Discussion:
[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
Norbert Hanke
2016-07-17 23:02:32 UTC
Permalink
Hello,

I'm trying to join a samba 4 DC to an already existing samba 4 DC, both
with BIND9_DLZ. Samba is at version 4.4.5, bind is version 9.10.4-P1,
all brand new.

The existing DC runs fine, but the added DC refuses to update its local
bind database: every attempt to update the local DNS results in "update
failed: NOTAUTH". AD replication works perfectly.

Both systems are set up identically except for the provisioning/joining
command. On the first I did
samba-tool domain provision --use-rfc2307 --domain=$domain
--server-role=dc --dns-backend=BIND9_DLZ \
--realm=$realm --adminpass=Wonttell
and on the second I do
samba-tool domain join $domain DC -Uadministrator --realm=$realm
--dns-backend=BIND9_DLZ

Versions are the same, bind config is the same, I tried to follow every
rule I could find.

# samba_dnsupdate --verbose -d 9
INFO: Current debug levels:
all: 9
(... more such levels ...)
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
added interface eth0 ip=192.168.1.9 bcast=192.168.1.255
netmask=255.255.255.0
IPs: ['192.168.1.9']
Module 'tombstone_reanimate' is disabled. Skip registration.
lpcfg_servicenumber: couldn't find ldb
schema_fsmo_init: we are master[no] updates allowed[no]
schema_fsmo_init: we are master[no] updates allowed[no]
Looking for DNS entry A dc2.ad.domain.ch 192.168.1.9 as dc2.ad.domain.ch.
Looking for DNS entry A ad.domain.ch 192.168.1.9 as ad.domain.ch.
Failed to find matching DNS entry A ad.domain.ch 192.168.1.9
need update: A ad.domain.ch 192.168.1.9
(... many more such Looking...need update blocks)
24 DNS updates and 0 DNS deletes needed
ldb_wrap open of secrets.ldb
Received smb_krb5 packet of length 298
Received smb_krb5 packet of length 1311
update(nsupdate): A ad.domain.tld 192.168.1.9
Calling nsupdate for A ad.domain.tld 192.168.1.9 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ad.domain.tld. 900 IN A 192.168.1.9

update failed: NOTAUTH
Failed nsupdate: 2
(... many more such failed updates ...)
Failed update of 24 entries
# 22:37:30 ***@dc2:/root/


In /var/log/syslog there are these 24 equivalent error messages every 10
minutes:
Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.742592, 0]
../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
Jul 17 22:52:06 dc2 samba[3960]: /usr/local/samba/sbin/samba_dnsupdate:
update failed: NOTAUTH
and the last of the 24 entries is always followed by
Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.866877, 0]
../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
Jul 17 22:52:06 dc2 samba[3960]: ../source4/dsdb/dns/dns_update.c:295:
Failed DNS update - NT_STATUS_TOO_MANY_OPENED_FILES

smb.conf is minimalistic:

# Global parameters
[global]
netbios name = DC2
realm = AD.DOMAIN.TLD
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = DOMAIN
server role = active directory domain controller

[netlogon]
path = /usr/local/samba/var/locks/sysvol/ad.domain.tld/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

Maybe somebody has an idea what I did wrong?
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Achim Gottinger
2016-07-17 23:52:49 UTC
Permalink
Post by Norbert Hanke
Hello,
I'm trying to join a samba 4 DC to an already existing samba 4 DC,
both with BIND9_DLZ. Samba is at version 4.4.5, bind is version
9.10.4-P1, all brand new.
The existing DC runs fine, but the added DC refuses to update its
local bind database: every attempt to update the local DNS results in
"update failed: NOTAUTH". AD replication works perfectly.
(...)
resolv.conf on dc2 should point to dc1 during join. Is that the case?
Does kinit work on dc2?
Norbert Hanke
2016-07-18 09:45:18 UTC
Permalink
Post by Achim Gottinger
Post by Norbert Hanke
(...)
resolv.conf on dc2 should point to dc1 during join. Is that the case?
Does kinit work on dc2?
Yes, I did
cat <<EOF >/etc/resolv.conf
domain $domain
nameserver $otherip
nameserver $ip
EOF

($ip is the local system, $otherip is the existing DC)

resulting in

# cat /etc/resolv.conf
domain ad.domain.ch
nameserver 192.168.1.8
nameserver 192.168.1.9


Before joining I did

klist -e | grep administrator@$realm || kinit administrator

and looking at it right now half a day later I get

# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ***@AD.DOMAIN.CH

Valid starting Expires Service principal
17/07/16 21:56:59 18/07/16 07:56:59 krbtgt/***@AD.DOMAIN.CH
renew until 18/07/16 21:56:55, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

So it is expired right now, another kinit gets me a new tgt:
# kinit -R
kinit: Ticket expired while renewing credentials
# kinit
Password for ***@AD.DOMAIN.CH:
Warning: Your password will expire in 32 days on Sat 20 Aug 2016
08:27:10 UTC
# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ***@AD.DOMAIN.CH

Valid starting Expires Service principal
18/07/16 09:35:01 18/07/16 19:35:01 krbtgt/***@AD.DOMAIN.CH
renew until 19/07/16 09:34:58, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
samba_dnsupdate still fails.
Achim Gottinger
2016-07-18 20:48:37 UTC
Permalink
Post by Norbert Hanke
Post by Achim Gottinger
(...)
resolv.conf on dc2 should point to dc1 during join. Is that the case?
Does kinit work on dc2?
(...)
samba_dnsupdate still fails.
You can try to run

***@dc2:~# samba_upgradedns --dns-backend=BIND9_DLZ

and verify that bind has read rights on the dns.keytab

***@dc2:~# ls -l /var/lib/samba/private/dns.keytab
-rw-r----- 1 root bind 732 Jun 28 16:08 /var/lib/samba/private/dns.keytab

Also check that the keytab contains such keys.

***@dc2:~# klist -Kek /var/lib/samba/private/dns.keytab
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
----
--------------------------------------------------------------------------
1 DNS/***@DOMAIN.LOCAL (des-cbc-crc) (...)
1 dns-***@DOMAIN.LOCAL (des-cbc-crc) (...)
1 DNS/***@DOMAIN.LOCAL (des-cbc-md5) (...)
1 dns-***@DOMAIN.LOCAL (des-cbc-md5) (...)
1 DNS/***@DOMAIN.LOCAL (arcfour-hmac) (...)
1 dns-***@DOMAIN.LOCAL (arcfour-hmac) (...)
1 DNS/***@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96) (...
1 dns-***@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96) (...)
1 DNS/***@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96) (...)
1 dns-***@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96) (...)
Norbert Hanke
2016-07-18 21:31:38 UTC
Permalink
Post by Achim Gottinger
(...)
You can try to run
and verify that bind has read rights on the dns.keytab
-rw-r----- 1 root bind 732 Jun 28 16:08 /var/lib/samba/private/dns.keytab
Also check that the keytab contains such keys.
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
----
--------------------------------------------------------------------------
dns.keytab already exists:
# ls -l /usr/local/samba/private/dns.keytab
-rw-r----- 1 root bind 777 Jul 17 21:59
/usr/local/samba/private/dns.keytab

running the upgrade does not do too much:
# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/AD.DOMAIN.CH.zone
DNS records will be automatically created
DNS partitions already exist
dns-dc2 account already exists
See /usr/local/samba/private/named.conf for an example configuration
include file for BIND
and /usr/local/samba/private/named.txt for further documentation
required for secure DNS updates
Finished upgrading DNS

and the keytab file is unchanged. Contents look fine:
# klist -Kek /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
----
--------------------------------------------------------------------------
1 DNS/***@AD.DOMAIN.CH (des-cbc-crc) (...)
1 dns-***@AD.DOMAIN.CH (des-cbc-crc) (...)
1 DNS/***@AD.DOMAIN.CH (des-cbc-md5) (...)
1 dns-***@AD.DOMAIN.CH (des-cbc-md5) (...)
1 DNS/***@AD.DOMAIN.CH (arcfour-hmac) (...)
1 dns-***@AD.DOMAIN.CH (arcfour-hmac) (...)
1 DNS/***@AD.DOMAIN.CH (aes128-cts-hmac-sha1-96) (...)
1 dns-***@AD.DOMAIN.CH (aes128-cts-hmac-sha1-96) (...)
1 DNS/***@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96) (...)
1 dns-***@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96) (...)

The missing zone file is also not present on the working dc1 system.
Achim Gottinger
2016-07-18 21:44:32 UTC
Permalink
Post by Norbert Hanke
(...)
samba_dnsupdate uses nsupdate to modify DNS records; the NOTAUTH response
is coming from such an nsupdate call.

The samba wiki recommends these settings

kerberos method = system keytab
client ldap sasl wrapping = sign
allow dns updates = nonsecure and secure
nsupdate command = /usr/bin/nsupdate -g
server services = -dns

You can keep your server services line, I think.
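A diagnostic script for the checks discussed in the two replies above (whether the local bind can read dns.keytab, and the GSS-TSIG nsupdate -g call that returns NOTAUTH), added here as an example; it is not code from the thread or from Samba. It assumes the zone ad.domain.ch, the keytab path /usr/local/samba/private/dns.keytab and the bind user shown in the posts; the dig and ls output it parses when run without arguments is constructed sample data. With --live it queries the local named for the zone SOA (NOTAUTH is the update rcode for a server that is not authoritative for the zone named in the request, so a non-recursive SOA query should come back with the AA flag), inspects the keytab permissions, and sends a signed add-then-delete of a throwaway TXT record with nsupdate -g, which needs a valid ticket in the default credential cache.

```shell
#!/bin/sh
# Added diagnostic, not part of the mailing-list thread. Three checks for a
# BIND9_DLZ DC whose samba_dnsupdate reports NOTAUTH:
#   1. is the local named authoritative for the AD zone (NOTAUTH = "I do not
#      serve that zone"),
#   2. can the named user read dns.keytab (the GSS-TSIG key lives there),
#   3. does a GSS-TSIG update (nsupdate -g, what samba_dnsupdate runs) succeed.
# Zone, keytab path and named user are assumptions taken from the posts;
# override them through the environment.

ZONE="${ZONE:-ad.domain.ch}"
KEYTAB="${KEYTAB:-/usr/local/samba/private/dns.keytab}"
NAMED_USER="${NAMED_USER:-bind}"

# zone_authoritative DIG_OUTPUT
# Succeeds when a non-recursive SOA query came back NOERROR with the AA flag,
# i.e. the server answered as an authority for the zone.
zone_authoritative() {
    printf '%s\n' "$1" | grep -q 'status: NOERROR' || return 1
    printf '%s\n' "$1" | grep -Eq 'flags:[^;]* aa[ ;]'
}

# keytab_group_readable LS_LINE GROUP
# Parses an `ls -l` line ("-rw-r----- 1 root bind ...") and succeeds when the
# file's group is GROUP and the group read bit is set.
keytab_group_readable() {
    want="$2"
    set -- $1
    mode="$1"; group="$4"
    [ "$group" = "$want" ] || return 1
    case "$mode" in
        ????r*) return 0 ;;
        *)      return 1 ;;
    esac
}

# keytab_world_readable LS_LINE
# Succeeds (the bad case) when the "other" read bit is set: the keytab holds
# the DNS service key and must not be readable by every local user.
keytab_world_readable() {
    set -- $1
    case "$1" in
        ???????r*) return 0 ;;
        *)         return 1 ;;
    esac
}

# gss_probe_script ZONE
# Prints the nsupdate script for a signed add+delete of a throwaway TXT record;
# "zone" is given explicitly so the request names the zone the DC must own.
gss_probe_script() {
    printf 'server 127.0.0.1\nzone %s\nupdate add _dnsprobe.%s 60 IN TXT "probe"\nsend\nupdate delete _dnsprobe.%s TXT\nsend\n' "$1" "$1" "$1"
}

live_check() {
    echo "== SOA probe for $ZONE against 127.0.0.1"
    if zone_authoritative "$(dig @127.0.0.1 "$ZONE" SOA +norecurse 2>&1)"; then
        echo "ok: local named is authoritative for $ZONE"
    else
        echo "FAIL: local named is not authoritative for $ZONE (check the dlz include in named.conf)"
    fi
    echo "== permissions on $KEYTAB"
    line=$(ls -l "$KEYTAB")
    if keytab_group_readable "$line" "$NAMED_USER"; then
        echo "ok: group $NAMED_USER can read the keytab"
    else
        echo "FAIL: $NAMED_USER cannot read it: $line"
    fi
    if keytab_world_readable "$line"; then
        echo "WARN: keytab is world-readable: $line"
    fi
    echo "== GSS-TSIG probe update (needs a valid ticket in the default cache)"
    gss_probe_script "$ZONE" | nsupdate -g -d
}

# Constructed sample outputs, used when the script is run without --live.
SAMPLE_DIG_OK='; <<>> DiG 9.10.4-P1 <<>> @127.0.0.1 ad.domain.ch SOA +norecurse
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_DIG_NOTAUTH='; <<>> DiG 9.10.4-P1 <<>> @127.0.0.1 ad.domain.ch SOA +norecurse
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_LS='-rw-r----- 1 root bind 777 Jul 17 21:59 /usr/local/samba/private/dns.keytab'

if [ "${1:-}" = "--live" ]; then
    live_check
else
    zone_authoritative "$SAMPLE_DIG_OK" && echo "sample: authoritative answer recognised"
    zone_authoritative "$SAMPLE_DIG_NOTAUTH" || echo "sample: non-authoritative answer recognised"
    keytab_group_readable "$SAMPLE_LS" "$NAMED_USER" && echo "sample: group $NAMED_USER can read the keytab"
fi
```

If the SOA probe fails while AD replication works, named on the new DC is serving without the DLZ zone, and no keytab or ticket change will turn NOTAUTH into success; if the SOA probe passes but the signed update fails, compare the principal in the nsupdate -d output with the DNS/ entries klist -k shows in the keytab.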
Achim Gottinger
2016-07-18 22:06:55 UTC
Permalink
Post by Norbert Hanke
Post by Achim Gottinger
Post by Norbert Hanke
Post by Achim Gottinger
Post by Norbert Hanke
Hello,
I'm trying to join a samba 4 DC to an already existing samba 4
DC, both with BIND9_DLZ. Samba is at version 4.4.5, bind is
version 9.10.4-P1, all brand new.
The existing DC runs fine, but the added DC refuses to update its
local bind database: every attempt to update the local DNS
results in "update failed: NOTAUTH". AD replication works perfectly.
Both systems are set up identically except for the
provisioning/joining command. On the first I did
samba-tool domain provision --use-rfc2307 --domain=$domain
--server-role=dc --dns-backend=BIND9_DLZ \
--realm=$realm --adminpass=Wonttell
and on the second I do
samba-tool domain join $domain DC -Uadministrator --realm=$realm
--dns-backend=BIND9_DLZ
Versions are the same, bind config is the same, I tried follow
every rule I could find.
# samba_dnsupdate --verbose -d 9
all: 9
(... more such levels ...)
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
added interface eth0 ip=192.168.1.9 bcast=192.168.1.255
netmask=255.255.255.0
IPs: ['192.168.1.9']
Module 'tombstone_reanimate' is disabled. Skip
registration.lpcfg_servicenumber: couldn't find ldb
schema_fsmo_init: we are master[no] updates allowed[no]
schema_fsmo_init: we are master[no] updates allowed[no]
Looking for DNS entry A dc2.ad.domain.ch 192.168.1.9 as
dc2.ad.domain.ch.
Looking for DNS entry A ad.domain.ch 192.168.1.9 as ad.domain.ch.
Failed to find matching DNS entry A ad.domain.ch 192.168.1.9
need update: A ad.domain.ch 192.168.1.9
(... many more such Looking...need update blocks)
24 DNS updates and 0 DNS deletes needed
ldb_wrap open of secrets.ldb
Received smb_krb5 packet of length 298
Received smb_krb5 packet of length 1311
update(nsupdate): A ad.domain.tld 192.168.1.9
Calling nsupdate for A ad.domain.tld 192.168.1.9 (add)
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
ad.domain.tld. 900 IN A 192.168.1.9
update failed: NOTAUTH
Failed nsupdate: 2
(... many more such failed updates ...)
Failed update of 24 entries
In /var/log/syslog there are these equivalent 24 error message
Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.742592, 0]
../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
and the last of the 24 entries is always followed by
Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.866877, 0]
../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
../source4/dsdb/dns/dns_update.c:295: Failed DNS update -
NT_STATUS_TOO_MANY_OPENED_FILES
# Global parameters
[global]
netbios name = DC2
realm = AD.DOMAIN.TLD
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = DOMAIN
server role = active directory domain controller
[netlogon]
path = /usr/local/samba/var/locks/sysvol/ad.domain.tld/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
Maybe somebody has an idea what I did wrong?
resolv.conf on dc2 should point to dc1 during join. Is that the case?
Does kinit work on dc2?
Yes, I did
cat <<EOF >/etc/resolv.conf
domain $domain
nameserver $otherip
nameserver $ip
EOF
($ip is the local system, $otherip is the existing DC)
resulting in
# cat /etc/resolv.conf
domain ad.domain.ch
nameserver 192.168.1.8
nameserver 192.168.1.9
Before joining I did
and looking at it right now half a day later I get
# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Valid starting Expires Service principal
17/07/16 21:56:59 18/07/16 07:56:59
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
# kinit -R
kinit: Ticket expired while renewing credentials
# kinit
Warning: Your password will expire in 32 days on Sat 20 Aug 2016
08:27:10 UTC
# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Valid starting Expires Service principal
18/07/16 09:35:01 18/07/16 19:35:01
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
samba_dnsupdate still fails.
You can try to run
and verify that bind has read rights on the dns.keytab
-rw-r----- 1 root bind 732 Jun 28 16:08
/var/lib/samba/private/dns.keytab
Also check that the keytab contains such keys.
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
----
--------------------------------------------------------------------------
# ls -l /usr/local/samba/private/dns.keytab
-rw-r----- 1 root bind 777 Jul 17 21:59
/usr/local/samba/private/dns.keytab
# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/AD.DOMAIN.CH.zone
DNS records will be automatically created
DNS partitions already exist
dns-dc2 account already exists
See /usr/local/samba/private/named.conf for an example
configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation
required for secure DNS updates
Finished upgrading DNS
# klist -Kek /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
----
--------------------------------------------------------------------------
(...)
(...)
The missing zone file is also not present on the working dc1 system.
Upgrading to bind9 doesn't work at the moment, you need to upgrade to
the internal DNS server, then upgrade again to Bind9.
When it says 'DNS accounts already exists', it isn't actually
referring to the <DCname>-dns user, it is referring to the dnsadmins
group.
Thank you for the clarification; I was wondering because in my test setup
dns-dc2 is missing and was not created even when switching between
backends as you described.
So I did it similarly to the Dovecot Kerberos steps.

samba-tool user create dns-dc2 --random-password
samba-tool spn add DNS/dc2.domain.local dns-dc2
mv /var/lib/samba/private/dns.keytab /var/lib/samba/private/dns.keytab.old
samba-tool domain exportkeytab --principal dns-dc2 /var/lib/samba/private/dns.keytab
samba-tool domain exportkeytab --principal DNS/dc2.domain.local /var/lib/samba/private/dns.keytab

I restarted bind9 and this works:

kinit Administrator
nsupdate -g
update add test.domain.local. 0 A 192.168.100.123
send
Without the dns-dc2 account that fails.
Must prod Samba-technical about my patch.
What zone file is missing?
Rowland
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
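The checks the replies above ask for (resolv.conf pointing at the existing DC, BIND able to read dns.keytab, the keytab holding the DNS/ service principal, and a signed nsupdate round trip) collected into one script, as an added example that is not code from the thread or from the Samba project. It assumes the thread's layout: Samba under /usr/local/samba, BIND running as user "bind", this host being dc2 in realm AD.DOMAIN.TLD and the existing DC at 192.168.1.8. The resolv.conf, ls -l and klist samples embedded in it are constructed so the parsing functions can be exercised offline; the live part runs only when invoked with --live.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): pre-flight
# checks for secure DNS updates from a Samba AD DC to BIND9_DLZ.
# Assumed layout, taken from the thread: Samba under /usr/local/samba,
# BIND running as user "bind", this host is dc2 in realm AD.DOMAIN.TLD,
# the existing DC is 192.168.1.8. Override via the environment if needed.
KEYTAB="${KEYTAB:-/usr/local/samba/private/dns.keytab}"
BIND_USER="${BIND_USER:-bind}"
DC_FQDN="${DC_FQDN:-dc2.ad.domain.tld}"
REALM="${REALM:-AD.DOMAIN.TLD}"
OTHER_DC_IP="${OTHER_DC_IP:-192.168.1.8}"

# Check 1: the first nameserver in resolv.conf must be the existing DC,
# not this host. $1 = resolv.conf contents, $2 = expected IP.
resolv_points_to_other_dc() {
    first=$(printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2; exit }')
    [ "$first" = "$2" ]
}

# Check 2: BIND must be able to read the keytab. $1 = one "ls -l" line;
# the group must be $BIND_USER and the group read bit (5th mode char) set.
keytab_perms_ok() {
    set -- $1
    mode=$1
    group=$4
    [ "$group" = "$BIND_USER" ] || return 1
    case "$mode" in
        ????r*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Check 3: the keytab must hold the DNS/<fqdn>@REALM service principal
# used for GSS-TSIG. $1 = "klist -Kek" output, $2 = FQDN, $3 = realm.
# The principal is the 2nd column of each key line.
keytab_has_dns_spn() {
    printf '%s\n' "$1" | awk -v p="DNS/$2@$3" '$2 == p { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Constructed sample data modelled on the thread's output, used to
# exercise the parsers without touching the live system.
SAMPLE_RESOLV='domain ad.domain.tld
nameserver 192.168.1.8
nameserver 192.168.1.9'
SAMPLE_LS='-rw-r----- 1 root bind 777 Jul 17 21:59 /usr/local/samba/private/dns.keytab'
SAMPLE_KLIST='Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 DNS/dc2.ad.domain.tld@AD.DOMAIN.TLD (aes256-cts-hmac-sha1-96) (0x00)
   2 dns-dc2@AD.DOMAIN.TLD (aes256-cts-hmac-sha1-96) (0x00)'

# Runs the three parsers over the samples; returns 0 when all pass.
self_check() {
    resolv_points_to_other_dc "$SAMPLE_RESOLV" 192.168.1.8 || return 1
    keytab_perms_ok "$SAMPLE_LS" || return 1
    keytab_has_dns_spn "$SAMPLE_KLIST" dc2.ad.domain.tld AD.DOMAIN.TLD || return 1
    return 0
}

# Live checks on the DC itself. The last step mirrors the thread's
# "kinit Administrator; nsupdate -g" test, but adds a throw-away TXT
# record and deletes it again; it needs a valid ticket in the cache.
run_live_checks() {
    rc=0
    if [ -r /etc/resolv.conf ]; then
        resolv_points_to_other_dc "$(cat /etc/resolv.conf)" "$OTHER_DC_IP" \
            || { echo "resolv.conf: first nameserver is not $OTHER_DC_IP"; rc=1; }
    fi
    if [ -e "$KEYTAB" ]; then
        keytab_perms_ok "$(ls -l "$KEYTAB")" \
            || { echo "$KEYTAB: not readable by group $BIND_USER"; rc=1; }
        if command -v klist >/dev/null 2>&1; then
            keytab_has_dns_spn "$(klist -Kek "$KEYTAB")" "$DC_FQDN" "$REALM" \
                || { echo "$KEYTAB: no DNS/$DC_FQDN@$REALM key"; rc=1; }
        fi
    else
        echo "$KEYTAB: missing"; rc=1
    fi
    if [ "$rc" -eq 0 ] && command -v nsupdate >/dev/null 2>&1; then
        zone=${DC_FQDN#*.}
        printf 'update add _dnsupdate-probe.%s. 60 TXT "probe"\nsend\nupdate delete _dnsupdate-probe.%s. TXT\nsend\n' \
            "$zone" "$zone" | nsupdate -g || { echo "signed nsupdate failed"; rc=1; }
    fi
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    run_live_checks
    exit $?
fi
```

Run it as `sh preflight.sh --live` on the joining DC after `kinit Administrator`; each failing check prints one line, and the signed nsupdate is attempted only when the static checks pass, so a NOTAUTH at that point narrows the fault to the Kerberos/GSS-TSIG path rather than file layout.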
Tim
2016-07-18 17:15:06 UTC
Permalink
Hi Norbert,

I have never used Bind as the Samba DNS backend, but this sounds like a permission problem, so that your Samba process isn't allowed to update Bind.

Possibly you should take a look at the permissions.

Regards
Tim
Post by Norbert Hanke
Norbert Hanke
2016-07-18 20:31:54 UTC
Permalink
Post by Norbert Hanke
https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
Rowland
Yes I did that from the beginning. The entries were indeed missing and
I added them.

I also tried adding with a lower-case dc2 instead of DC2. It did not
make a difference.

But now it surprises me that adding worked at all. Isn't a "samba-tool
dns add ..." about the same as what samba_dnsupdate does when adding
entries?

And I just checked: the two added entries are still there and are
resolvable through both DNS servers. It's a mystery to me.
Norbert Hanke
2016-07-18 21:55:32 UTC
Permalink
Post by Norbert Hanke
Post by Norbert Hanke
https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
Rowland
Try adding 'allow dns updates = nonsecure and secure' to your smb.conf
files.
I would also check that it isn't something like apparmor or selinux
blocking the updates.
If I run the same command on my second DC, at the point it goes wrong
Looking for DNS entry A dc2.samdom.example.com 192.168.0.6 as
dc2.samdom.example.com.
Looking for DNS entry A samdom.example.com 192.168.0.6 as
samdom.example.com.
Looking for DNS entry SRV _ldap._tcp.samdom.example.com
dc2.samdom.example.com 389 as _ldap._tcp.samdom.example.com.
From your output, it looks as if it cannot find the 'A' record for
your second DC.
Rowland
I added the smb.conf entry, rebooted: no change. This is on a plain
vanilla Raspberry Pi system without apparmor or selinux configured. The
first DC dc1 is on an identical setup and works.

I checked dc2: the A record of dc2 is known to both DNS servers.

But the A record for the domain alone (without the dc2) and the SRV
record for _ldap... both point to the IP of dc1, on both DNS servers.
Could that be the problem?
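The record check the last two messages do by hand, written up as an added example (not code from the thread or from the Samba project): for one DNS server it verifies the first three lookups samba_dnsupdate makes for a DC, as shown in Rowland's output above (A for the DC, A for the bare domain, SRV _ldap._tcp with the DC as target). Host names and addresses are taken from the thread; the sample answers are constructed to match what the poster reports, and `check_dc_records` is the live variant that needs `dig`.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): verify on one
# DNS server that the records samba_dnsupdate looks up for a DC include
# that DC. Names/addresses follow the thread; sample answers are constructed.

# $1 = "dig +short" answers, one per line; $2 = address that must appear.
answers_contain_ip() {
    printf '%s\n' "$1" | awk -v want="$2" '$1 == want { ok = 1 } END { exit ok ? 0 : 1 }'
}

# SRV answers from "dig +short" read "<prio> <weight> <port> <target.>";
# $2 = expected target FQDN, with or without the trailing dot.
srv_targets_contain() {
    printf '%s\n' "$1" | awk -v want="$2" '$4 == want || $4 == (want ".") { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Live variant: check_dc_records <dns-server-ip> <dc-fqdn> <dc-ip>
check_dc_records() {
    server=$1; fqdn=$2; ip=$3; domain=${fqdn#*.}; rc=0
    command -v dig >/dev/null 2>&1 || { echo "dig not found"; return 2; }
    answers_contain_ip "$(dig +short @"$server" A "$fqdn")" "$ip" \
        || { echo "A $fqdn on $server lacks $ip"; rc=1; }
    answers_contain_ip "$(dig +short @"$server" A "$domain")" "$ip" \
        || { echo "A $domain on $server lacks $ip"; rc=1; }
    srv_targets_contain "$(dig +short @"$server" SRV "_ldap._tcp.$domain")" "$fqdn" \
        || { echo "SRV _ldap._tcp.$domain on $server has no target $fqdn"; rc=1; }
    return $rc
}

# Constructed answers matching what the poster reports: dc2 has its own
# A record, but the bare domain A and the _ldap SRV only name dc1.
SAMPLE_A_DC2='192.168.1.9'
SAMPLE_A_DOMAIN='192.168.1.8'
SAMPLE_SRV_LDAP='0 100 389 dc1.ad.domain.tld.'

# Evaluates the samples as check_dc_records would and prints how many of
# the three record sets do not mention dc2 (2 for the sample set).
missing_for_dc2() {
    n=0
    answers_contain_ip "$SAMPLE_A_DC2" 192.168.1.9 || n=$((n + 1))
    answers_contain_ip "$SAMPLE_A_DOMAIN" 192.168.1.9 || n=$((n + 1))
    srv_targets_contain "$SAMPLE_SRV_LDAP" dc2.ad.domain.tld || n=$((n + 1))
    echo "$n"
}
```

Running `check_dc_records 192.168.1.8 dc2.ad.domain.tld 192.168.1.9` and then the same against 192.168.1.9 shows whether both servers agree, which is the comparison the poster made by hand.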