# smb4.conf of the Samba 4.0.8 AD DC "SMBTEST" (smbtest.test.lan) for realm TEST.LAN.
# This paste may be partial; the thread later adds
# "nsupdate command = /usr/local/bin/nsupdate -g" to [global] so the ports
# nsupdate is used instead of the base /usr/bin/nsupdate.
[global]
workgroup = TEST
realm = TEST.LAN
netbios name = SMBTEST
server role = active directory domain controller
# "dns" is absent from the service list, so Samba's internal DNS server is not
# started and name service is expected from BIND through the DLZ module.
# "dnsupdate" keeps samba_dnsupdate running; it registers the DC records with
# GSS-TSIG (nsupdate -g), which is what fails with REFUSED in this thread.
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
# Standard DC shares. Both are writable, so access control rests on the
# filesystem ACLs of the sysvol tree, not on the share definition.
[netlogon]
path = /var/db/samba4/sysvol/test.lan/scripts
read only = No
[sysvol]
path = /var/db/samba4/sysvol
read only = No
# krb5.conf [libdefaults] read by the Kerberos libraries on this host. named links
# the base /usr/lib libgssapi/libkrb5/libhx509/libroken set (see the ldd output),
# i.e. the Heimdal implementation shipped with FreeBSD.
# NOTE(review): the "mech 1 2 840 113554 1 2 2" in named's error is the Kerberos 5
# GSS-API mechanism OID, so named's GSS library is reporting krb5 itself as
# unsupported — that points at the library set named was built against rather
# than at anything in this file (to confirm).
[libdefaults]
default_realm = TEST.LAN
# Realm is fixed above; do not derive it from DNS TXT records.
dns_lookup_realm = false
# KDC is located through the _kerberos._tcp SRV records — the very records
# samba_dnsupdate fails to register here — so Kerberos on this host depends on
# those records existing (or on an explicit [realms] kdc = entry).
dns_lookup_kdc = true
# Fragment of /etc/namedb/named.conf; the enclosing options { } is not shown.
# Keytab named uses to accept GSS-TSIG updates. It is root:bind 0640 on this
# host, so named has to run as the bind user to read it.
tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
# Samba-provisioned BIND configuration (the dlz block that follows is
# presumably that file's content).
include "/var/db/samba4/private/named.conf";
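# DLZ zone backed by Samba's AD database through the dlz_bind9 module.
# Exactly one database line must be active and it must match the running BIND
# major version; named -V on this host reports 9.9.3-P2, so the _9 module is the
# right one. As pasted, both lines were commented out, leaving the zone without
# a backend.
# "-d 3" is the module's debug level: verbose, for troubleshooting only.
dlz "AD DNS Zone" {
# For BIND 9.8.0
#database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9.so -d 3";
# For BIND 9.9.0
database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_9.so -d 3";
};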
# /etc/rc.conf additions for the Samba AD DC and BIND 9.9 from ports.
samba4_enable="YES"
# Left commented, so the rc script's default named binary is started.
#named_program="/usr/local/sbin/named"
named_enable="YES"
# An empty named_chrootdir disables the chroot that FreeBSD's rc.d/named applies
# by default, so named sees the whole filesystem — presumably needed so it can
# dlopen the DLZ module and open /var/db/samba4/private (confirm). The remaining
# confinement is the process user: the keytab is root:bind 0640, so named is
# expected to run as bind.
named_chrootdir=""
root@smbtest:/usr/ports/dns/bind99 # smbclient -L \\smbtest.test.lan -U administrator
Enter administrator's password:
Domain=[TEST] OS=[Unix] Server=[Samba 4.0.8]
Sharename Type Comment
--------- ---- -------
netlogon Disk
sysvol Disk
IPC$ IPC IPC Service (Samba 4.0.8)
Domain=[TEST] OS=[Unix] Server=[Samba 4.0.8]
Server Comment
--------- -------
Workgroup Master
--------- -------
root@smbtest:/usr/ports/dns/bind99 # kinit administrator@TEST.LAN
administrator@TEST.LAN's Password:
root@smbtest:/usr/ports/dns/bind99 # klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: administrator@TEST.LAN
Issued Expires Principal
Aug 18 20:06:48 Aug 19 06:06:48 krbtgt/TEST.LAN@TEST.LAN
root@smbtest:/usr/ports/dns/bind99 # samba_dnsupdate --verbose --all-names
IPs: ['10.10.77.123']
Calling nsupdate for A test.lan 10.10.77.123
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
test.lan. 900 IN A 10.10.77.123
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A smbtest.test.lan 10.10.77.123
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
smbtest.test.lan. 900 IN A 10.10.77.123
update failed: REFUSED
Failed nsupdate: 2
....
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: GSS server Update(krb5)(1) Update failed: An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: spnego update failed
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: GSS server Update(krb5)(1) Update failed: An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: spnego update failed
An unsupported mechanism was requested
root@smbtest:/usr/ports/dns/bind99 # named -V
BIND 9.9.3-P2 (Extended Support Version) <id:d8a6fe8b> built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--without-python' '--with-openssl=/usr' '--with-libxml2=/usr/local' '--without-idn' '--enable-largefile' '--with-dlz-stub=yes' '--enable-threads' '--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info/' '--build=x86_64-portbld-freebsd9.1' 'build_alias=x86_64-portbld-freebsd9.1' 'CC=cc' 'CFLAGS=-O2 -pipe -fno-strict-aliasing' 'LDFLAGS= -Wl,-rpath=/usr/lib:/usr/local/lib' 'CPPFLAGS=' 'CPP=cpp'
using OpenSSL version: OpenSSL 0.9.8x 10 May 2012
using libxml2 version: 2.8.0
root@smbtest:/usr/ports/dns/bind99 # ldd /usr/sbin/named
/usr/sbin/named:
libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x800a74000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0x800c8e000)
libxml2.so.5 => /usr/local/lib/libxml2.so.5 (0x80102f000)
libz.so.6 => /lib/libz.so.6 (0x801383000)
libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x801597000)
libm.so.5 => /lib/libm.so.5 (0x801893000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x801ab4000)
libthr.so.3 => /lib/libthr.so.3 (0x801cc1000)
libc.so.7 => /lib/libc.so.7 (0x801ee3000)
libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x802236000)
libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x80243f000)
libhx509.so.10 => /usr/lib/libhx509.so.10 (0x8026af000)
libroken.so.10 => /usr/lib/libroken.so.10 (0x8028ef000)
libasn1.so.10 => /usr/lib/libasn1.so.10 (0x802b01000)
libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x802d83000)
libcrypt.so.5 => /lib/libcrypt.so.5 (0x802f85000)
liblzma.so.5 => /usr/lib/liblzma.so.5 (0x8031a4000)
root@smbtest:/usr/ports/dns/bind99 # ldd /usr/bin/nsupdate
/usr/bin/nsupdate:
libreadline.so.8 => /lib/libreadline.so.8 (0x8009f4000)
libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x800c34000)
libcrypto.so.6 => /lib/libcrypto.so.6 (0x800e4e000)
libxml2.so.5 => /usr/local/lib/libxml2.so.5 (0x8011ef000)
libz.so.6 => /lib/libz.so.6 (0x801543000)
libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x801757000)
libm.so.5 => /lib/libm.so.5 (0x801a53000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x801c74000)
libthr.so.3 => /lib/libthr.so.3 (0x801e81000)
libc.so.7 => /lib/libc.so.7 (0x8020a3000)
libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x8023f6000)
libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x8025ff000)
libncurses.so.8 => /lib/libncurses.so.8 (0x80286f000)
libhx509.so.10 => /usr/lib/libhx509.so.10 (0x802abd000)
libroken.so.10 => /usr/lib/libroken.so.10 (0x802cfd000)
libasn1.so.10 => /usr/lib/libasn1.so.10 (0x802f0f000)
libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x803191000)
libcrypt.so.5 => /lib/libcrypt.so.5 (0x803393000)
liblzma.so.5 => /usr/lib/liblzma.so.5 (0x8035b2000)
CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \
--disable-symtable \
--with-randomdev=/dev/random \
--without-python --with-dlopen=yes --with-gssapi=/usr/include/gssapi
root@smbtest:/usr/ports/misc/mc # samba_dnsupdate --verbose --all-names
IPs: ['10.10.77.123']
Calling nsupdate for A test.lan 10.10.77.123
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
test.lan. 900 IN A 10.10.77.123
update failed: REFUSED
Failed nsupdate: 2
Sep 1 21:47:10 smbtest named[28925]: samba_dlz: GSS server Update(krb5)(1) Update failed: An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
Sep 1 21:47:10 smbtest named[28925]: samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Sep 1 21:47:10 smbtest named[28925]: samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
Sep 1 21:47:10 smbtest named[28925]: samba_dlz: spnego update failed
named -V
shows:BIND 9.9.3-P2 (Extended Support Version) <id:d8a6fe8b> built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--without-python' '--with-dlopen=yes' '--with-gssapi=/usr/include/gssapi' '--with-openssl=/usr' '--with-libxml2=/usr/local' '--without-idn' '--enable-threads' '--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info/' '--build=x86_64-portbld-freebsd9.1' 'build_alias=x86_64-portbld-freebsd9.1' 'CC=cc' 'CFLAGS=-O2 -pipe -fno-strict-aliasing' 'LDFLAGS= -Wl,-rpath=/usr/lib:/usr/local/lib' 'CPPFLAGS=' 'CPP=cpp'
using OpenSSL version: OpenSSL 0.9.8y 5 Feb 2013
using libxml2 version: 2.8.0
┌─────────────────────────────── samba4-4.0.8 ─────────────────────────────────┐
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ [x] ACL_SUPPORT File system ACL support │ │
│ │ [x] ADS Active Directory support │ │
│ │ [x] AIO_SUPPORT Asyncronous IO support │ │
│ │ [ ] AVAHI Zeroconf support via Avahi │ │
│ │ [ ] CUPS CUPS printing system support │ │
│ │ [x] DEBUG With debug information in the binaries │ │
│ │ [ ] DEVELOPER With development support │ │
│ │ [x] DNSUPDATE Dynamic DNS update(require ADS) │ │
│ │ [ ] EXP_MODULES Experimental modules │ │
│ │ [x] FAM_SUPPORT File Alteration Monitor support │ │
│ │ [ ] LDAP LDAP support │ │
│ │ [ ] MANPAGES Build and/or install manual pages │ │
│ │ [x] PAM_SMBPASS PAM authentication via passdb backends │ │
│ │ [x] PTHREADPOOL Pthread pool │ │
│ │ [ ] QUOTAS Disk quota support │ │
│ │ [ ] SWAT SWAT WebGUI │ │
│ │ [x] SYSLOG Syslog support │ │
│ │ [ ] UTMP UTMP accounting support │ │
│ │ [x] WINBIND WinBIND support │ │
│ │─────────────────────────────────── DNS ──────────────────────────────────│ │
│ │ ( ) NSUPDATE Use internal DNS with NSUPDATE utility │ │
│ │ ( ) BIND98 Use bind98 as a DNS server frontend │ │
│ │ (*) BIND99 Use bind99 as a DNS server frontend │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
┌─────────────────────────── bind99-base-9.9.3.2 ──────────────────────────────┐
│ ┌──────────────────────────────────────────────────────────────────────────┐ │
│ │ [ ] FIXED_RRSET Enable fixed rrset ordering │ │
│ │ [ ] IDN International Domain Names support │ │
│ │ [ ] IPV6 IPv6 protocol support │ │
│ │ [ ] LARGE_FILE 64-bit file support │ │
│ │ [x] LINKS Create conf file symlinks in /usr │ │
│ │ [x] REPLACE_BASE Replace base BIND with this version │ │
│ │ [ ] RPZRRL_PATCH RPZ improvements + RRL patch (experimental) │ │
│ │ [ ] RPZ_NSDNAME Enable RPZ NSDNAME policy records │ │
│ │ [ ] RPZ_NSIP Enable RPZ NSIP trigger rules │ │
│ │ [ ] SIGCHASE dig/host/nslookup will do DNSSEC validation │ │
│ │ [x] SSL Build with OpenSSL (Required for DNSSEC) │ │
│ │ [x] THREADS Threading support │ │
│ │ [x] XML Support for xml statistics output │ │
│ │──────────────────────── Dynamically Loadable Zones ──────────────────────│ │
│ │ [ ] DLZ_POSTGRESQL DLZ Postgres driver │ │
│ │ [ ] DLZ_MYSQL DLZ MySQL driver (no threading) │ │
│ │ [ ] DLZ_BDB DLZ BDB driver │ │
│ │ [ ] DLZ_LDAP DLZ LDAP driver │ │
│ │ [ ] DLZ_FILESYSTEM DLZ filesystem driver │ │
│ │ [ ] DLZ_STUB DLZ stub driver │ │
│ └──────────────────────────────────────────────────────────────────────────┘ │
├──────────────────────────────────────────────────────────────────────────────┤
CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \
--disable-symtable \
--with-randomdev=/dev/random \
--without-python --with-dlopen=yes --with-gssapi=/usr/include/gssapi
root@smbtest:/usr/ports/dns/bind99 # pkg_version -v
autoconf-2.69 = up-to-date with port
autoconf-wrapper-20130530 = up-to-date with port
bind99-base-9.9.3.2 = up-to-date with port
ca_root_nss-3.15.1_1 = up-to-date with port
cyrus-sasl-2.1.26_2 = up-to-date with port
dialog4ports-0.1.5_1 = up-to-date with port
gamin-0.1.10_6 = up-to-date with port
gettext-0.18.3 = up-to-date with port
glib-2.36.3 = up-to-date with port
gmake-3.82_1 = up-to-date with port
gmp-5.1.2 = up-to-date with port
gnutls-2.12.23_1 = up-to-date with port
help2man-1.43.3 = up-to-date with port
ldb-1.1.16 = up-to-date with port
libexecinfo-1.1_3 = up-to-date with port
libffi-3.0.13 = up-to-date with port
libgcrypt-1.5.3 = up-to-date with port
libgpg-error-1.12 = up-to-date with port
libiconv-1.14_1 = up-to-date with port
libinotify-20110829 = up-to-date with port
libssh2-1.4.3_1,2 = up-to-date with port
libsunacl-1.0 = up-to-date with port
libtasn1-2.14 = up-to-date with port
libtool-2.4.2_1 = up-to-date with port
libxml2-2.8.0_2 = up-to-date with port
m4-1.4.16_1,1 = up-to-date with port
mc-4.8.8 = up-to-date with port
nettle-2.7.1 = up-to-date with port
openldap-client-2.4.36 = up-to-date with port
p11-kit-0.16.3 = up-to-date with port
p5-Locale-gettext-1.05_3 = up-to-date with port
p5-Parse-Pidl-4.0.8 = up-to-date with port
p5-Parse-Yapp-1.05 = up-to-date with port
pcre-8.33 = up-to-date with port
perl-threaded-5.18.1 = up-to-date with port
pkgconf-0.9.3 = up-to-date with port
popt-1.16 = up-to-date with port
python-2.7_1,2 = up-to-date with port
python2-2 = up-to-date with port
python27-2.7.5_2 = up-to-date with port
samba4-4.0.8 = up-to-date with port
talloc-2.0.8 = up-to-date with port
tdb-1.2.12,1 = up-to-date with port
tevent-0.9.18 = up-to-date with port
klist -k dns.keytab
to get those options. options
section of /etc/namedb/named.conf tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
include "/var/db/samba4/private/named.conf";
klist -k dns.keytab
prints only usage information because the command options are wrong. ktutil -k /var/db/samba4/private/dns.keytab list
, with that, you can now get those values. Sorry again.
root@smbtest:/root # ktutil -k /var/db/samba4/private/dns.keytab list
/var/db/samba4/private/dns.keytab:
Vno Type Principal
1 des-cbc-crc DNS/smbtest.test.lan@TEST.LAN
1 des-cbc-crc dns-smbtest@TEST.LAN
1 des-cbc-md5 DNS/smbtest.test.lan@TEST.LAN
1 des-cbc-md5 dns-smbtest@TEST.LAN
1 arcfour-hmac-md5 DNS/smbtest.test.lan@TEST.LAN
1 arcfour-hmac-md5 dns-smbtest@TEST.LAN
1 aes128-cts-hmac-sha1-96 DNS/smbtest.test.lan@TEST.LAN
1 aes128-cts-hmac-sha1-96 dns-smbtest@TEST.LAN
1 aes256-cts-hmac-sha1-96 DNS/smbtest.test.lan@TEST.LAN
1 aes256-cts-hmac-sha1-96 dns-smbtest@TEST.LAN
// options { } fragment: only the GSS-TSIG settings are shown ("..." is the
// poster's elision, not configuration).
options {
...
// Kerberos principal named acquires to answer GSS-TSIG key negotiation. The
// BIND 9.9 ARM describes this credential as coming from the default system
// keytab (/etc/krb5.keytab) unless tkey-gssapi-keytab is set — presumably why
// /etc/krb5.keytab is symlinked to Samba's dns.keytab later in the thread.
// The principal does exist in that keytab (see the ktutil listing).
tkey-gssapi-credential "DNS/smbtest.test.lan@TEST.LAN";
// Realm for GSS-TSIG; must match the realm of the principal above.
tkey-domain "TEST.LAN";
...
}
root@smbtest:/root # ls -l /etc/k*
-rw-r--r-- 1 root wheel 89 Aug 18 20:04 /etc/krb5.conf
lrwxr-xr-x 1 root wheel 33 Sep 10 22:34 /etc/krb5.keytab -> /var/db/samba4/private/dns.keytab
# Samba AD DLZ backend with the 9.9 module active (named -V reports 9.9.3-P2).
# "-d 3" raises the module's debug level; the samba_dlz lines in the log come
# from it. Drop the flag once the GSS-TSIG problem is solved.
dlz "AD DNS Zone" {
# For BIND 9.8.0
# database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9.so";
# For BIND 9.9.0
database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_9.so -d 3";
};
# options { } lines for GSS-TSIG (the enclosing block is not shown here).
# Both the keytab and an explicit credential are set. Per the BIND 9.9 ARM the
# keytab alone is sufficient, in which case any principal in the keytab may sign
# updates; with the credential also set, GSS-TSIG is pinned to this one
# principal. Either policy works — keep the one intended, and confirm the
# principal exists in the keytab (the ktutil listing shows
# DNS/smbtest.test.lan@TEST.LAN does).
tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
tkey-gssapi-credential "DNS/smbtest.test.lan@TEST.LAN";
tkey-domain "TEST.LAN";
smbtest named[893]: samba_dlz: GSS server Update(krb5)(1) Update failed: An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
#/usr/local/samba/sbin/samba_dnsupdate --verbose --all-names
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.dc._msdcs.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.gc._msdcs.acme.internal. 900 IN SRV 0 100 3268 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.74dad51c-fd6e-42f6-aee2-f04a58242149.domains._msdcs.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.74dad51c-fd6e-42f6-aee2-f04a58242149.domains._msdcs.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.acme.internal. 900 IN SRV 0 100 3268 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.acme.internal. 900 IN SRV 0 100 3268 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Failed update of 21 entries
root@acme-DC1:/root #
root@acme-DC1:/root # /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names
IPs: ['192.168.1.5']
Calling nsupdate for A acme.internal 192.168.1.5
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
acme.internal. 900 IN A 192.168.1.5
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A acme-dc1.acme.internal 192.168.1.5
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
acme-dc1.acme.internal. 900 IN A 192.168.1.5
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A gc._msdcs.acme.internal 192.168.1.5
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.acme.internal. 900 IN A 192.168.1.5
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for CNAME a3d07326-3068-4a13-b881-d802b427c479._msdcs.acme.internal acme-dc1.acme.internal
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
a3d07326-3068-4a13-b881-d802b427c479._msdcs.acme.internal. 900 IN CNAME acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._tcp.acme.internal acme-dc1.acme.internal 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.acme.internal. 900 IN SRV 0 100 464 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._udp.acme.internal acme-dc1.acme.internal 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.acme.internal. 900 IN SRV 0 100 464 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.acme.internal acme-dc1.acme.internal 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.acme.internal. 900 IN SRV 0 100 88 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.acme.internal acme-dc1.acme.internal 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.acme.internal. 900 IN SRV 0 100 88 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.acme.internal acme-dc1.acme.internal 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.acme.internal. 900 IN SRV 0 100 88 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.acme.internal acme-dc1.acme.internal 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.acme.internal. 900 IN SRV 0 100 88 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._udp.acme.internal acme-dc1.acme.internal 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.acme.internal. 900 IN SRV 0 100 88 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.acme.internal. 900 IN SRV 0 100 3268 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.pdc._msdcs.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.dc._msdcs.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.gc._msdcs.acme.internal. 900 IN SRV 0 100 3268 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.74dad51c-fd6e-42f6-aee2-f04a58242149.domains._msdcs.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.74dad51c-fd6e-42f6-aee2-f04a58242149.domains._msdcs.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.acme.internal. 900 IN SRV 0 100 3268 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.acme.internal. 900 IN SRV 0 100 3268 acme-dc1.acme.internal.
update failed: REFUSED
Failed nsupdate: 2
Failed update of 21 entries
root@acme-DC1:/root #
options {
// All file and path names are relative to the chroot directory,
// if any, and should be fully qualified.
directory "/etc/namedb/working";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
// From FreeBSD's stock named.conf: do not synthesize the broadcast and
// unspecified-address reverse zones.
disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
// GSS-TSIG for Samba's dynamic updates. The keytab is root:bind 0640, so named
// must run as bind. The same file is also symlinked from /etc/krb5.keytab,
// which makes the DNS service key the default host keytab for every Kerberos
// consumer on this box — review whether that is intended. The keytab further
// holds single-DES entries (des-cbc-crc, des-cbc-md5), obsolete enctypes worth
// removing once updates work.
tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
// With the keytab set, the BIND 9.9 ARM documents the explicit credential as
// optional; here it pins GSS-TSIG to the DNS/ principal.
tkey-gssapi-credential "DNS/smbtest.test.lan@TEST.LAN";
tkey-domain "TEST.LAN";
// No listen-on / allow-query / allow-recursion is set, so BIND's defaults apply
// on all interfaces; if recursion stays enabled, consider limiting it to the
// internal networks this DC serves.
# auth-nxdomain yes;
};
// Root hints plus the localhost/loopback forward and reverse zones from
// FreeBSD's stock named.conf. The 255. and 0. reverse zones are served from
// empty.db so such queries are answered locally instead of being sent upstream.
zone "." { type hint; file "/etc/namedb/named.root"; };
zone "localhost" { type master; file "/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "/etc/namedb/master/localhost-reverse.db"; };
zone "255.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "0.ip6.arpa" { type master; file "/etc/namedb/master/localhost-reverse.db"; };
zone "0.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
// Samba's provisioned BIND configuration.
// NOTE(review): Samba normally generates this file with the very same
// dlz "AD DNS Zone" block that follows (one database line per BIND version).
// If the included file still defines it, the zone is declared twice; keep the
// definition in exactly one place — confirm which file owns it.
include "/var/db/samba4/private/named.conf";
# AD zone data served from Samba's database through the DLZ module (the
# private/dns/sam.ldb copy is group-writable by bind for that purpose).
# "-d 3" is the module debug level, troubleshooting only.
dlz "AD DNS Zone" {
# For BIND 9.8.0
# database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9.so";
# For BIND 9.9.0
database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_9.so -d 3";
};
# Kerberos client defaults. Both /etc/krb5.conf and Samba's
# /var/db/samba4/private/krb5.conf are 89 bytes in the ls output, so this is
# presumably the same content in both places (confirm).
[libdefaults]
# Realm is fixed; no TXT-record lookup for it.
default_realm = TEST.LAN
dns_lookup_realm = false
# KDC discovery relies on the _kerberos._tcp SRV records that samba_dnsupdate
# is supposed to register — while those updates fail, this lookup depends on
# whatever was registered earlier.
dns_lookup_kdc = true
samba_dnsupdate
but samba-tool
writes the correct DLZ information even on new and manually added hosts. I'm using BIND99 from ports without base replacement and adjusted smb4.conf:
nsupdate command = /usr/local/bin/nsupdate -g
truss
would help - but where to start in this case? Does the message indicate a problem with the Kerberos libraries, or something behind BIND and Samba?
smbtest named[893]: samba_dlz: GSS server Update(krb5)(1) Update failed: An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
tkey-gssapi-credential "DNS/smbtest.test.lan@TEST.LAN";
tkey-domain "TEST.LAN";
herles said: @von_Gaden, did you solve it?
smbtest named[893]: samba_dlz: GSS server Update(krb5)(1) Update failed: An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
igorino said: Maybe it is an issue with DNSSEC? Try disabling it: in named.conf, put these lines inside the options section:
dnssec-enable no; dnssec-lookaside auto;
What about setting it explicitly?
auth-nxdomain no;
root@smbtest:/root # ls -l /var/db/samba4/private/
total 12088
drwxrwx--- 3 root bind 512 Sep 1 21:29 dns
-rw-r----- 1 root bind 712 Sep 1 21:29 dns.keytab
-rw-r--r-- 1 root wheel 2270 Sep 1 21:29 dns_update_list
-rw------- 1 root wheel 1286144 Sep 1 21:29 hklm.ldb
-rw------- 1 root wheel 1609728 Sep 15 15:19 idmap.ldb
-rw-r--r-- 1 root wheel 89 Sep 1 21:29 krb5.conf
.....
root@smbtest:/root # ls -l /var/db/samba4/private/dns
total 3012
-rw-rw---- 1 root bind 3018752 Sep 1 21:29 sam.ldb
drwxrwx--- 2 root bind 512 Sep 1 21:29 sam.ldb.d