[Samba] Reverse DNS

L.P.H. van Belle belle at bazuin.nl
Wed Jun 19 06:40:56 UTC 2019


Hai, 

Jun 19 02:47:19 server5-ad named[3166]: samba_dlz: spnego update failed
Jun 19 02:47:19 server5-ad named[3166]: client @0x7f1c64008380 192.168.14.187#59581/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': update failed: rejected by secure update (REFUSED)

This part tells me your dns setup is not correct. 
These 2: 
samba_dlz: spnego update failed	< DLZ failed. 
client @0x7f1c64008380 .... 		< normal attempt. 
update failed: rejected by secure update (REFUSED)  

This looks like a wrong setup in bind. 
From bind.conf.options. 


        // https://wiki.samba.org/index.php/Dns-backend_bind
        // DNS dynamic updates via Kerberos (optional, but recommended)
        //tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";		< samba 4.9 before upgrading the dns location.
        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";		< samba 4.9+ after upgrading the dns location.
        // Note, I manually moved the dns.keytab file and checked the path. 

};
// you might be missing this one also, yes, its really needed.
include "/etc/bind/rndc.key";
    controls {
     inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
};


The DHCP server (Ubuntu 16.04) is different to the AD server and not in the same AD domain
That's fine as long as the user and SPNs that are needed for updating exist. 

Good to see you're on Ubuntu. 
Can you run this for me on the DCs? 
https://raw.githubusercontent.com/thctlo/samba4/master/samba-collect-debug-info.sh 
And post the output.
And for the dhcp server, post the dhcp config. 

And review the dhcp setup with this link. 
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9


It's better to set these to No. 
Your setup will still work but now a bit faster ;-) 
>         winbind enum users = yes
>         winbind enum groups = yes


Greetz, 

Louis
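The three log lines Louis singles out (the DLZ "spnego update failed", the signed client attempt, and the "rejected by secure update (REFUSED)" result) can be read off mechanically. The script below is an added example for this thread, not code from the Samba project or from either poster: it parses named/samba_dlz syslog lines like the ones quoted, counts per client how each dynamic-update attempt ended, and prints the same findings Louis draws by eye, including the fact that no in-addr.arpa zone ever shows up in the update log. The sample log is constructed from the lines in the original post; the pattern names and the `diagnose()` wording are this example's own.

```python
"""Classify BIND9/samba_dlz dynamic-update log lines (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample, shortened from the syslog quoted in the original post.
SAMPLE_LOG = r"""
Jun 19 02:47:19 server5-ad named[3166]: samba_dlz: spnego update failed
Jun 19 02:47:19 server5-ad named[3166]: client @0x7f1c64008380 192.168.14.187#59581/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': update failed: rejected by secure update (REFUSED)
Jun 19 02:47:22 server5-ad named[3166]: client @0x7f1c64008380 192.168.14.187#50012: update 'LIN.group/IN' denied
Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: allowing update of signer=site01-WIN7-01\$\@LIN.GROUP name=site01-WIN7-01.LIN.group tcpaddr=192.168.14.187 type=A key=336-ms-7.1-6486.54f98f94-923d-11e9-7380-6e00fbaf891e/160/0
Jun 19 02:52:54 server5-ad named[3221]: client @0x7fda290b99c0 192.168.14.187#52268/key site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': adding an RR at 'site01-WIN7-01.LIN.group' A 192.168.14.187
"""

# Common syslog prefix: "Mon DD HH:MM:SS host named[pid]: "
TIMESTAMP = r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ named\[\d+\]: "

# Event kinds, in the order they are tried (names are this example's own).
PATTERNS = {
    "spnego_failed": re.compile(TIMESTAMP + r"samba_dlz: spnego update failed"),
    "secure_refused": re.compile(
        TIMESTAMP + r"client @\S+ (?P<ip>[\d.]+)#\d+/key (?P<signer>\S+): "
        r"updating zone '(?P<zone>[^']+)': update failed: "
        r"rejected by secure update \((?P<rcode>\w+)\)"),
    "unsigned_denied": re.compile(
        TIMESTAMP + r"client @\S+ (?P<ip>[\d.]+)#\d+: update '(?P<zone>[^']+)' denied"),
    "allowed": re.compile(
        TIMESTAMP + r"samba_dlz: allowing update of signer=(?P<signer>\S+) "
        r"name=(?P<name>\S+) tcpaddr=(?P<ip>\S+) type=(?P<rtype>\S+)"),
    "rr_change": re.compile(
        TIMESTAMP + r"client @\S+ (?P<ip>[\d.]+)#\d+/key (?P<signer>\S+): "
        r"updating zone '(?P<zone>[^']+)': "
        r"(?P<action>adding an RR at|deleting rrset at) '(?P<name>[^']+)'"),
}


def parse_line(line):
    """Return {"kind": ..., captured fields...} for a recognised line, else None."""
    for kind, pattern in PATTERNS.items():
        m = pattern.match(line)
        if m:
            event = {"kind": kind}
            event.update(m.groupdict())
            return event
    return None


def parse_log(text):
    """Parse every recognised line of a syslog excerpt, skipping the rest."""
    return [e for e in (parse_line(l.strip()) for l in text.splitlines()) if e]


def summarize(events):
    """Per-client counts of how each dynamic-update attempt ended."""
    per_client = defaultdict(Counter)
    for e in events:
        if "ip" in e:
            per_client[e["ip"]][e["kind"]] += 1
    return {ip: dict(c) for ip, c in per_client.items()}


def diagnose(events):
    """Turn the events into the findings a reader would draw from the log."""
    kinds = Counter(e["kind"] for e in events)
    findings = []
    if kinds["spnego_failed"] and kinds["secure_refused"]:
        findings.append(
            "Kerberos-signed (GSS-TSIG) updates were refused right after "
            "'spnego update failed': named could not use the DLZ keytab. Check that "
            "tkey-gssapi-keytab in named.conf.options points at the dns.keytab for "
            "this Samba version and that named can read it.")
    if kinds["unsigned_denied"]:
        findings.append(
            "An unsigned update attempt was denied for the zone; only the signed path "
            "can succeed here, so the keytab finding above is the one to fix first.")
    if kinds["allowed"] and not kinds["secure_refused"]:
        findings.append("Signed updates were accepted; forward-zone updates are working.")
    zones = {e["zone"].split("/")[0].lower() for e in events if "zone" in e}
    if zones and not any(z.endswith("in-addr.arpa") for z in zones):
        findings.append(
            "No in-addr.arpa zone appears in the update log: the client never "
            "submitted a PTR update, which matches the reverse-zone symptom reported.")
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, counts in summarize(evs).items():
        print(ip, counts)
    for finding in diagnose(evs):
        print("-", finding)
```

To use it on a real DC, feed `journalctl -u bind9` or the syslog file to `parse_log()`; each client IP gets its own counter, so a single misconfigured host stands out from the rest of the fleet.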


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Praveen Ghimire via samba
> Sent: Wednesday, June 19, 2019 5:22
> To: samba at lists.samba.org
> Subject: [Samba] Reverse DNS
> 
> Hi,
> 
> We have some issue with the reverse DNS in Samba AD. We're 
> running Bind9_DLZ on Ubuntu 18.04. The DHCP server(Ubuntu 
> 16.04)  is different to the AD server and not in the same AD 
> domain. The DHCP scope points to the Samba AD server as the DNS server
> 
> When a machine with DHCP assigned address tries to update the 
> DNS record, it is able to update the forward zone but not the 
> reverse zone. The only time it updates both the forward and 
> the reverse is if the machine is setup with a static IP.
> 
> The global bit of the smb.conf
> [global]
>         workgroup = LIN
>         realm = LIN.GROUP
>         netbios name = server5
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         log file = /var/log/samba/log.%m
>         log level = 4
>         winbind nss info = rfc2307
>         winbind enum users = yes
>         winbind enum groups = yes
>         acl allow execute always = True
>         server services = -dns
> allow dns updates = nonsecure
>         unix extensions = No
> 
> The following syslog is with the allow dns updates = nonsecure
> 
> root at server5-ad:/var/log# tail -f syslog
> Jun 19 02:47:19 server5-ad named[3166]: samba_dlz: spnego 
> update failed
> Jun 19 02:47:19 server5-ad named[3166]: client 
> @0x7f1c64008380 192.168.14.187#59581/key 
> site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': 
> update failed: rejected by secure update (REFUSED)
> Jun 19 02:47:19 server5-ad named[3166]: samba_dlz: cancelling 
> transaction on zone LIN.group
> Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: starting 
> transaction on zone LIN.group
> Jun 19 02:47:22 server5-ad named[3166]: client 
> @0x7f1c64008380 192.168.14.187#50012: update 'LIN.group/IN' denied
> Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: cancelling 
> transaction on zone LIN.group
> Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: starting 
> transaction on zone LIN.group
> Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: spnego 
> update failed
> Jun 19 02:47:22 server5-ad named[3166]: client 
> @0x7f1c64008380 192.168.14.187#52845/key 
> site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': 
> update failed: rejected by secure update (REFUSED)
> Jun 19 02:47:22 server5-ad named[3166]: samba_dlz: cancelling 
> transaction on zone LIN.group
> Jun 19 02:47:44 server5-ad samba[3132]:   dnsserver: Invalid 
> zone operation IsSigneddnsserver: Invalid zone operation 
> IsSignedTerminating connection - 'dcesrv: 
> NT_STATUS_CONNECTION_DISCONNECTED'
> 
> The following syslog is with the allow dns updates = secure
> 
> Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: allowing 
> update of signer=site01-WIN7-01\$\@LIN.GROUP 
> name=site01-WIN7-01.LIN.group tcpaddr=192.168.14.187 type=A 
> key=336-ms-7.1-6486.54f98f94-923d-11e9-7380-6e00fbaf891e/160/0
> Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: allowing 
> update of signer=site01-WIN7-01\$\@LIN.GROUP 
> name=site01-WIN7-01.LIN.group tcpaddr=192.168.14.187 type=A 
> key=336-ms-7.1-6486.54f98f94-923d-11e9-7380-6e00fbaf891e/160/0
> Jun 19 02:52:54 server5-ad named[3221]: client 
> @0x7fda290b99c0 192.168.14.187#52268/key 
> site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': 
> deleting rrset at 'site01-WIN7-01.LIN.group' AAAA
> Jun 19 02:52:54 server5-ad named[3221]: client 
> @0x7fda290b99c0 192.168.14.187#52268/key 
> site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': 
> deleting rrset at 'site01-WIN7-01.LIN.group' A
> Jun 19 02:52:54 server5-ad named[3221]: client 
> @0x7fda290b99c0 192.168.14.187#52268/key 
> site01-WIN7-01\$\@LIN.GROUP: updating zone 'LIN.group/NONE': 
> adding an RR at 'site01-WIN7-01.LIN.group' A 192.168.14.187
> Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: added 
> rdataset site01-WIN7-01.LIN.group 
> 'site01-WIN7-01.LIN.group.#0111200#011IN#011A#011192.168.14.187'
> Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: subtracted 
> rdataset LIN.group 
> 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. 
> hostmaster.LIN.group. 12474 900 600 86400 3600'
> Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: added 
> rdataset LIN.group 
> 'LIN.group.#0113600#011IN#011SOA#011server5.LIN.group. 
> hostmaster.LIN.group. 12475 900 600 86400 3600'
> Jun 19 02:52:54 server5-ad named[3221]: samba_dlz: committed 
> transaction on zone LIN.group
> Jun 19 02:52:56 server5-ad samba[3240]:   dnsserver: Invalid 
> zone operation IsSignedldb_wrap open of secrets.ldb
> Jun 19 02:53:27 server5-ad samba[3240]: [2019/06/19 
> 02:53:27.656391,  0] 
> ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsser
> ver_query_zone)
> 
> The following syslog is with the allow dns updates = 
> nonsecure  but with a static IP
> samba_dlz: added rdataset 14.168.192.in-addr.arpa 
> '14.168.192.in-addr.arpa.#0113600#011IN#011SOA#011server5.LIN.
> group. hostmaster.LIN.group.
> 
> 
> The bind files
> root at server5-ad:/etc/bind# cat named.conf
> // This is the primary configuration file for the BIND DNS 
> server named.
> //
> // Please read /usr/share/doc/bind9/README.Debian.gz for 
> information on the
> // structure of BIND configuration files in Debian, *BEFORE* 
> you customize
> // this configuration file.
> //
> // If you are just adding zones, please do that in 
> /etc/bind/named.conf.local
> 
> include "/etc/bind/named.conf.options";
> include "/etc/bind/named.conf.local";
> include "/etc/bind/named.conf.default-zones";
> include "/var/lib/samba/private/named.conf";
> 
> root at server5-ad:/etc/bind# cat named.conf.options
> options {
>         directory "/var/cache/bind";
> 
>         // If there is a firewall between you and nameservers you want
>         // to talk to, you may need to fix the firewall to 
> allow multiple
>         // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
> 
>         // If your ISP provided one or more IP addresses for stable
>        // nameservers, you probably want to use them as forwarders.
>         // Uncomment the following block, and insert the 
> addresses replacing
>         // the all-0's placeholder.
> 
>         // forwarders {
>         //      0.0.0.0;
>         // };
> 
>         
> //============================================================
> ============
>         // If BIND logs error messages about the root key 
> being expired,
>         // you will need to update your keys.  See 
> https://www.isc.org/bind-keys
>         
> //============================================================
> ============
>         dnssec-validation auto;
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>         auth-nxdomain no;    # conform to RFC1035
>         listen-on-v6 { any; };
> };
> 
> The named.conf is /var/lib/samba/private
> 
> dlz "AD DNS Zone" {
>     # For BIND 9.8.x
>     # database "dlopen 
> /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";
> 
>     # For BIND 9.9.x
>     # database "dlopen 
> /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";
> 
>     # For BIND 9.10.x
>     # database "dlopen 
> /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";
> 
>     # For BIND 9.11.x
>      database "dlopen 
> /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
> };
> 
> 
> root at server5-ad:/var/lib/samba/private# klist -kte 
> /var/lib/samba/private/dns.keytab
> Keytab name: FILE:/var/lib/samba/private/dns.keytab
> KVNO Timestamp         Principal
> ---- ----------------- 
> --------------------------------------------------------
>    1 06/14/19 04:37:19 DNS/server5.LIN.group at LIN.GROUP (des-cbc-crc)
>    1 06/14/19 04:37:19 dns-server5 at LIN.GROUP (des-cbc-crc)
>    1 06/14/19 04:37:19 DNS/server5.LIN.group at LIN.GROUP (des-cbc-md5)
>    1 06/14/19 04:37:19 dns-server5 at LIN.GROUP (des-cbc-md5)
>    1 06/14/19 04:37:19 DNS/server5.LIN.group at LIN.GROUP (arcfour-hmac)
>    1 06/14/19 04:37:19 dns-server5 at LIN.GROUP (arcfour-hmac)
>    1 06/14/19 04:37:19 DNS/server5.LIN.group at LIN.GROUP 
> (aes128-cts-hmac-sha1-96)
>    1 06/14/19 04:37:19 dns-server5 at LIN.GROUP (aes128-cts-hmac-sha1-96)
>    1 06/14/19 04:37:19 DNS/server5.LIN.group at LIN.GROUP 
> (aes256-cts-hmac-sha1-96)
>    1 06/14/19 04:37:19 dns-server5 at LIN.GROUP (aes256-cts-hmac-sha1-96)
> 
> 
> 
> 
> root at server5-ad:/var/log# service --status-all
> [ - ]  apparmor
> [ + ]  bind9
> [ - ]  console-setup.sh
> [ + ]  cron
> [ + ]  dbus
> [ - ]  hwclock.sh
> [ - ]  irqbalance
> [ - ]  keyboard-setup.sh
> [ - ]  kmod
> [ - ]  nmbd
> [ + ]  ntp
> [ - ]  plymouth
> [ - ]  plymouth-log
> [ + ]  postfix
> [ + ]  procps
> [ - ]  rsync
> [ + ]  rsyslog
> [ + ]  samba-ad-dc
> [ - ]  smbd
> [ + ]  ssh
> [ - ]  udev
> [ + ]  ufw
> [ - ]  urandom
> [ - ]  uuidd
> [ - ]  winbind
> [ - ]  x11-common
> 
> 
> 
> 
> 
> Regards,
> Praveen Ghimire
> 
> 
> 



