[Samba] Samba AD DNS problem

Kristján V. Jónsson kristjan at rvx.is
Wed May 17 15:40:03 UTC 2017

Hello there.

I have a setup with Samba AD and a Named backend.
Everything had been working fine until a few days ago; now I cannot start the DNS snap-in from Windows.  I get a dialog box saying
"Access was denied. Would you like to add it anyway?"

If I enable level 3 debugging in the samba.conf, I get the following:

[2017/05/11 07:25:30.413481,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ kristjan at RVX.IS from ipv4: for DnsServerApp at RVX.IS [canonicalize, renewable, forwardable]
[2017/05/11 07:25:30.414016,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Searching referral for DnsServerApp
[2017/05/11 07:25:30.414141,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: DnsServerApp at RVX.IS: No such entry in the database
[2017/05/11 07:25:30.414215,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:
[2017/05/11 07:25:30.415231,  3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)

I googled a lot for this, particularly "DnsServerApp" and found no solution.  In desperation, using the ActiveDirectory, I added a "Computer" entry called "DnsServerApp".
This didn't resolve the issue, but changed it.  Now I get in the log:

[2017/05/11 12:23:29.195608,  3] ../lib/ldb-samba/ldb_wrap.c:325(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2017/05/11 12:23:29.199719,  1] ../source4/auth/gensec/gensec_gssapi.c:622(gensec_gssapi_update)
  GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC01$@RVX.IS(kvno 2) in keytab FILE:/usr/local/samba/private/secrets.keytab (arcfour-hmac-md5)
[2017/05/11 12:23:29.199832,  1] ../auth/gensec/spnego.c:545(gensec_spnego_parse_negTokenInit)
[2017/05/11 12:23:29.199925,  2] ../auth/gensec/spnego.c:720(gensec_spnego_server_negTokenTarg)

The DC is called dc01.rvx.is.
Curiously, even after I removed the AD "computer" entry DnsServerApp, I still get the above, second, error in the log.

I'm relatively new to both Samba and AD configuration, but having failed to find any reference to the above problems on the net, I think they may be due to some internal database corruption or other such things.  Any thoughts?

Kristján Valur Jónsson |CTA | RVX
