[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates

L.P.H. van Belle belle at bazuin.nl
Mon Jan 14 08:17:22 UTC 2019


From the last logs, all I still see is:

Jan 12 15:01:22 dc01 sh[2402]: 1551722865.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY        gss-tsig. 0 0 3 BADKEY 0  0
Jan 12 15:01:22 dc01 sh[2402]: dns_tkey_gssnegotiate: TKEY is unacceptable 

Referring to: https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable

Are you using bind? If yes, then check again for these options in the bind global config:
    dnssec-enable no;
    auth-nxdomain yes;    
    empty-zones-enable no;
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";


And set this in the krb5.conf of the DCs.
; for Windows 2008 with AES
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
    permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

And in smb.conf change
    interfaces = lo eno1
to
    interfaces = 127.0.0.1 172.20.10.130


> AppArmor is running, with dhcpd, named and ntpd in Complain mode; in any case, no violations are being logged as DENIED
Test with AppArmor disabled. 

Lastly, what are the rights on the keytab files?


Greetz, 

Louis
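As an added example (not code from this thread, nor the Samba wiki's dhcp-dyndns.sh), the checklist above turned into POSIX shell functions an admin can run on the DC before retrying the update: one reads a named.conf-style file and reports any of the four options that is missing or has the wrong value, the other checks that dns.keytab belongs to BIND's group, is group-readable and is not world-readable. The config path, the group name (bind, Debian-style) and the reliance on the usual `ls -ld` column layout are assumptions; the keytab path is the one given in the checklist.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba wiki. Assumptions: the BIND
# config path and group are passed as arguments (defaults are Debian-style),
# and `ls -ld` prints the permission string first and the group in column 4.

KEYTAB=/var/lib/samba/private/dns.keytab   # path named in the checklist

# Print the value of one global option from a named.conf-style file
# ("option value;" on one line); empty output means the option is absent.
named_option() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$1" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Check the four options from the checklist; return 1 on any mismatch.
check_named_options() {
    conf=$1
    rc=0
    for pair in "dnssec-enable=no" \
                "auth-nxdomain=yes" \
                "empty-zones-enable=no" \
                "tkey-gssapi-keytab=\"$KEYTAB\""; do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(named_option "$conf" "$name")
        if [ "$got" != "$want" ]; then
            printf '%s: found "%s", expected %s\n' "$name" "$got" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Check that the keytab exists, belongs to the group named runs as, is
# group-readable (so named can read it) and is not world-readable (it holds
# the Kerberos key every GSS-TSIG update is signed with).
check_keytab_perms() {
    keytab=$1
    want_group=$2
    rc=0
    if [ ! -f "$keytab" ]; then
        echo "$keytab does not exist"
        return 1
    fi
    perms=$(ls -ld "$keytab" | cut -c1-10)
    group=$(ls -ld "$keytab" | awk '{print $4}')
    if [ "$(printf '%s' "$perms" | cut -c8)" = "r" ]; then
        echo "$keytab is world-readable ($perms)"
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$keytab is owned by group $group, expected $want_group"
        rc=1
    fi
    if [ "$(printf '%s' "$perms" | cut -c5)" != "r" ]; then
        echo "$keytab is not group-readable ($perms); named cannot read it"
        rc=1
    fi
    return "$rc"
}

# Run both checks. Usage: sh check-dlz.sh [named.conf] [bind-group]
main() {
    conf=${1:-/etc/bind/named.conf.options}
    group=${2:-bind}
    status=0
    check_named_options "$conf" || status=1
    check_keytab_perms "$KEYTAB" "$group" || status=1
    if [ "$status" -eq 0 ]; then
        echo "named options and keytab permissions look right"
    fi
    return "$status"
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as `sh check-dlz.sh /etc/bind/named.conf.options bind` on the DC; a non-zero exit with the printed mismatches points at which of the checklist items still needs attention before looking further at dhcpd or the script itself.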


> ----- Original message -----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Billy Bob via samba
> Sent: Sunday 13 January 2019 0:56
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] samba_dnsupdate options: 
> --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
> 
>  
> 
>     On Friday, January 11, 2019 2:21 PM, Rowland Penny via 
> samba <samba at lists.samba.org> wrote:
>   
> > > > 
> > >    On Friday, January 11, 2019 1:39 PM, Rowland Penny via samba
> > > <samba at lists.samba.org> wrote: 
> > > > There doesn't seem to be anything really wrong 
> there, the only real
> > > > difference between your named.conf and mine is that I have:
> > > > 
> > > >     dnssec-validation no;
> > > >     dnssec-enable no;
> > > >     dnssec-lookaside no;
> > > >     listen-on-v6 { none; };
> > > >     listen-on port 53 { 192.168.0.6; 127.0.0.1; };
> > > > 
> > > > as well.
> > > > 
> > > > Rowland
> > > > 
> > > Thank you. I am going back to bare metal, and we'll see 
> where it ends
> > > up. I will leave the script intact as presented in the Wiki. Are 
> you going to
> > > change it today per comment on other thread at
> > > https://lists.samba.org/archive/samba/2019-January/220369.html ?
> > > 
> > > 
> > >    
> > 
> > I have considered this. My dhcp server is working perfectly 
> after the
> > changes, but I decided (because you are having problems) 
> not to change
> > the wiki yet. I know there is nothing wrong with the present scripts
> > and I may introduce an error if I do change them now, I 
> don't think I
> > will, but it is better safe than sorry.
> 
> Rowland,
> I have completely rebuilt this, testing extensively along the 
> way. All "appeared" fine through installation of DHCP 
> (without dynamic updates), and upon introduction of the 
> update script the errors returned.
> Two additional observations, though, at this point.
> (1) As a last check, I commented out the script calls in the 
> dhcpd.conf file, and then set the network adapter on my 
> domain joined Win 10 management workstation to register its 
> own DNS. THIS FAILED, as shown in the BIND logs:
> Jan 12 17:23:01 dc01 named[1109]: samba_dlz: starting 
> transaction on zone corp.<DOMAIN>.com
> Jan 12 17:23:01 dc01 named[1109]: client @0x7f87bc028a50 
> 172.20.10.165#54313: update 'corp.<DOMAIN>.com/IN' denied
> Jan 12 17:23:01 dc01 named[1109]: samba_dlz: cancelling 
> transaction on zone corp.<DOMAIN>.com
> 
> (2) In an attempt to try to understand at least the nature of 
> the error messages I used journalctl to grep out more detailed 
> messages associated with the dhcpd process. I am including 
> that dialog at the end of this post. First, though, I am 
> wondering if you wouldn't mind looking at the isc.org bug tracker at:
> https://bugs.isc.org/Public/Bug/Display.html?id=46086
> In particular, at
> https://bugs.isc.org/Public/Bug/Display.html?id=46086#txn-496516
> you will find a dialog that is the spitting image of error 
> messages that I am getting. Whether this is the script (I 
> don't think it is), dhcpd, bind9, krb5, samba_dlz (note first 
> comment regarding failure to perform dynamic updates from the 
> domain joined machine), or something else, I am hoping that 
> your experience will point me in the direction of figuring 
> out what is going wrong.
> Although I think I have very faithfully followed the Wiki and 
> official guidance, I would be happy to find a stupid mistake 
> on my part. On the other hand, I am not finding where I have 
> made any departure.
> Here is the output of the journalctl -b | grep 2402 (omitting 
> server dhcpd startup):
> Jan 12 15:01:22 dc01 dhcpd[2402]: Commit: IP: 172.20.10.165 
> DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
> Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[0] = 
> /usr/local/bin/dhcp-dyndns.sh
> Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[1] = add
> Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[2] = 
> 172.20.10.165
> Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[3] = 
> 1:d4:be:d9:22:9f:7d
> Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[4] = mgmt01
> Jan 12 15:01:22 dc01 sh[2402]: Reply from SOA query:
> Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, 
> status: NXDOMAIN, id:  57445
> Jan 12 15:01:22 dc01 sh[2402]: ;; flags: qr aa ra; QUESTION: 
> 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: ;mgmt01.corp.<DOMAIN>.com.                IN        SOA
> Jan 12 15:01:22 dc01 sh[2402]: ;; AUTHORITY SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: corp.<DOMAIN>.com.             
>    0        IN        SOA        dc01.corp.<DOMAIN>.com. 
> hostmaster.corp.<DOMAIN>.com. 20 900 600 86400 3600
> Jan 12 15:01:22 dc01 sh[2402]: Found zone name: corp.<DOMAIN>.com
> Jan 12 15:01:22 dc01 sh[2402]: The master is: dc01.corp.<DOMAIN>.com
> Jan 12 15:01:22 dc01 sh[2402]: start_gssrequest
> Jan 12 15:01:22 dc01 sh[2402]: send_gssrequest
> Jan 12 15:01:22 dc01 sh[2402]: Outgoing update query:
> Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, 
> status: NOERROR, id:    525
> Jan 12 15:01:22 dc01 sh[2402]: ;; flags:; QUESTION: 1, 
> ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: 
> ;3835165544.sig-dc01.corp.<DOMAIN>.com. ANY        TKEY
> Jan 12 15:01:22 dc01 sh[2402]: ;; ADDITIONAL SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: 
> 3835165544.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY        
> gss-tsig. 1547326882 1547326882 3 NOERROR 1397 
> YIIFcQYGKwYBBQUCoIIFZTCCBWGgDTALBgkqhkiG9xIBAgKiggVOBIIF 
> SmCCBUYGCSqGSIb3EgECAgEAboIFNTCCBTGgAwIBBaEDAgEOogcDBQAg 
> AAAAo4IEJmGCBCIwggQeoAMCAQWhDxsNQ09SUC5XSkNJLkNPTaIkMCKg 
> AwIBAaEbMBkbA0ROUxsSZGMwMS5jb3JwLndqY2kuY29to4ID3jCCA9qg 
> AwIBF6EDAgEBooIDzASCA8iVAPBZaj8JavXuM4Ux0yRsk6zSJFmNz4dv 
> 98fvpBL3zYmNDcv9qAtwiqF1bpqNmnRapvEPxrmsfvaccY+QrbH/Cth6 
> vcAhx0NaaV3tYgiQEu8STY506RtzWubnalAEV5ZVVhloSfDjXT0TjqhT 
> RFucrAA1SoB2lhwfZmS2Ny96SPS/pDecUcQLSUR4vbN/onqELocjzVHv 
> QiPqBdiWCRl9IAMvLy+X+07FfZfT60rCguFSPQuy2lotKHwz+3G+OGBa 
> RpLh3S2Oxvw5iwBNQO3XT1maQMJRHepCNmP31v+6yQbCyo2Hgun8wcqc 
> bWUSp1SRv8j+i7vnHutEA5sB8TUsJCo3oV82uUHfrq/RMyHLzLH1KkXN 
> Mt5f3EPjjbbc4VDcXiHrIXhGRdpoR5O/2/XyEg6fN8TlBxCzU2FB29vz 
> tLku29vMCNXnLF58jciFXFjHRNC1WnswwxDsiyZ2d8QlO0Jovkl713v7 
> K0lczOxCijvSyzmxBER2q2rK2daRLsIhpcAXSFPRjyR3VxcNWLTpbxLL 
> t2JL/S6o7C0n5WRlDtXQIU2innZGF9IrLJsy8XyJsDC2zfeO3Bq7qYSN 
> miTul8JrMbeo2Fd3MfuK+UNBfAzwbDaA2Evr7KrkeVaI8eW3F+fGp04w 
> EFmgZJbz6Ah6W+BGGu6YcxqTS3FgFvb+KDPh3r76Sef0jCLR3S9aXH9X 
> pvNFMTEa707M00WFIbAW4Q72LUw/60XBEssR0BrmDXoecqWBLp0vm+S2 
> FmOPSrgWEkef/Ya+Cx2L6GFdq0Rdh9vTSH4usq47vSq+u/Cn24AChQZc 
> BO7KjzKZ4Up7Y5oiPGN8rEe03qbX3IDvuGl/PhMz0Y356Wbtv4Mwdahh 
> LndzGCq6skmcryImtI+LSQLUl8AKlBtefH8PEsXkheNuLWzOoN+AC0s7 
> mS0f+ouvd6HGwA/MaGX5YNvGoxLqHkWgLLTX1kPjN/cdvaBtm8l37JK1 
> HkIGbO/DMAnUN/tSt+W38KEJG6ST8GWcMuyoaROS7cowo0bT0EBO7fGu 
> Xgmnl10eGbmfccFGt9jEGY91m47iMjB0FehCPa/sJ/LW5UNwOozZ/8Yu 
> 7aryJyVBA7isxWpZ9UTMeA+Y+y+tNiEtpi5f05BubjydSbJ5S8+qGq5W 
> HzYXTUzs5vQZvmve0XNLj5bh2Lh38v+Yzl7RbuNNukgT4LfzSKXUMyI4 
> LJ9yTQND2geopPSxp2+LRMaFQ8YUuB8okL62m6W+l+QYiHK+UoI6eVNw 
> 1LHvVQUcjYJS5kaqBBLAsw5buKSB8TCB7qADAgEXooHmBIHje4jcNkyR 
> L3BtTFOr35zzpxfW9BM5nMEjbH5R+UtagN9ahwTy2T7A8wC3jYOsG8Lw 
> RuCKU/+IOag9LOgJ6xiDTt51TO4DuK+suSlIPbkaqcxOS8e0VBAOmeJy 
> tSydV7cII6fkZOqQiywSG0vbsF1F+Yr5O3pQtbdv4XvJ/+qGyt0n+mZA 
> EiiB0GuCtYBTZk0Hi87R+fymMCKEJv0Zfc51gNYvTYmtKRyC/HWxaBIY 
> rdj3OGZfyCcdOKACT3OItCk0BisrGXEXGhDEzqDXZEffHrsuNrjkdPmE 
> bRH24L58VcEBAfs= 0
> Jan 12 15:01:22 dc01 sh[2402]: recvmsg reply from GSS-TSIG query
> Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, 
> status: NOERROR, id:    525
> Jan 12 15:01:22 dc01 sh[2402]: ;; flags: qr ra; QUESTION: 1, 
> ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: 
> ;3835165544.sig-dc01.corp.<DOMAIN>.com. ANY        TKEY
> Jan 12 15:01:22 dc01 sh[2402]: ;; ANSWER SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: 
> 3835165544.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY        
> gss-tsig. 0 0 3 BADKEY 0  0
> Jan 12 15:01:22 dc01 sh[2402]: dns_tkey_gssnegotiate: TKEY is 
> unacceptable
> Jan 12 15:01:22 dc01 sh[2402]: Reply from SOA query:
> Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, 
> status: NXDOMAIN, id:  59301
> Jan 12 15:01:22 dc01 sh[2402]: ;; flags: qr aa ra; QUESTION: 
> 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: ;165.10.20.172.in-addr.arpa.        IN        SOA
> Jan 12 15:01:22 dc01 sh[2402]: ;; AUTHORITY SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: 10.20.172.in-addr.arpa.        
> 0        IN        SOA        dc01.corp.<DOMAIN>.com. 
> hostmaster.corp.<DOMAIN>.com. 2 900 600 86400 3600
> Jan 12 15:01:22 dc01 sh[2402]: Found zone name: 10.20.172.in-addr.arpa
> Jan 12 15:01:22 dc01 sh[2402]: The master is: dc01.corp.<DOMAIN>.com
> Jan 12 15:01:22 dc01 sh[2402]: start_gssrequest
> Jan 12 15:01:22 dc01 sh[2402]: send_gssrequest
> Jan 12 15:01:22 dc01 sh[2402]: Outgoing update query:
> Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, 
> status: NOERROR, id:  10987
> Jan 12 15:01:22 dc01 sh[2402]: ;; flags:; QUESTION: 1, 
> ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: 
> ;1551722865.sig-dc01.corp.<DOMAIN>.com. ANY        TKEY
> Jan 12 15:01:22 dc01 sh[2402]: ;; ADDITIONAL SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: 
> 1551722865.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY        
> gss-tsig. 1547326882 1547326882 3 NOERROR 1397 
> YIIFcQYGKwYBBQUCoIIFZTCCBWGgDTALBgkqhkiG9xIBAgKiggVOBIIF 
> SmCCBUYGCSqGSIb3EgECAgEAboIFNTCCBTGgAwIBBaEDAgEOogcDBQAg 
> AAAAo4IEJmGCBCIwggQeoAMCAQWhDxsNQ09SUC5XSkNJLkNPTaIkMCKg 
> AwIBAaEbMBkbA0ROUxsSZGMwMS5jb3JwLndqY2kuY29to4ID3jCCA9qg 
> AwIBF6EDAgEBooIDzASCA8iVAPBZaj8JavXuM4Ux0yRsk6zSJFmNz4dv 
> 98fvpBL3zYmNDcv9qAtwiqF1bpqNmnRapvEPxrmsfvaccY+QrbH/Cth6 
> vcAhx0NaaV3tYgiQEu8STY506RtzWubnalAEV5ZVVhloSfDjXT0TjqhT 
> RFucrAA1SoB2lhwfZmS2Ny96SPS/pDecUcQLSUR4vbN/onqELocjzVHv 
> QiPqBdiWCRl9IAMvLy+X+07FfZfT60rCguFSPQuy2lotKHwz+3G+OGBa 
> RpLh3S2Oxvw5iwBNQO3XT1maQMJRHepCNmP31v+6yQbCyo2Hgun8wcqc 
> bWUSp1SRv8j+i7vnHutEA5sB8TUsJCo3oV82uUHfrq/RMyHLzLH1KkXN 
> Mt5f3EPjjbbc4VDcXiHrIXhGRdpoR5O/2/XyEg6fN8TlBxCzU2FB29vz 
> tLku29vMCNXnLF58jciFXFjHRNC1WnswwxDsiyZ2d8QlO0Jovkl713v7 
> K0lczOxCijvSyzmxBER2q2rK2daRLsIhpcAXSFPRjyR3VxcNWLTpbxLL 
> t2JL/S6o7C0n5WRlDtXQIU2innZGF9IrLJsy8XyJsDC2zfeO3Bq7qYSN 
> miTul8JrMbeo2Fd3MfuK+UNBfAzwbDaA2Evr7KrkeVaI8eW3F+fGp04w 
> EFmgZJbz6Ah6W+BGGu6YcxqTS3FgFvb+KDPh3r76Sef0jCLR3S9aXH9X 
> pvNFMTEa707M00WFIbAW4Q72LUw/60XBEssR0BrmDXoecqWBLp0vm+S2 
> FmOPSrgWEkef/Ya+Cx2L6GFdq0Rdh9vTSH4usq47vSq+u/Cn24AChQZc 
> BO7KjzKZ4Up7Y5oiPGN8rEe03qbX3IDvuGl/PhMz0Y356Wbtv4Mwdahh 
> LndzGCq6skmcryImtI+LSQLUl8AKlBtefH8PEsXkheNuLWzOoN+AC0s7 
> mS0f+ouvd6HGwA/MaGX5YNvGoxLqHkWgLLTX1kPjN/cdvaBtm8l37JK1 
> HkIGbO/DMAnUN/tSt+W38KEJG6ST8GWcMuyoaROS7cowo0bT0EBO7fGu 
> Xgmnl10eGbmfccFGt9jEGY91m47iMjB0FehCPa/sJ/LW5UNwOozZ/8Yu 
> 7aryJyVBA7isxWpZ9UTMeA+Y+y+tNiEtpi5f05BubjydSbJ5S8+qGq5W 
> HzYXTUzs5vQZvmve0XNLj5bh2Lh38v+Yzl7RbuNNukgT4LfzSKXUMyI4 
> LJ9yTQND2geopPSxp2+LRMaFQ8YUuB8okL62m6W+l+QYiHK+UoI6eVNw 
> 1LHvVQUcjYJS5kaqBBLAsw5buKSB8TCB7qADAgEXooHmBIHj8A+H/HqI 
> uJGQ1BkC2aHoH2Z8wK5kko2Z03RMxyxdfV0NeXI4aOmNRk4R6A/9oguR 
> 2k7/rkz7RuJhgHXaZuPZ3qiz3lSHQMBY3QYGJxcDPNvCeIldBChe+Krj 
> zV96NBNWnl/V9Cax85a1nvktOk9zffA7TpncQq06bvVWn2NnZxkKkxcv 
> ZdNrRha8MrszSHtObY/PPjb7wEOSPAM5C27QOrXsyZr2BopPtWAXiuRV 
> g6oHW+5kwNhB4ZRq3ccQxj8jEnZ8jX4t6Px4avee/GeyIGVXhQKwCYFQ 
> fJ94W9DktWCMQ2w= 0
> Jan 12 15:01:22 dc01 sh[2402]: recvmsg reply from GSS-TSIG query
> Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, 
> status: NOERROR, id:  10987
> Jan 12 15:01:22 dc01 sh[2402]: ;; flags: qr ra; QUESTION: 1, 
> ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: 
> ;1551722865.sig-dc01.corp.<DOMAIN>.com. ANY        TKEY
> Jan 12 15:01:22 dc01 sh[2402]: ;; ANSWER SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: 
> 1551722865.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY        
> gss-tsig. 0 0 3 BADKEY 0  0
> Jan 12 15:01:22 dc01 sh[2402]: dns_tkey_gssnegotiate: TKEY is 
> unacceptable
> Jan 12 15:01:22 dc01 dhcpd[2402]: execute: 
> /usr/local/bin/dhcp-dyndns.sh exit status 2816
> Jan 12 15:01:22 dc01 dhcpd[2402]: reuse_lease: lease age 3321 
> (secs) under 25% threshold, reply with unaltered, existing 
> lease for 172.20.10.165
> Jan 12 15:01:22 dc01 dhcpd[2402]: DHCPREQUEST for 
> 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1
> Jan 12 15:01:22 dc01 dhcpd[2402]: DHCPACK on 172.20.10.165 to 
> d4:be:d9:22:9f:7d (mgmt01) via eno1
> 
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 