[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed
Dario Lesca
d.lesca at solinos.it
Mon Dec 4 13:10:06 UTC 2017
On Mon, 04/12/2017 at 13.17 +0100, Christian Naumer via samba
wrote:
> Is
>
> /var/lib/samba/bind-dns/
>
> accessible by bind?
Yes, and SELinux is disabled
[root@server-addc ~]# find /var/lib/samba/bind-dns/ -ls
3149158 0 drwxrwx--- 3 root named 95 dic 4 14:03 /var/lib/samba/bind-dns/
111 0 drwxrwx--- 3 root named 38 dic 4 13:57 /var/lib/samba/bind-dns/dns
1049422 4 drwxrwx--- 2 root named 4096 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d
1049423 1256 -rw-rw---- 1 root named 1286144 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/DC%3DDOGMA-TO,DC%3DLOC.ldb
2118093 812 -rw-rw---- 2 root named 831488 dic 4 14:02 /var/lib/samba/bind-dns/dns/sam.ldb.d/metadata.tdb
2118098 4148 -rw-rw---- 2 root named 4247552 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/DC%3DDOMAINDNSZONES,DC%3DDOGMA-TO,DC%3DLOC.ldb
2118099 4148 -rw-rw---- 2 root named 4247552 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/DC%3DFORESTDNSZONES,DC%3DDOGMA-TO,DC%3DLOC.ldb
2118101 6992 -rw-rw---- 1 root named 7159808 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/CN%3DCONFIGURATION,DC%3DDOGMA-TO,DC%3DLOC.ldb
2118102 8300 -rw-rw---- 1 root named 8499200 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/CN%3DSCHEMA,CN%3DCONFIGURATION,DC%3DDOGMA-TO,DC%3DLOC.ldb
1049424 2944 -rw-rw---- 1 root named 3014656 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb
3149184 4 -rw-r--r-- 1 root root 721 dic 4 13:57 /var/lib/samba/bind-dns/named.conf
3149185 4 -rw-r--r-- 1 root root 2092 dic 4 13:57 /var/lib/samba/bind-dns/named.txt
1049430 4 -rw-r----- 2 root named 772 dic 4 13:57 /var/lib/samba/bind-dns/dns.keytab
3149744 4 -r--r--r-- 1 root root 230 dic 4 14:01 /var/lib/samba/bind-dns/named.conf.update
>
> Regards
>
>
> Christian
>
> On 04.12.2017 at 11:35, Dario Lesca via samba wrote:
> > I have set up on a Fedora 27 server a Samba AD-DC + bind + dhcp.
> >
> > All seems to work fine: I can join the domain, add/remove DNS records
> > with samba-tool, access shared folders, use the MS Management Console
> > on Win7, etc.
> >
> > But when I join a new Samba winbind member server machine to the
> > domain:
> >
> > [root@server-dati ~]# net ads join DOGMA-TO -U administrator
> > Using short domain name -- DOGMA-TO
> > Joined 'SERVER-DATI' to dns domain 'dogma-to.loc'
> > DNS Update for server-dati.dogma-to.loc failed: ERROR_DNS_UPDATE_FAILED
> > DNS update failed: NT_STATUS_UNSUCCESSFUL
> >
> > or run this command on the Samba AD-DC:
> >
> > [root@server-addc ~]# samba_dnsupdate --all-names --fail-immediately
> > update failed: REFUSED
> >
> > In the system log I get:
> >
> > dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: starting transaction on zone dogma-to.loc
> > dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: spnego update failed
> > dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: client @0x7fe71c49f7b0 192.168.41.1#48521/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
> > dic 04 10:14:52 server-addc.dogma-to.loc named[7839]: samba_dlz: cancelling transaction on zone dogma-to.loc
> >
> > What kind of problem is it?
> >
> > These are my config files, and SELinux is off
> >
> > ### Samba:
> > [global]
> > passdb backend = samba_dsdb
> > realm = DOGMA-TO.LOC
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > template homedir = /home/%U
> > template shell = /bin/bash
> > workgroup = DOGMA-TO
> > rpc_server:tcpip = no
> > rpc_daemon:spoolssd = embedded
> > rpc_server:spoolss = embedded
> > rpc_server:winreg = embedded
> > rpc_server:ntsvcs = embedded
> > rpc_server:eventlog = embedded
> > rpc_server:srvsvc = embedded
> > rpc_server:svcctl = embedded
> > rpc_server:default = external
> > winbindd:use external pipes = true
> > idmap_ldb:use rfc2307 = yes
> > idmap config * : backend = tdb
> > map archive = No
> > map readonly = no
> > store dos attributes = Yes
> > vfs objects = dfs_samba4 acl_xattr
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/dogma-to.loc/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> >
> > ### Kerberos
> >
> > [root@server-addc ~]# cat /etc/krb5.conf
> > [libdefaults]
> > default_realm = DOGMA-TO.LOC
> > dns_lookup_realm = false
> > dns_lookup_kdc = true
> >
> >
> > ### Bind
> >
> > options {
> > listen-on port 53 { 127.0.0.1; 192.168.41.1; };
> > //listen-on-v6 port 53 { ::1; };
> > directory "/var/named";
> > dump-file "/var/named/data/cache_dump.db";
> > statistics-file "/var/named/data/named_stats.txt";
> > memstatistics-file "/var/named/data/named_mem_stats.txt";
> > allow-query { localhost; 192.168.41.0/24; };
> >
> > /*
> > - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
> > - If you are building a RECURSIVE (caching) DNS server, you need to enable
> > recursion.
> > - If your recursive DNS server has a public IP address, you MUST enable access
> > control to limit queries to your legitimate users. Failing to do so will
> > cause your server to become part of large scale DNS amplification
> > attacks. Implementing BCP38 within your network would greatly
> > reduce such attack surface
> > */
> > recursion yes;
> >
> > dnssec-enable yes;
> > dnssec-validation yes;
> >
> > managed-keys-directory "/var/named/dynamic";
> >
> > pid-file "/run/named/named.pid";
> > session-keyfile "/run/named/session.key";
> >
> > /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
> > include "/etc/crypto-policies/back-ends/bind.config";
> >
> > tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
> >
> > };
> >
> > logging {
> > channel default_debug {
> > file "data/named.run";
> > severity dynamic;
> > };
> > };
> >
> > zone "." IN {
> > type hint;
> > file "named.ca";
> > };
> >
> > include "/etc/named.rfc1912.zones";
> > include "/etc/named.root.key";
> >
> > include "/var/lib/samba/bind-dns/named.conf";
> >
> >
> > Can someone help me?
> >
>
> --
> Dr. Christian Naumer
> Research Scientist
> Plattform-Koordinator Bioprozesstechnik
>
> B.R.A.I.N Aktiengesellschaft
> Darmstaedter Str. 34-36, D-64673 Zwingenberg
> e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
> fon +49-6251-9331-30 / fax +49-6251-9331-11
>
> Follow @BRAINbiotech on Twitter: https://twitter.com/BRAINbiotech
>
> Sitz der Gesellschaft: Zwingenberg/Bergstrasse
> Registergericht AG Darmstadt, HRB 24758
> Vorstand: Dr. Juergen Eck (Vorsitzender), Frank Goebel
> Aufsichtsratsvorsitzender: Dr. Ludger Mueller
>
--
Dario Lesca
(sent from my Linux Fedora 27 Workstation)
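Christian's question, whether named can actually open the files under /var/lib/samba/bind-dns, is the first thing to rule out before looking at the GSS-TSIG negotiation itself. The following is an added example, not code from this thread or from the Samba project: a small Python audit that parses a `find -ls` listing like the one Dario posted and reports every object the BIND process could not open with the access the DLZ module needs. Its assumptions are not stated in the thread: BIND runs as user `named` with primary group `named` (the Fedora default), the module needs read+write on the .ldb/.tdb databases, read on dns.keytab and the generated named.conf* files, and search (r+x) on each directory above them.

```python
"""Audit a `find -ls` listing of Samba's bind-dns directory for objects
that the BIND process cannot open.  Offline check: it reads listing text,
not the disk.

Assumptions (not from the original thread): BIND runs as user "named",
primary group "named"; the DLZ module needs r+w on *.ldb/*.tdb, r on
dns.keytab and named.conf*, and r+x on every directory in between.
"""
from collections import namedtuple

Entry = namedtuple("Entry", "mode owner group path")

# Constructed sample input: an abridged copy of the listing from the thread.
SAMPLE_LISTING = """\
3149158 0 drwxrwx--- 3 root named 95 dic 4 14:03 /var/lib/samba/bind-dns/
111 0 drwxrwx--- 3 root named 38 dic 4 13:57 /var/lib/samba/bind-dns/dns
1049422 4 drwxrwx--- 2 root named 4096 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d
2118093 812 -rw-rw---- 2 root named 831488 dic 4 14:02 /var/lib/samba/bind-dns/dns/sam.ldb.d/metadata.tdb
2118098 4148 -rw-rw---- 2 root named 4247552 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb.d/DC%3DDOMAINDNSZONES,DC%3DDOGMA-TO,DC%3DLOC.ldb
1049424 2944 -rw-rw---- 1 root named 3014656 dic 4 13:57 /var/lib/samba/bind-dns/dns/sam.ldb
3149184 4 -rw-r--r-- 1 root root 721 dic 4 13:57 /var/lib/samba/bind-dns/named.conf
1049430 4 -rw-r----- 2 root named 772 dic 4 13:57 /var/lib/samba/bind-dns/dns.keytab
3149744 4 -r--r--r-- 1 root root 230 dic 4 14:01 /var/lib/samba/bind-dns/named.conf.update
"""


def parse_find_ls(text):
    """Parse `find -ls` lines: inode blocks mode links owner group size mon day time path."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 10)      # path is the 11th field, may contain spaces
        if len(parts) != 11:
            continue                      # blank or unexpected line
        entries.append(Entry(mode=parts[2], owner=parts[4], group=parts[5], path=parts[10]))
    return entries


def required_perms(entry):
    """Access the DLZ module needs on each object (assumption, see module docstring)."""
    if entry.mode.startswith("d"):
        return "rx"                       # traverse the directory
    name = entry.path.rstrip("/").rsplit("/", 1)[-1]
    if name.endswith((".ldb", ".tdb")):
        return "rw"                       # databases are opened read-write
    return "r"                            # keytab and generated named.conf*


def effective_bits(entry, user, groups):
    """Unix access resolution: owner class if the uid matches, else group, else other."""
    # A trailing '.' or '+' (SELinux context / ACL marker) after the 10 mode
    # characters is ignored by the slicing below.
    owner, group, other = entry.mode[1:4], entry.mode[4:7], entry.mode[7:10]
    if entry.owner == user:
        bits = owner
    elif entry.group in groups:
        bits = group
    else:
        bits = other
    # setuid/setgid/sticky render as s/S/t/T in the execute column
    return bits.replace("s", "x").replace("t", "x").replace("S", "-").replace("T", "-")


def audit(text, user="named", groups=("named",)):
    """Return [(path, needed, effective)] for every object BIND cannot open as required."""
    problems = []
    for entry in parse_find_ls(text):
        need = required_perms(entry)
        have = effective_bits(entry, user, groups)
        if any(ch not in have for ch in need):
            problems.append((entry.path, need, have))
    return problems


if __name__ == "__main__":
    found = audit(SAMPLE_LISTING)
    for path, need, have in found:
        print(f"{path}: need {need}, named gets {have}")
    print("ok" if not found else "problems found")
```

Run against the listing in the thread the audit returns an empty list, which is consistent with Dario's "Yes": the mode bits on these files are not what is refusing the update. The `find -ls` mode column may carry a trailing `.` or `+` for an SELinux context or an ACL; the slicing ignores that marker, but an ACL can grant or deny beyond what the nine mode bits show, so `getfacl` is the follow-up when the marker is `+`.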