It looks as though I have a bad key in my dns.keytab. I see the following 
messages in /var/named/data/named.run:

process_gsstkey(): dns_tsigerror_badkey

If I manually trigger replication from the Linux/samba server, I see denied 
messages for dynamic dns updates coming from the windows server in 
/var/log/messages:

# samba-tool drs replicate server.domain.com windowsserver.domain.com dc=domain,dc=com

named[24467]: samba_dlz: starting transaction on zone _msdcs.domain.com
named[24467]: client 192.168.0.2#62937: update '_msdcs.domain.com/IN' denied
named[24467]: samba_dlz: cancelling transaction on zone _msdcs.domain.com

If I manually trigger replication from the Windows server via Active Directory 
Sites and Services, I get an error dialog about DomainDnsZones.domain.com 
naming context in the process of being removed or is not replicated from the 
specified server.

named.conf has the following line:

tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";

I have tried manually recreating dns.keytab:

# samba-tool domain exportkeytab --principal=DNS/server.domain.com /var/lib/samba/private/dns.keytab
# samba-tool domain exportkeytab --principal=DNS/windowsserver.domain.com /var/lib/samba/private/dns.keytab

The contents of dns.keytab are as follows:

# ktutil
ktutil:  read_kt /var/lib/samba/private/dns.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
  1    1  DNS/server.domain....@domain.com
  2    1  DNS/server.domain....@domain.com
  3    1  DNS/server.domain....@domain.com
  4   31 DNS/windowsserver.domain....@domain.com
  5   31 DNS/windowsserver.domain....@domain.com
  6   31 DNS/windowsserver.domain....@domain.com
  7   31 DNS/windowsserver.domain....@domain.com

The problem persists after recreating dns.keytab and restarting Samba and Bind 
daemons.

Is this the correct way to generate the dns.keytab? Is there anything I'm 
missing?

Thanks,

Pete

On Sep 1, 2013, at 4:14 PM, Pete Storkey <pstor...@shaw.ca> wrote:

> 
> Hi all,
> 
> I am having trouble with DNS replication between a Linux/Samba 4.0.9 box and 
> Windows Server 2012 domain controller, as well as administering the Linux DNS 
> from the Windows DNS Manager snap-in.
> 
> First a little background. I am trying to integrate a Samba 4.0.9 server as a 
> domain controller in an existing Windows Active Directory domain. The domain 
> and forest are at Windows 2008R2 functional level with a single domain 
> controller which was upgraded from Windows Server 2008 R2 to Windows Server 
> 2012.
> 
> I am running CentOS 6.4 x64, patched to current levels. I downloaded and 
> installed the Sernet binaries for Samba 4.0.9 but ran into problems joining 
> the domain. It failed with the following error:
> 
> ERROR: no subClassOf 'top' for 'samDomain'
> 
> I found a bug report for this error at 
> https://bugzilla.samba.org/show_bug.cgi?id=8680 and rebuilt the Sernet RPMs 
> with the patches implemented. This time I was able to successfully join the 
> domain. Replication seems to be working but I do get a warning from 
> samba-tool drs showrepl:
> 
> ==== KCC CONNECTION OBJECTS ====
> 
> Connection --
>       Connection name: 3c20a62a-ad94-40ef-b346-ba8b15f829f8
>       Enabled        : TRUE
>       Server DNS name : server.example.com
>       Server DN name  : CN=NTDS 
> Settings,CN=server,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
>               TransportType: RPC
>               options: 0x00000001
> Warning: No NC replicated for Connection!
> 
> The inbound and outbound neighbors all appear to be ok.
> 
> I started out with internal DNS but when I was unable to get it working 
> correctly, I switched to bind (Centos package 
> bind-9.8.2-0.17.rc1.el6_4.6.x86_64). 
> 
> The problem is that when I try to administer DNS through the Windows DNS 
> Manager snap-in, my forward domain fails to load, with an error indicating 
> zone data may be corrupt (it opens fine on the Windows DNS server). 
> Additionally, my reverse zone does not appear to have replicated to the Linux 
> server. 
> 
> When I click on the forward zone in DNS Manager, I see the following in 
> /var/log/messages:
> 
> smbd[24043]: [2013/09/01 15:30:21.091035,  0] 
> ../source3/rpc_server/svcctl/srv_svcctl_nt.c:326(_svcctl_OpenServiceW)
> smbd[24043]:   _svcctl_OpenServiceW: Failed to get a valid security 
> descriptorfree_pipe_context: destroying talloc pool of size 275
> samba[19596]: [2013/09/01 15:30:25.505483,  0] 
> ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1068(dnsserver_query_zone)
> samba[19596]:   dnsserver: Invalid zone operation IsSigneddnsserver: Invalid 
> zone operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: 
> Found Unhandled DNS record type=49dnsserver: Found Unhandled DNS record 
> type=49dnsserver: Found Unhandled DNS record type=49dnsserver: Found 
> Unhandled DNS record type=49ndr_push_error(2): Bad switch value 49 at 
> default/librpc/gen_ndr/ndr_dnsserver.c:544
> samba[19596]: [2013/09/01 15:30:26.272723,  0] 
> ../source4/rpc_server/dnsserver/dnsdata.c:354(dnsp_to_dns_copy)
> samba[19596]:   dnsserver: Found Unhandled DNS record type=49dnsserver: Found 
> Unhandled DNS record type=49dnsserver: Found Unhandled DNS record 
> type=49dnsserver: Found Unhandled DNS record type=49ndr_push_error(2): Bad 
> switch value 49 at default/librpc/gen_ndr/ndr_dnsserver.c:544
> 
> Querying DNS via nslookup/dig/host works fine but querying through samba-tool 
> gives an error:
> 
> # samba-tool dns query server.domain.com domain.com @ ALL
> GENSEC backend 'gssapi_spnego' registered
> GENSEC backend 'gssapi_krb5' registered
> GENSEC backend 'gssapi_krb5_sasl' registered
> GENSEC backend 'sasl-DIGEST-MD5' registered
> GENSEC backend 'schannel' registered
> GENSEC backend 'spnego' registered
> GENSEC backend 'ntlmssp' registered
> GENSEC backend 'krb5' registered
> GENSEC backend 'fake_gssapi_krb5' registered
> Using binding ncacn_ip_tcp:server.example.com[,sign]
> ERROR(runtime): uncaught exception - (-1073545204, 
> 'NT_STATUS_RPC_BAD_STUB_DATA')
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/__init__.py", line 
> 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.6/site-packages/samba/netcmd/dns.py", line 974, in 
> run
>     None, record_type, select_flags, None, None)
> 
> and I see the following in /var/log/messages:
> 
> samba[19596]: [2013/09/01 15:31:55.207112,  0] 
> ../source4/rpc_server/dnsserver/dnsdata.c:354(dnsp_to_dns_copy)
> samba[19596]:   dnsserver: Found Unhandled DNS record type=49dnsserver: Found 
> Unhandled DNS record type=49dnsserver: Found Unhandled DNS record 
> type=49dnsserver: Found Unhandled DNS record type=49ndr_push_error(2): Bad 
> switch value 49 at default/librpc/gen_ndr/ndr_dnsserver.c:544
> 
> Any help would be much appreciated.
> 
> Thanks,
> 
> Pete

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba