From: Anton on
On 28 July 2010 01:45, k.maksimov <k.maksimov(a)butb.by> wrote:
> I have two networks: 192.168.1.0 with netmask 255.255.255.0 and 172.16.0.0
> with netmask 255.255.254.0. When I join the domain in the first network the
> hostname is registered successfully, but in the second network:
>
> sudo net ads join -U admin
> Enter admin's password:
> Using short domain name -- BUTB
> Joined 'TH-2-011' to realm 'butb.by'
> DNS update failed!

As far as I can tell (I'm not entirely certain though) this is an
Active Directory / Windows Server configuration issue around loosening
permissions enough for the DHCP service to update the DNS records.

I don't know exactly what settings need to be configured though, as I
didn't manage to get it working either. In the end I decided to keep
the standard security and just use static IPs and DNS records for
winbind machines.

--
Cheers
Anton
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: k.maksimov on
Anton wrote:
> On 28 July 2010 01:45, k.maksimov <k.maksimov(a)butb.by> wrote:
>
>> I have two networks: 192.168.1.0 with netmask 255.255.255.0 and 172.16.0.0
>> with netmask 255.255.254.0. When I join the domain in the first network the
>> hostname is registered successfully, but in the second network:
>>
>> sudo net ads join -U admin
>> Enter admin's password:
>> Using short domain name -- BUTB
>> Joined 'TH-2-011' to realm 'butb.by'
>> DNS update failed!
>>
>
> As far as I can tell (I'm not entirely certain though) this is an
> Active Directory / Windows Server configuration issue around loosening
> permissions enough for the DHCP service to update the DNS records.
>
> I don't know exactly what settings need to be configured though, as I
> didn't manage to get it working either. In the end I decided to keep
> the standard security and just use static IPs and DNS records for
> winbind machines.
>
>
I use static IPs and I don't have DHCP, and this problem is not in AD:
Windows machines successfully update DNS.

Also, I have ~200 machines and I can't add every DNS record manually.

