Gentoo Forums
Samba ADDC and BIND9_DLZ - dns updates not working
spindles7
n00b
Joined: 27 Feb 2018
Posts: 1
Location: UK

Posted: Mon Mar 19, 2018 8:02 pm    Post subject: Samba ADDC and BIND9_DLZ - dns updates not working

Hi,
I have a test system with two DCs based on Samba v4.8.0 with BIND9_DLZ as the DNS backend, running on a fresh install of Gentoo. I can't get DNS updates to work on both DCs. If I issue the command samba_dnsupdate --verbose after the 2nd DC has joined the domain, I get the errors below (just showing the last entry):

Code:
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samba4p8.example.com gentoo-dc2.samba4p8.example.com 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samba4p8.example.com gentoo-dc2.samba4p8.example.com 389 (add)
Successfully obtained Kerberos ticket to DNS/gentoo-dc1.samba4p8.example.com as GENTOO-DC2$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samba4p8.example.com. 900 IN SRV 0 100 389 gentoo-dc2.samba4p8.example.com.

dns_tkey_gssnegotiate: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 26 entries

I have followed the Samba wiki (https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable) for troubleshooting this error and all seems OK:

dns.keytab:
Code:
gentoo-dc2 ~ # ktutil -k /var/lib/samba/private/dns.keytab list
/var/lib/samba/private/dns.keytab:

Vno  Type                     Principal                                                 Aliases
  2  des-cbc-crc              DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM 
  2  des-cbc-crc              dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM                       
  2  des-cbc-md5              DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM 
  2  des-cbc-md5              dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM                       
  2  arcfour-hmac-md5         DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM 
  2  arcfour-hmac-md5         dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM                       
  2  aes128-cts-hmac-sha1-96  DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM 
  2  aes128-cts-hmac-sha1-96  dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM                       
  2  aes256-cts-hmac-sha1-96  DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM 
  2  aes256-cts-hmac-sha1-96  dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM                       


DNS user in AD:
Code:
gentoo-dc2 ~ # ldbsearch -H /var/lib/samba/private/sam.ldb 'cn=dns-gentoo-dc2' dn
# record 1
dn: CN=dns-GENTOO-DC2,CN=Users,DC=samba4p8,DC=example,DC=com

# Referral
ref: ldap://samba4p8.example.com/CN=Configuration,DC=samba4p8,DC=example,DC=com

# Referral
ref: ldap://samba4p8.example.com/DC=DomainDnsZones,DC=samba4p8,DC=example,DC=com

# Referral
ref: ldap://samba4p8.example.com/DC=ForestDnsZones,DC=samba4p8,DC=example,DC=com

# returned 4 records
# 1 entries
# 3 referrals


named -V produces the relevant build options: '--with-dlopen' and '--with-gssapi'

I ran named with the debug option "-d 7" and it produced this log output:

Code:
15-Mar-2018 12:29:13.562 starting BIND 9.11.2-P1 <id:2c2bc60>
15-Mar-2018 12:29:13.563 running on Linux x86_64 4.9.76-gentoo-r1 #1 SMP Wed Mar 14 23:34:12 GMT 2018
15-Mar-2018 12:29:13.563 built with '--prefix=/usr' '--build=x86_64-pc-linux-gnu' '--host=x86_64-pc-linux-gnu' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--datadir=/usr/share' '--sysconfdir=/etc' '--localstatedir=/var/lib' '--libdir=/usr/lib64' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--with-libtool' '--enable-full-report' '--without-readline' '--enable-linux-caps' '--enable-filter-aaaa' '--disable-fixed-rrset' '--disable-ipv6' '--disable-rpz-nsdname' '--disable-rpz-nsip' '--disable-seccomp' '--enable-threads' '--without-dlz-bdb' '--with-dlopen' '--with-dlz-filesystem' '--with-dlz-stub' '--without-gost' '--with-gssapi' '--without-idn' '--without-libjson' '--without-dlz-ldap' '--without-dlz-mysql' '--without-dlz-odbc' '--without-dlz-postgres' '--without-lmdb' '--with-python' '--with-ecdsa' '--with-openssl=/usr' '--with-libxml2' '--with-zlib' '--with-randomdev=/dev/urandom' '--with-geoip' 'build_alias=x86_64-pc-linux-gnu' 'host_alias=x86_64-pc-linux-gnu' 'CFLAGS=-march=native -O2 -pipe' 'LDFLAGS=-Wl,-O1 -Wl,--as-needed'
15-Mar-2018 12:29:13.563 running as: named -u named -f -g
15-Mar-2018 12:29:13.563 ----------------------------------------------------
15-Mar-2018 12:29:13.563 BIND 9 is maintained by Internet Systems Consortium,
15-Mar-2018 12:29:13.563 Inc. (ISC), a non-profit 501(c)(3) public-benefit
15-Mar-2018 12:29:13.563 corporation.  Support and training for BIND 9 are
15-Mar-2018 12:29:13.563 available at https://www.isc.org/support
15-Mar-2018 12:29:13.563 ----------------------------------------------------
15-Mar-2018 12:29:13.563 adjusted limit on open files from 4096 to 1048576
15-Mar-2018 12:29:13.563 found 1 CPU, using 1 worker thread
15-Mar-2018 12:29:13.563 using 1 UDP listener per interface
15-Mar-2018 12:29:13.563 using up to 4096 sockets
15-Mar-2018 12:29:13.565 ./config.c: option 'lmdb-mapsize' was not enabled at compile time (ignored)
15-Mar-2018 12:29:13.565 loading configuration from '/etc/bind/named.conf'
15-Mar-2018 12:29:13.566 reading built-in trusted keys from file '/etc/bind/bind.keys'
15-Mar-2018 12:29:13.566 GeoIP Country (IPv4) (type 1) DB not available
15-Mar-2018 12:29:13.566 GeoIP Country (IPv6) (type 12) DB not available
15-Mar-2018 12:29:13.566 GeoIP City (IPv4) (type 2) DB not available
15-Mar-2018 12:29:13.566 GeoIP City (IPv4) (type 6) DB not available
15-Mar-2018 12:29:13.566 GeoIP City (IPv6) (type 30) DB not available
15-Mar-2018 12:29:13.566 GeoIP City (IPv6) (type 31) DB not available
15-Mar-2018 12:29:13.566 GeoIP Region (type 3) DB not available
15-Mar-2018 12:29:13.566 GeoIP Region (type 7) DB not available
15-Mar-2018 12:29:13.566 GeoIP ISP (type 4) DB not available
15-Mar-2018 12:29:13.566 GeoIP Org (type 5) DB not available
15-Mar-2018 12:29:13.566 GeoIP AS (type 9) DB not available
15-Mar-2018 12:29:13.566 GeoIP Domain (type 11) DB not available
15-Mar-2018 12:29:13.566 GeoIP NetSpeed (type 10) DB not available
15-Mar-2018 12:29:13.566 using default UDP/IPv4 port range: [32768, 60999]
15-Mar-2018 12:29:13.566 using default UDP/IPv6 port range: [32768, 60999]
15-Mar-2018 12:29:13.566 listening on IPv4 interface lo, 127.0.0.1#53
15-Mar-2018 12:29:13.567 listening on IPv4 interface enp0s3, 192.168.2.16#53
15-Mar-2018 12:29:13.567 generating session key for dynamic DNS
15-Mar-2018 12:29:13.567 sizing zone task pool based on 3 zones
15-Mar-2018 12:29:13.568 zone 'localhost' allows unsigned updates from remote hosts, which is insecure
15-Mar-2018 12:29:13.568 zone '0.0.127.in-addr.arpa' allows unsigned updates from remote hosts, which is insecure
15-Mar-2018 12:29:13.568 Loading 'AD DNS Zone' using driver dlopen
15-Mar-2018 12:29:13.580 samba_dlz: INFO: Current debug levels:
15-Mar-2018 12:29:13.580 samba_dlz:   all: 7
15-Mar-2018 12:29:13.580 samba_dlz:   tdb: 7
15-Mar-2018 12:29:13.580 samba_dlz:   printdrivers: 7
15-Mar-2018 12:29:13.580 samba_dlz:   lanman: 7
15-Mar-2018 12:29:13.580 samba_dlz:   smb: 7
15-Mar-2018 12:29:13.580 samba_dlz:   rpc_parse: 7
15-Mar-2018 12:29:13.580 samba_dlz:   rpc_srv: 7
15-Mar-2018 12:29:13.580 samba_dlz:   rpc_cli: 7
15-Mar-2018 12:29:13.581 samba_dlz:   passdb: 7
15-Mar-2018 12:29:13.581 samba_dlz:   sam: 7
15-Mar-2018 12:29:13.581 samba_dlz:   auth: 7
15-Mar-2018 12:29:13.581 samba_dlz:   winbind: 7
15-Mar-2018 12:29:13.581 samba_dlz:   vfs: 7
15-Mar-2018 12:29:13.581 samba_dlz:   idmap: 7
15-Mar-2018 12:29:13.581 samba_dlz:   quota: 7
15-Mar-2018 12:29:13.581 samba_dlz:   acls: 7
15-Mar-2018 12:29:13.581 samba_dlz:   locking: 7
15-Mar-2018 12:29:13.581 samba_dlz:   msdfs: 7
15-Mar-2018 12:29:13.581 samba_dlz:   dmapi: 7
15-Mar-2018 12:29:13.581 samba_dlz:   registry: 7
15-Mar-2018 12:29:13.582 samba_dlz:   scavenger: 7
15-Mar-2018 12:29:13.582 samba_dlz:   dns: 7
15-Mar-2018 12:29:13.582 samba_dlz:   ldb: 7
15-Mar-2018 12:29:13.582 samba_dlz:   tevent: 7
15-Mar-2018 12:29:13.582 samba_dlz:   auth_audit: 7
15-Mar-2018 12:29:13.582 samba_dlz:   auth_json_audit: 7
15-Mar-2018 12:29:13.582 samba_dlz:   kerberos: 7
15-Mar-2018 12:29:13.582 samba_dlz:   drs_repl: 7
15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'gssapi_spnego' registered
15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'gssapi_krb5' registered
15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'gssapi_krb5_sasl' registered
15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'spnego' registered
15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'schannel' registered
15-Mar-2018 12:29:13.583 samba_dlz: GENSEC backend 'naclrpc_as_system' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'sasl-EXTERNAL' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'ntlmssp' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'ntlmssp_resume_ccache' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'http_basic' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'http_ntlm' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'http_negotiate' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'krb5' registered
15-Mar-2018 12:29:13.584 samba_dlz: GENSEC backend 'fake_gssapi_krb5' registered
15-Mar-2018 12:29:13.616 samba_dlz: ldb: No encrypted secrets key file. Secret attributes will not be encrypted or decrypted
15-Mar-2018 12:29:13.616 samba_dlz:
15-Mar-2018 12:29:13.653 samba_dlz: schema_fsmo_init: we are master[no] updates allowed[no]
15-Mar-2018 12:29:13.669 samba_dlz: started for DN DC=samba4p8,DC=example,DC=com
15-Mar-2018 12:29:13.669 samba_dlz: starting configure
15-Mar-2018 12:29:13.671 samba_dlz: configured writeable zone 'samba4p8.example.com'
15-Mar-2018 12:29:13.671 samba_dlz: configured writeable zone '2.168.192.in-addr.arpa'
15-Mar-2018 12:29:13.672 samba_dlz: configured writeable zone '_msdcs.samba4p8.example.com'
15-Mar-2018 12:29:13.672 none:103: 'max-cache-size 90%' - setting to 893MB (out of 992MB)
15-Mar-2018 12:29:13.673 obtaining root key for view _default from '/etc/bind/bind.keys'
15-Mar-2018 12:29:13.673 set up managed keys zone for view _default, file 'managed-keys.bind'
15-Mar-2018 12:29:13.673 zone 'version.bind' allows unsigned updates from remote hosts, which is insecure
15-Mar-2018 12:29:13.673 zone 'hostname.bind' allows unsigned updates from remote hosts, which is insecure
15-Mar-2018 12:29:13.673 zone 'authors.bind' allows unsigned updates from remote hosts, which is insecure
15-Mar-2018 12:29:13.674 zone 'id.server' allows unsigned updates from remote hosts, which is insecure
15-Mar-2018 12:29:13.674 none:103: 'max-cache-size 90%' - setting to 893MB (out of 992MB)
15-Mar-2018 12:29:13.675 command channel listening on 127.0.0.1#953
15-Mar-2018 12:29:13.675 not using config file logging statement for logging due to -g option
15-Mar-2018 12:29:13.675 managed-keys-zone: loaded serial 3
15-Mar-2018 12:29:13.676 zone 0.0.127.in-addr.arpa/IN: loaded serial 2013050101
15-Mar-2018 12:29:13.676 zone localhost/IN: loaded serial 2008122601
15-Mar-2018 12:29:13.676 all zones loaded
15-Mar-2018 12:29:13.676 running

Can anyone spot what I am missing or what I've done wrong? I have a similar system based on Debian Stretch which works fine, so I think it may be something to do with the USE flags in Gentoo. (I am new to Gentoo, so may have made simple errors!) I'd appreciate any help.

Many thanks,

Roy
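As an added example (not from the post, nor Samba's or BIND's own tooling), a small POSIX shell pre-flight script that checks offline the three prerequisites the troubleshooting above walks through: the named build options, the principals in dns.keytab, and the tkey-gssapi-keytab option the Samba BIND9_DLZ setup requires in named.conf. The sample outputs are constructed to mirror the post, and the function names are mine; feed the functions "$(named -V)" and "$(ktutil -k /var/lib/samba/private/dns.keytab list)" to check a live DC.

```shell
#!/bin/sh
# Added example (not from the forum post): offline pre-flight checks for the
# GSS-TSIG prerequisites of a BIND9_DLZ backend. Functions take captured output
# as arguments, so they run on the constructed samples below or on "$(named -V)".

# named must be built with both options (the wiki's first check).
named_has_opts() {                       # $1: `named -V` output; $2..: options
    out=$1; shift
    for opt in "$@"; do
        case $out in
            *"'$opt'"*) ;;
            *) echo "named lacks build option $opt" >&2; return 1 ;;
        esac
    done
}

# The keytab must hold the principal named will accept a TKEY for.
keytab_has_principal() {                 # $1: `ktutil ... list` output; $2: principal
    printf '%s\n' "$1" | awk -v p="$2" '$3 == p { f = 1 } END { exit !f }'
}

# named.conf must hand that keytab to named via tkey-gssapi-keytab
# (required by the Samba BIND9_DLZ setup instructions).
conf_has_gssapi_keytab() {               # $1: named.conf text; $2: keytab path
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*tkey-gssapi-keytab[[:space:]]+\"$2\"[[:space:]]*;"
}

# Run all checks for one DC; $4 FQDN, $5 NetBIOS name, $6 realm, $7 keytab path.
preflight() {
    rc=0
    named_has_opts "$1" --with-dlopen --with-gssapi || rc=1
    for p in "DNS/$4@$6" "dns-$5@$6"; do
        keytab_has_principal "$2" "$p" || { echo "keytab lacks $p" >&2; rc=1; }
    done
    conf_has_gssapi_keytab "$3" "$7" || { echo "named.conf lacks tkey-gssapi-keytab \"$7\"" >&2; rc=1; }
    return $rc
}

# Constructed samples modelled on the poster's output (not real captures).
SAMPLE_NAMED_V="built with '--prefix=/usr' '--with-dlopen' '--with-gssapi'"
SAMPLE_KEYTAB="Vno  Type                     Principal
  2  aes256-cts-hmac-sha1-96  DNS/gentoo-dc2.samba4p8.example.com@SAMBA4P8.EXAMPLE.COM
  2  aes256-cts-hmac-sha1-96  dns-GENTOO-DC2@SAMBA4P8.EXAMPLE.COM"
SAMPLE_CONF='options {
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};'
preflight "$SAMPLE_NAMED_V" "$SAMPLE_KEYTAB" "$SAMPLE_CONF" gentoo-dc2.samba4p8.example.com \
    GENTOO-DC2 SAMBA4P8.EXAMPLE.COM /var/lib/samba/private/dns.keytab && echo "pre-flight OK"
```

A failing check names the missing item on stderr; a keytab that named cannot read, or a clock skew between the DCs, produces the same TKEY error and still has to be checked on the host itself.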