[Samba] samba_dnsupdate REFUSED between Samba4 AD DC and Win 2008r2
Giacomo Gorgellino
giacomo.gorgellino at risorsa.com
Thu Nov 29 13:36:58 UTC 2018
Il 29/11/2018 13:05, Rowland Penny via samba ha scritto:
> On Thu, 29 Nov 2018 12:30:28 +0100
> Giacomo Gorgellino via samba <samba at lists.samba.org> wrote:
>
>> ; TSIG error with server: tsig verify failure
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Failed update of 1 entries
>>
>> Any hints?
>>
> Start by reading this:
>
> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
>
> Rowland
>
Thanks for pointing that out. The TKEY seems to get received by the remote DNS.
Here are the related logs on the Windows DNS side:
29/11/2018 12:03:17 0CCC PACKET 0000000004E5AD10 TCP Rcv 10.0.16.25 ccd3 Q [0000 NOERROR] TKEY (10)2105411177(19)sig-mywindc01(7)MYDOMAIN(3)com(0)
29/11/2018 12:03:17 1378 PACKET 0000000004E5AD10 TCP Snd 10.0.16.25 ccd3 R Q [0080 NOERROR] TKEY (10)2105411177(19)sig-mywindc01(7)MYDOMAIN(3)com(0)
I didn't find the dns.keytab file:
find / -iname '*.keytab'
/var/lib/samba/private/secrets.keytab
Because I'm already using SAMBA_INTERNAL as the dns backend, I've tried to
switch to BIND9 and back again to INTERNAL.
root@mysamba4dc:~# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/private/dns/MYDOMAIN.COM.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-mysamba4dc.MYDOMAIN.com account
Unable to find group id for BIND,
set permissions to sam.ldb* files manually
BIND version unknown, please modify /var/lib/samba/private/named.conf
manually.
See /var/lib/samba/private/named.conf for an example configuration
include file for BIND
and /var/lib/samba/private/named.txt for further documentation required
for secure DNS updates
Finished upgrading DNS
You have switched to using BIND9_DLZ as your dns backend, but still have
the internal dns starting. Please make sure you add '-dns' to your
server services line in your smb.conf.
root@mysamba4dc:~# samba_upgradedns --dns-backend=SAMBA_INTERNAL
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/private/dns/MYDOMAIN.COM.zone
DNS records will be automatically created
DNS partitions already exist
Finished upgrading DNS
root@mysamba4dc:~# find / -iname '*.keytab'
/var/lib/samba/private/secrets.keytab
/var/lib/samba/private/dns.keytab
Now I can list my dns key:
root@mysamba4dc:~# klist -k /var/lib/samba/private/dns.keytab
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
   1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
   1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
   1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
   1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
   1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
   1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
   1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
   1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
And krb5.conf is world readable:
-rw-r--r-- 1 root root 101 Nov 9 11:37 /etc/krb5.conf
but samba_dnsupdate is failing again:
update failed: REFUSED
G.
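The checks below are an added example, not code from this thread or from the Samba project. They script the two things the poster verified by hand before re-running samba_dnsupdate: that the dns.keytab actually carries the DNS/<fqdn>@<REALM> service principal the GSS-TKEY negotiation authenticates with, what key version numbers (KVNOs) it holds so they can be compared with the account's msDS-KeyVersionNumber in AD, and that /etc/krb5.conf is readable by others. The klist listing is constructed to match the shape of the one above; the host name mysamba4dc.mydomain.com, the realm MYDOMAIN.COM and the keytab path are placeholders taken from the post.

```bash
#!/bin/sh
# Added example (not from the thread or Samba): offline checks on the keytab that
# samba_dnsupdate uses for GSS-TSIG. SAMPLE_KLIST is a constructed `klist -k` listing
# in the format the poster showed; host, realm and path are assumed placeholders.

SAMPLE_KLIST=$(cat <<'EOF'
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
   1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
   1 dns-mysamba4dc.MYDOMAIN.com@MYDOMAIN.COM
   1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
EOF
)

# Number of keytab entries for one principal in `klist -k` output read from stdin.
# klist prints one line per encryption type, so a healthy principal normally has
# several entries; zero means the principal is not in the keytab at all.
keytab_entry_count() {
  awk -v p="$1" '$2 == p { n++ } END { print n + 0 }'
}

# Distinct key version numbers recorded for a principal (stdin = `klist -k` output),
# space separated. Compare the result with the account's msDS-KeyVersionNumber in
# AD: a keytab that only holds an older kvno than the account cannot authenticate.
keytab_kvnos() {
  awk -v p="$1" '$2 == p { print $1 }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Exit 0 when the listing on stdin holds DNS/<fqdn>@<REALM>, 1 otherwise.
# Usage: has_dns_service_principal FQDN REALM < klist-output
has_dns_service_principal() {
  _n=$(keytab_entry_count "DNS/$1@$2")
  [ "$_n" -gt 0 ]
}

# Exit 0 when "others" can read the file (the r bit in column 8 of `ls -l`), 1
# otherwise. This is the same check the poster made on /etc/krb5.conf by hand.
is_world_readable() {
  [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# Stand-alone demo over the constructed listing. On a real DC replace the printf
# with: klist -k /var/lib/samba/private/dns.keytab
if printf '%s\n' "$SAMPLE_KLIST" | has_dns_service_principal mysamba4dc.mydomain.com MYDOMAIN.COM; then
  echo "DNS service principal present, kvno: $(printf '%s\n' "$SAMPLE_KLIST" | keytab_kvnos DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM)"
else
  echo "DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM is missing from the keytab" >&2
fi
if is_world_readable /etc/krb5.conf; then
  echo "/etc/krb5.conf is world readable"
else
  echo "/etc/krb5.conf is not readable by others (or does not exist)" >&2
fi
```

The functions take the klist text on stdin so they work equally on a saved listing and on a live `klist -k`; the kvno reported by keytab_kvnos is the value to hold against the dns-<host> account in AD when the keytab looks complete but the TKEY exchange is still refused.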