[Samba] Samba 4.7.2 + bind on Fedora 27: samba_dlz: spnego update failed

Dario Lesca d.lesca at solinos.it
Mon Dec 4 20:14:05 UTC 2017 

Il giorno lun, 04/12/2017 alle 18.12 +0100, Achim Gottinger via samba
ha scritto:
> > > But I cannot see the "Adding dns-DC1 account" message like howto
> > > say
> > 
> > Follow what it says in the blue box under the ldbsearch output on
> > the wiki page.
> > 
> > Rowland
> > 
> 
> On a sidenote, your server has the name server-addc so your dns
> account name is dns-server-addc which exists on your server.

Ok, thanks Achim, now I have understood

Then the DNS account exist.

Now I execute the dns backend swap, like the  blue box says, and when I
switch to BIND9_DLZ the account is recreated:

    [    root at server-addc     ~]# samba_upgradedns --dns-backend=BIND9_DLZ
    Reading domain information
    DNS accounts already exist
    No zone file /var/lib/samba/bind-dns/dns/DOGMA-TO.LOC.zone
    DNS records will be automatically created
    DNS partitions already exist
    Adding dns-server-addc account
    See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
    and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
    Finished upgrading DNS

Then restart samba and bind

    [    root at server-addc     ~]# systemctl restart named samba

But If I run the ldbsearch the account it still does not exist:

    [    root at server-addc     ~]# LDB_MODULES_PATH=/usr/lib64/samba/ldb/ ldbsearch -H /var/lib/samba/bind-dns/dns/sam.ldb 'cn=dns-server-addc' dn
    # Referral
    ref: ldap://dogma-to.loc/CN=Configuration,DC=dogma-to,DC=loc

    # Referral
    ref: ldap://dogma-to.loc/DC=DomainDnsZones,DC=dogma-to,DC=loc

    # Referral
    ref: ldap://dogma-to.loc/DC=ForestDnsZones,DC=dogma-to,DC=loc

    # returned 3 records
    # 0 entries
    # 3 referrals

and the initial problem persist

    [    root at server-addc     ~]# samba_dnsupdate --all-names --fail-immediately
    update failed: REFUSED

    dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: starting transaction on zone dogma-to.loc
    dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: Starting GENSEC mechanism spnego
    dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: Starting GENSEC submechanism gssapi_krb5
    dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: GSS server Update(krb5)(1) Update failed: Unspecified GSS failure.  Minor code may provide more information: Request is a replay
    dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: spnego update failed
    dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: client @0x7fb32d0c1320 192.168.41.1#36717/key SERVER-ADDC\$\@DOGMA-TO.LOC: updating zone 'dogma-to.loc/NONE': update failed: rejected by secure update (REFUSED)
    dic 04 21:13:10 server-addc.dogma-to.loc named[2169]: samba_dlz: cancelling transaction on zone dogma-to.loc


-- 
Dario Lesca
(inviato dal mio Linux Fedora 27 Workstation)

More information about the samba mailing list