
Samba4 Install Guide (Problems with Kerberos)

Keith Shellingfield

New Member

Thanks: 1
Messages: 3

#76
Hi,

Code:
Calling nsupdate for A ForestDnsZones.sub.mydomain.tld 192.168.103.1 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ForestDnsZones.sub.mydomain.tld. 900 IN A    192.168.103.1

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 47 entries
I think "TKEY is unacceptable" means a problem around Kerberos, like an authentication failure. How about the krb5 config or keytabs?

And you can see the Kerberos-related logs in /var/log/samba4/log.samba with log level 7.
 

Leifur

New Member


Messages: 4

#77
log.samba (debug level 7) after running samba_dnsupdate:

Code:
[2016/06/29 10:00:58.158645,  4] ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
  dreplsrv_notify_schedule(5) scheduled for: Wed Jun 29 10:01:03 2016 CEST
[2016/06/29 10:00:58.184860,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ BSD10$@SUB.MYDOMAIN.TLD from ipv4:192.168.103.1:35991 for krbtgt/SUB.MYDOMAIN.TLD@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.186159,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.188276,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.188581,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- BSD10$@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.301655,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ BSD10$@SUB.MYDOMAIN.TLD from ipv4:192.168.100.40:60344 for krbtgt/SUB.MYDOMAIN.TLD@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.302790,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.303464,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.303875,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp
[2016/06/29 10:00:58.303894,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- BSD10$@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.303908,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- BSD10$@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.304485,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- BSD10$@SUB.MYDOMAIN.TLD using aes256-cts-hmac-sha1-96
[2016/06/29 10:00:58.304509,  4] ../source4/auth/sam.c:182(authsam_account_ok)
  authsam_account_ok: Checking SMB password for user BSD10$@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.304526,  5] ../source4/auth/sam.c:116(logon_hours_ok)
  logon_hours_ok: No hours restrictions for user BSD10$@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.304542,  5] ../source4/auth/sam.c:820(authsam_logon_success_accounting)
  lastLogonTimestamp is 131109092047300850
[2016/06/29 10:00:58.304614,  5] ../source4/auth/sam.c:744(authsam_update_lastlogon_timestamp)
  sync interval is 14
[2016/06/29 10:00:58.304634,  5] ../source4/auth/sam.c:761(authsam_update_lastlogon_timestamp)
  randomised sync interval is 9 (-5)
[2016/06/29 10:00:58.304648,  5] ../source4/auth/sam.c:770(authsam_update_lastlogon_timestamp)
  old timestamp is 131109092047300850, threshold 131108832583045540, diff 259464255310
[2016/06/29 10:00:58.317278,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.317488,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2016-06-29T10:00:58 starttime: unset endtime: 2016-06-29T20:00:58 renew till: unset
[2016/06/29 10:00:58.317563,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2016/06/29 10:00:58.461218,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.461865,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ BSD10$@SUB.MYDOMAIN.TLD from ipv4:192.168.103.1:42627 for DNS/bsd10.sub.mydomain.tld@SUB.MYDOMAIN.TLD [canonicalize]
[2016/06/29 10:00:58.464367,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.464804,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.465508,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.466922,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.467697,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ authtime: 2016-06-29T10:00:58 starttime: 2016-06-29T10:00:58 endtime: 2016-06-29T20:00:58 renew till: unset
[2016/06/29 10:01:03.161596,  4] ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
  dreplsrv_notify_schedule(5) scheduled for: Wed Jun 29 10:01:08 2016 CEST
As already mentioned, the strange thing is that it works like a charm when running named as root. So my assumption is that there's something wrong with the privileges.
 

Keith Shellingfield

New Member

Thanks: 1
Messages: 3

#78
Hi,

In my experience, executing "samba_dnsupdate --verbose --all-names" changed some file permissions, like dns.keytab; named running as root didn't encounter such a "TKEY is unacceptable" problem.

So I always use "nsupdate -g" to update DNS records when testing.

And please check the permissions in /var/db/samba4/private/; I've changed some files and directories to be readable/writable by the bind user.


Code:
root@nono:~ # ls -la /var/db/samba4/private
total 12948
drwxrwx---  8 root  bind      1024 Aug  2 11:40 .
drwxr-xr-x  8 root  wheel     1024 Aug  2 09:56 ..
drwxrwx---  3 root  bind       512 Jun 14 13:44 dns
-rw-r-----  1 root  bind      6664 Jun 20 01:13 dns.keytab
-rw-r-----  1 root  bind      1943 Aug  2 01:07 dns_update_cache
-rw-rw-r--  1 root  bind      3183 Jun 14 13:44 dns_update_list
-rw-------  1 root  wheel  1286144 Jun 14 13:44 hklm.ldb
-rw-------  1 root  wheel  1609728 Jun 23 09:55 idmap.ldb
-rw-r--r--  1 root  wheel       96 Jun 14 13:44 krb5.conf
drwxr-x---  2 root  wheel      512 Aug  2 09:56 ldap_priv
srwxrwxrwx  1 root  bind         0 Aug  2 09:56 ldapi
drwx------  2 root  wheel      512 Aug  2 11:26 msg.sock
-rw-r--r--  1 root  wheel      682 Jun 20 18:15 named.conf
-r--r--r--  1 root  wheel      233 Jun 23 18:30 named.conf.update
-rw-r--r--  1 root  wheel     2090 Jun 14 13:44 named.txt
-rw-------  1 root  wheel      696 Aug  2 09:56 netlogon_creds_cli.tdb
-rw-------  1 root  wheel  1286144 Jun 14 13:44 privilege.ldb
-rw-------  1 root  wheel      696 Jun 14 14:49 randseed.tdb
-rw-------  1 root  wheel  4247552 Jun 14 13:44 sam.ldb
drwxrwx---  2 root  bind       512 Jun 14 13:44 sam.ldb.d
-rw-------  1 root  wheel      696 Aug  2 09:56 schannel_store.tdb
-rw-------  1 root  wheel     1152 Jun 14 13:44 secrets.keytab
-rw-------  1 root  wheel  1286144 Jun 14 13:44 secrets.ldb
-rw-------  1 root  wheel   430080 Jun 14 13:44 secrets.tdb
-rw-------  1 root  wheel  1286144 Jun 14 13:44 share.ldb
drwxr-xr-x  2 root  wheel      512 Jun 14 14:49 smbd.tmp
-rw-r--r--  1 root  wheel      955 Jun 14 13:44 spn_update_list
drwx------  2 root  wheel      512 Jun 14 14:49 tls
-rw-------  1 root  wheel  1286144 Aug  1 15:46 wins_config.ldb
The point is /var/db/samba4/private itself and some DNS stuff, I think. These results came from ktrace/kdump and intuition; unfortunately I lost my working memo.

However, this is just in my case.
 
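An added audit script (written for this thread, not Keith's or Samba's own code) that checks what the post above describes: whether the group named runs as can reach the entries in the Samba private directory that a GSS-TSIG update touches. The required access per entry is an assumption modelled on the listing above; the directory and group name are parameters.

```shell
#!/bin/sh
# Added example, not from the thread or Samba: audit the Samba private dir
# so that the group named runs as (e.g. bind) can reach what a GSS-TSIG
# update needs. The per-entry access below is an assumption modelled on the
# listing posted above. Usage: check_bind_access /var/db/samba4/private bind

# Print "mode group" for one path; works with both BSD and GNU ls.
entry_mode_group() {
    ls -ld "$1" | awk '{print $1, $4}'
}

# check_entry PATH GROUP WANT: WANT is a group-bit pattern such as r-x or rw-.
# Succeeds only if PATH is group-owned by GROUP and its group bits cover WANT.
check_entry() {
    path=$1 grp=$2 want=$3
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    set -- $(entry_mode_group "$path")
    gbits=$(printf '%s' "$1" | cut -c5-7)   # chars 5-7 are the group bits
    rc=0
    [ "$2" = "$grp" ] || { echo "GROUP   $path is $2, want $grp"; rc=1; }
    i=1
    while [ "$i" -le 3 ]; do
        w=$(printf '%s' "$want" | cut -c"$i")
        h=$(printf '%s' "$gbits" | cut -c"$i")
        if [ "$w" != "-" ] && [ "$h" = "-" ]; then
            echo "MODE    $path group bits $gbits, want $want"; rc=1; break
        fi
        i=$((i + 1))
    done
    return "$rc"
}

# check_bind_access DIR GROUP: one pass over the entries named's update
# path touches; returns non-zero if any entry fails.
check_bind_access() {
    dir=$1 grp=$2 failed=0
    check_entry "$dir"                 "$grp" r-x || failed=1  # traverse dir
    check_entry "$dir/dns.keytab"      "$grp" r-- || failed=1  # GSS-TSIG key
    check_entry "$dir/dns"             "$grp" rwx || failed=1  # DLZ databases
    check_entry "$dir/dns_update_list" "$grp" r-- || failed=1
    return "$failed"
}
```

Run it after samba_dnsupdate to see whether the tool has reset any of the modes named depends on.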

Daniel_BH

New Member


Messages: 1

#79
Hi, Keith

Could you solve the problem updating the forward zone?
The error: samba_dlz: spnego update failed

I'm having the same problem.

My environment: CentOS 6.8 / I tried Bind 9.8, 9.9 and 9.10

Tks!
 

JOAO BATISTA

New Member


Messages: 11

#80
Greetings

First of all I would like to thank you for having responded, and to say that I did the tests as you passed them to me, but it did not work. Although it did not work out, I got new ideas and re-created the whole process.

That done, it worked 99%.

My problem now is dynamic DNS updates by Windows hosts.

For example, when I put a computer running Windows 7 in the domain, it usually joins, but it does not appear in the DNS table.

I will put the settings used for the configuration of the Domain Controller and then put the errors.

Attached is a txt with the step-by-step I ran to get started.

Images with the errors are also attached.
 


JOAO BATISTA

New Member


Messages: 11

#81
I will now proceed with the error.

The clearest way I could find to demonstrate the error was as follows:

I turned on the virtual machine that was running Windows 7, put it in the domain and rebooted, and when it rebooted it presented the error as below:

Code:
root@ad:~ # tail -f /var/log/messages
Jan 21 19:49:07 ad smbd[611]: [2018/01/21 19:49:07.343869,  0] ../lib/util/become_daemon.c:124(daemon_ready)
Jan 21 19:49:07 ad smbd[611]:   STATUS=daemon 'smbd' finished starting up and ready to serve connections
Jan 21 19:49:47 ad named[476]: client 172.100.99.35#56544: update 'estudo.local/IN' denied
Jan 21 19:49:47 ad named[476]: client 172.100.99.35#50618: update 'estudo.local/IN' denied
Jan 21 19:51:25 ad su: joaobrn to root on /dev/pts/0
Jan 21 19:52:10 ad named[476]: client 172.100.99.35#63239: update 'estudo.local/IN' denied
Jan 21 19:52:10 ad named[476]: client 172.100.99.35#52497: update 'estudo.local/IN' denied
Jan 21 20:52:11 ad su: joaobrn to root on /dev/pts/0
Jan 21 20:53:11 ad named[476]: client 172.100.99.35#62097: update 'estudo.local/IN' denied
Jan 21 20:53:11 ad named[476]: client 172.100.99.35#63298: update 'estudo.local/IN' denied
Thank you for the support!!
 
