[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Dario Lesca d.lesca at solinos.it
Mon Dec 4 14:34:37 UTC 2017 

Il giorno lun, 04/12/2017 alle 12.07 +0000, Rowland Penny via samba ha
scritto:
> Is the DHCP server updating the records for you ?

Yes, but for now the problem is not dhcp (see follow)

> If so, you need to stop the windows clients trying to update their
> own records, they don't own them.

I have the problem when join to domani via samba on another server, or
when I run samba_dnsupdate  --all-name 

Now I have do this test:

I have save the machine status with a snapshot.
Then I have reload a snapshot done before deploy samba AD DC.
Then, On A fresh Fedora 27 server up to date I have
Stop selinux, restart and run this command:

+ dnf install samba-client samba-dc samba-winbind attr acl krb5-
workstation tdb-tools samba-winbind-clients python bind bind-utils
samba-dc-bind-dlz

+ test '!' -e /etc/krb5.conf.orig
+ test -e /etc/krb5.conf
+ test '!' -e /etc/samba/smb.conf.orig
+ test -e /etc/samba/smb.conf

+ samba-tool domain provision --realm=dogma-to.loc --domain=dogma-to --dns-backend=BIND9_DLZ --use-rfc2307 --server-role=dc --function-level=2008_R2 --adminpass=P at ssw0rd

Open the all port needed

cp -a /var/lib/samba/private/krb5.conf /etc/krb5.conf

Add this to the [global] of new smb.conf
 template shell = /bin/bash
 template homedir = /home/%U

Add "winbind" string to passwd, shadow and group of /etc/nsswitch.conf

Edit the /etc/named.conf and add
    listen-on port 53 { 127.0.0.1; 192.168.41.1; };
    allow-query     { localhost; 191.168.41.0/24; };
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";

and at the end 
    include "/var/lib/samba/bind-dns/named.conf";

without modify any other

Start and enable named
    systemctl enable named
    systemctl restart named

Point dns to my IP 192.168.41.1 and restart network

# Start samba
    systemctl enable samba
    systemctl restart samba.service

test some resolver ...

    host $(hostname)
    host -t SRV _ldap._tcp.$(hostname -d)

try access to server

    smbclient -L $(hostname)     -Uadministrator%P at aaw0rd

Try add a dns record ...

At this point All work fine

Then I try 

    samba_dnsupdate --verbose  --all-names --fail-immediately

And the problem persist:

    update failed: REFUSED
    Failed update with /tmp/tmpmRYs8r
    dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: samba_dlz: starting transaction on zone dogma-to.loc
    dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: client @0x7f06840c6f20 192.168.41.1#26896: update 'dogma-to.loc/IN' denied
    dic 04 15:20:21 server-addc.dogma-to.loc named[2269]: samba_dlz: cancelling transaction on zone dogma-to.loc

The problem is when the tools try execute this command:

    cat /tmp/tmpmRYs8r | nsupdate

    [    root at server-addc     ~]# cat /tmp/tmpmRYs8r
    server server-addc.dogma-to.loc
    update add server-addc.dogma-to.loc. 900 A 192.168.41.1
    show
    send

seem that nsupdate cannot update dns

I have add "debug" and remove "show" directive from this file

    [    root at server-addc     ~]# cat /tmp/tmpmRYs8r
    debug
    server server-addc.dogma-to.loc
    update add server-addc.dogma-to.loc. 900 A 192.168.41.1
    send

the rerun it:

    [    root at server-addc     ~]# cat /tmp/tmpmRYs8r|nsupdate 
    Reply from SOA query:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  16228
    ;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;server-addc.dogma-to.loc.      IN      SOA

    ;; AUTHORITY SECTION:
    dogma-to.loc.           3600    IN      SOA     server-addc.dogma-to.loc. hostmaster.dogma-to.loc. 1 900 600 86400 3600

    Found zone name: dogma-to.loc
    The master is: server-addc.dogma-to.loc
    Sending update to 192.168.41.1#53
    Outgoing update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  37799
    ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 0
    ;; UPDATE SECTION:
    server-addc.dogma-to.loc. 900   IN      A       192.168.41.1


    Reply from update query:
    ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  37799
    ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
    ;; ZONE SECTION:
    ;dogma-to.loc.                  IN      SOA

    dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: samba_dlz: starting transaction on zone dogma-to.loc
    dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: client @0x7f06840c6f20 192.168.41.1#39052: update 'dogma-to.loc/IN' denied
    dic 04 15:26:14 server-addc.dogma-to.loc named[2269]: samba_dlz: cancelling transaction on zone dogma-to.loc

Some error

Someone have some suggest?

Many thanks


-- 
Dario Lesca
(inviato dal mio Linux Fedora 27 Workstation)

More information about the samba mailing list