[Samba] after DCs migration to 4.7, two things

mj lists at merit.unu.edu
Tue Nov 7 18:16:28 UTC 2017


Hi,

I migrated our DCs from 4.5/internal dns to 4.7.1/bind9_dlz. Short 
summary of the steps taken:

- added a new temp dc,
- removed the old DCs
- cleaned sam database
- installed new DCs, with their old dns/ip
- removed the temp dc again
- synced sysvol

and all is looking well: no db errors, no replication issues, ldapcmp 
matches across DCs, etc.

So, I took things to production today, and now I see two things that I 
would like some feedback on:

Bind complains:
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: disallowing update of signer=p002507$@SAMBA.DOMAIN.COM name=P002507.samba.domain.com type=AAAA error=insufficient access rights
> Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#57335/key p002507$@SAMBA.DOMAIN.COM: updating zone 'samba.domain.com/NONE': update failed: rejected by secure update (REFUSED)
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: cancelling transaction on zone samba.domain.com
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: starting transaction on zone samba.domain.com
> Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#51536: update 'samba.domain.com/IN' denied
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: cancelling transaction on zone samba.domain.com
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: starting transaction on zone samba.domain.com
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: disallowing update of signer=p002507$@SAMBA.DOMAIN.COM name=P002507.samba.domain.com type=AAAA error=insufficient access rights
> Nov 07 18:20:28 dc4 named[19990]: client 192.168.10.12#59032/key p002507$@SAMBA.DOMAIN.COM: updating zone 'samba.domain.com/NONE': update failed: rejected by secure update (REFUSED)
> Nov 07 18:20:28 dc4 named[19990]: samba_dlz: cancelling transaction on zone samba.domain.com

Since this seems to be only about AAAA records... should I do something 
to disable ipv6 perhaps..? It happens for many of our workstations.

A second (and perhaps more serious?) issue:

On all four DCs, we're seeing in log.smbd:
> [2017/11/07 18:23:25.114429,  1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
>   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC4$@SAMBA.COMPANY.COM(kvno 1) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
> [2017/11/07 18:23:25.114456,  1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
>   SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
> [2017/11/07 18:30:02.741596,  1] ../source4/auth/gensec/gensec_gssapi.c:790(gensec_gssapi_update_internal)
>   GSS server Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Failed to find DC4$@SAMBA.COMPANY.COM(kvno 1) in keytab FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)
> [2017/11/07 18:30:02.741629,  1] ../auth/gensec/spnego.c:411(gensec_spnego_parse_negTokenInit)
>   SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE

The message is always about the local DC account, so DC4$ on dc4, DC3$ 
on dc3, DC2$ on dc2. Permissions on 
/var/lib/samba/private/secrets.keytab are 600, root:root.

I guess this is relevant:
> root@dc3:/var/log/samba# klist -ek /var/lib/samba/private/secrets.keytab
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 HOST/dc3@SAMBA.COMPANY.COM (des-cbc-crc)
>    2 HOST/dc3.SAMBA.COMPANY.COM@SAMBA.COMPANY.COM (des-cbc-crc)
>    2 DC3$@SAMBA.COMPANY.COM (des-cbc-crc)
>    2 HOST/dc3@SAMBA.COMPANY.COM (des-cbc-md5)
>    2 HOST/dc3.SAMBA.COMPANY.COM@SAMBA.COMPANY.COM (des-cbc-md5)
>    2 DC3$@SAMBA.COMPANY.COM (des-cbc-md5)
>    2 HOST/dc3@SAMBA.COMPANY.COM (arcfour-hmac)
>    2 HOST/dc3.SAMBA.COMPANY.COM@SAMBA.COMPANY.COM (arcfour-hmac)
>    2 DC3$@SAMBA.COMPANY.COM (arcfour-hmac)
>    2 HOST/dc3@SAMBA.COMPANY.COM (aes128-cts-hmac-sha1-96)
>    2 HOST/dc3.SAMBA.COMPANY.COM@SAMBA.COMPANY.COM (aes128-cts-hmac-sha1-96)
>    2 DC3$@SAMBA.COMPANY.COM (aes128-cts-hmac-sha1-96)
>    2 HOST/dc3@SAMBA.COMPANY.COM (aes256-cts-hmac-sha1-96)
>    2 HOST/dc3.SAMBA.COMPANY.COM@SAMBA.COMPANY.COM (aes256-cts-hmac-sha1-96)
>    2 DC3$@SAMBA.COMPANY.COM (aes256-cts-hmac-sha1-96)

The smb.conf on the DCs are basically as generated by the samba-tool 
domain join, with only some minor additions:

> root@dc4:/var/lib/samba/private# cat /etc/samba/smb.conf
> # Global parameters
> [global]
> 	netbios name = DC4
> 	realm = SAMBA.COMPANY.COM
> 	server role = active directory domain controller
> #	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> 	server services = -dns
> 	workgroup = WRKGRP
> 
> 	idmap_ldb:use rfc2307 = yes
> 	ldap server require strong auth = no
> 	ntlm auth = mschapv2-and-ntlmv2-only
> 	log level = 1 auth_audit:3
> 
> [netlogon]
> 	path = /var/lib/samba/sysvol/samba.company.com/scripts
> 	read only = No
> 
> [sysvol]
> 	path = /var/lib/samba/sysvol
> 	read only = No

Suggestions would be appreciated!

MJ
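A small diagnostic for the second issue, added here as an example (it is not part of MJ's post or of Samba itself): it parses a `klist -ek` listing and the smbd "Failed to find ... in keytab" line, normalises the enctype spelling (the GSSAPI error says `arcfour-hmac-md5` where klist says `arcfour-hmac`; both are etype 23), and reports whether the missing key is a missing principal, a missing enctype, or, as in the quoted logs, a kvno mismatch. The sample data is constructed from the lines quoted above.

```python
import re

# Constructed sample, adapted from the klist -ek output quoted in the post.
KLIST_OUTPUT = """\
Keytab name: FILE:/var/lib/samba/private/secrets.keytab
KVNO Principal
---- ----------------------------------------------------------------
   2 HOST/dc3@SAMBA.COMPANY.COM (des-cbc-crc)
   2 DC3$@SAMBA.COMPANY.COM (des-cbc-crc)
   2 HOST/dc3@SAMBA.COMPANY.COM (arcfour-hmac)
   2 DC3$@SAMBA.COMPANY.COM (arcfour-hmac)
   2 DC3$@SAMBA.COMPANY.COM (aes256-cts-hmac-sha1-96)
"""

# Constructed smbd log line in the same shape as the one in the post (dc3 instead of dc4).
SMBD_LINE = ("  GSS server Update(krb5)(1) Update failed:  Miscellaneous failure "
             "(see text): Failed to find DC3$@SAMBA.COMPANY.COM(kvno 1) in keytab "
             "FILE:/var/lib/samba/private/secrets.keytab (arcfour-hmac-md5)")

# klist and the GSSAPI error spell the same enctype differently (both are etype 23).
ENCTYPE_ALIASES = {"arcfour-hmac-md5": "arcfour-hmac", "rc4-hmac": "arcfour-hmac"}

KLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
ERR_RE = re.compile(r"Failed to find (\S+)\(kvno (\d+)\) in keytab (\S+) \((\S+)\)")

def parse_klist(text):
    """Return a set of (kvno, principal, enctype) tuples from `klist -ek` output."""
    entries = set()
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            entries.add((int(m.group(1)), m.group(2), m.group(3)))
    return entries

def parse_failure(line):
    """Extract principal, kvno, keytab path and (normalised) enctype from the smbd error."""
    m = ERR_RE.search(line)
    if not m:
        return None
    princ, kvno, keytab, enctype = m.groups()
    return {"principal": princ, "kvno": int(kvno), "keytab": keytab,
            "enctype": ENCTYPE_ALIASES.get(enctype, enctype)}

def diagnose(entries, failure):
    """Classify why the key the GSSAPI acceptor asked for is not in the keytab."""
    have = {(k, e) for k, p, e in entries if p == failure["principal"]}
    if not have:
        return "principal-missing", []
    kvnos = sorted({k for k, _ in have})
    if (failure["kvno"], failure["enctype"]) in have:
        return "present", kvnos
    if failure["kvno"] not in kvnos:
        return "kvno-mismatch", kvnos   # client ticket was issued under an older key version
    return "enctype-missing", kvnos
```

Run against the real `klist -ek` output and a line from log.smbd, a `kvno-mismatch` result points at clients still holding tickets encrypted with the pre-migration machine-account key rather than at keytab permissions.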


