[Samba] SPNEGO cannot find mechanisms to negotiate

Matthias Kühne | Ellerhold AG matthias.kuehne at ellerhold.de
Thu Oct 27 06:43:54 UTC 2022 

Hello,

we've found the problem right after posting to the mailing list.

Weve added some apparmor rules in complain mode to secure samba. 
aa-logprof did not print out anything.

samba_dnsupdate executes python and nsupdate. I've added the "rUx" so 
that it can execute them unconfined. And I thought in complain mode: 
nothing actually gets blocked - just reported!

The difference between rUx and rux is the scrubbing the env before the 
execution. Changing the rules to "rux" made the samba_dnsupdate work 
again. So that part of my question is gone.

As we always say in our department "It is ALWAYS apparmor" after a long 
debugging session ;-)

Thanks and best regards, Matthias Kühne.

Am 27.10.22 um 08:05 schrieb Matthias Kühne | Ellerhold AG via samba:
> Hello Samba people,
>
> we've recently upgraded our debian bullseye AD-DCs from 4.15 (louis
> repo) to 4.16 (backports). We're using the BIND_DLZ with Bind 9.16.33.
> Somehow the samba_dnsupdate broke. We're running
> "/usr/sbin/samba_dnsupdate --all-names" every hour (is this even
> recommended?). In pre 4.16 this works correctly.
>
> Now this error is printed:
>
> "tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
> Minor code may provide more information, Minor = SPNEGO cannot find
> mechanisms to negotiate." (28 times to be exact).
>
> Just calling samba_dnsupdate without --all-names doesnt print anything.
> Using --all-names and --use-samba-tool leads to this error message:
>
> "ERROR: Record already exists; record could not be added.
> zone[ad.ellerhold.lan] name[rad-2]" (28 times to be exact).
>
> Does this mean everything is already correct and hes still trying to add
> new records?
>
> Is it necessary to call the samba_dnsupdate with --all-names hourly?
> I've read somewhere to do this to fix some weird problems. Or any other
> combination of the switches (--all-names and --use-samba-tool)
> samba_dnsupdate?
>
> Any advice would be much appreciated.
>
> Have a nice day, Matthias Kühne.
>
-- 
Matthias Kühne
Senior Webentwickler
Datenschutzbeauftragter

Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul

Telefon: +49 (0) 351 83933-61
Telefax: +49 (0) 351 83933-99

Web     www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe

Amtsgericht Dresden / HRB 23769
Vorstand: Stephan Ellerhold, Maximilian Ellerhold
Vorsitzender des Aufsichtsrates: Frank Ellerhold



---Diese E-Mail und Ihre Anlagen enthalten vertrauliche Mitteilungen. Sollten Sie nicht der beabsichtigte Adressat sein, so bitten wir Sie um Mitteilung und um sofortiges löschen dieser E-Mail und der Anlagen.

Unsere Hinweise zum Datenschutz finden Sie hier: http://www.ellerhold.de/datenschutz/

This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments.

You can find our privacy policy here: http://www.ellerhold.de/datenschutz/

More information about the samba mailing list