[Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
L.P.H. van Belle
belle at bazuin.nl
Mon Jan 14 08:17:22 UTC 2019
From the last logs, all I still see is:
Jan 12 15:01:22 dc01 sh[2402]: 1551722865.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
Jan 12 15:01:22 dc01 sh[2402]: dns_tkey_gssnegotiate: TKEY is unacceptable
Referring to: https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
Are you using bind? If yes, then check again for these options in the bind global config.
dnssec-enable no;
auth-nxdomain yes;
empty-zones-enable no;
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
And set this in the krb5.conf of the DCs.
; for Windows 2008 with AES
default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
And change in smb.conf
interfaces = lo eno1
To
interfaces = 127.0.0.1 172.20.10.130
> AppArmor is running, with dhcpd, named and ntpd in Complain mode; in any case, no violations are being logged as DENIED
Test with AppArmor disabled.
Last, what are the rights on the keytab files?
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Billy Bob via samba
> Sent: Sunday, January 13, 2019 0:56
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] samba_dnsupdate options: --use-samba-tool vs. --use-nsupdate, and dhcpd dynamic updates
>
>
>
> On Friday, January 11, 2019 2:21 PM, Rowland Penny via
> samba <samba at lists.samba.org> wrote:
>
> > > >
> > > On Friday, January 11, 2019 1:39 PM, Rowland Penny via samba
> > > <samba at lists.samba.org> wrote:
> > > > There doesn't seem to be anything really wrong there, the only real difference between your named.conf and mine is that I have:
> > > >
> > > > dnssec-validation no;
> > > > dnssec-enable no;
> > > > dnssec-lookaside no;
> > > > listen-on-v6 { none; };
> > > > listen-on port 53 { 192.168.0.6; 127.0.0.1; };
> > > >
> > > > as well.
> > > >
> > > > Rowland
> > > >
> > > Thank you. I am going back to bare metal, and we'll see where it ends up. I will leave the script intact as presented in the Wiki. Are you going to change it today per the comment on the other thread at
> > > https://lists.samba.org/archive/samba/2019-January/220369.html ?
> > >
> > >
> > >
> >
> > I have considered this. My dhcp server is working perfectly after the changes, but I decided (because you are having problems) not to change the wiki yet. I know there is nothing wrong with the present scripts and I may introduce an error if I do change them now, I don't think I will, but it is better safe than sorry.
>
> Rowland,
> I have completely rebuilt this, testing extensively along the way. All "appeared" fine through installation of DHCP (without dynamic updates), and upon introduction of the update script the errors returned.
> Two additional observations, though, at this point.
> (1) As a last check, I commented out the script calls in the dhcpd.conf file, and then set the network adapter on my domain-joined Win 10 management workstation to register its own DNS. THIS FAILED, as shown in the BIND logs:
> Jan 12 17:23:01 dc01 named[1109]: samba_dlz: starting transaction on zone corp.<DOMAIN>.com
> Jan 12 17:23:01 dc01 named[1109]: client @0x7f87bc028a50 172.20.10.165#54313: update 'corp.<DOMAIN>.com/IN' denied
> Jan 12 17:23:01 dc01 named[1109]: samba_dlz: cancelling transaction on zone corp.<DOMAIN>.com
>
> (2) In an attempt to try to understand at least the nature of the error messages I used journalctl to grep out more detailed messages associated with the dhcpd process. I am including that dialog at the end of this post. First, though, I am wondering if you wouldn't mind looking at the isc.org bug tracker at:
> https://bugs.isc.org/Public/Bug/Display.html?id=46086
> In particular, at
> https://bugs.isc.org/Public/Bug/Display.html?id=46086#txn-496516
> you will find a dialog that is the spitting image of error messages that I am getting. Whether this is the script (I don't think it is), dhcpd, bind9, krb5, samba_dlz (note first comment regarding failure to perform dynamic updates from the domain-joined machine), or something else, I am hoping that your experience will point me in the direction of figuring out what is going wrong.
> Although I think I have very faithfully followed the Wiki and official guidance, I would be happy to find a stupid mistake on my part. On the other hand, I am not finding where I have made any departure.
> Here is the output of the journalctl -b | grep 2402 (omitting server dhcpd startup):
> Jan 12 15:01:22 dc01 dhcpd[2402]: Commit: IP: 172.20.10.165 DHCID: 1:d4:be:d9:22:9f:7d Name: mgmt01
> Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
> Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[1] = add
> Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[2] = 172.20.10.165
> Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[3] = 1:d4:be:d9:22:9f:7d
> Jan 12 15:01:22 dc01 dhcpd[2402]: execute_statement argv[4] = mgmt01
> Jan 12 15:01:22 dc01 sh[2402]: Reply from SOA query:
> Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57445
> Jan 12 15:01:22 dc01 sh[2402]: ;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: ;mgmt01.corp.<DOMAIN>.com. IN SOA
> Jan 12 15:01:22 dc01 sh[2402]: ;; AUTHORITY SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: corp.<DOMAIN>.com. 0 IN SOA dc01.corp.<DOMAIN>.com. hostmaster.corp.<DOMAIN>.com. 20 900 600 86400 3600
> Jan 12 15:01:22 dc01 sh[2402]: Found zone name: corp.<DOMAIN>.com
> Jan 12 15:01:22 dc01 sh[2402]: The master is: dc01.corp.<DOMAIN>.com
> Jan 12 15:01:22 dc01 sh[2402]: start_gssrequest
> Jan 12 15:01:22 dc01 sh[2402]: send_gssrequest
> Jan 12 15:01:22 dc01 sh[2402]: Outgoing update query:
> Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 525
> Jan 12 15:01:22 dc01 sh[2402]: ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: ;3835165544.sig-dc01.corp.<DOMAIN>.com. ANY TKEY
> Jan 12 15:01:22 dc01 sh[2402]: ;; ADDITIONAL SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: 3835165544.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY gss-tsig. 1547326882 1547326882 3 NOERROR 1397
> YIIFcQYGKwYBBQUCoIIFZTCCBWGgDTALBgkqhkiG9xIBAgKiggVOBIIF
> SmCCBUYGCSqGSIb3EgECAgEAboIFNTCCBTGgAwIBBaEDAgEOogcDBQAg
> AAAAo4IEJmGCBCIwggQeoAMCAQWhDxsNQ09SUC5XSkNJLkNPTaIkMCKg
> AwIBAaEbMBkbA0ROUxsSZGMwMS5jb3JwLndqY2kuY29to4ID3jCCA9qg
> AwIBF6EDAgEBooIDzASCA8iVAPBZaj8JavXuM4Ux0yRsk6zSJFmNz4dv
> 98fvpBL3zYmNDcv9qAtwiqF1bpqNmnRapvEPxrmsfvaccY+QrbH/Cth6
> vcAhx0NaaV3tYgiQEu8STY506RtzWubnalAEV5ZVVhloSfDjXT0TjqhT
> RFucrAA1SoB2lhwfZmS2Ny96SPS/pDecUcQLSUR4vbN/onqELocjzVHv
> QiPqBdiWCRl9IAMvLy+X+07FfZfT60rCguFSPQuy2lotKHwz+3G+OGBa
> RpLh3S2Oxvw5iwBNQO3XT1maQMJRHepCNmP31v+6yQbCyo2Hgun8wcqc
> bWUSp1SRv8j+i7vnHutEA5sB8TUsJCo3oV82uUHfrq/RMyHLzLH1KkXN
> Mt5f3EPjjbbc4VDcXiHrIXhGRdpoR5O/2/XyEg6fN8TlBxCzU2FB29vz
> tLku29vMCNXnLF58jciFXFjHRNC1WnswwxDsiyZ2d8QlO0Jovkl713v7
> K0lczOxCijvSyzmxBER2q2rK2daRLsIhpcAXSFPRjyR3VxcNWLTpbxLL
> t2JL/S6o7C0n5WRlDtXQIU2innZGF9IrLJsy8XyJsDC2zfeO3Bq7qYSN
> miTul8JrMbeo2Fd3MfuK+UNBfAzwbDaA2Evr7KrkeVaI8eW3F+fGp04w
> EFmgZJbz6Ah6W+BGGu6YcxqTS3FgFvb+KDPh3r76Sef0jCLR3S9aXH9X
> pvNFMTEa707M00WFIbAW4Q72LUw/60XBEssR0BrmDXoecqWBLp0vm+S2
> FmOPSrgWEkef/Ya+Cx2L6GFdq0Rdh9vTSH4usq47vSq+u/Cn24AChQZc
> BO7KjzKZ4Up7Y5oiPGN8rEe03qbX3IDvuGl/PhMz0Y356Wbtv4Mwdahh
> LndzGCq6skmcryImtI+LSQLUl8AKlBtefH8PEsXkheNuLWzOoN+AC0s7
> mS0f+ouvd6HGwA/MaGX5YNvGoxLqHkWgLLTX1kPjN/cdvaBtm8l37JK1
> HkIGbO/DMAnUN/tSt+W38KEJG6ST8GWcMuyoaROS7cowo0bT0EBO7fGu
> Xgmnl10eGbmfccFGt9jEGY91m47iMjB0FehCPa/sJ/LW5UNwOozZ/8Yu
> 7aryJyVBA7isxWpZ9UTMeA+Y+y+tNiEtpi5f05BubjydSbJ5S8+qGq5W
> HzYXTUzs5vQZvmve0XNLj5bh2Lh38v+Yzl7RbuNNukgT4LfzSKXUMyI4
> LJ9yTQND2geopPSxp2+LRMaFQ8YUuB8okL62m6W+l+QYiHK+UoI6eVNw
> 1LHvVQUcjYJS5kaqBBLAsw5buKSB8TCB7qADAgEXooHmBIHje4jcNkyR
> L3BtTFOr35zzpxfW9BM5nMEjbH5R+UtagN9ahwTy2T7A8wC3jYOsG8Lw
> RuCKU/+IOag9LOgJ6xiDTt51TO4DuK+suSlIPbkaqcxOS8e0VBAOmeJy
> tSydV7cII6fkZOqQiywSG0vbsF1F+Yr5O3pQtbdv4XvJ/+qGyt0n+mZA
> EiiB0GuCtYBTZk0Hi87R+fymMCKEJv0Zfc51gNYvTYmtKRyC/HWxaBIY
> rdj3OGZfyCcdOKACT3OItCk0BisrGXEXGhDEzqDXZEffHrsuNrjkdPmE
> bRH24L58VcEBAfs= 0
> Jan 12 15:01:22 dc01 sh[2402]: recvmsg reply from GSS-TSIG query
> Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 525
> Jan 12 15:01:22 dc01 sh[2402]: ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: ;3835165544.sig-dc01.corp.<DOMAIN>.com. ANY TKEY
> Jan 12 15:01:22 dc01 sh[2402]: ;; ANSWER SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: 3835165544.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
> Jan 12 15:01:22 dc01 sh[2402]: dns_tkey_gssnegotiate: TKEY is unacceptable
> Jan 12 15:01:22 dc01 sh[2402]: Reply from SOA query:
> Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59301
> Jan 12 15:01:22 dc01 sh[2402]: ;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: ;165.10.20.172.in-addr.arpa. IN SOA
> Jan 12 15:01:22 dc01 sh[2402]: ;; AUTHORITY SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: 10.20.172.in-addr.arpa. 0 IN SOA dc01.corp.<DOMAIN>.com. hostmaster.corp.<DOMAIN>.com. 2 900 600 86400 3600
> Jan 12 15:01:22 dc01 sh[2402]: Found zone name: 10.20.172.in-addr.arpa
> Jan 12 15:01:22 dc01 sh[2402]: The master is: dc01.corp.<DOMAIN>.com
> Jan 12 15:01:22 dc01 sh[2402]: start_gssrequest
> Jan 12 15:01:22 dc01 sh[2402]: send_gssrequest
> Jan 12 15:01:22 dc01 sh[2402]: Outgoing update query:
> Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10987
> Jan 12 15:01:22 dc01 sh[2402]: ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: ;1551722865.sig-dc01.corp.<DOMAIN>.com. ANY TKEY
> Jan 12 15:01:22 dc01 sh[2402]: ;; ADDITIONAL SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: 1551722865.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY gss-tsig. 1547326882 1547326882 3 NOERROR 1397
> YIIFcQYGKwYBBQUCoIIFZTCCBWGgDTALBgkqhkiG9xIBAgKiggVOBIIF
> SmCCBUYGCSqGSIb3EgECAgEAboIFNTCCBTGgAwIBBaEDAgEOogcDBQAg
> AAAAo4IEJmGCBCIwggQeoAMCAQWhDxsNQ09SUC5XSkNJLkNPTaIkMCKg
> AwIBAaEbMBkbA0ROUxsSZGMwMS5jb3JwLndqY2kuY29to4ID3jCCA9qg
> AwIBF6EDAgEBooIDzASCA8iVAPBZaj8JavXuM4Ux0yRsk6zSJFmNz4dv
> 98fvpBL3zYmNDcv9qAtwiqF1bpqNmnRapvEPxrmsfvaccY+QrbH/Cth6
> vcAhx0NaaV3tYgiQEu8STY506RtzWubnalAEV5ZVVhloSfDjXT0TjqhT
> RFucrAA1SoB2lhwfZmS2Ny96SPS/pDecUcQLSUR4vbN/onqELocjzVHv
> QiPqBdiWCRl9IAMvLy+X+07FfZfT60rCguFSPQuy2lotKHwz+3G+OGBa
> RpLh3S2Oxvw5iwBNQO3XT1maQMJRHepCNmP31v+6yQbCyo2Hgun8wcqc
> bWUSp1SRv8j+i7vnHutEA5sB8TUsJCo3oV82uUHfrq/RMyHLzLH1KkXN
> Mt5f3EPjjbbc4VDcXiHrIXhGRdpoR5O/2/XyEg6fN8TlBxCzU2FB29vz
> tLku29vMCNXnLF58jciFXFjHRNC1WnswwxDsiyZ2d8QlO0Jovkl713v7
> K0lczOxCijvSyzmxBER2q2rK2daRLsIhpcAXSFPRjyR3VxcNWLTpbxLL
> t2JL/S6o7C0n5WRlDtXQIU2innZGF9IrLJsy8XyJsDC2zfeO3Bq7qYSN
> miTul8JrMbeo2Fd3MfuK+UNBfAzwbDaA2Evr7KrkeVaI8eW3F+fGp04w
> EFmgZJbz6Ah6W+BGGu6YcxqTS3FgFvb+KDPh3r76Sef0jCLR3S9aXH9X
> pvNFMTEa707M00WFIbAW4Q72LUw/60XBEssR0BrmDXoecqWBLp0vm+S2
> FmOPSrgWEkef/Ya+Cx2L6GFdq0Rdh9vTSH4usq47vSq+u/Cn24AChQZc
> BO7KjzKZ4Up7Y5oiPGN8rEe03qbX3IDvuGl/PhMz0Y356Wbtv4Mwdahh
> LndzGCq6skmcryImtI+LSQLUl8AKlBtefH8PEsXkheNuLWzOoN+AC0s7
> mS0f+ouvd6HGwA/MaGX5YNvGoxLqHkWgLLTX1kPjN/cdvaBtm8l37JK1
> HkIGbO/DMAnUN/tSt+W38KEJG6ST8GWcMuyoaROS7cowo0bT0EBO7fGu
> Xgmnl10eGbmfccFGt9jEGY91m47iMjB0FehCPa/sJ/LW5UNwOozZ/8Yu
> 7aryJyVBA7isxWpZ9UTMeA+Y+y+tNiEtpi5f05BubjydSbJ5S8+qGq5W
> HzYXTUzs5vQZvmve0XNLj5bh2Lh38v+Yzl7RbuNNukgT4LfzSKXUMyI4
> LJ9yTQND2geopPSxp2+LRMaFQ8YUuB8okL62m6W+l+QYiHK+UoI6eVNw
> 1LHvVQUcjYJS5kaqBBLAsw5buKSB8TCB7qADAgEXooHmBIHj8A+H/HqI
> uJGQ1BkC2aHoH2Z8wK5kko2Z03RMxyxdfV0NeXI4aOmNRk4R6A/9oguR
> 2k7/rkz7RuJhgHXaZuPZ3qiz3lSHQMBY3QYGJxcDPNvCeIldBChe+Krj
> zV96NBNWnl/V9Cax85a1nvktOk9zffA7TpncQq06bvVWn2NnZxkKkxcv
> ZdNrRha8MrszSHtObY/PPjb7wEOSPAM5C27QOrXsyZr2BopPtWAXiuRV
> g6oHW+5kwNhB4ZRq3ccQxj8jEnZ8jX4t6Px4avee/GeyIGVXhQKwCYFQ
> fJ94W9DktWCMQ2w= 0
> Jan 12 15:01:22 dc01 sh[2402]: recvmsg reply from GSS-TSIG query
> Jan 12 15:01:22 dc01 sh[2402]: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10987
> Jan 12 15:01:22 dc01 sh[2402]: ;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
> Jan 12 15:01:22 dc01 sh[2402]: ;; QUESTION SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: ;1551722865.sig-dc01.corp.<DOMAIN>.com. ANY TKEY
> Jan 12 15:01:22 dc01 sh[2402]: ;; ANSWER SECTION:
> Jan 12 15:01:22 dc01 sh[2402]: 1551722865.sig-dc01.corp.<DOMAIN>.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
> Jan 12 15:01:22 dc01 sh[2402]: dns_tkey_gssnegotiate: TKEY is unacceptable
> Jan 12 15:01:22 dc01 dhcpd[2402]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 2816
> Jan 12 15:01:22 dc01 dhcpd[2402]: reuse_lease: lease age 3321 (secs) under 25% threshold, reply with unaltered, existing lease for 172.20.10.165
> Jan 12 15:01:22 dc01 dhcpd[2402]: DHCPREQUEST for 172.20.10.165 from d4:be:d9:22:9f:7d (mgmt01) via eno1
> Jan 12 15:01:22 dc01 dhcpd[2402]: DHCPACK on 172.20.10.165 to d4:be:d9:22:9f:7d (mgmt01) via eno1
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
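Two checks that Louis's reply and the journald trace above call for, written up as an added example: this is not the Samba wiki dhcp-dyndns.sh and not code posted by anyone in the thread. tkey_result reads nsupdate -d (or journald) output and prints the TKEY error field the server returned in its ANSWER section (BADKEY in the trace above, RFC 2930 error 17), so the verdict is not confused with the NOERROR that the client's own outgoing TKEY record carries in the ADDITIONAL section. keytab_check reports whether a keytab is readable by the account dhcpd runs the script as, and warns when the file is world-readable. KEYTAB, DHCP_USER and the sample log are assumptions or constructed for the demonstration, not values from the thread.

```shell
#!/bin/sh
# Added diagnostic helper for the "dns_tkey_gssnegotiate: TKEY is unacceptable"
# failure. Example code, not the Samba wiki dhcp-dyndns.sh and not code from
# this thread. KEYTAB, DHCP_USER and SAMPLE_LOG are assumptions / constructed.

KEYTAB=${KEYTAB:-/etc/dhcpduser.keytab}   # assumed path of the dhcpd user's keytab
DHCP_USER=${DHCP_USER:-dhcpd}             # assumed account dhcpd runs the script as

# Constructed sample, shaped like the journald lines in the thread. The client's
# own TKEY record (NOERROR plus its GSS token) sits in the ADDITIONAL section of
# the outgoing query; the server's verdict sits in the ANSWER section of the reply.
SAMPLE_LOG='Jan 12 15:01:22 dc01 sh[2402]: ;; ADDITIONAL SECTION:
Jan 12 15:01:22 dc01 sh[2402]: 3835165544.sig-dc01.corp.example.com. 0 ANY TKEY gss-tsig. 1547326882 1547326882 3 NOERROR 1397 YIIFcQYG...= 0
Jan 12 15:01:22 dc01 sh[2402]: recvmsg reply from GSS-TSIG query
Jan 12 15:01:22 dc01 sh[2402]: ;; ANSWER SECTION:
Jan 12 15:01:22 dc01 sh[2402]: 3835165544.sig-dc01.corp.example.com. 0 ANY TKEY gss-tsig. 0 0 3 BADKEY 0 0
Jan 12 15:01:22 dc01 sh[2402]: dns_tkey_gssnegotiate: TKEY is unacceptable'

# tkey_result: read nsupdate -d / journald output on stdin and print the TKEY
# error field of the last server ANSWER (NOERROR, BADKEY, BADNAME, ...), or
# NONE if no TKEY answer was seen. TKEY RDATA as dig/nsupdate print it:
#   gss-tsig. <inception> <expiration> <mode> <error> <keysize> <key> <othersize>
tkey_result() {
    awk '
        /;; ANSWER SECTION:/                          { sect = "answer" }
        /;; (QUESTION|AUTHORITY|ADDITIONAL) SECTION:/ { sect = "" }
        sect == "answer" {
            for (i = 1; i <= NF; i++)
                if ($i == "gss-tsig." && i + 4 <= NF) r = $(i + 4)
        }
        END { print (r == "" ? "NONE" : r) }
    '
}

# keytab_check FILE USER: returns 0 if USER can read FILE by its mode bits
# (owner class, else group class, else other, as the kernel evaluates them;
# root bypasses them), 1 if not, 2 if FILE is missing. Warns when the keytab
# is world-readable, since any local account could then copy the principal's key.
keytab_check() {
    kc_file=$1; kc_user=$2
    [ -e "$kc_file" ] || { echo "keytab missing: $kc_file" >&2; return 2; }
    set -- $(ls -ld "$kc_file")            # -rw------- 1 owner group ...
    kc_perms=$1; kc_owner=$3; kc_group=$4
    case $kc_perms in
        ???????r*) echo "WARNING: $kc_file is world-readable ($kc_perms)" >&2 ;;
    esac
    [ "$kc_user" = root ] && return 0
    if [ "$kc_owner" = "$kc_user" ]; then
        case $kc_perms in ?r*) return 0 ;; esac
    elif id -Gn "$kc_user" 2>/dev/null | tr ' ' '\n' | grep -qx "$kc_group"; then
        case $kc_perms in ????r*) return 0 ;; esac
    else
        case $kc_perms in ???????r*) return 0 ;; esac
    fi
    echo "$kc_user cannot read $kc_file ($kc_perms $kc_owner:$kc_group)" >&2
    return 1
}

# Offline demonstration on the constructed sample (prints BADKEY):
echo "TKEY verdict in sample log: $(printf '%s\n' "$SAMPLE_LOG" | tkey_result)"

# Live use on the DC (nsupdate -d writes its trace to stderr):
#   nsupdate -g -d < update.txt 2>&1 | tkey_result
#   journalctl -b _PID=<dhcpd pid> | tkey_result
if [ -e "$KEYTAB" ]; then
    if keytab_check "$KEYTAB" "$DHCP_USER"; then
        echo "$DHCP_USER can read $KEYTAB"
    fi
fi
```

Run it on the DC with KEYTAB and DHCP_USER set to the real values; a BADKEY verdict from tkey_result means the server refused the GSS token itself, which is where the keytab and enctype checks in the reply above apply, while an update 'denied' in the named log (as in observation (1)) is a later, authorization-stage failure.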