Samba4 Install Guide (Problems with Kerberos)

Keith Shellingfield

#76
Hi,

Code:
Calling nsupdate for A ForestDnsZones.sub.mydomain.tld 192.168.103.1 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ForestDnsZones.sub.mydomain.tld. 900 IN A    192.168.103.1

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 47 entries
I think "TKEY is unacceptable" means a problem around Kerberos, like an authentication failure. How about the krb5 config or keytabs?

And you can see Kerberos-related logs in /var/log/samba4/log.samba with log level 7.
 

Leifur

#77
log.samba (debug level 7) after running samba_dnsupdate:

Code:
[2016/06/29 10:00:58.158645,  4] ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
  dreplsrv_notify_schedule(5) scheduled for: Wed Jun 29 10:01:03 2016 CEST
[2016/06/29 10:00:58.184860,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ BSD10$@SUB.MYDOMAIN.TLD from ipv4:192.168.103.1:35991 for krbtgt/SUB.MYDOMAIN.TLD@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.186159,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.188276,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.188581,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- BSD10$@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.301655,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ BSD10$@SUB.MYDOMAIN.TLD from ipv4:192.168.100.40:60344 for krbtgt/SUB.MYDOMAIN.TLD@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.302790,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.303464,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.303875,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp
[2016/06/29 10:00:58.303894,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- BSD10$@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.303908,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- BSD10$@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.304485,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- BSD10$@SUB.MYDOMAIN.TLD using aes256-cts-hmac-sha1-96
[2016/06/29 10:00:58.304509,  4] ../source4/auth/sam.c:182(authsam_account_ok)
  authsam_account_ok: Checking SMB password for user BSD10$@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.304526,  5] ../source4/auth/sam.c:116(logon_hours_ok)
  logon_hours_ok: No hours restrictions for user BSD10$@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.304542,  5] ../source4/auth/sam.c:820(authsam_logon_success_accounting)
  lastLogonTimestamp is 131109092047300850
[2016/06/29 10:00:58.304614,  5] ../source4/auth/sam.c:744(authsam_update_lastlogon_timestamp)
  sync interval is 14
[2016/06/29 10:00:58.304634,  5] ../source4/auth/sam.c:761(authsam_update_lastlogon_timestamp)
  randomised sync interval is 9 (-5)
[2016/06/29 10:00:58.304648,  5] ../source4/auth/sam.c:770(authsam_update_lastlogon_timestamp)
  old timestamp is 131109092047300850, threshold 131108832583045540, diff 259464255310
[2016/06/29 10:00:58.317278,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.317488,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2016-06-29T10:00:58 starttime: unset endtime: 2016-06-29T20:00:58 renew till: unset
[2016/06/29 10:00:58.317563,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2016/06/29 10:00:58.461218,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.461865,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ BSD10$@SUB.MYDOMAIN.TLD from ipv4:192.168.103.1:42627 for DNS/bsd10.sub.mydomain.tld@SUB.MYDOMAIN.TLD [canonicalize]
[2016/06/29 10:00:58.464367,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.464804,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.465508,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.466922,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.467697,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ authtime: 2016-06-29T10:00:58 starttime: 2016-06-29T10:00:58 endtime: 2016-06-29T20:00:58 renew till: unset
[2016/06/29 10:01:03.161596,  4] ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
  dreplsrv_notify_schedule(5) scheduled for: Wed Jun 29 10:01:08 2016 CEST
As already mentioned, the strange thing is that it works like a charm when running named as root. So my assumption is that there's something wrong with the privileges.
 

Keith Shellingfield

#78
Hi,

In my experience, executing "samba_dnsupdate --verbose --all-names" changed some file permissions, like dns.keytab.
Since named was running as root, it didn't encounter such a "TKEY is unacceptable" problem.

So I always use "nsupdate -g" to update DNS records in testing.

And please check the permissions in /var/db/samba4/private/; I've changed some files and directories to be read/write for the bind user.


Code:
root@nono:~ # ls -la /var/db/samba4/private
total 12948
drwxrwx---  8 root  bind      1024 Aug  2 11:40 .
drwxr-xr-x  8 root  wheel     1024 Aug  2 09:56 ..
drwxrwx---  3 root  bind       512 Jun 14 13:44 dns
-rw-r-----  1 root  bind      6664 Jun 20 01:13 dns.keytab
-rw-r-----  1 root  bind      1943 Aug  2 01:07 dns_update_cache
-rw-rw-r--  1 root  bind      3183 Jun 14 13:44 dns_update_list
-rw-------  1 root  wheel  1286144 Jun 14 13:44 hklm.ldb
-rw-------  1 root  wheel  1609728 Jun 23 09:55 idmap.ldb
-rw-r--r--  1 root  wheel       96 Jun 14 13:44 krb5.conf
drwxr-x---  2 root  wheel      512 Aug  2 09:56 ldap_priv
srwxrwxrwx  1 root  bind         0 Aug  2 09:56 ldapi
drwx------  2 root  wheel      512 Aug  2 11:26 msg.sock
-rw-r--r--  1 root  wheel      682 Jun 20 18:15 named.conf
-r--r--r--  1 root  wheel      233 Jun 23 18:30 named.conf.update
-rw-r--r--  1 root  wheel     2090 Jun 14 13:44 named.txt
-rw-------  1 root  wheel      696 Aug  2 09:56 netlogon_creds_cli.tdb
-rw-------  1 root  wheel  1286144 Jun 14 13:44 privilege.ldb
-rw-------  1 root  wheel      696 Jun 14 14:49 randseed.tdb
-rw-------  1 root  wheel  4247552 Jun 14 13:44 sam.ldb
drwxrwx---  2 root  bind       512 Jun 14 13:44 sam.ldb.d
-rw-------  1 root  wheel      696 Aug  2 09:56 schannel_store.tdb
-rw-------  1 root  wheel     1152 Jun 14 13:44 secrets.keytab
-rw-------  1 root  wheel  1286144 Jun 14 13:44 secrets.ldb
-rw-------  1 root  wheel   430080 Jun 14 13:44 secrets.tdb
-rw-------  1 root  wheel  1286144 Jun 14 13:44 share.ldb
drwxr-xr-x  2 root  wheel      512 Jun 14 14:49 smbd.tmp
-rw-r--r--  1 root  wheel      955 Jun 14 13:44 spn_update_list
drwx------  2 root  wheel      512 Jun 14 14:49 tls
-rw-------  1 root  wheel  1286144 Aug  1 15:46 wins_config.ldb
The point is /var/db/samba4/private itself and some of the DNS stuff, I think. These results came from ktrace/kdump and intuition; unfortunately I lost my working memo.

However, this is just in my case.
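An added example, not from the thread and not Samba's or BIND's own tooling, that turns the permission check in this post into a script: it parses an `ls -la` listing of the private directory and reports every entry the bind group cannot read (or traverse). The list of entries in NEEDED and the embedded sample listing are assumptions based on the listing above.

```shell
# Audit an `ls -la` listing of the Samba private directory for the entries
# that named (running in group GROUP) must reach for GSS-TSIG updates. Pure
# text parsing, so it also works on a saved listing. NEEDED is an assumption
# taken from the thread's listing: the entries the poster put into the bind
# group. Directories need r+x, files need r.
NEEDED=". dns dns.keytab sam.ldb.d"

# entry_readable MODE GROUP WANTED_GROUP: 0 if a process that is not the owner
# but is in WANTED_GROUP can read (and traverse, for a directory) the entry.
entry_readable() {
    need='r??'
    case "$1" in d*) need='r?[xs]' ;; esac
    gbits=$(printf '%s\n' "$1" | cut -c5-7)
    obits=$(printf '%s\n' "$1" | cut -c8-10)
    if [ "$2" = "$3" ]; then case "$gbits" in $need) return 0 ;; esac; fi
    case "$obits" in $need) return 0 ;; esac   # world-readable is enough too
    return 1
}

# audit_listing GROUP < listing: prints one line per NEEDED entry that GROUP
# cannot read; returns 0 if all are readable, 1 otherwise.
audit_listing() {
    bad=0
    while read -r mode _ owner group _ _ _ _ name; do
        case "$mode" in total*|'') continue ;; esac
        case " $NEEDED " in *" $name "*) ;; *) continue ;; esac
        if ! entry_readable "$mode" "$group" "$1"; then
            printf 'not readable by group %s: %s (%s %s:%s)\n' \
                "$1" "$name" "$mode" "$owner" "$group"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed listing (not the poster's): dns/ and dns.keytab are still
# root:wheel with no group bits, the kind of state the posts above blame for
# "TKEY is unacceptable" when named does not run as root.
sample_listing() {
cat <<'EOF'
total 12948
drwxrwx---  8 root  bind      1024 Aug  2 11:40 .
drwx------  3 root  wheel      512 Jun 14 13:44 dns
-rw-------  1 root  wheel     6664 Jun 20 01:13 dns.keytab
drwxrwx---  2 root  bind       512 Jun 14 13:44 sam.ldb.d
EOF
}
# On the real host: ls -la /var/db/samba4/private | audit_listing bind
sample_listing | audit_listing bind; echo "audit exit status: $?"
```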
 

Daniel_BH

#79
Hi Keith,

Could you solve the problem updating the forward zone?
The error: samba_dlz: spnego update failed

I'm having the same problem.

My environment: CentOS 6.8 / I tried BIND 9.8, 9.9 and 9.10

Thanks!
 

JOAO BATISTA

#80
Greetings

First of all I would like to thank you for having responded, and to say that I did the tests as they were passed to me, but it did not work. Although it did not work out, I got new ideas and re-created the whole process.

That done, it worked 99%.

My problem now is dynamic DNS updates by Windows hosts.

For example, when I put a computer running Windows 7 in the domain, it usually joins, but it does not appear in the DNS table.

I will put the settings used for the configuration of the Domain Controller and then put the errors.

A txt with the step-by-step run to get started follows.

Images with the errors also follow.
 

JOAO BATISTA

#81
I will now proceed with the error.

The clearest way I could find to demonstrate the error was as follows:

I turned on the virtual machine that was running Windows 7, put it in the domain and rebooted, and when it rebooted it presented the error below:

Code:
root@ad:~ # tail -f /var/log/messages
Jan 21 19:49:07 ad smbd[611]: [2018/01/21 19:49:07.343869,  0] ../lib/util/become_daemon.c:124(daemon_ready)
Jan 21 19:49:07 ad smbd[611]:   STATUS=daemon 'smbd' finished starting up and ready to serve connections
Jan 21 19:49:47 ad named[476]: client 172.100.99.35#56544: update 'estudo.local/IN' denied
Jan 21 19:49:47 ad named[476]: client 172.100.99.35#50618: update 'estudo.local/IN' denied
Jan 21 19:51:25 ad su: joaobrn to root on /dev/pts/0
Jan 21 19:52:10 ad named[476]: client 172.100.99.35#63239: update 'estudo.local/IN' denied
Jan 21 19:52:10 ad named[476]: client 172.100.99.35#52497: update 'estudo.local/IN' denied
Jan 21 20:52:11 ad su: joaobrn to root on /dev/pts/0
Jan 21 20:53:11 ad named[476]: client 172.100.99.35#62097: update 'estudo.local/IN' denied
Jan 21 20:53:11 ad named[476]: client 172.100.99.35#63298: update 'estudo.local/IN' denied
Thank you for the support!!
 

Keith Shellingfield

#82
Hi,

I'm using FreeBSD 10.4-STABLE with samba46-4.6.14 and bind911-9.11.3_1 (built with GSSAPI_HEIMDAL: see my post above) now.

Could you try
Code:
    # For BIND 9.9.x
     database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_9.so -d 3";
in /var/db/samba4/private/named.conf to get a verbose log from named, and run the DNS update manually as below:

Code:
root@nono:~ # klist
klist: No ticket file: /tmp/krb5cc_0
root@nono:~ # kinit Administrator
Administrator@AD.SMBDOMAIN.CC's Password:
root@nono:~ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@AD.SMBDOMAIN.CC

  Issued                Expires               Principal
Aug 28 17:01:31 2018  Aug 29 03:01:31 2018  krbtgt/AD.SMBDOMAIN.CC@AD.SMBDOMAIN.CC
root@nono:~ # nsupdate -g
> update add testws.ad.smbdomain.cc 100 in a 192.168.16.240
> send
> quit
Then check the named log of the "channel log_database / log_update" (my results are below):
Code:
root@nono:~ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@AD.SMBDOMAIN.CC

  Issued                Expires               Principal
Aug 28 17:01:31 2018  Aug 29 03:01:31 2018  krbtgt/AD.SMBDOMAIN.CC@AD.SMBDOMAIN.CC
Aug 28 17:09:34 2018  Aug 29 03:01:31 2018  DNS/nono.ad.smbdomain.cc@AD.SMBDOMAIN.CC
Code:
28-Aug-2018 17:09:34.427 update: info: client @0x805469400 192.168.16.18#41560/key Administrator\@AD.SMBDOMAIN.CC: updating zone 'ad.smbdomain.cc/NONE': adding an RR at 'testws.ad.smbdomain.cc' A 192.168.16.240

28-Aug-2018 17:09:34.420 database: info: samba_dlz: starting transaction on zone ad.smbdomain.cc
28-Aug-2018 17:09:34.426 database: info: samba_dlz: allowing update of signer=Administrator\@AD.SMBDOMAIN.CC name=testws.ad.smbdomain.cc tcpaddr=192.168.16.18 type=A key=1071743018.sig-nono.ad.smbdomain.cc/160/0
28-Aug-2018 17:09:34.434 database: info: samba_dlz: added rdataset testws.ad.smbdomain.cc 'testws.ad.smbdomain.cc.  100      IN      A       192.168.16.240'
28-Aug-2018 17:09:34.439 database: info: samba_dlz: subtracted rdataset ad.smbdomain.cc 'ad.smbdomain.cc.       3600  IN       SOA     nono.ad.smbdomain.cc. hostmaster.ad.smbdomain.cc. 76 900 600 86400 3600'
28-Aug-2018 17:09:34.441 database: info: samba_dlz: added rdataset ad.smbdomain.cc 'ad.smbdomain.cc.    3600    IN    SOA      nono.ad.smbdomain.cc. hostmaster.ad.smbdomain.cc. 77 900 600 86400 3600'
28-Aug-2018 17:09:34.449 database: info: samba_dlz: committed transaction on zone ad.smbdomain.cc