The following has been driving me crazy.
I have an 11.0-RELEASE-p12, samba45 from pkg, BIND-9.11.2_2 from ports with GSSAPI_BASE, DLZ_FILESYSTEM and no PYTHON support, and the following config files (relevant bits only):
BIND is running outside chroot!
/etc/krb5.conf
Code:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = SAMDOM.EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 48h
renew_lifetime = 7d
forwardable = true
# default_keytab_name = FILE:/var/db/samba4/private/dns.keytab
[realms]
SAMDOM.EXAMPLE.COM = {
kdc = samdom.example.com
admin_server = samdom.example.com
}
[domain_realm]
.samdom.example.com = SAMDOM.EXAMPLE.COM
samdom.example.com = SAMDOM.EXAMPLE.COM
/var/named/etc/named.conf
Code:
tkey-gssapi-keytab "/etc/krb5.keytab";
tkey-domain "SAMDOM.EXAMPLE.COM";
dlz "AD DNS Zone" {
database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_11.so -d 3";
};
/etc/krb5.keytab is a copy of /var/db/samba4/private/dns.keytab and has perm 640 and root:bind ownership.
/usr/local/etc/smb4.conf
Code:
[global]
netbios name = SAMBA
realm = SAMDOM.EXAMPLE.COM
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = MYWRKGRP
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
nsupdate command = /usr/local/bin/samba_dnsupdate -g
interfaces = 192.168.x.1
bind interfaces only = yes
ea support = yes
domain master = yes
preferred master = yes
tkey-gssapi-credential "DNS/samdom.example.com@SAMDOM.EXAMPLE.COM";
tkey-domain "SAMDOM.EXAMPLE.COM";
Code:
[root@samba.xxx 1:40am] /usr/ports/dns/bind911/>klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: administrator@SAMDOM.EXAMPLE.COM
Issued Expires Principal
Nov 4 01:02:54 2017 Nov 4 11:02:54 2017 krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
Now, the problem:
Samba will not update BIND when I join a new PC to the domain, and what I get is this:
Code:
04-Nov-2017 01:10:39.220 client @0x29104000 192.168.7.1#36238: using view '_default'
04-Nov-2017 01:10:39.220 client @0x29104000 192.168.7.1#36238: request has valid signature: administrator\@SAMDOM.EXAMPLE.COM
04-Nov-2017 01:10:39.220 client @0x29104000 192.168.7.1#36238/key administrator\@SAMDOM.EXAMPLE.COM: recursion available
04-Nov-2017 01:10:39.220 client @0x29104000 192.168.7.1#36238/key administrator\@SAMDOM.EXAMPLE.COM: update
04-Nov-2017 01:10:39.220 samba_dlz: starting transaction on zone samdom.example.com
04-Nov-2017 01:10:39.229 samba_dlz: GSS server Update(krb5)(1) Update failed: An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
04-Nov-2017 01:10:39.229 samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
04-Nov-2017 01:10:39.229 samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
04-Nov-2017 01:10:39.230 samba_dlz: spnego update failed
04-Nov-2017 01:10:39.230 client @0x29104000 192.168.7.1#36238/key administrator\@SAMDOM.EXAMPLE.COM: updating zone 'samdom.example.com/NONE': update failed: rejected by secure update (REFUSED)
04-Nov-2017 01:10:39.230 samba_dlz: cancelling transaction on zone samdom.example.com
I was only able to find the same issue on FreeBSD and not any Linux distro. Is this something specific to samba and the OS or am I missing something?
LE:
The following work perfectly fine, and so do the shares and net join:
Code:
smbclient -L \\samdom.example.com -U userX
smbclient //samdom.example.com/netlogon -Uadministrator
The only issue is the auto (or lack thereof) DNS creation.
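The BIND log above actually records two separate checks, and it helps to read them apart: named verifies the GSS-TSIG signature on the update itself (the "request has valid signature" line, so named's own keytab configuration is working), and then hands the update to the samba_dlz module, which performs its own GSS accept and is the component that reports "unsupported mechanism" for OID 1 2 840 113554 1 2 2 (the Kerberos V5 mechanism, RFC 1964) before named answers REFUSED. The following is an added diagnostic, not code from the post or from Samba/BIND: it parses update-log lines and separates "named rejected the TSIG" from "TSIG was fine, the DLZ module's GSS step failed". The log lines embedded in it are a constructed sample modelled on the post; the verdict labels, field names and function names are my own.

```python
"""Classify BIND 9 GSS-TSIG dynamic-update failures from named's log.

Added example (not from the post). It distinguishes a TSIG/TKEY rejection
by named itself from a rejection inside the samba_dlz module's own GSS
accept step, which is where the post's log shows the failure.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# OID 1.2.840.113554.1.2.2 is the Kerberos V5 GSS-API mechanism (RFC 1964).
# named prints the arcs space-separated, so keep that form for comparison.
KRB5_MECH_OID = "1 2 840 113554 1 2 2"

# Constructed sample, modelled on the lines in the post (not a real capture).
SAMPLE_LOG = """\
04-Nov-2017 01:10:39.220 client @0x29104000 192.168.7.1#36238: using view '_default'
04-Nov-2017 01:10:39.220 client @0x29104000 192.168.7.1#36238: request has valid signature: administrator\\@SAMDOM.EXAMPLE.COM
04-Nov-2017 01:10:39.220 client @0x29104000 192.168.7.1#36238/key administrator\\@SAMDOM.EXAMPLE.COM: update
04-Nov-2017 01:10:39.220 samba_dlz: starting transaction on zone samdom.example.com
04-Nov-2017 01:10:39.229 samba_dlz: GSS server Update(krb5)(1) Update failed: An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
04-Nov-2017 01:10:39.229 samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
04-Nov-2017 01:10:39.230 client @0x29104000 192.168.7.1#36238/key administrator\\@SAMDOM.EXAMPLE.COM: updating zone 'samdom.example.com/NONE': update failed: rejected by secure update (REFUSED)
04-Nov-2017 01:10:39.230 samba_dlz: cancelling transaction on zone samdom.example.com
"""

# "client @<ptr> <ip>#<port>[/key <name>]: <message>"
CLIENT_RE = re.compile(
    r"client @\S+ (?P<client>[^\s/]+)(?:/key (?P<key>\S+))?: (?P<msg>.*)$"
)
SAMBA_RE = re.compile(r"samba_dlz: (?P<msg>.*)$")
ZONE_RE = re.compile(r"starting transaction on zone (?P<zone>\S+)")
MECH_RE = re.compile(r"unknown mech-code (?P<code>\d+) for mech (?P<oid>[\d ]+\d)")


@dataclass
class UpdateAttempt:
    client: str                       # "ip#port" as named prints it
    key: Optional[str] = None         # TSIG key name (Kerberos principal)
    signature_valid: bool = False     # named accepted the GSS-TSIG signature
    zone: Optional[str] = None        # zone the DLZ module opened a transaction on
    gss_error: Optional[str] = None   # samba_dlz's own GSS failure text, if any
    mech_oid: Optional[str] = None    # mechanism OID named in that failure
    refused: bool = False             # named answered REFUSED


def parse_update_log(lines: Iterable[str]) -> List[UpdateAttempt]:
    """Group named/samba_dlz log lines into one UpdateAttempt per client."""
    attempts: List[UpdateAttempt] = []
    current: Optional[UpdateAttempt] = None
    for line in lines:
        m = CLIENT_RE.search(line)
        if m:
            client, key, msg = m.group("client"), m.group("key"), m.group("msg")
            if current is None or current.client != client:
                current = UpdateAttempt(client=client)
                attempts.append(current)
            if key:
                current.key = key.replace("\\@", "@")
            if msg.startswith("request has valid signature: "):
                current.signature_valid = True
                current.key = msg.split(": ", 1)[1].replace("\\@", "@")
            elif "rejected by secure update" in msg:
                current.refused = True
            continue
        m = SAMBA_RE.search(line)
        if m and current is not None:
            msg = m.group("msg")
            z = ZONE_RE.search(msg)
            if z:
                current.zone = z.group("zone")
            g = MECH_RE.search(msg)
            if g:
                current.gss_error = msg
                current.mech_oid = g.group("oid")
    return attempts


def diagnose(a: UpdateAttempt) -> str:
    """Label where the secure update was rejected (labels are my own)."""
    if not a.refused:
        return "ok"
    if not a.signature_valid:
        # named never accepted the TSIG: keytab, principal or tkey-* settings
        return "tsig-rejected-by-named"
    if a.mech_oid == KRB5_MECH_OID:
        # named was happy; the DLZ module's own GSS accept refused the krb5 mech
        return "dlz-gss-unsupported-krb5-mech"
    return "dlz-rejected"


if __name__ == "__main__":
    for attempt in parse_update_log(SAMPLE_LOG.splitlines()):
        print(attempt.client, attempt.key, attempt.zone, "->", diagnose(attempt))
```

Run it against named's log with `-d 3` left on the dlz line as in the post. A `dlz-gss-unsupported-krb5-mech` verdict means the keytab and `tkey-gssapi-keytab` are already doing their job in named; the thing to inspect next is the GSS stack the DLZ module itself runs with (for instance, which GSSAPI/Kerberos shared libraries `named` and `dlz_bind9_11.so` each load, which the script does not check and is only my suggestion, not something the post establishes).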