Samba4 Install Guide (Problems with Kerberos)

Will Samba 4 eventually work with FreeBSD's natively installed bind? If not, is there a workaround to make it work in this manner?
 
I don't think Samba4 will work with built-in BIND. But this shouldn't be a concern since we have BIND 9.8 and 9.9 from Ports.

And here is my problem: I can't get BIND 9 DLZ dynamic updates to work with Samba. Here are my details. I use /usr/ports/dns/bind99. In my test environment I found that it's much easier to set the REPLACE_BASE option during BIND installation. All files were generated by the Samba4 provision script:
/usr/local/etc/smb4.conf
Code:
[global]
        workgroup = TEST
        realm = TEST.LAN
        netbios name = SMBTEST
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

[netlogon]
        path = /var/db/samba4/sysvol/test.lan/scripts
        read only = No

[sysvol]
        path = /var/db/samba4/sysvol
        read only = No

/etc/krb5.conf - a copy of /var/db/samba4/private/krb5.conf
Code:
[libdefaults]
        default_realm = TEST.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true

Additions to /etc/namedb/named.conf
  1. in the options section:
    Code:
            tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
  2. At the bottom of the file:
    Code:
    include "/var/db/samba4/private/named.conf";
/var/db/samba4/private/named.conf
Code:
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    #database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9.so -d 3";

    # For BIND 9.9.0
    database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_9.so -d 3";
};
You can see the debug option added to the DLZ modules; I've tested with both BIND 9.8 and 9.9.

In /etc/rc.conf
Code:
samba4_enable="YES"
#named_program="/usr/local/sbin/named"
named_enable="YES"
named_chrootdir=""
Everything seems to work:
Code:
root@smbtest:/usr/ports/dns/bind99 # smbclient -L \\smbtest.test.lan -U administrator
Enter administrator's password:
Domain=[TEST] OS=[Unix] Server=[Samba 4.0.8]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.0.8)
Domain=[TEST] OS=[Unix] Server=[Samba 4.0.8]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
root@smbtest:/usr/ports/dns/bind99 # kinit administrator@TEST.LAN
administrator@TEST.LAN's Password:
root@smbtest:/usr/ports/dns/bind99 # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@TEST.LAN

  Issued           Expires          Principal
Aug 18 20:06:48  Aug 19 06:06:48  krbtgt/TEST.LAN@TEST.LAN
except dynamic DNS updates:
Code:
root@smbtest:/usr/ports/dns/bind99 # samba_dnsupdate --verbose --all-names
IPs: ['10.10.77.123']
Calling nsupdate for A test.lan 10.10.77.123
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
test.lan.               900     IN      A       10.10.77.123

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A smbtest.test.lan 10.10.77.123
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
smbtest.test.lan.       900     IN      A       10.10.77.123

update failed: REFUSED
Failed nsupdate: 2
....
In /var/log/messages I get:
Code:
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: GSS server Update(krb5)(1) Update failed:  An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: spnego update failed
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: GSS server Update(krb5)(1) Update failed:  An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: spnego update failed
So I guess the problem is indicated by "An unsupported mechanism was requested".
I think I might have missed something in the BIND build process, so here is the output of ldd:
Code:
root@smbtest:/usr/ports/dns/bind99 # named -V
BIND 9.9.3-P2 (Extended Support Version) <id:d8a6fe8b> built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--without-python' '--with-openssl=/usr' '--with-libxml2=/usr/local' '--without-idn' '--enable-largefile' '--with-dlz-stub=yes' '--enable-threads' '--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info/' '--build=x86_64-portbld-freebsd9.1' 'build_alias=x86_64-portbld-freebsd9.1' 'CC=cc' 'CFLAGS=-O2 -pipe -fno-strict-aliasing' 'LDFLAGS= -Wl,-rpath=/usr/lib:/usr/local/lib' 'CPPFLAGS=' 'CPP=cpp'
using OpenSSL version: OpenSSL 0.9.8x 10 May 2012
using libxml2 version: 2.8.0
root@smbtest:/usr/ports/dns/bind99 # ldd /usr/sbin/named
/usr/sbin/named:
        libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x800a74000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x800c8e000)
        libxml2.so.5 => /usr/local/lib/libxml2.so.5 (0x80102f000)
        libz.so.6 => /lib/libz.so.6 (0x801383000)
        libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x801597000)
        libm.so.5 => /lib/libm.so.5 (0x801893000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x801ab4000)
        libthr.so.3 => /lib/libthr.so.3 (0x801cc1000)
        libc.so.7 => /lib/libc.so.7 (0x801ee3000)
        libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x802236000)
        libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x80243f000)
        libhx509.so.10 => /usr/lib/libhx509.so.10 (0x8026af000)
        libroken.so.10 => /usr/lib/libroken.so.10 (0x8028ef000)
        libasn1.so.10 => /usr/lib/libasn1.so.10 (0x802b01000)
        libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x802d83000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x802f85000)
        liblzma.so.5 => /usr/lib/liblzma.so.5 (0x8031a4000)
root@smbtest:/usr/ports/dns/bind99 # ldd /usr/bin/nsupdate
/usr/bin/nsupdate:
        libreadline.so.8 => /lib/libreadline.so.8 (0x8009f4000)
        libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x800c34000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x800e4e000)
        libxml2.so.5 => /usr/local/lib/libxml2.so.5 (0x8011ef000)
        libz.so.6 => /lib/libz.so.6 (0x801543000)
        libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x801757000)
        libm.so.5 => /lib/libm.so.5 (0x801a53000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x801c74000)
        libthr.so.3 => /lib/libthr.so.3 (0x801e81000)
        libc.so.7 => /lib/libc.so.7 (0x8020a3000)
        libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x8023f6000)
        libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x8025ff000)
        libncurses.so.8 => /lib/libncurses.so.8 (0x80286f000)
        libhx509.so.10 => /usr/lib/libhx509.so.10 (0x802abd000)
        libroken.so.10 => /usr/lib/libroken.so.10 (0x802cfd000)
        libasn1.so.10 => /usr/lib/libasn1.so.10 (0x802f0f000)
        libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x803191000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x803393000)
        liblzma.so.5 => /usr/lib/liblzma.so.5 (0x8035b2000)

I've checked everything at least three times, but probably I'm missing something... I'll be very thankful for any help.
 
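The post above interleaves two sources of evidence: the nsupdate transcript that samba_dnsupdate prints (every record ends in REFUSED) and the samba_dlz lines named writes to syslog (a GSS error for mechanism 1.2.840.113554.1.2.2, which is the Kerberos V5 OID). The following triage script is an added example, not code from this thread, Samba or ISC BIND; it parses both, counts failures per record type and rcode, maps the GSS display string to its major status, and states at which layer the refusal happened. The regexes are written against the exact log formats quoted above, the sample input is constructed from those excerpts, and the mapping of "An unsupported mechanism was requested" to GSS_S_BAD_MECH is the standard GSS-API display text.

```python
"""Triage for failed `samba_dnsupdate --verbose --all-names` runs against BIND9 DLZ.

Added example; not code from the forum thread, Samba or ISC BIND. It pairs the
nsupdate transcript that samba_dnsupdate prints with the `samba_dlz:` lines that
named writes to syslog and says what failed and at which layer.
"""
import re
from collections import Counter

# GSS-API mechanism OIDs in the space-separated form Heimdal prints them.
KNOWN_MECHS = {
    "1 2 840 113554 1 2 2": "Kerberos V5 (RFC 1964)",
    "1 3 6 1 5 5 2": "SPNEGO (RFC 4178)",
}
# GSS-API major-status display strings -> symbolic status (extend as needed).
GSS_STATUS_TEXT = {"An unsupported mechanism was requested": "GSS_S_BAD_MECH"}

CALL_RE = re.compile(r"^Calling nsupdate for (\S+) (\S+)")
FAIL_RE = re.compile(r"^update failed: (\S+)")
GSS_RE = re.compile(r"samba_dlz: GSS server .*?Update failed:\s+(.*?): "
                    r"unknown mech-code (\d+) for mech ([\d ]+)$")
NT_RE = re.compile(r"samba_dlz: .*?(NT_STATUS_\w+)")


def parse_dnsupdate(output):
    """Return [(rrtype, owner, rcode_or_None), ...], one entry per nsupdate call."""
    records = []
    for line in output.splitlines():
        m = CALL_RE.match(line)
        if m:
            records.append([m.group(1), m.group(2), None])
            continue
        m = FAIL_RE.match(line)
        if m and records:
            records[-1][2] = m.group(1)   # rcode belongs to the most recent call
    return [tuple(r) for r in records]


def parse_dlz_syslog(lines):
    """Return (gss_errors, nt_statuses) found in samba_dlz syslog lines."""
    gss, nt = [], []
    for line in lines:
        m = GSS_RE.search(line)
        if m:
            text, oid = m.group(1).strip(), m.group(3).strip()
            gss.append((GSS_STATUS_TEXT.get(text, text), KNOWN_MECHS.get(oid, oid)))
            continue
        m = NT_RE.search(line)
        if m:
            nt.append(m.group(1))
    return gss, nt


def summarise(dnsupdate_output, syslog_lines):
    """Combine both sources into counts plus a one-line verdict."""
    records = parse_dnsupdate(dnsupdate_output)
    failed = [r for r in records if r[2]]
    gss, nt = parse_dlz_syslog(syslog_lines)
    rcodes = {r[2] for r in failed}
    if not failed:
        verdict = "all updates succeeded"
    elif rcodes == {"REFUSED"} and gss:
        # samba_dlz logged a GSS error while validating the signer's token; the
        # REFUSED rcode is the consequence, so zone ACLs are not the place to look.
        verdict = ("REFUSED after samba_dlz failed to verify the client's GSS token: "
                   "%s for %s" % gss[0])
    elif rcodes == {"REFUSED"}:
        verdict = "REFUSED without samba_dlz errors: check the DLZ module is loaded and the zone exists"
    else:
        verdict = "mixed rcodes: " + ", ".join(sorted(rcodes))
    return {
        "attempted": len(records),
        "failed": len(failed),
        "rcodes": dict(Counter(r[2] for r in failed)),
        "failed_types": dict(Counter(r[0] for r in failed)),
        "gss_errors": dict(Counter(gss)),
        "nt_status": dict(Counter(nt)),
        "verdict": verdict,
    }


# Constructed sample input, cut down from the output quoted in the thread.
SAMPLE_DNSUPDATE = """IPs: ['10.10.77.123']
Calling nsupdate for A test.lan 10.10.77.123
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; UPDATE SECTION:
test.lan.               900     IN      A       10.10.77.123

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A smbtest.test.lan 10.10.77.123
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.test.lan smbtest.test.lan 389
update failed: REFUSED
Failed nsupdate: 2
Failed update of 3 entries
"""
SAMPLE_SYSLOG = [
    "Aug 18 20:08:06 smbtest named[22937]: samba_dlz: GSS server Update(krb5)(1) Update failed:  "
    "An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2",
    "Aug 18 20:08:06 smbtest named[22937]: samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE",
    "Aug 18 20:08:06 smbtest named[22937]: samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE",
    "Aug 18 20:08:06 smbtest named[22937]: samba_dlz: spnego update failed",
]

if __name__ == "__main__":
    for k, v in summarise(SAMPLE_DNSUPDATE, SAMPLE_SYSLOG).items():
        print("%-13s %s" % (k, v))
```

On a real box feed it `samba_dnsupdate --verbose --all-names 2>&1` and `grep samba_dlz /var/log/messages`; the point of the verdict is to separate "named refused because the GSS handshake failed" from "named refused because the zone or policy is wrong", since both show up as plain REFUSED on the client.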
For what it is worth, I had to add a couple of options to BIND before building it:

In /usr/ports/dns/bind99/Makefile:

Code:
CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \
                --disable-symtable \
                --with-randomdev=/dev/random \
                --without-python --with-dlopen=yes --with-gssapi=/usr/include/gssapi
 
Thank you very much for your reply!

I tried that but with no effect. To be sure I rebuilt all packages, bind99 with modified Makefile. But dynamic updates fail the same way:
Code:
root@smbtest:/usr/ports/misc/mc # samba_dnsupdate --verbose --all-names
IPs: ['10.10.77.123']
Calling nsupdate for A test.lan 10.10.77.123
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
test.lan.               900     IN      A       10.10.77.123

update failed: REFUSED
Failed nsupdate: 2

in /var/log/messages
Code:
Sep  1 21:47:10 smbtest named[28925]: samba_dlz: GSS server Update(krb5)(1) Update failed:  An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
Sep  1 21:47:10 smbtest named[28925]: samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Sep  1 21:47:10 smbtest named[28925]: samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
Sep  1 21:47:10 smbtest named[28925]: samba_dlz: spnego update failed

named -V shows:
Code:
BIND 9.9.3-P2 (Extended Support Version) <id:d8a6fe8b> built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--without-python' '--with-dlopen=yes' '--with-gssapi=/usr/include/gssapi' '--with-openssl=/usr' '--with-libxml2=/usr/local' '--without-idn' '--enable-threads' '--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info/' '--build=x86_64-portbld-freebsd9.1' 'build_alias=x86_64-portbld-freebsd9.1' 'CC=cc' 'CFLAGS=-O2 -pipe -fno-strict-aliasing' 'LDFLAGS= -Wl,-rpath=/usr/lib:/usr/local/lib' 'CPPFLAGS=' 'CPP=cpp'
using OpenSSL version: OpenSSL 0.9.8y 5 Feb 2013
using libxml2 version: 2.8.0

I surely have a problem that is probably not common for most users of FreeBSD and Samba4. So here are my build options:
samba4
Code:
         ┌─────────────────────────────── samba4-4.0.8 ─────────────────────────────────┐
         │ ┌──────────────────────────────────────────────────────────────────────────┐ │
         │ │ [x] ACL_SUPPORT  File system ACL support                                 │ │
         │ │ [x] ADS          Active Directory support                                │ │
         │ │ [x] AIO_SUPPORT  Asyncronous IO support                                  │ │
         │ │ [ ] AVAHI        Zeroconf support via Avahi                              │ │
         │ │ [ ] CUPS         CUPS printing system support                            │ │
         │ │ [x] DEBUG        With debug information in the binaries                  │ │
         │ │ [ ] DEVELOPER    With development support                                │ │
         │ │ [x] DNSUPDATE    Dynamic DNS update(require ADS)                         │ │
         │ │ [ ] EXP_MODULES  Experimental modules                                    │ │
         │ │ [x] FAM_SUPPORT  File Alteration Monitor support                         │ │
         │ │ [ ] LDAP         LDAP support                                            │ │
         │ │ [ ] MANPAGES     Build and/or install manual pages                       │ │
         │ │ [x] PAM_SMBPASS  PAM authentication via passdb backends                  │ │
         │ │ [x] PTHREADPOOL  Pthread pool                                            │ │
         │ │ [ ] QUOTAS       Disk quota support                                      │ │
         │ │ [ ] SWAT         SWAT WebGUI                                             │ │
         │ │ [x] SYSLOG       Syslog support                                          │ │
         │ │ [ ] UTMP         UTMP accounting support                                 │ │
         │ │ [x] WINBIND      WinBIND support                                         │ │
         │ │─────────────────────────────────── DNS ──────────────────────────────────│ │
         │ │ ( ) NSUPDATE     Use internal DNS with NSUPDATE utility                  │ │
         │ │ ( ) BIND98       Use bind98 as a DNS server frontend                     │ │
         │ │ (*) BIND99       Use bind99 as a DNS server frontend                     │ │
         │ └──────────────────────────────────────────────────────────────────────────┘ │
         ├──────────────────────────────────────────────────────────────────────────────┤
bind99
Code:
         ┌─────────────────────────── bind99-base-9.9.3.2 ──────────────────────────────┐
         │ ┌──────────────────────────────────────────────────────────────────────────┐ │
         │ │ [ ] FIXED_RRSET     Enable fixed rrset ordering                          │ │
         │ │ [ ] IDN             International Domain Names support                   │ │
         │ │ [ ] IPV6            IPv6 protocol support                                │ │
         │ │ [ ] LARGE_FILE      64-bit file support                                  │ │
         │ │ [x] LINKS           Create conf file symlinks in /usr                    │ │
         │ │ [x] REPLACE_BASE    Replace base BIND with this version                  │ │
         │ │ [ ] RPZRRL_PATCH    RPZ improvements + RRL patch (experimental)          │ │
         │ │ [ ] RPZ_NSDNAME     Enable RPZ NSDNAME policy records                    │ │
         │ │ [ ] RPZ_NSIP        Enable RPZ NSIP trigger rules                        │ │
         │ │ [ ] SIGCHASE        dig/host/nslookup will do DNSSEC validation          │ │
         │ │ [x] SSL             Build with OpenSSL (Required for DNSSEC)             │ │
         │ │ [x] THREADS         Threading support                                    │ │
         │ │ [x] XML             Support for xml statistics output                    │ │
         │ │──────────────────────── Dynamically Loadable Zones ──────────────────────│ │
         │ │ [ ] DLZ_POSTGRESQL  DLZ Postgres driver                                  │ │
         │ │ [ ] DLZ_MYSQL       DLZ MySQL driver (no threading)                      │ │
         │ │ [ ] DLZ_BDB         DLZ BDB driver                                       │ │
         │ │ [ ] DLZ_LDAP        DLZ LDAP driver                                      │ │
         │ │ [ ] DLZ_FILESYSTEM  DLZ filesystem driver                                │ │
         │ │ [ ] DLZ_STUB        DLZ stub driver                                      │ │
         │ └──────────────────────────────────────────────────────────────────────────┘ │
         ├──────────────────────────────────────────────────────────────────────────────┤
in /usr/ports/dns/bind99/Makefile I have:
Code:
CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \
                --disable-symtable \
                --with-randomdev=/dev/random \
                --without-python --with-dlopen=yes --with-gssapi=/usr/include/gssapi

And all installed packages on my test machine are:
Code:
root@smbtest:/usr/ports/dns/bind99 # pkg_version -v
autoconf-2.69                       =   up-to-date with port
autoconf-wrapper-20130530           =   up-to-date with port
bind99-base-9.9.3.2                 =   up-to-date with port
ca_root_nss-3.15.1_1                =   up-to-date with port
cyrus-sasl-2.1.26_2                 =   up-to-date with port
dialog4ports-0.1.5_1                =   up-to-date with port
gamin-0.1.10_6                      =   up-to-date with port
gettext-0.18.3                      =   up-to-date with port
glib-2.36.3                         =   up-to-date with port
gmake-3.82_1                        =   up-to-date with port
gmp-5.1.2                           =   up-to-date with port
gnutls-2.12.23_1                    =   up-to-date with port
help2man-1.43.3                     =   up-to-date with port
ldb-1.1.16                          =   up-to-date with port
libexecinfo-1.1_3                   =   up-to-date with port
libffi-3.0.13                       =   up-to-date with port
libgcrypt-1.5.3                     =   up-to-date with port
libgpg-error-1.12                   =   up-to-date with port
libiconv-1.14_1                     =   up-to-date with port
libinotify-20110829                 =   up-to-date with port
libssh2-1.4.3_1,2                   =   up-to-date with port
libsunacl-1.0                       =   up-to-date with port
libtasn1-2.14                       =   up-to-date with port
libtool-2.4.2_1                     =   up-to-date with port
libxml2-2.8.0_2                     =   up-to-date with port
m4-1.4.16_1,1                       =   up-to-date with port
mc-4.8.8                            =   up-to-date with port
nettle-2.7.1                        =   up-to-date with port
openldap-client-2.4.36              =   up-to-date with port
p11-kit-0.16.3                      =   up-to-date with port
p5-Locale-gettext-1.05_3            =   up-to-date with port
p5-Parse-Pidl-4.0.8                 =   up-to-date with port
p5-Parse-Yapp-1.05                  =   up-to-date with port
pcre-8.33                           =   up-to-date with port
perl-threaded-5.18.1                =   up-to-date with port
pkgconf-0.9.3                       =   up-to-date with port
popt-1.16                           =   up-to-date with port
python-2.7_1,2                      =   up-to-date with port
python2-2                           =   up-to-date with port
python27-2.7.5_2                    =   up-to-date with port
samba4-4.0.8                        =   up-to-date with port
talloc-2.0.8                        =   up-to-date with port
tdb-1.2.12,1                        =   up-to-date with port
tevent-0.9.18                       =   up-to-date with port

Do I have to install some version of Kerberos, or do I have an error in the build options for BIND or Samba?

Thanks in advance for any help!
 
@von_Gaden,

Do you have the tkey-gssapi-credential and tkey-domain options configured in your named.conf in the options section? What about the KEYTAB_FILE and KRB5_KTNAME variables, do they return your dns.keytab correctly?
By the way, you can klist -k dns.keytab to get those options.
 
Actually no. According to the Samba4 Wiki and on-screen instructions after provisioning I have only the following in the options section of /etc/namedb/named.conf
Code:
        tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
and at the end of that file:
Code:
include "/var/db/samba4/private/named.conf";
klist -k dns.keytab prints only usage information, as if the command options were wrong.
 
Oops, so sorry @von_Gaden.

I'm just a little confused with the tools, the correct command is ktutil -k /var/db/samba4/private/dns.keytab list, with that now you can get those values. Sorry again.
 
Thank you very much for your cooperation! I'm sorry that I'm currently unable to implement an essential part of my services as Samba4. I have some sites where internal Samba DNS is almost safe to use but on several others I have a direct Internet connection to the server and BIND with proper ACLs seems the only reasonable choice.

I must admit Kerberos is currently blurred in the dark for me. The triple headed dog of Hades is frightening, isn't it?

So, here is my output:
Code:
root@smbtest:/root # ktutil -k /var/db/samba4/private/dns.keytab list
/var/db/samba4/private/dns.keytab:

Vno  Type                     Principal
  1  des-cbc-crc              DNS/smbtest.test.lan@TEST.LAN
  1  des-cbc-crc              dns-smbtest@TEST.LAN
  1  des-cbc-md5              DNS/smbtest.test.lan@TEST.LAN
  1  des-cbc-md5              dns-smbtest@TEST.LAN
  1  arcfour-hmac-md5         DNS/smbtest.test.lan@TEST.LAN
  1  arcfour-hmac-md5         dns-smbtest@TEST.LAN
  1  aes128-cts-hmac-sha1-96  DNS/smbtest.test.lan@TEST.LAN
  1  aes128-cts-hmac-sha1-96  dns-smbtest@TEST.LAN
  1  aes256-cts-hmac-sha1-96  DNS/smbtest.test.lan@TEST.LAN
  1  aes256-cts-hmac-sha1-96  dns-smbtest@TEST.LAN
I don't know if this is completely OK but it doesn't seem so broken to me.
 
Ok, make sure these lines are in your BIND9 named.conf:
Code:
options {
...
tkey-gssapi-credential "DNS/smbtest.test.lan@TEST.LAN";
tkey-domain "TEST.LAN";
...
}
Make a symlink of your /var/db/samba4/private/dns.keytab to the /etc/krb5.keytab file and a copy of /var/db/samba4/private/krb5.conf to /etc/krb5.conf just in case. Also, verify that your /var/db/samba4/private/named.conf is configured for the correct BIND9 version.
 
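The reply above is a checklist: tkey-gssapi-keytab, tkey-gssapi-credential and tkey-domain in the options block, a keytab that actually contains the credential principal, and a dlz fragment that points at the module for the installed BIND. The script below is an added example (not code from this thread, Samba or ISC) that mechanises those checks against the three inputs and adds two caveats a practitioner wants: the keytab printed earlier still carries single-DES and RC4 keys, which are deprecated (RFC 6649, RFC 8429), and the keytab must be readable by the user named runs as but by nobody else. It assumes the Heimdal `ktutil -k FILE list` column layout shown in the thread and line-style (`#`, `//`) comments in named.conf; the sample inputs are constructed from the thread's excerpts.

```python
"""Consistency checks for a BIND9 + Samba DLZ GSS-TSIG setup.

Added example; not code from the forum thread, Samba or ISC BIND. Given the
named.conf options block, the Samba-generated dlz fragment and the output of
`ktutil -k dns.keytab list` (Heimdal, as in FreeBSD base), it reports the
mismatches that stop GSS-TSIG updates and the weak keys the keytab carries.
"""
import re
import stat

TKEY_OPTS = ("tkey-gssapi-keytab", "tkey-gssapi-credential", "tkey-domain")
# Single-DES is deprecated by RFC 6649, RC4-HMAC by RFC 8429.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "arcfour-hmac-md5"}


def _strip_comment(line):
    """Drop the line-comment forms named.conf accepts (# and //)."""
    return re.sub(r"(#|//).*$", "", line).strip()


def parse_named_options(text):
    """Return the tkey-* options present; commented-out lines are ignored."""
    opts = {}
    pat = re.compile(r'(%s)\s+"([^"]+)"\s*;' % "|".join(TKEY_OPTS))
    for raw in text.splitlines():
        m = pat.match(_strip_comment(raw))
        if m:
            opts[m.group(1)] = m.group(2)
    return opts


def parse_dlz_fragment(text):
    """Return the active (uncommented) dlopen module paths in the dlz block."""
    found = (re.match(r'database\s+"dlopen\s+(\S+)', _strip_comment(l)) for l in text.splitlines())
    return [m.group(1) for m in found if m]


def parse_ktutil_list(text):
    """Parse Heimdal `ktutil -k FILE list` into {principal: {enctype, ...}}."""
    keys = {}
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+)\s+(\S+@\S+)\s*$", line)   # Vno Type Principal
        if m:
            keys.setdefault(m.group(2), set()).add(m.group(1))
    return keys


def keytab_mode_problems(st_mode):
    """named must read the keytab; nobody else should (pass os.stat(path).st_mode)."""
    problems = []
    if st_mode & stat.S_IROTH:
        problems.append("keytab is world-readable: any local user can take the DNS/ service key")
    if not st_mode & stat.S_IRGRP:
        problems.append("keytab is not group-readable: named can only open it if it runs as the owner")
    return problems


def check_setup(options_text, dlz_text, ktutil_text):
    """Return a list of problems; an empty list means the three inputs agree."""
    problems = []
    opts = parse_named_options(options_text)
    keys = parse_ktutil_list(ktutil_text)
    if "tkey-gssapi-keytab" not in opts:
        problems.append("tkey-gssapi-keytab is not set: named cannot accept GSS-TSIG at all")
    cred = opts.get("tkey-gssapi-credential")
    if cred:
        if cred not in keys:
            problems.append("tkey-gssapi-credential %s is not in the keytab" % cred)
        realm, dom = cred.rsplit("@", 1)[-1], opts.get("tkey-domain")
        if dom and dom.upper() != realm.upper():
            problems.append("tkey-domain %s does not match the credential realm %s" % (dom, realm))
    if not any(p.startswith("DNS/") for p in keys):
        problems.append("keytab has no DNS/<fqdn>@REALM service principal")
    for princ, encs in sorted(keys.items()):
        weak = sorted(encs & WEAK_ENCTYPES)
        if weak:
            problems.append("%s has weak enctypes in the keytab: %s" % (princ, ", ".join(weak)))
        if not any(e.startswith("aes") for e in encs):
            problems.append("%s has no AES key" % princ)
    mods = parse_dlz_fragment(dlz_text)
    if len(mods) != 1:
        problems.append("expected exactly one active dlopen database line, found %d" % len(mods))
    return problems


# Constructed samples, taken from the configuration quoted in the thread.
SAMPLE_OPTIONS = """options {
        tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
        tkey-gssapi-credential "DNS/smbtest.test.lan@TEST.LAN";
        tkey-domain "TEST.LAN";
#        auth-nxdomain yes;
};
"""
SAMPLE_DLZ = """dlz "AD DNS Zone" {
#   database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9.so";
    database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_9.so -d 3";
};
"""
SAMPLE_KTUTIL = """/var/db/samba4/private/dns.keytab:

Vno  Type                     Principal
  1  des-cbc-crc              DNS/smbtest.test.lan@TEST.LAN
  1  des-cbc-crc              dns-smbtest@TEST.LAN
  1  arcfour-hmac-md5         DNS/smbtest.test.lan@TEST.LAN
  1  arcfour-hmac-md5         dns-smbtest@TEST.LAN
  1  aes256-cts-hmac-sha1-96  DNS/smbtest.test.lan@TEST.LAN
  1  aes256-cts-hmac-sha1-96  dns-smbtest@TEST.LAN
"""

if __name__ == "__main__":
    for p in check_setup(SAMPLE_OPTIONS, SAMPLE_DLZ, SAMPLE_KTUTIL) + keytab_mode_problems(0o644):
        print("PROBLEM:", p)
```

Against the thread's own values the only findings are the weak enctypes on both principals, which is consistent with the poster's observation that the keytab "doesn't seem so broken": the configuration is internally consistent, so the failure has to be sought in the Kerberos/GSS libraries rather than in named.conf.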
Sorry for being away some days and thank you for your help. Sadly I couldn't succeed.

According to your instructions I have:
Code:
root@smbtest:/root # ls -l /etc/k*
-rw-r--r--  1 root  wheel  89 Aug 18 20:04 /etc/krb5.conf
lrwxr-xr-x  1 root  wheel  33 Sep 10 22:34 /etc/krb5.keytab -> /var/db/samba4/private/dns.keytab
/var/db/samba4/private/named.conf is configured for BIND 9.9 (as installed):
Code:
dlz "AD DNS Zone" {
    # For BIND 9.8.0
#    database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9.so";

    # For BIND 9.9.0
     database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_9.so -d 3";
};
and in /etc/namedb/named.conf in options I have:
Code:
        tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
        tkey-gssapi-credential "DNS/smbtest.test.lan@TEST.LAN";
        tkey-domain "TEST.LAN";
I noticed that BIND starts much slower when tkey-gssapi-credential is not commented out. Either way, the message about the unsupported mechanism is the same:
Code:
smbtest named[893]: samba_dlz: GSS server Update(krb5)(1) Update failed:  An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
 
Remember that BIND9 should not run in chroot. Maybe enabling DLZ_BDB, DLZ_FILESYSTEM and DLZ_STUB in your BIND9 should help too :).
 
Yes, it's not chrooted and I use replace_base. I rebuilt BIND99 with recommended DLZ modules but with no success. Dynamic updates still fail with the same error.
 
I have this issue:

#/usr/local/samba/sbin/samba_dnsupdate --verbose --all-names
Code:
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.dc._msdcs.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.gc._msdcs.acme.internal. 900 IN SRV 0 100 3268 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.74dad51c-fd6e-42f6-aee2-f04a58242149.domains._msdcs.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.74dad51c-fd6e-42f6-aee2-f04a58242149.domains._msdcs.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.acme.internal. 900  IN      SRV     0 100 3268 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.acme.internal. 900 IN SRV 0 100 3268 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Failed update of 21 entries
root@acme-DC1:/root #
root@acme-DC1:/root # /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names
IPs: ['192.168.1.5']
Calling nsupdate for A acme.internal 192.168.1.5
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
acme.internal.       900     IN      A       192.168.1.5

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A acme-dc1.acme.internal 192.168.1.5
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
acme-dc1.acme.internal. 900 IN    A       192.168.1.5

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A gc._msdcs.acme.internal 192.168.1.5
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.acme.internal. 900 IN      A       192.168.1.5

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for CNAME a3d07326-3068-4a13-b881-d802b427c479._msdcs.acme.internal acme-dc1.acme.internal
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
a3d07326-3068-4a13-b881-d802b427c479._msdcs.acme.internal. 900 IN CNAME acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._tcp.acme.internal acme-dc1.acme.internal 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.acme.internal. 900 IN  SRV     0 100 464 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._udp.acme.internal acme-dc1.acme.internal 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.acme.internal. 900 IN  SRV     0 100 464 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.acme.internal acme-dc1.acme.internal 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.acme.internal. 900 IN SRV     0 100 88 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.acme.internal acme-dc1.acme.internal 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.acme.internal. 900 IN SRV 0 100 88 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.acme.internal acme-dc1.acme.internal 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.acme.internal. 900 IN SRV 0 100 88 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.acme.internal acme-dc1.acme.internal 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.acme.internal. 900 IN SRV 0 100 88 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._udp.acme.internal acme-dc1.acme.internal 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.acme.internal. 900 IN SRV     0 100 88 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.acme.internal. 900 IN     SRV     0 100 389 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.acme.internal. 900 IN SRV 0 100 3268 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.pdc._msdcs.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.dc._msdcs.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.gc._msdcs.acme.internal. 900 IN SRV 0 100 3268 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.74dad51c-fd6e-42f6-aee2-f04a58242149.domains._msdcs.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.74dad51c-fd6e-42f6-aee2-f04a58242149.domains._msdcs.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.acme.internal. 900  IN      SRV     0 100 3268 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.acme.internal. 900 IN SRV 0 100 3268 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Failed update of 21 entries
root@acme-DC1:/root #
 
I trimmed all zones pointing to /etc/namedb/master/empty.db to shorten the file.

/etc/namedb/named.conf
Code:
options {
        // All file and path names are relative to the chroot directory,
        // if any, and should be fully qualified.
        directory       "/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

        disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
        disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
        disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

        tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
        tkey-gssapi-credential "DNS/smbtest.test.lan@TEST.LAN";
        tkey-domain "TEST.LAN";
#        auth-nxdomain yes;
};

zone "." { type hint; file "/etc/namedb/named.root"; };
zone "localhost"        { type master; file "/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "/etc/namedb/master/localhost-reverse.db"; };
zone "255.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "0.ip6.arpa"       { type master; file "/etc/namedb/master/localhost-reverse.db"; };
zone "0.in-addr.arpa"   { type master; file "/etc/namedb/master/empty.db"; };

include "/var/db/samba4/private/named.conf";
No difference if auth_nxdomain is uncommented.

/var/db/samba4/private/named.conf
Code:
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    # database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9.so";

    # For BIND 9.9.0
    database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_9.so -d 3";
};
/var/db/samba4/private/krb5.conf and /etc/krb5.conf
Code:
[libdefaults]
        default_realm = TEST.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true
 
Hello,

I've been monitoring this thread for some time as an unregistered user, but I'd like to contribute my experience: I also get the REFUSED entries using samba_dnsupdate, but samba-tool writes the correct DLZ information even for new and manually added hosts. I'm using BIND99 from ports without base replacement and adjusted smb4.conf:

Code:
nsupdate command = /usr/local/bin/nsupdate -g

However, the error remains, and I'd like to know if you have another idea for debugging this issue. For a one-process debug a truss would help, but where to start in this case? The message indicates a problem with the Kerberos libraries or something in the back of BIND and Samba?

And thanks for your replies so far,
Muba
 
@von_Gaden, did you solve
Code:
smbtest named[893]: samba_dlz: GSS server Update(krb5)(1) Update failed:  An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
?
 
Maybe some issue with DNSsec? Try disabling it, in named.conf put these lines inside the options section:

Code:
dnssec-enable no;
dnssec-lookaside auto;

What about setting explicitly
Code:
auth-nxdomain no;
?
 
Well, DNSsec is used to encrypt/sign the record answers to clients so DNS forgery gets prevented, right? So I don't think it will help here, and neither will auth-nxdomain, which is about an authoritative answer for non-existent domains. (read RR vs. write RR)

I also read the Samba4 Wiki again and it seems you need
Code:
        tkey-gssapi-credential "DNS/smbtest.test.lan@TEST.LAN";
        tkey-domain "TEST.LAN";
only for BIND98; the 9.9 version uses the keytab file to find it.
 
herles said:
@von_Gaden, did you solve
Code:
smbtest named[893]: samba_dlz: GSS server Update(krb5)(1) Update failed:  An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
?

No, that's what all my noise is about.
 
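Two things in this thread are worth triaging mechanically: the long samba_dnsupdate output above (which records got REFUSED) and the named error quoted in the last two posts, whose "mech 1 2 840 113554 1 2 2" is the standard Kerberos V5 GSS-API mechanism OID written with spaces. This is an added example, not code from the thread or from Samba; the sample input is a constructed excerpt in the same format, and it assumes an nsupdate attempt not followed by an "update failed" line succeeded.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the samba_dnsupdate output above.
SAMPLE_DNSUPDATE = """\
Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; UPDATE SECTION:
_ldap._tcp.pdc._msdcs.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A acme-dc1.acme.internal 192.0.2.10
Outgoing update query:
Failed update of 1 entries
"""

# Constructed syslog line in the format of the samba_dlz error quoted above.
SAMPLE_NAMED_LINE = ("smbtest named[893]: samba_dlz: GSS server Update(krb5)(1) "
                     "Update failed:  An unsupported mechanism was requested: "
                     "unknown mech-code 0 for mech 1 2 840 113554 1 2 2")

CALL_RE = re.compile(r"^Calling nsupdate for (\S+) (\S+) (.*)$")
FAIL_RE = re.compile(r"^update failed: (\S+)$")
TOTAL_RE = re.compile(r"^Failed update of (\d+) entries$")
MECH_RE = re.compile(r"for mech ((?:\d+ )+\d+)\s*$")

# Well-known GSS-API mechanism OIDs (dotted form).
GSS_MECHS = {
    "1.2.840.113554.1.2.2": "Kerberos V5 (RFC 1964)",
    "1.2.840.48018.1.2.2": "Microsoft Kerberos V5 (legacy OID)",
    "1.3.6.1.5.5.2": "SPNEGO (RFC 4178)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

def parse_dnsupdate(text):
    """Return (rrtype, name, status) per nsupdate attempt; status is OK or the rcode."""
    results = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            results.append([m.group(1), m.group(2), "OK"])  # assumed OK until a failure line
            continue
        m = FAIL_RE.match(line)
        if m and results:
            results[-1][2] = m.group(1)
    return [tuple(r) for r in results]

def summarize(text):
    """Count statuses and check them against the 'Failed update of N entries' trailer."""
    counts = Counter(status for _, _, status in parse_dnsupdate(text))
    m = TOTAL_RE.search(text, re.M)
    failed = sum(n for s, n in counts.items() if s != "OK")
    return counts, (m is None or int(m.group(1)) == failed)

def decode_gss_mech(log_line):
    """Turn the space-separated OID in the samba_dlz error into dotted form and name it."""
    m = MECH_RE.search(log_line)
    if not m:
        return None
    oid = ".".join(m.group(1).split())
    return oid, GSS_MECHS.get(oid, "unknown mechanism")
```

If the decoded OID is plain Kerberos V5, the complaint is not about an exotic mechanism but about named's GSS-API library being unable to use krb5 with the credential it was given, which points back at the keytab, principal and krb5.conf checks discussed in this thread.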
igorino said:
Maybe some issue with DNSSEC? Try disabling it, in named.conf put these lines inside the options section:

Code:
dnssec-enable no;
dnssec-lookaside auto;

What about setting explicitly
Code:
auth-nxdomain no;
?

I'm so sorry that none of these changed anything. The "unsupported mechanism" is still failing my updates...
 
Time to do some debug with truss or devel/strace then. Are you sure that your BIND9 user has the correct directory/file permissions and it can retrieve the correct Kerberos variables?
 
First of all, thanks for your efforts to help me in solving such an important problem!

As for the permissions:
Code:
root@smbtest:/root # ls -l /var/db/samba4/private/
total 12088
drwxrwx---  3 root  bind       512 Sep  1 21:29 dns
-rw-r-----  1 root  bind       712 Sep  1 21:29 dns.keytab
-rw-r--r--  1 root  wheel     2270 Sep  1 21:29 dns_update_list
-rw-------  1 root  wheel  1286144 Sep  1 21:29 hklm.ldb
-rw-------  1 root  wheel  1609728 Sep 15 15:19 idmap.ldb
-rw-r--r--  1 root  wheel       89 Sep  1 21:29 krb5.conf
.....
root@smbtest:/root # ls -l /var/db/samba4/private/dns
total 3012
-rw-rw----  1 root  bind  3018752 Sep  1 21:29 sam.ldb
drwxrwx---  2 root  bind      512 Sep  1 21:29 sam.ldb.d
I'm not sure about the Kerberos variables. I've never used debugging tools such as truss or strace, and I need some time to find out how to use them. If you can recommend a good HowTo source, I'll be very grateful.
 