[Samba] SPNEGO cannot find mechanisms to negotiate
Matthias Kühne | Ellerhold AG
matthias.kuehne at ellerhold.de
Thu Oct 27 06:43:54 UTC 2022
Hello,

we've found the problem right after posting to the mailing list.

We've added some apparmor rules in complain mode to secure samba.
aa-logprof did not print out anything.

samba_dnsupdate executes python and nsupdate. I've added the "rUx" so
that it can execute them unconfined. And I thought in complain mode:
nothing actually gets blocked - just reported!

The difference between rUx and rux is the scrubbing of the env before the
execution. Changing the rules to "rux" made the samba_dnsupdate work
again. So that part of my question is gone.

As we always say in our department "It is ALWAYS apparmor" after a long
debugging session ;-)

Thanks and best regards, Matthias Kühne.

On 27.10.22 at 08:05, Matthias Kühne | Ellerhold AG via samba wrote:
> Hello Samba people,
>
> we've recently upgraded our Debian bullseye AD-DCs from 4.15 (louis
> repo) to 4.16 (backports). We're using the BIND_DLZ with Bind 9.16.33.
> Somehow the samba_dnsupdate broke. We're running
> "/usr/sbin/samba_dnsupdate --all-names" every hour (is this even
> recommended?). In pre 4.16 this works correctly.
>
> Now this error is printed:
>
> "tkey query failed: GSSAPI error: Major = Unspecified GSS failure.
> Minor code may provide more information, Minor = SPNEGO cannot find
> mechanisms to negotiate." (28 times to be exact).
>
> Just calling samba_dnsupdate without --all-names doesn't print anything.
> Using --all-names and --use-samba-tool leads to this error message:
>
> "ERROR: Record already exists; record could not be added.
> zone[ad.ellerhold.lan] name[rad-2]" (28 times to be exact).
>
> Does this mean everything is already correct and he's still trying to add
> new records?
>
> Is it necessary to call the samba_dnsupdate with --all-names hourly?
> I've read somewhere to do this to fix some weird problems. Or any other
> combination of the switches (--all-names and --use-samba-tool)
> samba_dnsupdate?
>
> Any advice would be much appreciated.
>
> Have a nice day, Matthias Kühne.
>
--
Matthias Kühne
Senior Web Developer
Data Protection Officer
Ellerhold Aktiengesellschaft
Friedrich-List-Str. 4
01445 Radebeul
Phone: +49 (0) 351 83933-61
Fax: +49 (0) 351 83933-99
Web www.ellerhold.de
Twitter www.twitter.com/Ellerhold_AG
Youtube www.youtube.com/user/ellerholdgruppe
Amtsgericht Dresden / HRB 23769
Executive Board: Stephan Ellerhold, Maximilian Ellerhold
Chairman of the Supervisory Board: Frank Ellerhold
This e-mail and its attachments are privileged and confidential. If you are not the intended recipient, please notify us and immediately delete this e-mail and its attachments.
You can find our privacy policy here: http://www.ellerhold.de/datenschutz/
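
The rUx/rux distinction discussed in the message above, as an added example that is not part of the original post and not Samba or AppArmor code: a small Python check that lists the exec rules in a profile and reports, per apparmor.d(5), whether each one runs the child unconfined and whether its environment is scrubbed (uppercase P/C/U). The profile text, its paths and the function names are constructed for illustration, and only path-first rules without quoting or prefixes are handled.

```python
import re

# Path-first file rules only, e.g. "/usr/bin/nsupdate rux," (assumption:
# no quoted paths, no "perms path" ordering, no owner/audit prefixes).
RULE_RE = re.compile(r"^\s*(/\S+)\s+([A-Za-z]+)\s*(?:->\s*\S+\s*)?,")
# Exec qualifiers from apparmor.d(5); longer forms are listed first.
EXEC_RE = re.compile(r"(pux|cux|pix|cix|px|cx|ux|ix)", re.IGNORECASE)

# Constructed sample profile; paths are assumptions, not from the post.
SAMPLE_PROFILE = """
/usr/sbin/samba_dnsupdate flags=(complain) {
  /etc/samba/smb.conf r,
  /usr/bin/python3* rUx,   # unconfined, scrubbed environment
  /usr/bin/nsupdate rux,   # unconfined, environment kept
  /usr/bin/samba-tool rPx,
}
"""

def audit_exec_rules(profile_text):
    """Return (path, mode, unconfined, scrubbed) for every exec rule."""
    findings = []
    for line in profile_text.splitlines():
        line = line.split("#", 1)[0]           # drop comments
        rule = RULE_RE.match(line)
        if not rule:
            continue
        mode = EXEC_RE.search(rule.group(2))
        if not mode:
            continue                           # plain r/w rule, no exec
        mode = mode.group(1)
        unconfined = "u" in mode.lower()
        # Uppercase P/C/U requests secure execution, under which glibc
        # removes variables such as LD_PRELOAD from the child's environment.
        scrubbed = mode[0] in "PCU"
        findings.append((rule.group(1), mode, unconfined, scrubbed))
    return findings

def describe(finding):
    """One review line per exec rule."""
    path, mode, unconfined, scrubbed = finding
    target = "unconfined" if unconfined else "confined"
    env = "scrubbed environment" if scrubbed else "caller's full environment"
    return f"{path} [{mode}]: runs {target} with {env}"

if __name__ == "__main__":
    for finding in audit_exec_rules(SAMPLE_PROFILE):
        print(describe(finding))
```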