[Samba] samba_dnsupdate REFUSED between Samba4 AD DC and Win 2008r2
L.P.H. van Belle
belle at bazuin.nl
Thu Nov 29 14:03:03 UTC 2018
Your dns keytab looks strange, maybe due to manual changes..
klist -k /var/lib/samba/private/dns.keytab
Should show.
1 dns-mysamba4dc at REALM
1 DNS/mysamba4dc.mydomain.com at REALM
So check this again.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Giacomo Gorgellino via samba
> Sent: Thursday, 29 November 2018 14:37
> To: samba at lists.samba.org
> Subject: Re: [Samba] samba_dnsupdate REFUSED between Samba4
> AD DC and Win 2008r2
>
>
> On 29/11/2018 13:05, Rowland Penny via samba wrote:
> > On Thu, 29 Nov 2018 12:30:28 +0100
> > Giacomo Gorgellino via samba <samba at lists.samba.org> wrote:
> >
> >> ; TSIG error with server: tsig verify failure
> >> update failed: REFUSED
> >> Failed nsupdate: 2
> >> Failed update of 1 entries
> >>
> >> Any hints?
> >>
> > Start by reading this:
> >
> >
> > https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
> >
> > Rowland
> >
> Thanks for pointing that out. TKEY seems to get received by the remote DNS:
>
> Here are the related logs on Windows DNS side:
>
> 29/11/2018 12:03:17 0CCC PACKET 0000000004E5AD10 TCP Rcv
> 10.0.16.25 ccd3 Q [0000 NOERROR] TKEY
> (10)2105411177(19)sig-mywindc01(7)MYDOMAIN(3)com(0)
> 29/11/2018 12:03:17 1378 PACKET 0000000004E5AD10 TCP Snd
> 10.0.16.25 ccd3 R Q [0080 NOERROR] TKEY
> (10)2105411177(19)sig-mywindc01(7)MYDOMAIN(3)com(0)
>
> I didn't find the dns.keytab file:
>
> find / -iname *.keytab
> /var/lib/samba/private/secrets.keytab
>
> Because I'm already using SAMBA_INTERNAL as dns backend I've tried to
> switch to BIND9 and back again to INTERNAL.
>
> root at mysamba4dc:~# samba_upgradedns --dns-backend=BIND9_DLZ
> Reading domain information
> DNS accounts already exist
> No zone file /var/lib/samba/private/dns/MYDOMAIN.COM.zone
> DNS records will be automatically created
> DNS partitions already exist
> Adding dns-mysamba4dc.MYDOMAIN.com account
> Unable to find group id for BIND,
> set permissions to sam.ldb* files manually
> BIND version unknown, please modify /var/lib/samba/private/named.conf
> manually.
> See /var/lib/samba/private/named.conf for an example configuration
> include file for BIND
> and /var/lib/samba/private/named.txt for further
> documentation required
> for secure DNS updates
> Finished upgrading DNS
> You have switched to using BIND9_DLZ as your dns backend, but
> still have
> the internal dns starting. Please make sure you add '-dns' to your
> server services line in your smb.conf.
>
> root at mysamba4dc:~# samba_upgradedns --dns-backend=SAMBA_INTERNAL
> Reading domain information
> DNS accounts already exist
> No zone file /var/lib/samba/private/dns/MYDOMAIN.COM.zone
> DNS records will be automatically created
> DNS partitions already exist
> Finished upgrading DNS
> root at mysamba4dc:~# find / -iname *.keytab
> /var/lib/samba/private/secrets.keytab
> /var/lib/samba/private/dns.keytab
>
> Now I can list my dns key:
>
> root at mysamba4dc:~# klist -k /var/lib/samba/private/dns.keytab
> Keytab name: FILE:/var/lib/samba/private/dns.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 dns-mysamba4dc.MYDOMAIN.com at MYDOMAIN.COM
> 1 DNS/mysamba4dc.mydomain.com at MYDOMAIN.COM
> 1 dns-mysamba4dc.MYDOMAIN.com at MYDOMAIN.COM
> 1 DNS/mysamba4dc.mydomain.com at MYDOMAIN.COM
> 1 dns-mysamba4dc.MYDOMAIN.com at MYDOMAIN.COM
> 1 DNS/mysamba4dc.mydomain.com at MYDOMAIN.COM
> 1 dns-mysamba4dc.MYDOMAIN.com at MYDOMAIN.COM
> 1 DNS/mysamba4dc.mydomain.com at MYDOMAIN.COM
> 1 dns-mysamba4dc.MYDOMAIN.com at MYDOMAIN.COM
>
> And krb5.conf is world readable
>
> -rw-r--r-- 1 root root 101 Nov 9 11:37 /etc/krb5.conf
>
> but samba_dnsupdate is again failing:
>
> update failed: REFUSED
>
> G.
>
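As an added check (not part of the thread), this script compares the output of `klist -k` against the two principals Louis says the dns.keytab should contain: the `dns-<host>` account and the `DNS/<fqdn>` service principal. The host, FQDN and realm are the thread's values; the klist output below is constructed, and uses a real `@` where the list archive prints " at ". Several lines per principal are normal when more than one encryption type is stored (`klist -ke` shows which), so the script only reports counts and fails on a missing principal.

```shell
#!/bin/sh
# Sanity-check a dns.keytab listing: both expected principals must be present.
# Usage: klist -k /var/lib/samba/private/dns.keytab | check_dns_keytab HOST FQDN REALM
# Returns 0 if dns-HOST@REALM and DNS/FQDN@REALM both appear, 1 otherwise.
check_dns_keytab() {
    host=$1; fqdn=$2; realm=$3
    awk -v acct="dns-$host@$realm" -v svc="DNS/$fqdn@$realm" '
        # entry lines are "<kvno> <principal>"; the header and ruler lines are skipped
        $1 ~ /^[0-9]+$/ && NF == 2 {
            keys[$2]++
            # collect the distinct KVNOs seen for this principal
            if (index(kvnos[$2], "[" $1 "]") == 0) kvnos[$2] = kvnos[$2] "[" $1 "]"
        }
        END {
            rc = 0
            for (p in keys) print "present: " p " (" keys[p] " key(s), kvno " kvnos[p] ")"
            if (!(acct in keys)) { print "MISSING " acct; rc = 1 }
            if (!(svc in keys))  { print "MISSING " svc;  rc = 1 }
            exit rc
        }'
}

# Constructed klist -k output (not from the thread) in the shape Louis describes.
SAMPLE_OK='Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dns-mysamba4dc@MYDOMAIN.COM
   1 DNS/mysamba4dc.mydomain.com@MYDOMAIN.COM
   2 dns-mysamba4dc@MYDOMAIN.COM'

# Constructed keytab that lacks the DNS/ service principal.
SAMPLE_BAD='Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 dns-mysamba4dc@MYDOMAIN.COM'

# Stand-alone run: report on the constructed good keytab.
if [ "${0##*/}" != "sh" ] && [ -z "$CHECK_DNS_KEYTAB_NO_MAIN" ]; then
    printf '%s\n' "$SAMPLE_OK" | check_dns_keytab mysamba4dc mysamba4dc.mydomain.com MYDOMAIN.COM
fi
```

To check a live DC, pipe `klist -k /var/lib/samba/private/dns.keytab` into `check_dns_keytab` with your own host, FQDN and realm.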