FreeBSD 11.0, samba45, DLZ, BIND9.11.2, no auto DNS update

da1

The following has been driving me crazy.

I have an 11.0-RELEASE-p12 box, samba45 from pkg, BIND-9.11.2_2 from ports with GSSAPI_BASE, DLZ_FILESYSTEM and no PYTHON support, and the following config files (relevant bits only):

BIND is running outside chroot!

/etc/krb5.conf
Code:
[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

[libdefaults]
        default_realm = SAMDOM.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
        ticket_lifetime = 48h
        renew_lifetime = 7d
        forwardable = true
#        default_keytab_name = FILE:/var/db/samba4/private/dns.keytab

[realms]
        SAMDOM.EXAMPLE.COM = {
        kdc = samdom.example.com
        admin_server = samdom.example.com
}

[domain_realm]
        .samdom.example.com = SAMDOM.EXAMPLE.COM
        samdom.example.com = SAMDOM.EXAMPLE.COM
/var/named/etc/named.conf
Code:
tkey-gssapi-keytab "/etc/krb5.keytab";
        tkey-domain "SAMDOM.EXAMPLE.COM";

dlz "AD DNS Zone" {
        database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_11.so -d 3";
};
/etc/krb5.keytab is a copy of /var/db/samba4/private/dns.keytab and has perm 640 and root:bind ownership.

/usr/local/etc/smb4.conf
Code:
[global]
        netbios name = SAMBA
        realm = SAMDOM.EXAMPLE.COM
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = MYWRKGRP
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        nsupdate command = /usr/local/bin/samba_dnsupdate -g
        interfaces = 192.168.x.1
        bind interfaces only = yes
        ea support = yes
        domain master = yes
        preferred master = yes

        tkey-gssapi-credential "DNS/samdom.example.com@SAMDOM.EXAMPLE.COM";
        tkey-domain "SAMDOM.EXAMPLE.COM";
Code:
[root@samba.xxx 1:40am] /usr/ports/dns/bind911/>klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@SAMDOM.EXAMPLE.COM

  Issued                Expires               Principal
Nov  4 01:02:54 2017  Nov  4 11:02:54 2017  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
Now, the problem:
Samba will not update BIND when I join a new PC to the domain, and what I get is this:
Code:
04-Nov-2017 01:10:39.220 client @0x29104000 192.168.7.1#36238: using view '_default'
04-Nov-2017 01:10:39.220 client @0x29104000 192.168.7.1#36238: request has valid signature: administrator\@SAMDOM.EXAMPLE.COM
04-Nov-2017 01:10:39.220 client @0x29104000 192.168.7.1#36238/key administrator\@SAMDOM.EXAMPLE.COM: recursion available
04-Nov-2017 01:10:39.220 client @0x29104000 192.168.7.1#36238/key administrator\@SAMDOM.EXAMPLE.COM: update
04-Nov-2017 01:10:39.220 samba_dlz: starting transaction on zone samdom.example.com
04-Nov-2017 01:10:39.229 samba_dlz: GSS server Update(krb5)(1) Update failed:  An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
04-Nov-2017 01:10:39.229 samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
04-Nov-2017 01:10:39.229 samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
04-Nov-2017 01:10:39.230 samba_dlz: spnego update failed
04-Nov-2017 01:10:39.230 client @0x29104000 192.168.7.1#36238/key administrator\@SAMDOM.EXAMPLE.COM: updating zone 'samdom.example.com/NONE': update failed: rejected by secure update (REFUSED)
04-Nov-2017 01:10:39.230 samba_dlz: cancelling transaction on zone samdom.example.com
I was only able to find the same issue on FreeBSD and not any Linux distro. Is this something specific to samba and the OS or am I missing something?

LE:
The following work perfectly fine, and so do the shares and net join:
Code:
smbclient -L \\samdom.example.com -U userX
smbclient //samdom.example.com/netlogon -Uadministrator
The only issue is the auto (or lack thereof) DNS creation.
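An added consistency check for the GSS-TSIG setup described in this post (example code, not from the post, Samba or BIND): it verifies that the principal in tkey-gssapi-credential is actually present in the keytab named by tkey-gssapi-keytab, that the copied keytab still matches Samba's dns.keytab, and that the copy is readable by named. It assumes the paths quoted above, that named runs as group "bind", and that Heimdal ktutil (FreeBSD base) or MIT klist is available for listing the keytab.

```shell
#!/bin/sh
# Added diagnostic, not from the post or from Samba/BIND: checks what named
# needs for a GSS-TSIG update through the DLZ module, using the thread's paths.
# Assumes named runs as group "bind"; Heimdal ktutil or MIT klist reads keytabs.
set -eu

# Principal named in tkey-gssapi-credential; it has to be in the keytab.
credential_principal() {
    sed -n 's/^[[:space:]]*tkey-gssapi-credential[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Keytab path named in tkey-gssapi-keytab.
keytab_path() {
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# $1 = saved keytab listing (ktutil list / klist -k), $2 = principal.
keytab_lists_principal() {
    grep -q -F -- "$2" "$1"
}

# A copied keytab goes stale when Samba re-keys the DNS account, so the
# BIND copy and Samba's own dns.keytab must still be byte-identical.
keytab_copy_current() {
    cmp -s "$1" "$2"
}

# named must read the copy; nothing outside root and group bind should.
keytab_perms_ok() {
    [ -n "$(find "$1" -perm 640 -user root -group bind -print 2>/dev/null)" ]
}

# Usage: sh check_gss_tsig.sh /var/named/etc/named.conf /etc/krb5.keytab \
#            /var/db/samba4/private/dns.keytab
run_checks() {
    conf=$1 bind_kt=$2 samba_kt=$3 fail=0
    princ=$(credential_principal "$conf")
    listing=$(mktemp "${TMPDIR:-/tmp}/gsscheck.XXXXXX")
    [ "$(keytab_path "$conf")" = "$bind_kt" ] || { echo "FAIL: tkey-gssapi-keytab is not $bind_kt"; fail=1; }
    ktutil -k "$bind_kt" list >"$listing" 2>/dev/null || klist -k "$bind_kt" >"$listing" 2>/dev/null \
        || { echo "FAIL: cannot list $bind_kt"; fail=1; }
    keytab_lists_principal "$listing" "$princ" || { echo "FAIL: $princ missing from $bind_kt"; fail=1; }
    keytab_copy_current "$bind_kt" "$samba_kt" || { echo "FAIL: $bind_kt differs from $samba_kt"; fail=1; }
    keytab_perms_ok "$bind_kt" || { echo "FAIL: $bind_kt should be root:bind, mode 640"; fail=1; }
    rm -f "$listing"
    [ "$fail" -eq 0 ] && echo "OK: GSS-TSIG prerequisites are consistent"
    return "$fail"
}

if [ $# -eq 3 ]; then run_checks "$@"; fi
```

Run it as root on the DC after every Samba re-key or BIND upgrade; a "FAIL" on the copy or principal check is the first thing to rule out before reading the DLZ log.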