Joining Samba AD domain: DNS update failed

zirias@

Developer
Trying to join my newly setup Samba domain, I get the following error:
Code:
DNS Update for files.home.palmen-it.de failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL

Probably relevant info:
  • The AD DC uses Samba 4.7.3 (this was the only way to get it running)
  • Both this DC and the instance I'm trying to join to it are running in jails using VIMAGE
  • The system uses libressl and MIT krb5 (base is built WITHOUT_KERBEROS and ports use option GSSAPI_MIT and DEFAULT_VERSIONS+=ssl=libressl)
  • The DC uses the DLZ_BIND9 backend, configured with dns/bind911
  • Host system: FreeBSD 11.1-RELEASE-p10 on ZFS
With debugging on samba_dlz enabled, my bind911 logs the following:

Code:
May 15 17:24:53 addc named[4851]: samba_dlz: Acquiring acceptor credentials failed: Key table entry not found
May 15 17:24:53 addc named[4851]: samba_dlz: Failed to start GENSEC server mech gssapi_krb5: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 15 17:24:53 addc named[4851]: samba_dlz: spnego update failed

Any hints what I could try?
 
I sorted out two issues: First, named was unable to read /var/db/samba4/private/dns.keytab, this is resolved by
Code:
chgrp bind /var/db/samba4/private
chmod g+rx /var/db/samba4/private
The second issue then was that named claimed to see a replay ... using this document, I could work around by creating /etc/rc.conf.d/named with
Code:
KRB5RCACHETYPE=none
export KRB5RCACHETYPE

So far so good, but now, named seems to crash when I try to add a domain member -- the last log messages are:
Code:
May 15 18:00:54 addc named[5300]: samba_dlz: spnego update failed
May 15 18:00:55 addc named[5300]: samba_dlz: unable to obtain a PAC against this GSSAPI library.  GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8
May 15 18:00:55 addc named[5300]: samba_dlz: gensec_generate_session_info_pac: Unable to find PAC for FILES$@HOME.PALMEN-IT.DE, resorting to local user lookup

This again leaves me puzzled :( I have krb5-1.16.1 installed, I guess this is ">= 1.8"?

I'm now trying to rebuild my system to use kerberos from base -- which will take a while. If that's the solution, fine :( (I hope so)
 
If I'm not mistaken Samba is built against the base OS Kerberos, not the port versions.
I would have expected it to complain about a missing library then (the base in that jail didn't have kerberos and libgssapi), which it didn't...
But maybe there is some strange incompatibility when it is built against MIT, that's why I'm doing a complete rebuild of base and packages right now, to find out.
 
You can have a look at the dependencies of Samba. It should show a dependency on the MIT Kerberos if it's correctly linked in this case.
 
SirDice: Interesting hint, thanks. No, it isn't listed, but I then looked at the ld dependencies of samba's libraries: It doesn't depend on any kerberos, instead there is libkrb5-samba4.so.26 and libgssapi-samba4.so.2, and these libs indeed export all these krb5_* symbols. So, samba comes with its own implementation ;)

Maybe this is incompatible with my named linking against MIT:
Code:
/usr/local/sbin/named:
        libgssapi_krb5.so.2.2 => /usr/local/lib/libgssapi_krb5.so.2.2 (0x800b27000)
        libkrb5.so.3.3 => /usr/local/lib/libkrb5.so.3.3 (0x800d70000)
...

I will see if recompiling all with kerberos in base will solve the issue.
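As an added example (not code from the thread or from the Samba or bind ports), the following sh script classifies which Kerberos implementation a binary is linked against from its ldd output, so the named vs. samba_dlz mismatch discussed above can be checked before a join is attempted; the sample ldd listings are constructed, and the base-Heimdal path pattern is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): classify the Kerberos implementation a
# binary links against from ldd(1) output, to spot the mismatch discussed
# above: named linked against the MIT krb5 port while samba_dlz uses Samba's
# bundled Heimdal copy (lib*-samba4.so.N).

# krb5_flavor: reads ldd output on stdin, prints one of
#   samba-heimdal  bundled copies under lib/samba4/private (libkrb5-samba4.so.N)
#   mit            security/krb5 from ports (libkrb5.so.3 under /usr/local/lib)
#   base-heimdal   FreeBSD base Heimdal (libkrb5.so.* under /usr/lib; assumed)
#   none           no Kerberos library at all
krb5_flavor() {
    out=$(cat)
    case "$out" in
        *libkrb5-samba4.so*)           echo samba-heimdal ;;
        */usr/local/lib/libkrb5.so.3*) echo mit ;;
        */usr/lib/libkrb5.so.*)        echo base-heimdal ;;
        *)                             echo none ;;
    esac
}

# krb5_verdict FLAVOR_A FLAVOR_B: "ok" when both sides use the same
# implementation, "mismatch" otherwise (GSSAPI across two different
# Kerberos stacks is where the DNS update in the thread failed).
krb5_verdict() {
    if [ "$1" = "$2" ]; then echo ok; else echo mismatch; fi
}

# Constructed sample ldd output: SAMPLE_NAMED follows the excerpt posted
# above, SAMPLE_DLZ is a made-up listing for the dlz_bind9 module.
SAMPLE_NAMED='/usr/local/sbin/named:
        libgssapi_krb5.so.2.2 => /usr/local/lib/libgssapi_krb5.so.2.2 (0x800b27000)
        libkrb5.so.3.3 => /usr/local/lib/libkrb5.so.3.3 (0x800d70000)'
SAMPLE_DLZ='/usr/local/lib/shared-modules/bind9/dlz_bind9_11.so:
        libgssapi-samba4.so.2 => /usr/local/lib/samba4/private/libgssapi-samba4.so.2 (0x800e00000)
        libkrb5-samba4.so.26 => /usr/local/lib/samba4/private/libkrb5-samba4.so.26 (0x800f00000)'

# report: classify both samples and print the verdict (on a live host, feed
# the real `ldd /usr/local/sbin/named` and `ldd .../dlz_bind9_11.so` output).
report() {
    named_flavor=$(printf '%s\n' "$SAMPLE_NAMED" | krb5_flavor)
    dlz_flavor=$(printf '%s\n' "$SAMPLE_DLZ" | krb5_flavor)
    echo "named:     $named_flavor"
    echo "dlz_bind9: $dlz_flavor"
    echo "verdict:   $(krb5_verdict "$named_flavor" "$dlz_flavor")"
}

report
```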
 
Thanks for this link! And oh my, now I might just go back to my old settings and hack the samba port to enable --with-system-mitkrb5...
 
For Samba 4.8 it might be a nice addition to the port to allow a choice between the builtin, base OS, Heimdal or MIT Kerberos.
 
I'm pretty sure it never uses anything from base but just incorporates heimdal source to build its own libraries. The --with-system- prefix of the configuration option also hints in this direction. But yes, making this configurable would probably be a nice feature for the port :) (maybe just add as GSSAPI_MIT option?)
 
I'm pretty sure it never uses anything from base but just incorporates heimdal source to build its own libraries.
I can't remember where I read this but if I recall correctly the Samba build process tries to use the system's Kerberos and will fall back to its own implementation if it doesn't exist (or isn't compatible).
 
Well, if that's the case, it doesn't like the kerberos in base -- I checked yesterday, building in a jail "standard" base still creates a version linking against the internal implementations.
Unfortunately, this didn't work for me either, with dns/bind911 linked against base kerberos, the DNS update fails as well and doesn't give any meaningful output in the logs :(

So now trying the approach with --with-system-mitkrb5. Here's a patch against net/samba48 in case anyone's interested:
Code:
Index: Makefile
===================================================================
--- Makefile    (revision 470059)
+++ Makefile    (working copy)
@@ -84,7 +84,7 @@
 OPTIONS_SUB=                   yes
 
 OPTIONS_DEFINE=                        AD_DC ADS DEBUG DOCS FAM LDAP \
-                               QUOTAS SYSLOG UTMP PROFILE
+                               QUOTAS SYSLOG UTMP PROFILE GSSAPI_MIT
 # Make those default options
 OPTIONS_DEFAULT:=              ${OPTIONS_DEFINE}
 # This shouldn't be default in the release
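Review bot: adding GSSAPI_MIT to OPTIONS_DEFINE in this hunk switches it on by default, because the unchanged context line `OPTIONS_DEFAULT:= ${OPTIONS_DEFINE}` copies the whole define list; every user would then build against the MIT port instead of the bundled Heimdal. Append the option after that assignment instead (`OPTIONS_DEFINE+= GSSAPI_MIT`) so it stays opt-in, or say explicitly that the default is meant to change.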
@@ -334,6 +334,11 @@
 MANDOC_BUILD_DEPENDS=          ${LOCALBASE}/share/xsl/docbook/manpages/docbook.xsl:textproc/docbook-xsl \
                                xsltproc:textproc/libxslt
 MANDOC_CONFIGURE_ENV_OFF=      XSLTPROC="true"
+
+GSSAPI_MIT_CONFIGURE_ON=       --with-system-mitkrb5 \
+                               --with-system-mitkdc=/usr/local/sbin/krb5kdc
+GSSAPI_MIT_USES=               gssapi:mit
+
 # !SAMBA4_SUBPORT
 .endif
 
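Review bot: `--with-system-mitkdc=/usr/local/sbin/krb5kdc` in this hunk hardcodes the installation prefix; ports convention is `${LOCALBASE}/sbin/krb5kdc` so the option keeps working under a non-default LOCALBASE, and it matches the `${LOCALBASE}` usage already visible in the MANDOC_BUILD_DEPENDS context above it.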
@@ -578,6 +583,10 @@
                                ${INSTALL_DATA} ${WRKDIR}/${doc} ${STAGEDIR}${DOCSDIR}
 .endfor
 
+post-install-GSSAPI_MIT-on:
+                               ${INSTALL} -d -m 0755 "${STAGEDIR}${SAMBA4_MODULEDIR}/krb5/plugins/kdb"
+                               ${MV} "${STAGEDIR}${SAMBA4_LIBDIR}/krb5/plugins/kdb/samba.so" "${STAGEDIR}${SAMBA4_MODULEDIR}/krb5/plugins/kdb/"
+
 # !SAMBA4_SUBPORT
 .endif
 
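Review bot: the `post-install-GSSAPI_MIT-on:` target moves `krb5/plugins/kdb/samba.so` unconditionally, while the pkg-plist hunk later in this patch lists that file under `%%GSSAPI_MIT%%%%AD_DC%%`; with AD_DC off the `${MV}` would fail on a missing file and abort the build. Guard the target on AD_DC as well (for instance wrap it in `.if ${PORT_OPTIONS:MAD_DC}`), or skip the move when the source file is absent.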
Index: pkg-plist
===================================================================
--- pkg-plist   (revision 470059)
+++ pkg-plist   (working copy)
@@ -187,13 +187,13 @@                                                          
 %%AD_DC%%lib/samba4/private/libprocess-model-samba4.so                        
 %%AD_DC%%lib/samba4/private/libservice-samba4.so                              
 lib/samba4/private/libCHARSET3-samba4.so                                      
-%%AD_DC%%lib/samba4/private/libHDB-SAMBA4-samba4.so                           
+%%NO_GSSAPI_MIT%%%%AD_DC%%lib/samba4/private/libHDB-SAMBA4-samba4.so          
 lib/samba4/private/libLIBWBCLIENT-OLD-samba4.so                               
 lib/samba4/private/libMESSAGING-samba4.so                                     
 lib/samba4/private/libMESSAGING-SEND-samba4.so                                
 lib/samba4/private/libaddns-samba4.so                                         
 lib/samba4/private/libads-samba4.so                                           
-lib/samba4/private/libasn1-samba4.so.8                                        
+%%NO_GSSAPI_MIT%%lib/samba4/private/libasn1-samba4.so.8                       
 lib/samba4/private/libasn1util-samba4.so                                      
 lib/samba4/private/libauth-samba4.so                                          
 lib/samba4/private/libauth-unix-token-samba4.so                               
@@ -208,7 +208,7 @@                                                            
 lib/samba4/private/libcliauth-samba4.so                                       
 lib/samba4/private/libcluster-samba4.so                                       
 lib/samba4/private/libcmdline-credentials-samba4.so                           
-lib/samba4/private/libcom_err-samba4.so.0                                     
+%%NO_GSSAPI_MIT%%lib/samba4/private/libcom_err-samba4.so.0                    
 lib/samba4/private/libcommon-auth-samba4.so                                   
 %%AD_DC%%lib/samba4/private/libdb-glue-samba4.so                              
 lib/samba4/private/libdbwrap-samba4.so                                        
@@ -224,18 +224,18 @@                                                          
 lib/samba4/private/libgensec-samba4.so                                        
 lib/samba4/private/libgpext-samba4.so                                         
 lib/samba4/private/libgse-samba4.so                                           
-lib/samba4/private/libgssapi-samba4.so.2                                      
-lib/samba4/private/libhcrypto-samba4.so.5                                     
-lib/samba4/private/libhdb-samba4.so.11                                        
-lib/samba4/private/libheimbase-samba4.so.1                                    
-lib/samba4/private/libheimntlm-samba4.so.1                                    
+%%NO_GSSAPI_MIT%%lib/samba4/private/libgssapi-samba4.so.2                     
+%%NO_GSSAPI_MIT%%lib/samba4/private/libhcrypto-samba4.so.5                    
+%%NO_GSSAPI_MIT%%lib/samba4/private/libhdb-samba4.so.11                       
+%%NO_GSSAPI_MIT%%lib/samba4/private/libheimbase-samba4.so.1                   
+%%NO_GSSAPI_MIT%%lib/samba4/private/libheimntlm-samba4.so.1                   
 lib/samba4/private/libhttp-samba4.so                                          
-lib/samba4/private/libhx509-samba4.so.5                                       
+%%NO_GSSAPI_MIT%%lib/samba4/private/libhx509-samba4.so.5                      
 lib/samba4/private/libidmap-samba4.so                                         
 lib/samba4/private/libinterfaces-samba4.so                                    
 lib/samba4/private/libiov-buf-samba4.so                                       
-lib/samba4/private/libkdc-samba4.so.2                                         
-lib/samba4/private/libkrb5-samba4.so.26                                       
+%%NO_GSSAPI_MIT%%lib/samba4/private/libkdc-samba4.so.2                        
+%%NO_GSSAPI_MIT%%lib/samba4/private/libkrb5-samba4.so.26                      
 lib/samba4/private/libkrb5samba-samba4.so                                     
 lib/samba4/private/libldbsamba-samba4.so                                      
 lib/samba4/private/liblibcli-lsa3-samba4.so                                   
@@ -257,7 +257,7 @@                                                            
 lib/samba4/private/libprinting-migrate-samba4.so                              
 lib/samba4/private/libregistry-samba4.so                                      
 lib/samba4/private/libreplace-samba4.so                                       
-lib/samba4/private/libroken-samba4.so.19                                      
+%%NO_GSSAPI_MIT%%lib/samba4/private/libroken-samba4.so.19                     
 lib/samba4/private/libsamba-cluster-support-samba4.so                         
 lib/samba4/private/libsamba-debug-samba4.so                                   
 lib/samba4/private/libsamba-modules-samba4.so                                 
@@ -290,7 +290,7 @@                                                            
 lib/samba4/private/libutil-setid-samba4.so                                    
 lib/samba4/private/libutil-tdb-samba4.so                                      
 lib/samba4/private/libwinbind-client-samba4.so                                
-lib/samba4/private/libwind-samba4.so.0                                        
+%%NO_GSSAPI_MIT%%lib/samba4/private/libwind-samba4.so.0                       
 lib/samba4/private/libxattr-tdb-samba4.so                                     
 %%AD_DC%%lib/shared-modules/bind9/dlz_bind9_10.so                             
 %%AD_DC%%lib/shared-modules/bind9/dlz_bind9_11.so                             
@@ -297,6 +297,7 @@                                                            
 %%AD_DC%%lib/shared-modules/bind9/dlz_bind9_9.so                              
 %%AD_DC%%lib/shared-modules/bind9/dlz_bind9.so                                
 %%AD_DC%%lib/shared-modules/gensec/krb5.so                                    
+%%GSSAPI_MIT%%%%AD_DC%%lib/shared-modules/krb5/plugins/kdb/samba.so           
 %%AD_DC%%lib/shared-modules/ldb/acl.so                                        
 %%AD_DC%%lib/shared-modules/ldb/aclread.so                                    
 %%AD_DC%%lib/shared-modules/ldb/anr.so

I'm building 4.7.3 again though, due to problems discussed earlier ;)
 
Little update: at least, joining worked now.

What I did:
  • patch net/samba48 with the patch from the post above
  • downgrade net/samba47 to version 4.7.3 (so domain provisioning works)
  • patch net/samba47 in a similar way to enable MIT kerberos
  • Add the patch from PR #220844 to both samba versions (deemed unsafe, but otherwise it wouldn't work in a jail)
  • Install samba47-4.7.3 on the DC jail, provision the domain (including configuring kerberos and named) and test basic functionality
  • Upgrade the DC to net/samba48
  • Execute samba_upgradedns --dns-backend=BIND9_DLZ, follow the hints to update the named configuration
After this procedure, I could finally join my domain with automatic DNS update:
Code:
# net ads join -U administrator
Enter administrator's password:
Using short domain name -- PALMEN
Joined 'FILES' to dns domain 'home.palmen-it.de'
# host files
files.home.palmen-it.de has address 192.168.42.103
#

Well, great so far, we will see whether this setup will actually work for clients ;)

I guess I'll mail this patch to the samba ports' maintainer, after all, it's probably a good idea to respect option GSSAPI_MIT when building samba.
 
Well, it really seems to work as intended! I meanwhile joined another jail as a file server (also serving home directories), and two workstations, running Windows 7 and Debian stable; all seems fine.

Great, but I hope this will improve in the future, so samba domain provisioning just works out of the box with ZFS and inside a jail ... and optionally with MIT kerberos. To at least help a little, I submitted PR #228365 -- anyone attempting to follow the insane procedure outlined above can find the required patches there for now :)
 