[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Christian Naumer cn at brain-biotech.de
Mon Dec 4 12:17:47 UTC 2017


Is /var/lib/samba/bind-dns/ accessible by bind?


Regards


Christian






On 04.12.2017 at 11:35, Dario Lesca via samba wrote:
> I have set up on a Fedora 27 server an AD-DC Samba server + bind + dhcp.
> 
> All seems to work fine: I can join the domain, add/remove DNS records with
> samba-tool, access shared folders, use the MS Management Console on
> Win7, etc.
> 
> But when I join a new machine (a Samba winbind member server) to the domain:
> 
>     [root@server-dati ~]# net ads join DOGMA-TO -U administrator
>     Using short domain name -- DOGMA-TO
>     Joined 'SERVER-DATI' to dns domain 'dogma-to.loc'
>     DNS Update for server-dati.dogma-to.loc failed: ERROR_DNS_UPDATE_FAILED
>     DNS update failed: NT_STATUS_UNSUCCESSFUL
> 
> or run this command on the Samba AD-DC:
> 
>     [root@server-addc ~]# samba_dnsupdate  --all-names --fail-immediately
>     update failed: REFUSED
> 
> In the system log I get:
> 
>     dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: starting transaction on zone dogma-to.loc
>     dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: spnego update failed
>     dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: client @0x7fe71c49f7b0 192.168.41.1#48521/key SERVER-ADDC$@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
>     dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: cancelling transaction on zone dogma-to.loc
> 
> What kind of problem is it?
> 
> These are my config files, and SELinux is off.
> 
> ### Samba:
>     [global]
>             passdb backend = samba_dsdb
>             realm = DOGMA-TO.LOC
>             server role = active directory domain controller
>             server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>             template homedir = /home/%U
>             template shell = /bin/bash
>             workgroup = DOGMA-TO
>             rpc_server:tcpip = no
>             rpc_daemon:spoolssd = embedded
>             rpc_server:spoolss = embedded
>             rpc_server:winreg = embedded
>             rpc_server:ntsvcs = embedded
>             rpc_server:eventlog = embedded
>             rpc_server:srvsvc = embedded
>             rpc_server:svcctl = embedded
>             rpc_server:default = external
>             winbindd:use external pipes = true
>             idmap_ldb:use rfc2307 = yes
>             idmap config * : backend = tdb
>             map archive = No
>             map readonly = no
>             store dos attributes = Yes
>             vfs objects = dfs_samba4 acl_xattr
> 
>     [netlogon]
>             path = /var/lib/samba/sysvol/dogma-to.loc/scripts
>             read only = No
> 
>     [sysvol]
>             path = /var/lib/samba/sysvol
>             read only = No
> 
> 
> ### Kerberos
> 
>     [root@server-addc ~]# cat /etc/krb5.conf
>     [libdefaults]
>             default_realm = DOGMA-TO.LOC
>             dns_lookup_realm = false
>             dns_lookup_kdc = true
> 
> 
> ### Bind
> 
>     options {
>             listen-on port 53 { 127.0.0.1; 192.168.41.1; };
>             //listen-on-v6 port 53 { ::1; };
>             directory       "/var/named";
>             dump-file       "/var/named/data/cache_dump.db";
>             statistics-file "/var/named/data/named_stats.txt";
>             memstatistics-file "/var/named/data/named_mem_stats.txt";
>             allow-query     { localhost; 192.168.41.0/24; };
> 
>             /*
>              - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
>              - If you are building a RECURSIVE (caching) DNS server, you need to enable
>                recursion. 
>              - If your recursive DNS server has a public IP address, you MUST enable access
>                control to limit queries to your legitimate users. Failing to do so will
>                cause your server to become part of large scale DNS amplification
>                attacks. Implementing BCP38 within your network would greatly
>                reduce such attack surface
>             */
>             recursion yes;
> 
>             dnssec-enable yes;
>             dnssec-validation yes;
> 
>             managed-keys-directory "/var/named/dynamic";
> 
>             pid-file "/run/named/named.pid";
>             session-keyfile "/run/named/session.key";
> 
>             /*     https://fedoraproject.org/wiki/Changes/CryptoPolicy     */
>             include "/etc/crypto-policies/back-ends/bind.config";
> 
>             tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> 
>     };
> 
>     logging {
>             channel default_debug {
>                     file "data/named.run";
>                     severity dynamic;
>             };
>     };
> 
>     zone "." IN {
>             type hint;
>             file "named.ca";
>     };
> 
>     include "/etc/named.rfc1912.zones";
>     include "/etc/named.root.key";
> 
>     include "/var/lib/samba/bind-dns/named.conf";
> 
> 
> Can someone help me?
> 

-- 
Dr. Christian Naumer
Research Scientist
Platform Coordinator, Bioprocess Technology

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30  /   fax +49-6251-9331-11

Follow @BRAINbiotech on Twitter: https://twitter.com/BRAINbiotech

Registered office: Zwingenberg/Bergstrasse
Register court: Darmstadt Local Court (AG), HRB 24758
Management Board: Dr. Juergen Eck (Chairman), Frank Goebel
Chairman of the Supervisory Board: Dr. Ludger Mueller
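As an added example (not part of this thread), a small Python check in the spirit of Christian's question: walk from a base directory down to the keytab that `tkey-gssapi-keytab` points at and report the first component that BIND's service account could not traverse or read, which is what leaves named without GSS credentials and turns every GSS-TSIG update into REFUSED. The uid 25 for `named` is an assumption (Fedora's default), and the demo builds a constructed tree under a temporary directory instead of touching /var/lib/samba.

```python
import os
import tempfile

READ, EXEC = 4, 1  # bit values of r and x inside one rwx permission class

def can_access(path, uid, gids, want):
    """Pick the owner/group/other class for this identity and test `want`; uid 0 is root."""
    if uid == 0:
        return True  # CAP_DAC_OVERRIDE: root passes every mode check
    st = os.stat(path)
    if st.st_uid == uid:
        cls = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        cls = (st.st_mode >> 3) & 7
    else:
        cls = st.st_mode & 7
    return cls & want == want

def keytab_access_report(root, keytab, uid, gids):
    """Walk root -> keytab: each directory needs x, the file needs r. root itself is assumed ok."""
    rel = os.path.relpath(os.path.abspath(keytab), os.path.abspath(root))
    report, current = [], os.path.abspath(root)
    for part in rel.split(os.sep):
        current = os.path.join(current, part)
        want = READ if os.path.isfile(current) else EXEC
        report.append((current, can_access(current, uid, gids, want)))
    return report

def first_blocker(report):
    """Path of the first inaccessible component, or None if named can reach the keytab."""
    return next((path for path, ok in report if not ok), None)

def demo():
    # Constructed tree mirroring /var/lib/samba/bind-dns/dns.keytab (assumption: named uid/gid 25).
    named_uid = 25
    base = tempfile.mkdtemp()
    dns_dir = os.path.join(base, "bind-dns")
    keytab = os.path.join(dns_dir, "dns.keytab")
    os.mkdir(dns_dir, 0o700)  # reachable only by its owner, which in practice is root
    with open(keytab, "wb") as f:
        f.write(b"constructed keytab bytes")
    os.chmod(keytab, 0o600)
    broken = first_blocker(keytab_access_report(base, keytab, named_uid, {named_uid}))
    # Apply what 'chgrp named' + 'chmod 750' (dir) + 'chmod 640' (keytab) would do;
    # chgrp needs root, so membership in the tree's group is simulated via gids.
    os.chmod(dns_dir, 0o750)
    os.chmod(keytab, 0o640)
    gids = {named_uid, os.stat(dns_dir).st_gid}
    fixed = first_blocker(keytab_access_report(base, keytab, named_uid, gids))
    return broken == dns_dir, fixed is None
```

Run `demo()` to see the bind-dns directory flagged first and then cleared; on a real DC, point `keytab_access_report` at /var/lib/samba with the uid and groups of the `named` user.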


