowland

I integrated your suggested changes and restarted samba and named.

Now my named.conf is this [1], but nothing has changed:
    [root@server-addc ~]# samba_dnsupdate --all-names --fail-immediately
    update failed: REFUSED

    dic 04 12:46:43 server-addc.dogma-to.loc named[8474]: samba_dlz: spnego update failed
    dic 04 12:46:43 server-addc.dogma-to.loc named[8474]: client @0x7fc9310a5e80 SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)

I have also tried this:

    [root@server-addc ~]# samba_dnsupdate --all-names --use-samba-tool --fail-immediately
    ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
      File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
        return self.run(*args, **kwargs)
      File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 940, in run
        raise e

But it also fails.

Any other suggestions?


[1] /etc/named.conf

options {
        listen-on port 53 {;; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost;; };
        recursion yes;
        //dnssec-enable yes;
        //dnssec-validation yes;
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
            allow-recursion {;; };
            notify no;
            empty-zones-enable no;
            forwarders {;; };
            dnssec-validation no;
            dnssec-enable no;
            allow-transfer { none; };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/var/lib/samba/bind-dns/named.conf";

Dario Lesca
(sent from my Linux Fedora 27 Workstation)