[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
Christian Naumer
cn at brain-biotech.de
Mon Dec 4 12:17:47 UTC 2017
Is /var/lib/samba/bind-dns/ accessible by bind?

Regards
Christian
On 04.12.2017 at 11:35, Dario Lesca via samba wrote:
> I have set up an AD-DC Samba server + bind + dhcp on a Fedora 27 server.
>
> All seems to work fine: I can join the domain, add/remove DNS records with
> samba-tool, access shared folders, use the MS Management Console on
> Win7, etc.
>
> But when I join a new machine (a Samba winbind member server) to the domain
>
> [ root at server-dati ~]# net ads join DOGMA-TO -U administrator
> Using short domain name -- DOGMA-TO
> Joined 'SERVER-DATI' to dns domain 'dogma-to.loc'
> DNS Update for server-dati.dogma-to.loc failed: ERROR_DNS_UPDATE_FAILED
> DNS update failed: NT_STATUS_UNSUCCESSFUL
>
> or run this command on the Samba AD-DC:
>
> [ root at server-addc ~]# samba_dnsupdate --all-names --fail-immediately
> update failed: REFUSED
>
> In the system log I get:
>
> dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: starting transaction on zone dogma-to.loc
> dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: spnego update failed
> dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: client @0x7fe71c49f7b0 192.168.41.1#48521/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
> dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: cancelling transaction on zone dogma-to.loc
>
> What kind of problem is it?
>
> These are my config files, and SELinux is off.
>
> ### Samba:
> [global]
> passdb backend = samba_dsdb
> realm = DOGMA-TO.LOC
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> template homedir = /home/%U
> template shell = /bin/bash
> workgroup = DOGMA-TO
> rpc_server:tcpip = no
> rpc_daemon:spoolssd = embedded
> rpc_server:spoolss = embedded
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> map archive = No
> map readonly = no
> store dos attributes = Yes
> vfs objects = dfs_samba4 acl_xattr
>
> [netlogon]
> path = /var/lib/samba/sysvol/dogma-to.loc/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>
> Kerberos
>
> [ root at server-addc ~]# cat /etc/krb5.conf
> [libdefaults]
> default_realm = DOGMA-TO.LOC
> dns_lookup_realm = false
> dns_lookup_kdc = true
>
>
> ### Bind
>
> options {
> listen-on port 53 { 127.0.0.1; 192.168.41.1; };
> //listen-on-v6 port 53 { ::1; };
> directory "/var/named";
> dump-file "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
> allow-query { localhost; 192.168.41.0/24; };
>
> /*
> - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
> - If you are building a RECURSIVE (caching) DNS server, you need to enable
> recursion.
> - If your recursive DNS server has a public IP address, you MUST enable access
> control to limit queries to your legitimate users. Failing to do so will
> cause your server to become part of large scale DNS amplification
> attacks. Implementing BCP38 within your network would greatly
> reduce such attack surface
> */
> recursion yes;
>
> dnssec-enable yes;
> dnssec-validation yes;
>
> managed-keys-directory "/var/named/dynamic";
>
> pid-file "/run/named/named.pid";
> session-keyfile "/run/named/session.key";
>
> /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
> include "/etc/crypto-policies/back-ends/bind.config";
>
> tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>
> };
>
> logging {
> channel default_debug {
> file "data/named.run";
> severity dynamic;
> };
> };
>
> zone "." IN {
> type hint;
> file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
>
> include "/var/lib/samba/bind-dns/named.conf";
>
>
> Can someone help me?
>
--
Dr. Christian Naumer
Research Scientist
Platform Coordinator, Bioprocess Engineering
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
fon +49-6251-9331-30 / fax +49-6251-9331-11
Follow @BRAINbiotech on Twitter: https://twitter.com/BRAINbiotech
Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Management board: Dr. Juergen Eck (chairman), Frank Goebel
Chairman of the supervisory board: Dr. Ludger Mueller
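Christian's question (can the BIND process read the DLZ directory and the keytab that `tkey-gssapi-keytab` points at?) can be checked mechanically rather than by eye. The script below is an added example, not code from this thread, from Samba or from BIND: it walks every component of the keytab path and reports which one would deny the `named` user, applying plain POSIX mode bits (each parent directory must grant search `x`, the file must grant read `r`). It ignores POSIX ACLs and SELinux labels (the poster states SELinux is off), and the `SAMPLE_TREE`, the uid/gid 25 and the `check_keytab_for` wrapper are constructed for illustration.

```python
#!/usr/bin/env python3
"""Hypothetical helper (not Samba or BIND code): would a given local user be
able to read a file such as the GSS-TSIG keytab?  Every parent directory must
grant search (x) and the leaf must grant read (r) to that user's uid/gids.
Only classic mode bits are evaluated; ACLs and SELinux are not consulted."""
import grp
import os
import pwd
from pathlib import Path
from typing import List, Set, Tuple

# One path component: (path, permission bits, owner uid, owner gid)
Entry = Tuple[str, int, int, int]

# Constructed sample of a typical layout: bind-dns/ and dns.keytab owned by
# root with group "named" (uid/gid 25 here is an assumption for the example).
SAMPLE_TREE: List[Entry] = [
    ("/", 0o755, 0, 0),
    ("/var", 0o755, 0, 0),
    ("/var/lib", 0o755, 0, 0),
    ("/var/lib/samba", 0o755, 0, 0),
    ("/var/lib/samba/bind-dns", 0o770, 0, 25),
    ("/var/lib/samba/bind-dns/dns.keytab", 0o640, 0, 25),
]


def collect_entries(path: str) -> List[Entry]:
    """stat() every component of a path on the live system, root first."""
    p = Path(path).resolve()
    entries: List[Entry] = []
    for component in list(reversed(p.parents)) + [p]:
        st = os.stat(component)
        entries.append((str(component), st.st_mode & 0o777, st.st_uid, st.st_gid))
    return entries


def ids_for_user(name: str) -> Tuple[int, Set[int]]:
    """uid plus the full gid set (primary and supplementary) of a local user."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids


def _class_bits(mode: int, owner: int, group: int, uid: int, gids: Set[int]) -> int:
    """Select the rwx triple (owner, group or other) that applies to uid/gids."""
    if uid == 0:
        return 0o7  # root is not limited by discretionary mode bits
    if owner == uid:
        return (mode >> 6) & 0o7
    if group in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7


def access_problems(entries: List[Entry], uid: int, gids: Set[int]) -> List[str]:
    """One message per component that blocks a read; an empty list means readable."""
    problems: List[str] = []
    *dirs, (leaf, leaf_mode, leaf_uid, leaf_gid) = entries
    for path, mode, owner, group in dirs:
        if not _class_bits(mode, owner, group, uid, gids) & 0o1:
            problems.append(f"{path}: mode {mode:04o} denies search (x) to uid {uid}")
    if not _class_bits(leaf_mode, leaf_uid, leaf_gid, uid, gids) & 0o4:
        problems.append(f"{leaf}: mode {leaf_mode:04o} denies read (r) to uid {uid}")
    return problems


def check_keytab_for(user: str, keytab: str = "/var/lib/samba/bind-dns/dns.keytab") -> List[str]:
    """Live-system wrapper: which path components stop `user` reading `keytab`?"""
    uid, gids = ids_for_user(user)
    return access_problems(collect_entries(keytab), uid, gids)


if __name__ == "__main__":
    import sys

    user = sys.argv[1] if len(sys.argv) > 1 else "named"
    path = sys.argv[2] if len(sys.argv) > 2 else "/var/lib/samba/bind-dns/dns.keytab"
    for line in check_keytab_for(user, path) or [f"{path} is readable by {user}"]:
        print(line)
```

Run it on the DC as `python3 checkpath.py named` (any script name; the argument is the account BIND runs as). A non-empty report points at the component to fix; an empty one means the REFUSED in the log is not a plain file-permission problem and the keytab contents or the DLZ include itself are the next things to look at.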