
FreeBSD 11.0, samba45, DLZ, BIND9.11.2, no auto DNS update



The following has been driving me crazy.

I have an 11.0-RELEASE-p12, samba45 from pkg, BIND-9.11.2_2 from ports with GSSAPI_BASE, DLZ_FILESYSTEM and no PYTHON support, and the following config files (relevant bits only):

BIND is running outside chroot!

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

[libdefaults]
        default_realm = SAMDOM.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
        ticket_lifetime = 48h
        renew_lifetime = 7d
        forwardable = true
#        default_keytab_name = FILE:/var/db/samba4/private/dns.keytab

[realms]
        SAMDOM.EXAMPLE.COM = {
                kdc = samdom.example.com
                admin_server = samdom.example.com
        }

[domain_realm]
        .samdom.example.com = SAMDOM.EXAMPLE.COM
        samdom.example.com = SAMDOM.EXAMPLE.COM
        tkey-gssapi-keytab "/etc/krb5.keytab";
        tkey-domain "SAMDOM.EXAMPLE.COM";

dlz "AD DNS Zone" {
        database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_11.so -d 3";
/etc/krb5.keytab is a copy of /var/db/samba4/private/dns.keytab and has perm 640 and root:bind ownership.

        netbios name = SAMBA
        realm = SAMDOM.EXAMPLE.COM
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = MYWRKGRP
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        nsupdate command = /usr/local/bin/samba_dnsupdate -g
        interfaces = 192.168.x.1
        bind interfaces only = yes
        ea support = yes
        domain master = yes
        preferred master = yes

        tkey-gssapi-credential "DNS/samdom.example.com@SAMDOM.EXAMPLE.COM";
        tkey-domain "SAMDOM.EXAMPLE.COM";
[root@samba.xxx 1:40am] /usr/ports/dns/bind911/>klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@SAMDOM.EXAMPLE.COM

  Issued                Expires               Principal
Nov  4 01:02:54 2017  Nov  4 11:02:54 2017  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
Now, the problem:
Samba will not update BIND when I join a new PC to the domain, and all I get is this:
04-Nov-2017 01:10:39.220 client @0x29104000 using view '_default'
04-Nov-2017 01:10:39.220 client @0x29104000 request has valid signature: administrator\@SAMDOM.EXAMPLE.COM
04-Nov-2017 01:10:39.220 client @0x29104000 administrator\@SAMDOM.EXAMPLE.COM: recursion available
04-Nov-2017 01:10:39.220 client @0x29104000 administrator\@SAMDOM.EXAMPLE.COM: update
04-Nov-2017 01:10:39.220 samba_dlz: starting transaction on zone samdom.example.com
04-Nov-2017 01:10:39.229 samba_dlz: GSS server Update(krb5)(1) Update failed:  An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
04-Nov-2017 01:10:39.229 samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
04-Nov-2017 01:10:39.229 samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
04-Nov-2017 01:10:39.230 samba_dlz: spnego update failed
04-Nov-2017 01:10:39.230 client @0x29104000 administrator\@SAMDOM.EXAMPLE.COM: updating zone 'samdom.example.com/NONE': update failed: rejected by secure update (REFUSED)
04-Nov-2017 01:10:39.230 samba_dlz: cancelling transaction on zone samdom.example.com
I was only able to find the same issue on FreeBSD and not any Linux distro. Is this something specific to samba and the OS or am I missing something?

The following work perfectly fine, and so do the shares and net join:
smbclient -L \\samdom.example.com -U userX
smbclient //samdom.example.com/netlogon -Uadministrator
The only issue is the auto (or lack thereof) DNS creation.
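To triage this class of refusal from the named log, here is an added example (not code from the original post) that correlates the client and samba_dlz lines into one record per refused secure update and decodes the GSS mechanism OID that BIND prints as space-separated arcs; the log text embedded in it is constructed from the excerpt above.

```python
import re

# Constructed sample, modelled on the named log excerpt in the post (not a real capture).
SAMPLE_LOG = r"""
04-Nov-2017 01:10:39.220 client @0x29104000 request has valid signature: administrator\@SAMDOM.EXAMPLE.COM
04-Nov-2017 01:10:39.220 client @0x29104000 administrator\@SAMDOM.EXAMPLE.COM: update
04-Nov-2017 01:10:39.229 samba_dlz: GSS server Update(krb5)(1) Update failed:  An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
04-Nov-2017 01:10:39.230 client @0x29104000 administrator\@SAMDOM.EXAMPLE.COM: updating zone 'samdom.example.com/NONE': update failed: rejected by secure update (REFUSED)
04-Nov-2017 01:10:39.230 samba_dlz: cancelling transaction on zone samdom.example.com
"""

# GSS mechanism OIDs (dotted form) mapped to the names a defender expects to see.
KNOWN_MECHS = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS KRB5 (legacy Microsoft Kerberos OID)",
    "1.3.6.1.5.5.2": "SPNEGO",
}

SIG_RE = re.compile(r"client (@0x[0-9a-f]+) request has valid signature: (\S+)")
MECH_RE = re.compile(r"Update failed:\s+(.*?): unknown mech-code (\d+) for mech ((?:\d+ )+\d+)")
REFUSED_RE = re.compile(r"client (@0x[0-9a-f]+) (\S+): updating zone '([^/']+)/\S*': update failed: (.*)")

def parse_update_failures(text):
    """Return one dict per refused update: signer, zone, status and the GSS mech
    samba_dlz rejected (attached to the next REFUSED line, as DLZ logs no handle)."""
    signer = {}          # client handle -> TSIG signing principal
    pending_mech = None  # last samba_dlz mech failure not yet tied to a refusal
    failures = []
    for line in text.splitlines():
        m = SIG_RE.search(line)
        if m:
            signer[m.group(1)] = m.group(2).replace("\\@", "@")
            continue
        m = MECH_RE.search(line)
        if m:
            oid = ".".join(m.group(3).split())  # "1 2 840 ..." -> "1.2.840...."
            pending_mech = {"reason": m.group(1), "mech_code": int(m.group(2)),
                            "mech_oid": oid, "mech_name": KNOWN_MECHS.get(oid, "unknown")}
            continue
        m = REFUSED_RE.search(line)
        if m:
            rec = {"client": m.group(1), "zone": m.group(3), "status": m.group(4),
                   "principal": signer.get(m.group(1), m.group(2).replace("\\@", "@"))}
            rec.update(pending_mech or {})
            failures.append(rec)
            pending_mech = None
    return failures
```

For the excerpt above it reports the Kerberos V5 mechanism (1.2.840.113554.1.2.2) as the one samba_dlz rejected, after named had already validated the TSIG signature.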