[Samba] Samba 4.7 DC with BIND9_DLZ and MIT Kerberos fails at DNS Update

Marc Muehlfeld mmuehlfeld at samba.org
Tue Nov 7 20:04:09 UTC 2017


Hi Johannes,

On 07.11.2017 at 18:35, Johannes Engel via samba wrote:
> a month ago I filed bug #13066 about Samba 4.7 DC using BIND9_DLZ
> as DNS backend failing to run samba_dnsupdate using MIT Kerberos. The
> logs show a kerberos error "Request is a replay". Logs attached here:
> https://bugzilla.samba.org/show_bug.cgi?id=13066.
> 
> Since I have not received any feedback on the bug report, I am trying
> this channel if someone has any idea how to fix this.  Thanks a lot in
> advance.


A while ago I tested a git branch from Andreas about moving some
BIND-related files from the private to a separate directory. During
testing I discovered some DNS update problems if the system used MIT
Kerberos. He fixed everything in his branch, and updates worked.


@Andreas: Do you remember if these fixes are all in master/4.7? I can
confirm that dynamic updates fail here on F27 with self-compiled 4.7.1
and latest master (both with MIT).


# smbd -b | grep HAVE_LIBKADM5SRV_MIT
   HAVE_LIBKADM5SRV_MIT

# samba_dnsupdate --verbose --all-names
...
update failed: REFUSED
Failed nsupdate: 2
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com
DC3.samdom.example.com 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com
DC3.samdom.example.com 389 (add)
Successfully obtained Kerberos ticket to DNS/dc3.samdom.example.com as DC3$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com.
900 IN SRV	0 100 389 DC3.samdom.example.com.

update failed: REFUSED
Failed nsupdate: 2
Failed update of 29 entries



Regards,
Marc
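For anyone triaging the same symptom, here is a small added example (not Samba code, not from the bug report) that parses the samba_dnsupdate --verbose output quoted above and separates "ticket obtained but server REFUSED" cases, which point at the DNS server's GSS-TSIG/Kerberos side rather than at client credentials. The sample log is reassembled from the output in this mail with the mail line-wrapping undone; the record names and host DC3 are the ones from the mail.

```python
import re
from dataclasses import dataclass

# Constructed sample, reassembled from the samba_dnsupdate --verbose output
# quoted in the mail (mail wrapping undone); not a fresh capture from a DC.
SAMPLE_LOG = """\
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com DC3.samdom.example.com 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com DC3.samdom.example.com 389 (add)
Successfully obtained Kerberos ticket to DNS/dc3.samdom.example.com as DC3$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.example.com. 900 IN SRV 0 100 389 DC3.samdom.example.com.

update failed: REFUSED
Failed nsupdate: 2
Failed update of 29 entries
"""

CALL_RE = re.compile(r"^Calling nsupdate for (\S+) (\S+) (.*) \((\w+)\)$")
TICKET_RE = re.compile(r"^Successfully obtained Kerberos ticket to (\S+) as (\S+)$")
FAIL_RE = re.compile(r"^update failed: (\S+)$")
SUMMARY_RE = re.compile(r"^Failed update of (\d+) entries$")


@dataclass
class UpdateAttempt:
    rtype: str            # record type, e.g. SRV
    name: str             # owner name being updated
    action: str           # add / delete as printed by samba_dnsupdate
    ticket_principal: str = ""   # client principal the ticket was obtained as
    rcode: str = "NOERROR"       # DNS rcode reported for the update


def parse_dnsupdate_log(text):
    """Return (attempts, failed_total) from samba_dnsupdate --verbose output."""
    attempts, failed_total, current = [], None, None
    for line in text.splitlines():
        if m := CALL_RE.match(line):
            current = UpdateAttempt(rtype=m.group(1), name=m.group(2), action=m.group(4))
            attempts.append(current)
        elif (m := TICKET_RE.match(line)) and current:
            current.ticket_principal = m.group(2)
        elif (m := FAIL_RE.match(line)) and current:
            current.rcode = m.group(1)
        elif m := SUMMARY_RE.match(line):
            failed_total = int(m.group(1))
    return attempts, failed_total


def refused_with_valid_ticket(attempts):
    """Attempts where the client did get a ticket but the server still said
    REFUSED: the DNS server's GSS-TSIG/Kerberos handling is the place to look."""
    return [a for a in attempts if a.ticket_principal and a.rcode == "REFUSED"]
```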


