Samba4 Install Guide (Problems with Kerberos)

For the Kerberos variables, edit /etc/login.conf and replace the line which reads
Code:
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
with
Code:
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K,KEYTAB_FILE=/var/db/samba4/private/dns.keytab,KRB5_KTNAME=/var/db/samba4/private/dns.keytab:\
and save the file, then execute cap_mkdb /etc/login.conf; you'll have to log out and log in again (and restart the named service).

The dns_update_list file should be writable by the BIND9 user, don't you agree? Perhaps samba_upgradedns --dns-backend=BIND9_DLZ should set those permissions correctly.

Debugging with truss is quite simple, for example, try truss -o output.log -p pid_of_named_process. After that, in another terminal, run /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names, then stop truss with ^C and take a look at output.log, or tail that file while truss is running, your call.
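Added example (not code from this thread, nor from Samba or BIND): a small pre-flight script for the three prerequisites the post above touches on, namely that the named user can read the DNS keytab, that dns_update_list is writable by it, and that login.conf really exports KRB5_KTNAME. It also flags a world-readable keytab, since that file holds the DNS service's Kerberos key. The named user/group "bind" and the /var/db/samba4/private paths in the comments are placeholders to adjust; the demo at the end runs against constructed files in a temporary directory, and the permission logic reads plain mode bits only (ACLs are ignored).

```sh
#!/bin/sh
# Added example, not from the thread or from Samba/BIND: checks for the
# BIND9_DLZ update prerequisites (keytab readable by named, dns_update_list
# writable by named, KRB5_KTNAME exported via login.conf).

# Symbolic mode (e.g. -rw-r-----), owner and group of a file, read off ls -ld.
file_mode()  { ls -ld "$1" 2>/dev/null | awk '{print substr($1, 1, 10)}'; }
file_owner() { ls -ld "$1" 2>/dev/null | awk '{print $3}'; }
file_group() { ls -ld "$1" 2>/dev/null | awk '{print $4}'; }

# perm_grants USER GROUP r|w FILE
# Succeeds when USER (a member of GROUP) gets the requested access from the
# plain mode bits: owner bits if USER owns the file, group bits if the group
# matches, otherwise the "other" bits. Root's override and ACLs are ignored
# on purpose: named does not run as root.
perm_grants() {
    user=$1; group=$2; want=$3; f=$4
    mode=$(file_mode "$f")
    [ -n "$mode" ] || return 1                      # missing or unreadable file
    case $want in r) off=0 ;; w) off=1 ;; *) return 2 ;; esac
    if   [ "$(file_owner "$f")" = "$user" ];  then pos=$((2 + off))
    elif [ "$(file_group "$f")" = "$group" ]; then pos=$((5 + off))
    else                                           pos=$((8 + off)); fi
    [ "$(printf '%s' "$mode" | cut -c "$pos")" = "$want" ]
}

# world_readable FILE: succeeds when "other" may read it. For a keytab that
# means every local account can copy the DNS service key.
world_readable() { [ "$(file_mode "$1" | cut -c 8)" = "r" ]; }

# ktname_from_login_conf FILE: the KRB5_KTNAME value from a login.conf-style
# ":setenv=...:" entry, or nothing if it is not exported there.
ktname_from_login_conf() {
    sed -n 's/.*KRB5_KTNAME=\([^,:]*\).*/\1/p' "$1" | head -n 1
}

# check_dlz_prereqs USER GROUP KEYTAB UPDATE_LIST LOGIN_CONF
# One line per finding; the return value is the number of failed checks.
check_dlz_prereqs() {
    u=$1; g=$2; keytab=$3; list=$4; lconf=$5; fails=0
    if perm_grants "$u" "$g" r "$keytab"; then echo "ok:   $keytab readable by $u"
    else echo "FAIL: $keytab not readable by $u"; fails=$((fails + 1)); fi
    if world_readable "$keytab"; then echo "FAIL: $keytab is world-readable"; fails=$((fails + 1)); fi
    if perm_grants "$u" "$g" w "$list"; then echo "ok:   $list writable by $u"
    else echo "FAIL: $list not writable by $u"; fails=$((fails + 1)); fi
    kt=$(ktname_from_login_conf "$lconf")
    if [ "$kt" = "$keytab" ]; then echo "ok:   login.conf exports KRB5_KTNAME=$kt"
    else echo "FAIL: login.conf exports KRB5_KTNAME='$kt', expected $keytab"; fails=$((fails + 1)); fi
    return $fails
}

# Constructed demo: a throwaway "private" directory owned by the current user,
# who stands in for the named user. The real call would be something like:
#   check_dlz_prereqs bind bind /var/db/samba4/private/dns.keytab \
#       /var/db/samba4/private/dns_update_list /etc/login.conf
demo=$(mktemp -d)
printf 'not a real keytab\n' > "$demo/dns.keytab";      chmod 0640 "$demo/dns.keytab"
printf 'A acme.internal\n'   > "$demo/dns_update_list"; chmod 0664 "$demo/dns_update_list"
printf 'default:\\\n\t:setenv=MAIL=/var/mail/$,BLOCKSIZE=K,KEYTAB_FILE=%s,KRB5_KTNAME=%s:\\\n' \
    "$demo/dns.keytab" "$demo/dns.keytab" > "$demo/login.conf"
check_dlz_prereqs "$(id -un)" "$(id -gn)" "$demo/dns.keytab" "$demo/dns_update_list" "$demo/login.conf"
echo "failed checks: $?"
rm -rf "$demo"
```

Run it as the same user that owns the Samba private directory, or pass the named user and group explicitly; a non-zero exit count tells you how many of the prerequisites are still wrong before you reach for truss.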
 
herles said:
How can I read cap_mkdb files? Where is the db database?
Code:
% ls /etc/login*
/etc/login.access   /etc/login.conf     /etc/login.conf.db
To actually read the database file, if for some reason you should want to, see dbopen(3).
 
FreeBSD 9.1-RELEASE (GENERIC) #0 r243826: Tue Dec 4 06:55:39 UTC 2012

root@fbsd:/root # ps ax | grep samba
Code:
1292 ??  Ss      0:00.70 /usr/local/samba/sbin/samba
1293 ??  I       0:00.01 samba: task[s3fs_parent] (samba)
1294 ??  S       0:00.69 samba: task[dcesrv] (samba)
1295 ??  S       0:51.20 samba: task[nbtd] (samba)
1296 ??  Is      0:04.16 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
1297 ??  S       0:00.04 samba: task wrepl server_id[1297] (samba)
1298 ??  I       0:02.70 samba: task[ldapsrv] (samba)
1299 ??  S       0:00.04 samba: task[cldapd] (samba)
1300 ??  I       0:00.12 samba: task[kdc] (samba)
1301 ??  S       0:46.07 samba: task[dreplsrv] (samba)
1302 ??  I       0:00.23 samba: task[winbind] (samba)
1303 ??  S       0:00.04 samba: task[ntp_signd] (samba)
1304 ??  I       0:28.25 samba: task[kccsrv] (samba)
1305 ??  I       0:01.93 samba: task[dnsupdate] (samba)
1308 ??  I       0:00.35 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
6608  0  S+      0:00.00 grep samba

root@fbsd:/root # /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names
Code:
IPs: ['192.168.1.5']
Calling nsupdate for A acme.internal 192.168.1.5
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
acme.internal.       900     IN      A       192.168.1.5

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A fbsd.acme.internal 192.168.1.5
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
fbsd.acme.internal.  900     IN      A       192.168.1.5

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A gc._msdcs.acme.internal 192.168.1.5
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.acme.internal. 900 IN      A       192.168.1.5

...

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.acme.internal fbsd.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.acme.internal. 900 IN SRV 0 100 3268 fbsd.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Failed update of 21 entries

root@fbsd:/root # truss -o output.log -p 1305

root@fbsd:/root # vi output.log
Code:
SIGNAL 17 (SIGSTOP)
gettimeofday({1379446115.604439 },0x0)           = 0 (0x0)
poll({19/POLLIN|POLLHUP 18/POLLIN|POLLHUP},2,1281) = 0 (0x0)
gettimeofday({1379446116.886368 },0x0)           = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
fcntl(15,F_SETLKW,0xbfbfe200)                    = 0 (0x0)
fcntl(15,F_SETLKW,0xbfbfe254)                    = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe2b0)                    = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe344)                    = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe090)                    = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe124)                    = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe230)                    = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe2c4)                    = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
fcntl(15,F_SETLKW,0xbfbfe210)                    = 0 (0x0)
fcntl(15,F_SETLKW,0xbfbfe264)                    = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe2c0)                    = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe354)                    = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe240)                    = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe2d4)                    = 0 (0x0)
open("/usr/local/samba/private/named.conf.update.static",O_RDONLY,00) ERR#2 'No such file or directory'
unlink("/usr/local/samba/private/named.conf.update.tmp") ERR#2 'No such file or directory'
open("/usr/local/samba/private/named.conf.update.tmp",O_WRONLY|O_CREAT|O_TRUNC,0444) = 20 (0x14)
write(20,"/* this file is auto-generated -"...,48) = 48 (0x30)
write(20,"update-policy {\n",16)                 = 16 (0x10)
write(20,"\tgrant acme.INTERNAL ms-self"...,42) = 42 (0x2a)
write(20,"\tgrant Administrator@acme.IN"...,67) = 67 (0x43)
write(20,"\tgrant FBSD$@acme.internal w"...,59) = 59 (0x3b)
write(20,"};\n",3)                               = 3 (0x3)
close(20)                                        = 0 (0x0)
open("/usr/local/samba/private/named.conf.update.tmp",O_RDONLY,00) = 20 (0x14)
fstat(20,{ mode=-r--r--r-- ,inode=803912,size=235,blksize=32768 }) = 0 (0x0)
read(20,"/* this file is auto-generated -"...,235) = 235 (0xeb)
close(20)                                        = 0 (0x0)
open("/usr/local/samba/private/named.conf.update",O_RDONLY,00) = 20 (0x14)
fstat(20,{ mode=-r--r--r-- ,inode=803909,size=235,blksize=32768 }) = 0 (0x0)
read(20,"/* this file is auto-generated -"...,235) = 235 (0xeb)
close(20)                                        = 0 (0x0)
unlink("/usr/local/samba/private/named.conf.update.tmp") = 0 (0x0)
gettimeofday({1379446116.888507 },0x0)           = 0 (0x0)
gettimeofday({1379446116.888535 },0x0)           = 0 (0x0)
 
truss produced a long file and I must admit most of it looks a little mysterious to me... Here is part of the log's tail:
Code:
...
fcntl(9,F_SETLKW,0x7fffff9fba90)                 = 0 (0x0)
fcntl(9,F_SETLKW,0x7fffff9fbab0)                 = 0 (0x0)
madvise(0x81c6be000,0xa000,0x5,0x2bd,0x7fffff9fb210,0x1) = 0 (0x0)
madvise(0x81c04e000,0xa000,0x5,0x4d,0x81c400000,0x7fffff9fb230) = 0 (0x0)
madvise(0x81c029000,0xa000,0x5,0x28,0x81c400000,0x7fffff9fb230) = 0 (0x0)
clock_gettime(13,{1379537150.000000000 })        = 0 (0x0)
getpid()                                         = 1189 (0x4a5)
sendto(3,"<30>Sep 18 23:45:50 named[1189]:"...,83,0x0,NULL,0x0) = 83 (0x53)
_umtx_op(0x803808258,0x15,0x1,0x0,0x0,0x0)       = 0 (0x0)
gettimeofday({1379537150.575968 },0x0)           = 0 (0x0)
gettimeofday({1379537150.576058 },0x0)           = 0 (0x0)
sendmsg(0x19,0x7fffff9fb840,0x0,0x0,0x2178a8,0x1) = 125 (0x7d)
recvmsg(0x19,0x7fffff9fcdd0,0x0,0x0,0x2c80,0x0)  ERR#35 'Resource temporarily unavailable'
write(7,"\^Y\0\0\0\M-}\M^?\M^?\M^?",8)           = 1 (0x1)
read(5,"\^Y\0\0\0\M-}\M^?\M^?\M^?",8)            = 8 (0x8)
kevent(8,{0x19,EVFILT_READ,EV_ADD,0,0x0,0x0},1,0x0,0,0x0) = 0 (0x0)
read(5,0x7fffff5faf60,8)                         ERR#35 'Resource temporarily unavailable'
gettimeofday({1379537150.576673 },0x0)           = 0 (0x0)
_umtx_op(0x803808258,0x15,0x1,0x0,0x0,0xf)       = 0 (0x0)
gettimeofday({1379537150.576812 },0x0)           = 0 (0x0)
clock_gettime(0,{1379537150.576897459 })         = 0 (0x0)
_umtx_op(0x80087f008,0xf,0x0,0x0,0x0,0x0)        = 1 (0x1)
_umtx_op(0x803808a58,0x15,0x1,0x0,0x0,0x0)       = 0 (0x0)
kevent(8,{0x19,EVFILT_READ,EV_DELETE,0,0x0,0x0},1,0x0,0,0x0) = 0 (0x0)
gettimeofday({1379537150.582205 },0x0)           = 0 (0x0)
recvmsg(0x19,0x7fffff9fcea0,0x0,0x0,0x2c80,0x803818060) = 0 (0x0)
write(7,"\^Y\0\0\0\M-{\M^?\M^?\M^?",8)           = 1 (0x1)
read(5,"\^Y\0\0\0\M-{\M^?\M^?\M^?",8)            = 8 (0x8)
kevent(8,{0x19,EVFILT_READ,EV_DELETE,0,0x0,0x0},1,0x0,0,0x0) ERR#2 'No such file or directory'
kevent(8,{0x19,EVFILT_WRITE,EV_DELETE,0,0x0,0x0},1,0x0,0,0x0) ERR#2 'No such file or directory'
_umtx_op(0x803808258,0x15,0x1,0x0,0x0,0x7fffff9fc0b0) = 0 (0x0)
read(5,0x7fffff5faf60,8)                         ERR#35 'Resource temporarily unavailable'
gettimeofday({1379537150.583706 },0x0)           = 0 (0x0)
clock_gettime(0,{1379537150.583866781 })         = 0 (0x0)
 
According to the truss results the samba: task[dnsupdate] isn't involved at all when doing samba_dnsupdate, as the Python script uses the nsupdate command directly. Currently I'm learning about /etc/gss/mech which describes the available Kerberos mechanisms: the OID used by nsupdate isn't the SPNEGO one, but maybe the log lines of named are a bit confusing.
 
Hi, everybody! I posted a video on YouTube on how to install Samba 4.0.8 on FreeBSD 9.1-RELEASE. On YouTube, if you search 'Samba4 FreeBSD', you will find it. Please watch it and if you have any questions, let me know. Also I cannot get rid of the warning
Code:
 [2013/09/24 18:06:49,  0] ../source3/smbd/server.c:1200(main)
  smbd version 4.0.8 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2012
[2013/09/24 18:06:49.664147,  0] ../source3/smbd/server.c:1280(main)
  standard input is not a socket, assuming -D option
[2013/09/24 18:50:26.955916,  0] ../source3/smbd/trans2.c:3087(smbd_do_qfsinfo)
  smbd_do_qfsinfo: not an allowed info level (0x102) on IPC$.
[2013/09/24 18:50:27.777576,  0] ../source3/smbd/trans2.c:3087(smbd_do_qfsinfo)
  smbd_do_qfsinfo: not an allowed info level (0x102) on IPC$.
.......

Please help.

This is the cook book:

Frank Peng
PCCOM COMPUTERS INC.
47 Pannahill Drive, Brampton, ONTARIO, CANADA, L6P 3B3

Cell: 416-781-0496, email: pccom.frank@gmail.com

HOW TO INSTALL SAMBA4.0.8 ON FREEBSD 9.1 RELEASE--AN ALTERNATIVE FOR WINDOWS SERVER
  1. Install FreeBSD 9.1-RELEASE.
  2. Update ports: portsnap fetch && portsnap extract
  3. Port install Samba 4: cd /usr/ports/net/samba4 && make -DBATCH install clean && rehash
  4. Modify the file system:
    cp fstab fstab.orig
    sed -e "s/ufs.*rw.*1/ufs rw,acls 1 1/g" fstab.orig > tmp
    cat tmp
    mv tmp fstab
    rm tmp
    mount -o acls /
  5. Install CUPS: cd /usr/ports/print/cups && make -DBATCH install clean && rehash
  6. Check the hosts file; run hostname to find out your computer's name.
  7. Check the resolv.conf file, add a domain line and nameserver lines.
  8. Enable named (BIND98):
    echo 'named_enable="YES"' >> /etc/rc.conf
    echo 'named_chrootdir=""' >> /etc/rc.conf
    echo 'cupsd_enable="YES"' >> /etc/rc.conf
    echo 'samba4_enable="YES"' >> /etc/rc.conf
  9. Configure named:
    • Change listen to local to listen to world, comment out 127.0.0.1.
    • Change forwarder.
    • Add an option line (later).
    • Include a DLZ file.
    • Change the dns-keytab's file group and permission (necessary?).
  10. Samba4 domain provision: samba-tool domain provision --use-rfc2307 --interactive
    • default realm name
    • default domain name
    • Use the BIND9_DLZ DNS server.
    • Remember the administrator password.
    • Change the Samba4 configuration file: /usr/local/etc/smb4.conf. Add a line
      Code:
      nsupdate command = /usr/local/bin/samba-nsupdate -g
      cp /var/db/samba4/private/krb5.conf /etc
  11. Start named by /etc/rc.d/named start.
  12. Start samba4 by /usr/local/etc/rc.d/samba4 start.
  13. Check errors in /var/log/samba4/log.smbd.
  14. Change the Windows computer's DNS IP address to point to the Samba4 server IP address.
  15. Change computer to join the domain.
  16. Restart the Windows computer to join the domain.
  17. Download administrative tools from Microsoft to manage the domain controller.

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
http://www.samba.org/
http://forums.freebsd.org/showthread.php?t=36137&highlight=samba4
 
I followed @frankpeng's YouTube tutorial and I can confirm that I now have a working Samba4 DC on FreeBSD 9.2.

There are steps that are covered in the YouTube tutorial that are not covered in the post above. Also, a warning that it is painfully slow and difficult to follow (as in visually difficult to follow; he skips around the screen constantly, requiring a lot of pausing and rewinding to figure out what it is that he is typing).

Expect to set aside 2-3 hours if you want to go through the YouTube tutorial. Frank seems to know his stuff, but it would be great if someone could refine the steps into an easy to follow guide with a few more references as to why certain steps are being taken.
 
I have to admit my impatience to follow the whole guide. The exact configuration for Samba and BIND was unclear to me. I suppose the used BIND is version 9.8? I'll try to follow the guide step-by-step on a clear installation and see what was wrong with my previous tests. I'll gladly share my "new experiences".
 
Yeah, as I said, technically if you watch the whole video you can come out with everything working, but it is insanely difficult to follow. Obviously @frankpeng has put a bit of effort into creating the YouTube video, but it's almost unbearable to watch and his cookbook omits about a dozen steps (don't follow his cookbook, the steps that are there aren't in order either).

I'll update the OP when I have a bit more time, thankfully a clean install is sped up a bit by the release of the samba4 package for 9.1 x64.
 
Hey guys. Great information on this post. Unfortunately, I've got the exact same problem and even following the 'cookbook' I cannot get DNS updates to work. I'm running Samba 4 (from ports) and BIND 9.8 (ports).

Everything works for the most part. I can add new users, machines, and view users on the DC machine. Just can't get the DNS updates to work despite TSIG present, Kerberos working, etc. Were you guys able to isolate what you did to fix?

Thanks,
Don
 
Guys,

Thanks for all the great info in the post. I currently have a functioning domain with everything EXCEPT DNS updates. Here's some of my output:

[ nothing here -- Mod. ]

As you can see, dnsupdate is running successfully.

However, when I run samba_dnsupdate --verbose --all-names
Code:
root@server1:~ # samba_dnsupdate --verbose --all-names
IPs: ['192.168.254.2']
ldb_wrap open of secrets.ldb
Calling nsupdate for A example.com 192.168.254.2
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
example.com.		900	IN	A	192.168.254.2

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for A server1.example.com 192.168.254.2
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
server1.example.com.	900	IN	A	192.168.254.2

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for A gc._msdcs.example.com 192.168.254.2
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.example.com. 900	IN	A	192.168.254.2

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for CNAME dfd9e627-803d-4a18-9d92-984bff22d60a._msdcs.example.com server1.example.com
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dfd9e627-803d-4a18-9d92-984bff22d60a._msdcs.example.com. 900	IN CNAME server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _kpasswd._tcp.example.com server1.example.com 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.example.com. 900 IN	SRV	0 100 464 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _kpasswd._udp.example.com server1.example.com 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.example.com. 900 IN	SRV	0 100 464 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _kerberos._tcp.example.com server1.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.example.com. 900 IN	SRV	0 100 88 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.example.com server1.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.example.com. 900 IN	SRV 0 100 88 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.example.com server1.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.example.com. 900 IN SRV 0 100 88 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.example.com server1.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.example.com.	900 IN SRV 0 100 88 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _kerberos._udp.example.com server1.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.example.com. 900 IN	SRV	0 100 88 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.example.com server1.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.example.com. 900	IN	SRV	0 100 389 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.example.com server1.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.example.com. 900 IN SRV	0 100 389 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.example.com server1.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.example.com. 900 IN SRV	0 100 3268 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.example.com server1.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.pdc._msdcs.example.com. 900 IN SRV 0 100 389 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.example.com server1.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.example.com. 900 IN SRV 0 100 389 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.example.com server1.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.dc._msdcs.example.com. 900	IN SRV 0 100 389 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.example.com server1.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.gc._msdcs.example.com. 900	IN SRV 0 100 3268 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.e9a190c3-a698-4700-8912-51ca0c647f23.domains._msdcs.example.com server1.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.e9a190c3-a698-4700-8912-51ca0c647f23.domains._msdcs.example.com. 900 IN SRV 0 100 389 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _gc._tcp.example.com server1.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.example.com. 900	IN	SRV	0 100 3268 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.example.com server1.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.example.com.	900 IN SRV 0 100 3268 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Failed update of 21 entries

One thing I have noticed, when I run the above command with --use-file=/var/db/samba4/private/dns.keytab, it is successful.
Code:
root@server1:~ # samba_dnsupdate --use-file=/var/db/samba4/private/dns.keytab --verbose --all-names
IPs: ['192.168.254.2']
ldb_wrap open of secrets.ldb
Calling nsupdate for A example.com 192.168.254.2
Calling nsupdate for A server1.example.com 192.168.254.2
Calling nsupdate for A gc._msdcs.example.com 192.168.254.2
Calling nsupdate for CNAME dfd9e627-803d-4a18-9d92-984bff22d60a._msdcs.example.com server1.example.com
Calling nsupdate for SRV _kpasswd._tcp.example.com server1.example.com 464
Calling nsupdate for SRV _kpasswd._udp.example.com server1.example.com 464
Calling nsupdate for SRV _kerberos._tcp.example.com server1.example.com 88
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.example.com server1.example.com 88
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.example.com server1.example.com 88
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.example.com server1.example.com 88
Calling nsupdate for SRV _kerberos._udp.example.com server1.example.com 88
Calling nsupdate for SRV _ldap._tcp.example.com server1.example.com 389
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.example.com server1.example.com 389
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.example.com server1.example.com 3268
Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.example.com server1.example.com 389
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.example.com server1.example.com 389
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.example.com server1.example.com 389
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.example.com server1.example.com 3268
Calling nsupdate for SRV _ldap._tcp.e9a190c3-a698-4700-8912-51ca0c647f23.domains._msdcs.example.com server1.example.com 389
Calling nsupdate for SRV _gc._tcp.example.com server1.example.com 3268
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.example.com server1.example.com 3268

Any recommendations would be appreciated.
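Added example, not code from this thread or from Samba: a reader for samba_dnsupdate --verbose output like the two transcripts above (herles' REFUSED run and the TKEY run in this post), so the failure signature is read off once instead of 21 times. The hints only restate what this thread observed for each signature and are not an official diagnosis; the sample at the end is constructed, modelled on the posts, and the 192.0.2.x addresses and example.test names are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread or from Samba: summarize
# samba_dnsupdate --verbose output by failure signature.

# summarize_dnsupdate < OUTPUT
# Prints "count<TAB>reason" per distinct failure reason, most frequent first,
# then "attempted=N failed=N reported=N", where reported is the script's own
# "Failed update of N entries" figure (0 when that line is missing).
summarize_dnsupdate() {
    awk '
        /^Calling nsupdate for /            { attempted++ }
        /^update failed: /                  { r = $0; sub(/^update failed: /, "", r); fail[r]++; failed++ }
        /^dns_tkey_negotiategss: /          { r = $0; sub(/[ \t]+$/, "", r);         fail[r]++; failed++ }
        /^Failed update of [0-9]+ entries/  { reported = $4 }
        END {
            for (r in fail) printf "%d\t%s\n", fail[r], r
            printf "attempted=%d failed=%d reported=%d\n", attempted, failed, reported + 0
        }' | sort -rn
}

# hint REASON: what this thread observed for a given failure signature.
hint() {
    case $1 in
        REFUSED)
            echo "the server rejected the signed update; compare the signer with the grants in named.conf.update and read the named log" ;;
        *"TKEY is unacceptable"*)
            echo "GSS-TSIG key negotiation failed before any record was sent; in this thread the same run succeeded with --use-file=/var/db/samba4/private/dns.keytab, so check which credentials nsupdate picked up" ;;
        *)
            echo "no note for this signature" ;;
    esac
}

# Constructed sample (placeholder names and addresses): two REFUSED updates
# and one TKEY failure, in the shape samba_dnsupdate --verbose prints.
SAMPLE=$(cat <<'EOF'
IPs: ['192.0.2.10']
Calling nsupdate for A example.test 192.0.2.10
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; UPDATE SECTION:
example.test.           900     IN      A       192.0.2.10

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A dc1.example.test 192.0.2.10
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.example.test dc1.example.test 389
dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 3 entries
EOF
)

# Print the summary with a hint under each failure line.
printf '%s\n' "$SAMPLE" | summarize_dnsupdate | while IFS= read -r line; do
    echo "$line"
    case $line in
        [0-9]*) reason=$(printf '%s\n' "$line" | cut -f2-); echo "    -> $(hint "$reason")" ;;
    esac
done
```

On a live system feed it the real output, e.g. samba_dnsupdate --verbose --all-names 2>&1 | summarize_dnsupdate; a mismatch between failed= and reported= means the script printed a failure line this reader does not know about.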
 
Hi, Ogie!

What DNS server do you use? I have a complete success in integrating Samba 4 in Server 2003 AD as an additional domain controller. I plan to transfer FSMO roles to this server later. Since the server is connected to an internal network only without direct Internet access I've used Samba's internal DNS. If someone is interested I can share my "experience".
 
Hello, any idea if Samba4 will work with LDNS of FreeBSD 10 without BIND? I hope my question makes sense, I couldn't find the answer online. Thanks in advance.
 
von_Gaden said:
Hi, Ogie!

What DNS server do you use? I have a complete success in integrating Samba 4 in Server 2003 AD as an additional domain controller. I plan to transfer FSMO roles to this server later. Since the server is connected to an internal network only without direct Internet access I've used Samba's internal DNS. If someone is interested I can share my "experience".

I'm currently trying to get the BIND9_DLZ setup to work. I've tried BIND 9.9 and 9.8, as well as Samba 4.0.8 and Samba 4.0.12 all without success. Right now I'm stuck at the error:
Code:
Dec  2 09:02:39 server1 named[74095]: samba_dlz: GSS server Update(krb5)(1) Update failed:  An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
Dec  2 09:02:39 server1 named[74095]: samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Dec  2 09:02:39 server1 named[74095]: samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
Dec  2 09:02:39 server1 named[74095]: samba_dlz: spnego update failed

When I run the command samba_dnsupdate --verbose --all-names I can do pretty much everything else in AD (user groups shares etc.) but dynamic updating will just NOT work. Is the internal DNS suitable for a production environment? Is this error across the DNS platform? Any tips would be appreciated.
 
Zucca said:
Hello, any idea if Samba4 will work with LDNS of FreeBSD 10 without BIND? I hope my question makes sense, I couldn't find the answer online. Thanks in advance.

Samba has only two DNS back-ends in general - built-in (all-working, well integrated with AD) and BIND9 (files and DLZ). I'm sure (even without research) you can't tell Samba to use any other.
 
ogie said:
....
When I run the command samba_dnsupdate --verbose --all-names I can do pretty much everything else in AD (user groups shares etc.) but dynamic updating will just NOT work. Is the internal DNS suitable for a production environment? Is this error across the DNS platform? Any tips would be appreciated.

I'm not sure why the errors for unsuccessful login occur, but giving you advice is pointless since I have no success with BIND9_DLZ either. As for the internal DNS, I think it is completely useful in internal networks - it works very well for me. I have only security concerns if the server is directly connected to the Internet - DNS is (or at least was) one of the most attacked services. Currently I couldn't limit Samba 4 interface binding or listening without stopping its work altogether (Samba refuses to start). The internal DNS has no known ACL capabilities and you can't limit it. Even more complicated is if you need to serve AD zones and some "real" DNS zones.

My opinion is: if your server is connected to an internal network (e.g. behind NAT) and its DNS is not used for Internet-accessible zones, you can safely use Samba's internal DNS. I have such servers in production, one of them is an AD domain controller with a Server 2003 master.
 
von_Gaden said:
ogie said:
....
When I run the command samba_dnsupdate --verbose --all-names I can do pretty much everything else in AD (user groups shares etc.) but dynamic updating will just NOT work. Is the internal DNS suitable for a production environment? Is this error across the DNS platform? Any tips would be appreciated.

I'm not sure why the errors for unsuccessful login occur, but giving you advice is pointless since I have no success with BIND9_DLZ either. As for the internal DNS, I think it is completely useful in internal networks - it works very well for me. I have only security concerns if the server is directly connected to the Internet - DNS is (or at least was) one of the most attacked services. Currently I couldn't limit Samba 4 interface binding or listening without stopping its work altogether (Samba refuses to start). The internal DNS has no known ACL capabilities and you can't limit it. Even more complicated is if you need to serve AD zones and some "real" DNS zones.

My opinion is: if your server is connected to an internal network (e.g. behind NAT) and its DNS is not used for Internet-accessible zones, you can safely use Samba's internal DNS. I have such servers in production, one of them is an AD domain controller with a Server 2003 master.

Yeah, I wasn't sure how secure the DNS server was/is so that was my main concern when I started with BIND. I guess for the production server I'll just have to leave it on the internal DNS. Did it work out of the box with DNS updates for you? Or was there anything special that you had to do? Thanks in advance.
 
Nothing special, Samba internal DNS was OK just out-of-the box. Note that if you add the server to an existing AD domain you should check if both domain and forest functional levels are 2003, not 2000-compatible. Otherwise some of the replications aren't working.
 
Hi. I've been following this thread too since yesterday. The
Code:
nsupdate command = samba-nsupdate -g
that needs to be put in the global section of /usr/local/etc/smb4.conf was helpful for example (thanks all!).

I've now also managed to make it work with the BIND9_DLZ DNS-backend. I just had to change my hostname to the FQDN hostname, and then I needed to execute the samba-tool again for the domain provisioning. No more "refused" or "spnego" errors. It just works :D

Using FreeBSD 9.2, Samba 4.0.8 and BIND 9.8 (I read something about BIND 9.9 not working with Samba 4.0.8? Don't know for sure though because the Samba wiki mentions BIND 9.9 as an option).

Also, if you install another BIND version than the base BIND, you can have them both installed, but use the newer version, with the following line in /etc/rc.conf:
Code:
named_program="/usr/local/sbin/named"

Anyway. I'm going to try to set this up again, from scratch, hoping it's not magic that I have encountered. ;-)

Edit:
It stopped working... Hm...
 
any update?

Okay, still the same here, like
Code:
24-Jun-2016 02:14:11.418 database: info: samba_dlz: starting transaction on zone sambadomain.local
24-Jun-2016 02:14:11.421 database: error: samba_dlz: GSS server Update(krb5)(1) Update failed: An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
24-Jun-2016 02:14:11.421 database: error: samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
24-Jun-2016 02:14:11.421 database: warning: samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
24-Jun-2016 02:14:11.421 database: error: samba_dlz: spnego update failed
24-Jun-2016 02:14:11.421 database: info: samba_dlz: cancelling transaction on zone sambadomain.local
from the named log.

This is on FreeBSD 10.3-STABLE (r301741) with samba43-4.3.9 and bind99-9.9.9P1 via ports, of course built with --with-dlopen=yes --with-gssapi.

Then, just inspired by the log message "An unsupported mechanism was requested"...

I had built dns/bind99 with GSSAPI_BASE, meaning it uses the Heimdal in base. However, ports also have security/heimdal, which is the GSSAPI_HEIMDAL option in dns/bind99.
I have not investigated the difference between base and ports, but I think there is no big difference in version.

Consequently, this was the answer for me. Without changing any configuration in named.conf, DNS updates from nsupdate -g or from Windows domain members have succeeded.
(krb5.conf or the like is needed in /usr/local/etc; a symlink is OK.)

Code:
24-Jun-2016 02:19:11.463 database: info: samba_dlz: starting transaction on zone sambadomain.local
24-Jun-2016 02:19:11.466 database: info: samba_dlz: cancelling transaction on zone sambadomain.local
24-Jun-2016 02:19:11.474 database: info: samba_dlz: starting transaction on zone sambadomain.local
24-Jun-2016 02:19:11.478 database: info: samba_dlz: allowing update of signer=NONO\$\@SMBADOMAIN.LOCAL name=nono.sambadomain.local tcpaddr= type=AAAA key=XXXX-ms-X.XX-XXXXXX.XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/XXX/X
24-Jun-2016 02:19:11.481 database: info: samba_dlz: allowing update of signer=NONO\$\@SMBADOMAIN.LOCAL name=nono.sambadomain.local tcpaddr= type=A key=XXXX-ms-X.XX-XXXXXX.XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/XXX/X
24-Jun-2016 02:19:11.484 database: info: samba_dlz: allowing update of signer=NONO\$\@SMBADOMAIN.LOCAL name=nono.sambadomain.local tcpaddr= type=A key=XXXX-ms-X.XX-XXXXXX.XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/XXX/X
24-Jun-2016 02:19:11.497 database: info: samba_dlz: added rdataset nono.sambadomain.local 'nono.sambadomain.local.      1200    IN      A       192.168.16.120'
24-Jun-2016 02:19:11.502 database: info: samba_dlz: subtracted rdataset sambadomain.local 'sambadomain.local.       3600    IN      SOA     dc.sambadomain.local. hostmaster.sambadomain.local. 8 900 600 86400 3600'
24-Jun-2016 02:19:11.504 database: info: samba_dlz: added rdataset sambadomain.local 'sambadomain.local.    3600    IN      SOA     dc.sambadomain.local. hostmaster.sambadomain.local. 9 900 600 86400 3600'
24-Jun-2016 02:19:11.512 database: info: samba_dlz: committed transaction on zone sambadomain.local

There are still small questions, like why the first transaction failed and why there is no PTR... anyway, one step further.

Just for information and as a reminder.
 
First of all, I have been messing around with Samba, DNS and Kerberos configuration for quite a while now, but I am completely new to this topic.
Thank you very much for the idea of using the "GSSAPI_HEIMDAL" flag. Now I have the DNS update at least partially running (by executing named -g as the root user; samba_dnsupdate --verbose --all-names doesn't return any errors). When starting named (BIND 9.9) as a service I still get messages like
Code:
"Jun 26 13:50:03 bsd10 named[43747]: client 192.168.100.82#50165: update 'sub.mydomain.tld/IN' denied".

samba_dnsupdate --verbose --all-names returns:
Code:
...

Calling nsupdate for A ForestDnsZones.sub.mydomain.tld 192.168.103.1 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ForestDnsZones.sub.mydomain.tld. 900 IN A    192.168.103.1

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 47 entries

What am I doing wrong?

I am running FreeBSD 10.2, Samba 4.3.9, Bind 9.9.9-P1.

Best Regards,
Leifur
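The two failing runs quoted in this thread (the samba_dlz "unsupported mechanism" / NT_STATUS_LOGON_FAILURE sequence in the named log above, and the "update ... denied" and "TKEY is unacceptable" messages in this post) are the usual GSS-TSIG failure signatures, and it helps to sort a named log by them before changing anything. The following POSIX sh snippet is an added example, not code from any of the posters or from Samba or BIND. It classifies named/samba_dlz log lines into tags and prints a hint per tag. The sample log is constructed from the excerpts quoted in the thread; the hints are my reading of the messages rather than something the posts establish, except the GSSAPI_HEIMDAL rebuild, which the post above reports as its fix. The BIND option tkey-gssapi-keytab and the KRB5_KTNAME variable named in the hints are the standard ways of telling named which keytab to use, mentioned here as assumptions about the reader's setup.

```shell
#!/bin/sh
# Triage a named/samba_dlz log for GSS-TSIG (Kerberos-signed dynamic update) failures.
# Added example; POSIX sh only, no FreeBSD- or Linux-specific tools.

# classify_dlz_line LINE -> prints one tag describing the line.
classify_dlz_line() {
    case "$1" in
        *"An unsupported mechanism was requested"*)          echo gssapi-mech ;;
        *NT_STATUS_LOGON_FAILURE*|*"SPNEGO login failed"*|*"spnego update failed"*)
                                                             echo spnego-auth ;;
        *"TKEY is unacceptable"*)                            echo tkey-rejected ;;
        *"update '"*"' denied"*)                             echo update-denied ;;
        *"allowing update of signer="*)                      echo update-allowed ;;
        *"committed transaction"*)                           echo committed ;;
        *)                                                   echo other ;;
    esac
}

# hint_for TAG -> one-line explanation of what to check for that tag.
hint_for() {
    case "$1" in
        gssapi-mech)   echo "named's GSSAPI library did not offer the Kerberos mechanism (OID 1.2.840.113554.1.2.2 in the log); in this thread fixed by rebuilding dns/bind99 with GSSAPI_HEIMDAL instead of GSSAPI_BASE" ;;
        spnego-auth)   echo "SPNEGO/Kerberos step failed; usually clears with gssapi-mech, otherwise check that named can read the DNS keytab and finds krb5.conf" ;;
        tkey-rejected) echo "client side (nsupdate -g): named refused GSS-TSIG key negotiation; check that tkey-gssapi-keytab (or KRB5_KTNAME in named's environment) points at a keytab readable by the named user" ;;
        update-denied) echo "named's update ACL rejected an unsigned or unrecognised update; compare the service's environment and user with the working 'named -g' run" ;;
        *)             echo "no hint" ;;
    esac
}

# triage_log: stdin = named log, stdout = "count tag" lines, most frequent first.
triage_log() {
    while IFS= read -r line; do
        classify_dlz_line "$line"
    done | sort | uniq -c | sort -rn
}

# explain_log: stdin = named log, stdout = one hint per failure tag seen.
explain_log() {
    triage_log | while read -r count tag; do
        case "$tag" in committed|update-allowed|other) continue ;; esac
        printf '%s x%s: %s\n' "$tag" "$count" "$(hint_for "$tag")"
    done
}

# sample_log: constructed sample, modelled on the log excerpts quoted in the thread.
sample_log() {
    cat <<'EOF'
24-Jun-2016 02:14:11.418 database: info: samba_dlz: starting transaction on zone sambadomain.local
24-Jun-2016 02:14:11.421 database: error: samba_dlz: GSS server Update(krb5)(1) Update failed: An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
24-Jun-2016 02:14:11.421 database: error: samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
24-Jun-2016 02:14:11.421 database: warning: samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
24-Jun-2016 02:14:11.421 database: error: samba_dlz: spnego update failed
24-Jun-2016 02:14:11.421 database: info: samba_dlz: cancelling transaction on zone sambadomain.local
Jun 26 13:50:03 bsd10 named[43747]: client 192.168.100.82#50165: update 'sub.mydomain.tld/IN' denied
dns_tkey_negotiategss: TKEY is unacceptable
24-Jun-2016 02:19:11.478 database: info: samba_dlz: allowing update of signer=NONO\$\@SMBADOMAIN.LOCAL name=nono.sambadomain.local tcpaddr= type=A key=XXXX
24-Jun-2016 02:19:11.512 database: info: samba_dlz: committed transaction on zone sambadomain.local
EOF
}

# Demo run on the constructed sample.
sample_log | explain_log
```

To use it on a real system, pipe the named log (or the output of samba_dnsupdate --verbose) into explain_log instead of sample_log. The tags are deliberately coarse: the point is to tell a library/mechanism problem (fix the build) from a keytab/ACL problem (fix named's environment or named.conf) before touching either.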
 