Samba DC

Reken

FreeBSD 11.3
File system: ZFS
Samba411
Bind916

My actions:
1)
cd /usr/ports/dns/bind916 && make install clean
cd /usr/ports/net/samba411 && make install clean
(I selected the option "Use BIND 9.16")
(I added option NTVFS)

2)
samba-tool domain provision --domain=DOMENFO --host-name=DC1 --host-ip=192.168.10.10 --use-rfc2307 --realm=domenfo.local --server-role=dc --dns-backend=BIND9_DLZ --adminpass=******** --use-ntvfs

3)
I changed the file named.conf
I added the lines

tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
minimal-responses yes;
include "/var/db/samba4/bind-dns/named.conf";

4)
cp /var/db/samba4/private/krb5.conf /usr/local/etc/krb5.conf

5)
My rights

-rwxrwxr-x 1 bind bind 21842 May 21 09:10 named.conf
-rwxrwxr-x 1 bind bind 250 May 21 07:55 localhost-forward.db
-rwxrwxr-x 1 bind bind 318 May 21 07:55 localhost-reverse.db
-rw-r--r-- 1 bind bind 94 May 21 08:42 krb5.conf
-rwxrwxr-x 2 bind bind 747 May 21 08:36 dns.keytab

6)
Verification successful

root@DC1:~ # smbclient //localhost/netlogon -UAdministrator -c 'ls'
Code:
Enter DOMENFO\Administrator's password:
  .                                   D        0  Thu May 21 08:36:03 2020
  ..                                  D        0  Thu May 21 08:36:08 2020

                39560476 blocks of size 1024. 37795404 blocks available
root@DC1:~ # host -t SRV _ldap._tcp.domenfo.local.
Code:
_ldap._tcp.domenfo.local has SRV record 0 100 389 dc1.domenfo.local.
root@DC1:~ # host -t SRV _kerberos._udp.domenfo.local.
Code:
_kerberos._udp.domenfo.local has SRV record 0 100 88 dc1.domenfo.local.
root@DC1:~ # host -t A domenfo.local.
Code:
domenfo.local has address 192.168.10.10
root@DC1:~ # kinit administrator@DOMENFO.LOCAL

root@DC1:~ # klist
Code:
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@DOMENFO.LOCAL

  Issued                Expires               Principal
May 21 09:41:01 2020  May 21 19:41:01 2020  krbtgt/DOMENFO.LOCAL@DOMENFO.LOCAL

7)
samba_dnsupdate --verbose --all-names
Code:
update(nsupdate): A ForestDnsZones.domenfo.local 192.168.10.10
Calling nsupdate for A ForestDnsZones.domenfo.local 192.168.10.10 (add)
Successfully obtained Kerberos ticket to DNS/dc1.domenfo.local as DC1$
/usr/bin/nsupdate: cannot specify -g    or -o, program not linked with GSS API Library
Failed nsupdate: 1
Failed update of 34 entries
I changed the file smb4.conf
I added the lines
nsupdate command = /usr/local/sbin/samba_dnsupdate -g

samba_dnsupdate --verbose --all-names
Code:
update(nsupdate): A ForestDnsZones.domenfo.local 192.168.10.10
Calling nsupdate for A ForestDnsZones.domenfo.local 192.168.10.10 (add)
Successfully obtained Kerberos ticket to DNS/dc1.domenfo.local as DC1$
Usage: samba_dnsupdate [options]

samba_dnsupdate: error: no such option: -g
Failed nsupdate: 2
Failed update of 34 entries
To sum up:
Tell me, what is the problem?

P.S.
My application configuration files:
/usr/local/etc/krb5.conf
/usr/local/etc/smb4.conf
/usr/local/etc/namedb/named.conf
/etc/resolv.conf
/var/db/samba4/bind-dns/named.conf

mark_j

Good stuff.
You gave options for samba, how about bind916?
These can be found in /var/db/ports/dns_bind916/options and so on. It may be worth posting them.

WHY are you using a long deprecated back end in ntvfs?

Reken

bind916
Code:
OPTIONS_FILE_UNSET+=DNSTAP
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_UNSET+=FIXED_RRSET
OPTIONS_FILE_UNSET+=GEOIP
OPTIONS_FILE_SET+=IDN
OPTIONS_FILE_SET+=JSON
OPTIONS_FILE_UNSET+=LARGE_FILE
OPTIONS_FILE_SET+=LMDB
OPTIONS_FILE_UNSET+=OVERRIDECACHE
OPTIONS_FILE_UNSET+=PORTREVISION
OPTIONS_FILE_UNSET+=QUERYTRACE
OPTIONS_FILE_SET+=SIGCHASE
OPTIONS_FILE_UNSET+=START_LATE
OPTIONS_FILE_SET+=TCP_FASTOPEN
OPTIONS_FILE_UNSET+=TUNING_LARGE
OPTIONS_FILE_UNSET+=GSSAPI_BASE
OPTIONS_FILE_UNSET+=GSSAPI_HEIMDAL
OPTIONS_FILE_UNSET+=GSSAPI_MIT
OPTIONS_FILE_SET+=GSSAPI_NONE
OPTIONS_FILE_UNSET+=NATIVE_PKCS11
OPTIONS_FILE_UNSET+=DLZ_BDB
OPTIONS_FILE_SET+=DLZ_FILESYSTEM
OPTIONS_FILE_UNSET+=DLZ_LDAP
OPTIONS_FILE_UNSET+=DLZ_MYSQL
OPTIONS_FILE_UNSET+=DLZ_POSTGRESQL
OPTIONS_FILE_UNSET+=DLZ_STUB
samba411
Code:
OPTIONS_FILE_SET+=ADS
OPTIONS_FILE_SET+=AD_DC
OPTIONS_FILE_SET+=AESNI
OPTIONS_FILE_UNSET+=CLUSTER
OPTIONS_FILE_UNSET+=CUPS
OPTIONS_FILE_UNSET+=DEVELOPER
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_SET+=FAM
OPTIONS_FILE_UNSET+=GPGME
OPTIONS_FILE_SET+=LDAP
OPTIONS_FILE_UNSET+=MANDOC
OPTIONS_FILE_SET+=NTVFS
OPTIONS_FILE_SET+=PROFILE
OPTIONS_FILE_SET+=QUOTAS
OPTIONS_FILE_UNSET+=SPOTLIGHT
OPTIONS_FILE_SET+=SYSLOG
OPTIONS_FILE_SET+=UTMP
OPTIONS_FILE_SET+=GSSAPI_BUILTIN
OPTIONS_FILE_UNSET+=GSSAPI_MIT
OPTIONS_FILE_UNSET+=ZEROCONF_NONE
OPTIONS_FILE_SET+=AVAHI
OPTIONS_FILE_UNSET+=MDNSRESPONDER
OPTIONS_FILE_UNSET+=NSUPDATE
OPTIONS_FILE_UNSET+=BIND911
OPTIONS_FILE_SET+=BIND916
OPTIONS_FILE_SET+=FRUIT
OPTIONS_FILE_UNSET+=GLUSTERFS
If I do not use --use-ntvfs
I see an error:
Code:
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER
P.S.
Fragment of log.samba
Code:
  dnsupdate_nameupdate_done: Failed DNS update with exit code 5
[2020/05/22 10:52:48.216401,  0] ../../source4/smbd/server.c:624(binary_smbd_main)
  samba version 4.11.8 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2019
[2020/05/22 10:52:49.327451,  0] ../../source4/smbd/server.c:865(binary_smbd_main)
  binary_smbd_main: samba: using 'prefork' process model
[2020/05/22 10:52:52.670018,  0] ../../lib/util/become_daemon.c:136(daemon_ready)
  daemon_ready: daemon 'samba' finished starting up and ready to serve connections
[2020/05/22 07:52:58.771762,  0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
  dnsupdate_nameupdate_done: Failed DNS update with exit code 5
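An added diagnostic, not from the thread, that covers the checks raised in the first post and in the bind916 options above: reading the GSSAPI_* choice out of the ports options file, interpreting nsupdate's reply to -g, and confirming named.conf carries the tkey-gssapi-keytab and bind-dns include lines. Paths are those posted in the thread; the sample files are constructed copies of the posted content, so it runs without a live DC.

```shell
#!/bin/sh
# Added diagnostic for the samba_dnsupdate -> nsupdate -g -> BIND failure chain
# shown in the thread. Sample inputs below are constructed from the posted text.

# Print the GSSAPI_* choice recorded in a FreeBSD ports options file
# (the thread's is /var/db/ports/dns_bind916/options).
bind_gssapi_choice() {
    sed -n 's/^OPTIONS_FILE_SET+=\(GSSAPI_[A-Z]*\)$/\1/p' "$1"
}

# Return 0 when BIND was built against a GSS-API library; GSSAPI_NONE (or no
# choice at all) means the port's nsupdate cannot sign updates with -g.
bind_gssapi_ok() {
    case "$(bind_gssapi_choice "$1")" in
        GSSAPI_NONE|'') return 1 ;;
        *)              return 0 ;;
    esac
}

# Interpret what nsupdate printed for "nsupdate -g </dev/null 2>&1":
# return 0 when GSS-API is linked in, 1 when it reports the opposite.
nsupdate_gss_linked() {
    ! printf '%s\n' "$1" | grep -q 'not linked with GSS API'
}

# Return 0 when named.conf names the Samba keytab and includes the DLZ snippet.
named_conf_dlz_ready() {
    grep -q '^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"[^"]*dns.keytab"' "$1" &&
    grep -q '^[[:space:]]*include[[:space:]]*"[^"]*bind-dns/named.conf"' "$1"
}

# --- constructed samples mirroring the thread (not read from a live system) ---
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf '%s\n' 'OPTIONS_FILE_UNSET+=GSSAPI_MIT' 'OPTIONS_FILE_SET+=GSSAPI_NONE' \
    'OPTIONS_FILE_SET+=DLZ_FILESYSTEM' >"$TMP/options"
printf '%s\n' 'tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";' \
    'minimal-responses yes;' 'include "/var/db/samba4/bind-dns/named.conf";' \
    >"$TMP/named.conf"
NSUPDATE_MSG='/usr/bin/nsupdate: cannot specify -g    or -o, program not linked with GSS API Library'

bind_gssapi_ok "$TMP/options" ||
    echo "bind916 built with $(bind_gssapi_choice "$TMP/options"): rebuild with one of the other GSSAPI_* options"
nsupdate_gss_linked "$NSUPDATE_MSG" ||
    echo "nsupdate has no GSS-API: samba_dnsupdate cannot sign its updates (-g)"
named_conf_dlz_ready "$TMP/named.conf" &&
    echo "named.conf: tkey-gssapi-keytab and bind-dns include are present"
```

On a real DC, point the functions at /var/db/ports/dns_bind916/options and /usr/local/etc/namedb/named.conf and feed nsupdate_gss_linked the actual output of nsupdate -g.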
mark_j


If I do not use --use-ntvfs
I see an error:
Code:
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER
So how are both of these tied together? (Regardless, I don't see this as your issue anyway; it's DNS-oriented.)

Have you read and understood this:

(not the migrating part but why ntvfs is not used?)


Also, your problem with samba_dnsupdate is that -g is not a command option. Why is it there, and what was it supposed to achieve?

Reken


I understood my problem:
bind cannot update dynamically

Now it can be clearly seen from the logs:
named.log
Code:
26-May-2020 15:09:59.337 update-security: error: client @0x801b20f68 192.168.10.10#49770: update 'domenfo.com/IN' denied
26-May-2020 15:09:59.337 database: info: samba_dlz: cancelling transaction on zone domenfo.com
I think the problem is rights...

What do you think?

P.S.
samba_dnsupdate --verbose --all-names
Code:
update(nsupdate): A ForestDnsZones.domenfo.com 192.168.10.10
Calling nsupdate for A ForestDnsZones.domenfo.com 192.168.10.10 (add)
Successfully obtained Kerberos ticket to DNS/dc1.domenfo.com as DC1$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ForestDnsZones.domenfo.com. 900 IN A 192.168.10.10
update failed: REFUSED

Failed nsupdate: 2
Failed update of 34 entries