Как починить обновление Bind9_DLZ в SAMBA4?

Question

[nordz0r]

Добрый день. Сломалось обновление DNS через BIND9_DLZ (Samba4)

На клиенте:

Системе не удалось зарегистрировать записи ресурсов (RR) узла (А или АААА) для сетевого адаптера
с параметрами:

Имя адаптера : {53D000F3-7654-495D-A877-184C1B874972}
Имя узла : WS05
Суффикс основного домена: office.domain.ru
Список DNS-серверов:
10.10.31.200, 192.168.100.100
Отправка обновления на сервер: <?>
IP-адрес(адреса):
10.10.23.154

Системе не удалось зарегистрировать эти записи ресурсов в ходе выполнения запроса обновления из-за системной проблемы. Можно вручную повторить DNS-регистрацию сетевого адаптера и его параметров, введя в командной строке "ipconfig /registerdns". Если проблемы сохраняются, обратитесь к системному администратору DNS-сервера или сети. Сведения Код конкретной ошибки содержится в отображаемых ниже данных.

На сервере:

Oct 1 09:13:56 beluga named[21440]: samba_dlz: starting transaction on zone office.domain.ru
Oct 1 09:13:56 beluga named[21440]: client @0x7f34741ae9e0 10.10.23.154#59675: update 'office.domain.ru/IN' denied
Oct 1 09:13:56 beluga named[21440]: samba_dlz: cancelling transaction on zone office.domain.ru

На DNS_Internal Режиме работает. Но там не работают обратные зоны
Ошибка dns_tkey_gssnegotiate: TKEY is unacceptable - https://wiki.samba.org/index.php/Dns_tkey_negotiat... не помогает

Comments

[nordz0r]

27-Oct-2020 15:41:42.848 client @0x7f1b9c028ad0 (no-peer): create
27-Oct-2020 15:41:42.848 client @0x7f1bbc1d9c60 10.10.31.201#1024: using view '_default'
27-Oct-2020 15:41:42.848 client @0x7f1b9c028ad0 10.10.31.201#1024: read
27-Oct-2020 15:41:42.848 client @0x7f1bbc1d9c60 10.10.31.201#1024: request is not signed
27-Oct-2020 15:41:42.848 client @0x7f1bbc1d9c60 10.10.31.201#1024: recursion available
27-Oct-2020 15:41:42.848 client @0x7f1bbc1d9c60 10.10.31.201#1024: query
27-Oct-2020 15:41:42.849 failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_110).
27-Oct-2020 15:41:42.849 failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Key table entry not found.
27-Oct-2020 15:41:42.849 process_gsstkey(): dns_tsigerror_badkey

[nordz0r]

Поменял в named.conf.option
tkey–gssapi–keytab "/var/lib/samba/private/dns.keytab"; на tkey–gssapi–keytab "/var/lib/samba/bind–dns/dns.keytab";

Заработало

Answer 1

[nordz0r]

На samba_internal

samba_dnsupdate --verbose -d8

1 DNS updates and 0 DNS deletes needed
ldb_wrap open of secrets.ldb
Received smb_krb5 packet of length 314
Received smb_krb5 packet of length 177
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism gssapi_krb5_sasl
Ticket in credentials cache for BELUGA$@domain.ru will expire in 36000 secs
Successfully obtained Kerberos ticket to DNS/Beluga.domain.ru as BELUGA$
update(nsupdate): SRV _ldap._tcp.dc._msdcs.domain.ru Beluga.domain.ru 389
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.domain.ru Beluga.domain.ru 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for BELUGA$@domain.ru will expire in 36000 secs
Successfully obtained Kerberos ticket to DNS/Beluga.domain.ru as BELUGA$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.domain.ru. 900 IN SRV 0 100 389 Beluga.domain.ru.

; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
Failed nsupdate: 2
Failed update of 1 entries

Comments

[nordz0r]

27-Oct-2020 15:41:42.848 client @0x7f1b9c028ad0 (no-peer): create
27-Oct-2020 15:41:42.848 client @0x7f1bbc1d9c60 10.10.31.201#1024: using view '_default'
27-Oct-2020 15:41:42.848 client @0x7f1b9c028ad0 10.10.31.201#1024: read
27-Oct-2020 15:41:42.848 client @0x7f1bbc1d9c60 10.10.31.201#1024: request is not signed
27-Oct-2020 15:41:42.848 client @0x7f1bbc1d9c60 10.10.31.201#1024: recursion available
27-Oct-2020 15:41:42.848 client @0x7f1bbc1d9c60 10.10.31.201#1024: query
27-Oct-2020 15:41:42.849 failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_110).
27-Oct-2020 15:41:42.849 failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Key table entry not found.
27-Oct-2020 15:41:42.849 process_gsstkey(): dns_tsigerror_badkey