Hello.
We have a couple of questions regarding Samba 4.1.0pre1-GIT-aad669b running on
Gentoo GNU/Linux
1) Is MS 1.2.840.113556.1.4.1941 operator support implemented (planned to be
implemented) in Samba 4 internal LDAP server? Please compare:
$ ldapsearch -h 192.168.1.32 -x -D
'CN=someadminuser,OU=Administrators,DC=klin,DC=kifato-mk,DC=com' -b
'OU=VLANs,OU=Organizational,DC=klin,DC=kifato-mk,DC=com' -W
'(&(info=*)(member:1.2.840.113556.1.4.1941:=CN=dummyuser,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com))'
| tail -n2 # Windows 2003 R2 DC
Enter LDAP Password:
# numResponses: 2
# numEntries: 1
$ ldapsearch -h 192.168.1.31 -x -D
'CN=someadminuser,OU=Administrators,DC=klin,DC=kifato-mk,DC=com' -b
'OU=VLANs,OU=Organizational,DC=klin,DC=kifato-mk,DC=com' -W
'(&(info=*)(member:1.2.840.113556.1.4.1941:=CN=dummyuser,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com))'
| tail -n2 # Samba DC
Enter LDAP Password:
# numResponses: 1
The first command returns the correct membership check result. The second just silently
returns nothing. Although not that widely used, this operator is quite useful
in some cases, when you just can't implement any loop-based logic. For example,
for us it breaks IEEE 802.1X VLAN assignment with FreeRADIUS.
Replication is working and this account's membership is correct on both DCs.
2) We have a problem with Samba refusing to update DNS records with Gentoo's
BIND 9.9.1_p3 (GSSAPI, DLZ)
BIND log says:
...
named[12365]: samba_dlz: configured writeable zone 'klin.kifato-mk.com'
named[12365]: samba_dlz: configured writeable zone '172.in-addr.arpa'
...
named[12365]: samba b9_putrr: unhandled record type 65281
named[12365]: samba_dlz: starting transaction on zone klin.kifato-mk.com
named[12365]: client 192.168.1.32#1039: view realdns: update
'klin.kifato-mk.com/IN' denied
named[12365]: samba_dlz: cancelling transaction on zone klin.kifato-mk.com
log.samba says:
../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
/usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is
unacceptable
Related parts of named.conf:
options {
...
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
...
};
view realdns {
...
dlz "AD DNS Zones" {
database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
};
...
};
Keytab is accessible by named process effective UID. Use of BIND's views
doesn't affect behaviour.
Maybe this is totally wrong, but we had to delete ..trustanchors zone, since
BIND refuses to start with it. By the way, this renders DNS unmanageable:
# bin/samba-tool dns zonelist dc0
Password for [[email protected]]:
ERROR(runtime): uncaught exception - (9717, 'WERR_DNS_ERROR_DS_UNAVAILABLE')
Any suggestions on getting updates to work?
--
Best regards,
Dmitry Khromov
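For readers who hit the same gap: the filter in question, `member:1.2.840.113556.1.4.1941:=<dn>` (LDAP_MATCHING_RULE_IN_CHAIN), asks the server to walk nested `member` links transitively. The following is an added example (not code from the thread or from Samba) that emulates that check client-side on a directory snapshot, including the nested-group cycle case a server-side walk also has to survive; all DNs in it are constructed sample data.

```python
"""Client-side emulation of '(member:1.2.840.113556.1.4.1941:=<dn>)'.

The directory is a snapshot as a dict of group DN -> list of direct member
DNs (e.g. what a plain 'member' search would return). All DNs below are
constructed examples, not a real domain.
"""
from collections import deque

# Constructed sample directory. vlan10 contains dummyuser only through the
# nested group netadmins, and netadmins refers back to vlan10 (a cycle).
DIRECTORY = {
    "CN=vlan10,OU=VLANs,OU=Organizational,DC=example,DC=test": [
        "CN=netadmins,OU=Groups,DC=example,DC=test",
    ],
    "CN=vlan20,OU=VLANs,OU=Organizational,DC=example,DC=test": [
        "CN=guest,OU=IT,DC=example,DC=test",
    ],
    "CN=netadmins,OU=Groups,DC=example,DC=test": [
        "CN=dummyuser,OU=IT,DC=example,DC=test",
        "CN=vlan10,OU=VLANs,OU=Organizational,DC=example,DC=test",  # cycle
    ],
}


def dn_normalize(dn):
    """Crude DN normalisation: trim RDN whitespace, compare case-insensitively."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def in_subtree(dn, base_dn):
    """True if dn is base_dn itself or lies anywhere beneath it."""
    dn, base_dn = dn_normalize(dn), dn_normalize(base_dn)
    return dn == base_dn or dn.endswith("," + base_dn)


def transitive_members(directory, group_dn):
    """Every DN reachable through nested 'member' links; cycle-safe BFS."""
    seen, queue = set(), deque([group_dn])
    while queue:
        for member in directory.get(queue.popleft(), []):
            key = dn_normalize(member)
            if key not in seen:          # the seen-set is what stops the cycle
                seen.add(key)
                queue.append(member)
    return seen


def groups_containing(directory, base_dn, target_dn):
    """Groups under base_dn whose membership chain contains target_dn."""
    want = dn_normalize(target_dn)
    return sorted(g for g in directory
                  if in_subtree(g, base_dn)
                  and want in transitive_members(directory, g))
```

With the sample data, searching base `OU=VLANs,...` for `CN=dummyuser,...` yields exactly the one VLAN group, matching the `numEntries: 1` a server implementing the rule would report.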