
[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH


Norbert Hanke, Jul 17, 2016, 7:20:04 PM
Hello,

I'm trying to join a samba 4 DC to an already existing samba 4 DC, both
with BIND9_DLZ. Samba is at version 4.4.5, bind is version 9.10.4-P1,
all brand new.

The existing DC runs fine, but the added DC refuses to update its local
bind database: every attempt to update the local DNS results in "update
failed: NOTAUTH". AD replication works perfectly.

Both systems are set up identically except for the provisioning/joining
command. On the first I did
samba-tool domain provision --use-rfc2307 --domain=$domain --server-role=dc --dns-backend=BIND9_DLZ --realm=$realm --adminpass=Wonttell
and on the second I do
samba-tool domain join $domain DC -Uadministrator --realm=$realm --dns-backend=BIND9_DLZ

Versions are the same, bind config is the same, I tried to follow every
rule I could find.

# samba_dnsupdate --verbose -d 9
INFO: Current debug levels:
all: 9
(... more such levels ...)
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
added interface eth0 ip=192.168.1.9 bcast=192.168.1.255 netmask=255.255.255.0
IPs: ['192.168.1.9']
Module 'tombstone_reanimate' is disabled. Skip registration.
lpcfg_servicenumber: couldn't find ldb
schema_fsmo_init: we are master[no] updates allowed[no]
schema_fsmo_init: we are master[no] updates allowed[no]
Looking for DNS entry A dc2.ad.domain.ch 192.168.1.9 as dc2.ad.domain.ch.
Looking for DNS entry A ad.domain.ch 192.168.1.9 as ad.domain.ch.
Failed to find matching DNS entry A ad.domain.ch 192.168.1.9
need update: A ad.domain.ch 192.168.1.9
(... many more such Looking...need update blocks)
24 DNS updates and 0 DNS deletes needed
ldb_wrap open of secrets.ldb
Received smb_krb5 packet of length 298
Received smb_krb5 packet of length 1311
update(nsupdate): A ad.domain.tld 192.168.1.9
Calling nsupdate for A ad.domain.tld 192.168.1.9 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ad.domain.tld. 900 IN A 192.168.1.9

update failed: NOTAUTH
Failed nsupdate: 2
(... many more such failed updates ...)
Failed update of 24 entries
# 22:37:30 root@dc2:/root/


In /var/log/syslog these 24 equivalent error messages appear every 10
minutes:
Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.742592, 0]
../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
Jul 17 22:52:06 dc2 samba[3960]: /usr/local/samba/sbin/samba_dnsupdate:
update failed: NOTAUTH
and the last of the 24 entries is always followed by
Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.866877, 0]
../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
Jul 17 22:52:06 dc2 samba[3960]: ../source4/dsdb/dns/dns_update.c:295:
Failed DNS update - NT_STATUS_TOO_MANY_OPENED_FILES

smb.conf is minimalistic:

# Global parameters
[global]
netbios name = DC2
realm = AD.DOMAIN.TLD
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = DOMAIN
server role = active directory domain controller

[netlogon]
path = /usr/local/samba/var/locks/sysvol/ad.domain.tld/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

Maybe somebody has an idea what I did wrong?



--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Achim Gottinger, Jul 17, 2016, 8:00:03 PM
resolv.conf on dc2 should point to dc1 during join. Is that the case?
Does kinit work on dc2?

Norbert Hanke, Jul 18, 2016, 6:10:07 AM
Yes, I did
cat <<EOF >/etc/resolv.conf
domain $domain
nameserver $otherip
nameserver $ip
EOF

($ip is the local system, $otherip is the existing DC)

resulting in

# cat /etc/resolv.conf
domain ad.domain.ch
nameserver 192.168.1.8
nameserver 192.168.1.9


Before joining I did

klist -e | grep administrator@$realm || kinit administrator

and looking at it right now half a day later I get

# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admini...@AD.DOMAIN.CH

Valid starting Expires Service principal
17/07/16 21:56:59 18/07/16 07:56:59 krbtgt/AD.DOM...@AD.DOMAIN.CH
renew until 18/07/16 21:56:55, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

So it is expired right now, another kinit gets me a new tgt:
# kinit -R
kinit: Ticket expired while renewing credentials
# kinit
Password for admini...@AD.DOMAIN.CH:
Warning: Your password will expire in 32 days on Sat 20 Aug 2016
08:27:10 UTC
# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admini...@AD.DOMAIN.CH

Valid starting Expires Service principal
18/07/16 09:35:01 18/07/16 19:35:01 krbtgt/AD.DOM...@AD.DOMAIN.CH
renew until 19/07/16 09:34:58, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
samba_dnsupdate still fails.

Tim, Jul 18, 2016, 1:20:03 PM
Hi Norbert,

I never used Bind as samba dns backend. But this sounds like a permission problem so that your samba process isn't allowed to update Bind.

Possibly you should take a look at the permissions.

Regards
Tim

Rowland penny, Jul 18, 2016, 2:20:03 PM
Try reading this wiki page, it may help:

https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins

Rowland

Norbert Hanke, Jul 18, 2016, 4:40:04 PM
Yes, I did that from the beginning. The entries were indeed missing and I
added them.

I also tried adding with a lower-case dc2 instead of DC2. It did not
make a difference.

But now it surprises me that adding worked at all. Isn't a "samba-tool
dns add ..." about the same as what samba_dnsupdate does when adding
entries?

And I just checked: the two added entries are still there and are
resolvable through both DNS servers. It's a mystery to me.

Achim Gottinger, Jul 18, 2016, 5:00:02 PM
You can try to run

root@dc2:~# samba_upgradedns --dns-backend=BIND9_DLZ

and verify that bind has read rights on the dns.keytab

root@dc2:~# ls -l /var/lib/samba/private/dns.keytab
-rw-r----- 1 root bind 732 Jun 28 16:08 /var/lib/samba/private/dns.keytab

Also check that the keytab contains such keys.

root@dc2:~# klist -Kek /var/lib/samba/private/dns.keytab
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
----
--------------------------------------------------------------------------
1 DNS/dc2.doma...@DOMAIN.LOCAL (des-cbc-crc) (...)
1 dns...@DOMAIN.LOCAL (des-cbc-crc) (...)
1 DNS/dc2.doma...@DOMAIN.LOCAL (des-cbc-md5) (...)
1 dns...@DOMAIN.LOCAL (des-cbc-md5) (...)
1 DNS/dc2.doma...@DOMAIN.LOCAL (arcfour-hmac) (...)
1 dns...@DOMAIN.LOCAL (arcfour-hmac) (...)
1 DNS/dc2.doma...@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96) (...
1 dns...@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96) (...)
1 DNS/dc2.doma...@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96) (...)
1 dns...@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96) (...)

Rowland penny, Jul 18, 2016, 5:20:03 PM
Try adding 'allow dns updates = nonsecure and secure' to your smb.conf
files.
I would also check that it isn't something like apparmor or selinux
blocking the updates.

If I run the same command on my second DC, at the point it goes wrong
for you, I get:

Looking for DNS entry A dc2.samdom.example.com 192.168.0.6 as dc2.samdom.example.com.
Looking for DNS entry A samdom.example.com 192.168.0.6 as samdom.example.com.
Looking for DNS entry SRV _ldap._tcp.samdom.example.com dc2.samdom.example.com 389 as _ldap._tcp.samdom.example.com.

From your output, it looks as if it cannot find the 'A' record for your
second DC.

Rowland

Norbert Hanke, Jul 18, 2016, 5:40:02 PM
dns.keytab already exists:
# ls -l /usr/local/samba/private/dns.keytab
-rw-r----- 1 root bind 777 Jul 17 21:59 /usr/local/samba/private/dns.keytab

running the upgrade does not do too much:
# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/AD.DOMAIN.CH.zone
DNS records will be automatically created
DNS partitions already exist
dns-dc2 account already exists
See /usr/local/samba/private/named.conf for an example configuration
include file for BIND
and /usr/local/samba/private/named.txt for further documentation
required for secure DNS updates
Finished upgrading DNS

and the keytab file is unchanged. Contents looks fine:
# klist -Kek /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
----
--------------------------------------------------------------------------
1 DNS/dc2.ad.d...@AD.DOMAIN.CH (des-cbc-crc) (...)
1 dns...@AD.DOMAIN.CH (des-cbc-crc) (...)
1 DNS/dc2.ad.d...@AD.DOMAIN.CH (des-cbc-md5) (...)
1 dns...@AD.DOMAIN.CH (des-cbc-md5) (...)
1 DNS/dc2.ad.d...@AD.DOMAIN.CH (arcfour-hmac) (...)
1 dns...@AD.DOMAIN.CH (arcfour-hmac) (...)
1 DNS/dc2.ad.d...@AD.DOMAIN.CH (aes128-cts-hmac-sha1-96) (...)
1 dns...@AD.DOMAIN.CH (aes128-cts-hmac-sha1-96) (...)
1 DNS/dc2.ad.d...@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96) (...)
1 dns...@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96) (...)

The missing zone file is also not present on the working dc1 system.

Rowland penny, Jul 18, 2016, 5:50:03 PM
Upgrading to bind9 doesn't work at the moment, you need to upgrade to
the internal DNS server, then upgrade again to Bind9.
When it says 'DNS accounts already exist', it isn't actually referring
to the <DCname>-dns user, it is referring to the dnsadmins group.

Must prod Samba-technical about my patch.

What zone file is missing ?

Rowland

Achim Gottinger, Jul 18, 2016, 5:50:03 PM
samba_dnsupdate uses nsupdate to modify DNS records; the NOTAUTH response
is coming from such an nsupdate call.

The samba wiki recommends these settings

kerberos method = system keytab
client ldap sasl wrapping = sign
allow dns updates = nonsecure and secure
nsupdate command = /usr/bin/nsupdate -g
server services = -dns

You can keep your server services line i think.

Norbert Hanke, Jul 18, 2016, 6:00:03 PM
I added the smb.conf entry and rebooted: no change. This is on a plain
vanilla Raspberry Pi system without apparmor or selinux configured. The
first DC dc1 is on an identical setup and works.

I checked dc2: the A record of dc2 is known to both DNS servers.

But the A record for the domain alone (without the dc2) and the SRV
record for _ldap... both point to the IP of dc1, on both DNS servers.
Could that be the problem?

Achim Gottinger, Jul 18, 2016, 6:20:03 PM
Thank you for the clarification. I was wondering because in my test setup
dns-dc2 is missing and was not created even when switching between
backends as you described.
So I did it similarly to the dovecot kerberos steps.

samba-tool user create dns-dc2 --random-password
samba-tool spn add DNS/dc2.domain.local dns-dc2
mv /var/lib/samba/private/dns.keytab /var/lib/samba/private/dns.keytab.old
samba-tool domain exportkeytab --principal dns-dc2 /var/lib/samba/private/dns.keytab
samba-tool domain exportkeytab --principal DNS/dc2.domain.local /var/lib/samba/private/dns.keytab

I restarted bind9 and this works

kinit Administrator
nsupdate -g
>update add test.domain.local. 0 A 192.168.100.123
>send

Without the dns-dc2 account that fails.
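The checks suggested across the thread (resolv.conf pointing at the working DC, a valid ticket, the keytab readable by bind's group and containing a DNS/<fqdn> key, and Achim's manual nsupdate -g round trip) collected into one script. This is an added example, not code from the thread or from the Samba project. The default paths, the group name "bind", the DC name and the IP are assumptions taken from the posts above and should be overridden through the environment. Two points the script encodes: BIND answers NOTAUTH not only when it is not authoritative for the zone but also when it cannot verify the TSIG/GSS-TSIG signature on the update (RFC 2845), which is why an unreadable or incomplete dns.keytab shows up as NOTAUTH; and samba_dnsupdate obtains its own ticket (the secrets.ldb and smb_krb5 lines in Norbert's verbose output), whereas the nsupdate -g test below uses whatever ticket the caller currently holds, as in Achim's test.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project: pre-flight checks for
# secure (GSS-TSIG) DNS updates on a Samba AD DC using the BIND9_DLZ backend.
# Assumptions, override via environment: default-prefix build paths as in the
# thread, named running as group "bind", and the names/IPs used in the posts.
KEYTAB="${KEYTAB:-/usr/local/samba/private/dns.keytab}"
BIND_GROUP="${BIND_GROUP:-bind}"
DC_FQDN="${DC_FQDN:-dc2.ad.domain.tld}"
REALM="${REALM:-AD.DOMAIN.TLD}"
OTHER_DC="${OTHER_DC:-192.168.1.8}"

# keytab_group_readable GROUP: reads one `ls -l` line on stdin and succeeds when
# the file's group is GROUP and the group-read bit is set. named must be able to
# read the keytab, otherwise it cannot verify the GSS-TSIG signature.
keytab_group_readable() {
  want="$1"
  set -- $(cat)
  mode="$1"; group="$4"
  [ "$group" = "$want" ] && [ "$(printf '%s' "$mode" | cut -c5)" = r ]
}

# check_keytab_listing FQDN REALM: reads `klist -ke` output on stdin; succeeds
# only if a DNS/FQDN@REALM entry with an AES enctype exists. DES/RC4 entries,
# which the listings in the thread also show, are reported but tolerated.
check_keytab_listing() {
  fqdn="$1"; realm="$2"
  listing=$(cat)
  if ! printf '%s\n' "$listing" | grep -F "DNS/${fqdn}@${realm}" \
       | grep -Eq 'aes(128|256)-cts-hmac-sha1-96'; then
    echo "no AES key for DNS/${fqdn}@${realm} in keytab" >&2
    return 1
  fi
  if printf '%s\n' "$listing" | grep -Eq 'des-cbc-(crc|md5)|arcfour-hmac'; then
    echo "note: DES/RC4 keys present in keytab (weak enctypes)" >&2
  fi
  return 0
}

# classify_nsupdate_output: maps nsupdate's output (stdin) to one word.
# NOTAUTH: not authoritative for the zone, or the TSIG/GSS-TSIG signature was
# not accepted (RFC 2845). nsupdate prints nothing on success.
classify_nsupdate_output() {
  out=$(cat)
  case "$out" in
    *NOTAUTH*)  echo notauth ;;
    *REFUSED*)  echo refused ;;
    *SERVFAIL*) echo servfail ;;
    *failed*)   echo failed ;;
    *)          echo ok ;;
  esac
}

# gss_tsig_roundtrip SERVER: add, then delete, a throwaway TXT record via
# nsupdate -g (the mechanism samba_dnsupdate uses) with the caller's ticket.
# The record name is an assumption; any name the zone does not use will do.
gss_tsig_roundtrip() {
  name="_preflight.${DC_FQDN#*.}"
  printf 'server %s\nupdate add %s 0 TXT "preflight"\nsend\nupdate delete %s TXT\nsend\n' \
    "$1" "$name" "$name" | nsupdate -g 2>&1 | classify_nsupdate_output
}

run_preflight() {
  echo "== resolv.conf (existing DC $OTHER_DC should be listed first)"
  grep -E '^nameserver' /etc/resolv.conf
  echo "== ticket cache"
  klist -s && echo "valid ticket present" || echo "no valid ticket: run kinit"
  echo "== keytab ownership"
  ls -l "$KEYTAB" | keytab_group_readable "$BIND_GROUP" \
    && echo "group $BIND_GROUP can read $KEYTAB" || echo "named cannot read $KEYTAB"
  echo "== keytab contents (MIT klist syntax, as used in the thread)"
  klist -ke "$KEYTAB" | check_keytab_listing "$DC_FQDN" "$REALM" \
    && echo "DNS/$DC_FQDN@$REALM present with AES key"
  echo "== GSS-TSIG update against local bind: $(gss_tsig_roundtrip 127.0.0.1)"
  echo "== GSS-TSIG update against $OTHER_DC: $(gss_tsig_roundtrip "$OTHER_DC")"
}

if [ "${1:-}" = "--run" ]; then run_preflight; fi
```

Run it as `DC_FQDN=dc2.ad.domain.ch REALM=AD.DOMAIN.CH sh preflight.sh --run` after a `kinit`. A "notauth" against the local bind but "ok" against the other DC points at the local keytab or named's access to it rather than at the zone data, which matches what the replication and samba-tool dns add results in this thread already suggested.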