From: Alexander R. Fahrutdinov on
In a message from 28 July 2010 10:15:25, k.maksimov wrote:
> Anton wrote:
> > On 28 July 2010 01:45, k.maksimov <k.maksimov(a)butb.by> wrote:
> >> I have two networks: 192.168.1.0 with netmask 255.255.255.0 and
> >> 172.16.0.0 with netmask 255.255.254.0. When I join the domain in the first
> >> network the hostname is registered successfully, but in the second network:
> >>
> >> sudo net ads join -U admin
> >> Enter admin's password:
> >> Using short domain name -- BUTB
> >> Joined 'TH-2-011' to realm 'butb.by'
> >> DNS update failed!
> >
> > As far as I can tell (I'm not entirely certain though) this is an
> > Active Directory / Windows Server configuration issue around loosening
> > permissions enough for the DHCP service to update the DNS records.
> >
> > I don't know exactly what settings need to be configured though, as I
> > didn't manage to get it working either. In the end I decided to keep
> > the standard security and just use static IPs and DNS records for
> > winbind machines.
>
> I use static IPs and I don't have DHCP, and this problem is not in AD:
> Windows machines successfully update DNS.
>
> Also, I have ~200 machines and I can't add every DNS record manually.
Please show the output of the command "net ads dns register -P -d 4". The PC
must already be added to the domain.
From: k.maksimov on
Alexander R. Fahrutdinov wrote:
> In a message from 28 July 2010 10:15:25, k.maksimov wrote:
>
>> Anton wrote:
>>
>>> On 28 July 2010 01:45, k.maksimov <k.maksimov(a)butb.by> wrote:
>>>
>>>> I have two networks: 192.168.1.0 with netmask 255.255.255.0 and
>>>> 172.16.0.0 with netmask 255.255.254.0. When I join the domain in the first
>>>> network the hostname is registered successfully, but in the second network:
>>>>
>>>> sudo net ads join -U admin
>>>> Enter admin's password:
>>>> Using short domain name -- BUTB
>>>> Joined 'TH-2-011' to realm 'butb.by'
>>>> DNS update failed!
>>>>
>>> As far as I can tell (I'm not entirely certain though) this is an
>>> Active Directory / Windows Server configuration issue around loosening
>>> permissions enough for the DHCP service to update the DNS records.
>>>
>>> I don't know exactly what settings need to be configured though, as I
>>> didn't manage to get it working either. In the end I decided to keep
>>> the standard security and just use static IPs and DNS records for
>>> winbind machines.
>>>
>> I use static IPs and I don't have DHCP, and this problem is not in AD:
>> Windows machines successfully update DNS.
>>
>> Also, I have ~200 machines and I can't add every DNS record manually.
>>
> Please show the output of the command "net ads dns register -P -d 4". The PC
> must already be added to the domain.
>
sudo net ads dns register -P -d 4
[2010/07/28 14:21:32, 3] param/loadparm.c:9039(lp_load_ex)
lp_load_ex: refreshing parameters
[2010/07/28 14:21:32, 3] param/loadparm.c:4848(init_globals)
Initialising global parameters
[2010/07/28 14:21:32, 2] param/loadparm.c:4707(max_open_files)
rlimit_max: rlimit_max (1024) below minimum Windows limit (16384)
[2010/07/28 14:21:32, 3] ../lib/util/params.c:550(pm_process)
params.c:pm_process() - Processing configuration file
"/etc/samba/smb.conf"
[2010/07/28 14:21:32, 3] param/loadparm.c:7726(do_section)
Processing section "[global]"
doing parameter workgroup = BUTB
doing parameter netbios name = %h
[2010/07/28 14:21:32, 4] param/loadparm.c:7088(handle_netbios_name)
handle_netbios_name: set global_myname to: TH-3-059
doing parameter dos charset = cp866
doing parameter unix charset = UTF8
doing parameter server string = %h server (Samba, Linux)
doing parameter dns proxy = no
doing parameter name resolve order = lmhosts wins bcast host
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter syslog = 0
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter security = ADS
doing parameter encrypt passwords = true
doing parameter passdb backend = tdbsam
doing parameter obey pam restrictions = yes
doing parameter unix password sync = yes
doing parameter password server = ad, ad2
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\s*\spassword:* %n\n
*Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
doing parameter pam password change = yes
doing parameter map to guest = bad user
doing parameter idmap uid = 10000-20000
doing parameter idmap gid = 10000-20000
doing parameter winbind uid = 10000-20000
doing parameter winbind gid = 10000-20000
doing parameter template shell = /bin/bash
doing parameter template homedir = /home/%U
doing parameter winbind separator = /
doing parameter winbind offline logon = true
doing parameter winbind cache time = 86400
doing parameter passdb backend = tdbsam
doing parameter realm = butb.by
doing parameter winbind use default domain = yes
doing parameter usershare allow guests = yes
[2010/07/28 14:21:32, 4] param/loadparm.c:9074(lp_load_ex)
pm_process() returned Yes
[2010/07/28 14:21:32, 2] lib/interface.c:340(add_interface)
added interface eth0 ip=fe80::201:2eff:fe2b:3ff6%eth0
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
[2010/07/28 14:21:32, 2] lib/interface.c:340(add_interface)
added interface eth0 ip=172.16.0.101 bcast=172.16.1.255
netmask=255.255.254.0
[2010/07/28 14:21:32, 4] libsmb/namequery_dc.c:73(ads_dc_name)
ads_dc_name: domain=BUTB
[2010/07/28 14:21:32, 3] libsmb/namequery.c:1972(get_dc_list)
get_dc_list: preferred server list: "ad.butb.by, ad, ad2"
[2010/07/28 14:21:32, 4] libsmb/namequery.c:2105(get_dc_list)
get_dc_list: returning 2 ip addresses in an ordered list
[2010/07/28 14:21:32, 4] libsmb/namequery.c:2106(get_dc_list)
get_dc_list: 192.168.1.2:389 192.168.1.5:389
[2010/07/28 14:21:32, 3] libads/ldap.c:621(ads_connect)
Successfully contacted LDAP server 192.168.1.2
[2010/07/28 14:21:32, 3] libsmb/namequery.c:1972(get_dc_list)
get_dc_list: preferred server list: "ad.butb.by, ad, ad2"
[2010/07/28 14:21:32, 4] libsmb/namequery.c:2105(get_dc_list)
get_dc_list: returning 2 ip addresses in an ordered list
[2010/07/28 14:21:32, 4] libsmb/namequery.c:2106(get_dc_list)
get_dc_list: 192.168.1.2:389 192.168.1.5:389
[2010/07/28 14:21:32, 3] libsmb/namequery.c:1972(get_dc_list)
get_dc_list: preferred server list: "ad.butb.by, ad, ad2"
[2010/07/28 14:21:32, 4] libsmb/namequery.c:2105(get_dc_list)
get_dc_list: returning 2 ip addresses in an ordered list
[2010/07/28 14:21:32, 4] libsmb/namequery.c:2106(get_dc_list)
get_dc_list: 192.168.1.2:389 192.168.1.5:389
[2010/07/28 14:21:32, 4] libsmb/namequery_dc.c:143(ads_dc_name)
ads_dc_name: using server='AD.BUTB.BY' IP=192.168.1.2
[2010/07/28 14:21:32, 3] libads/ldap.c:621(ads_connect)
Successfully contacted LDAP server 192.168.1.2
[2010/07/28 14:21:32, 3] libads/ldap.c:675(ads_connect)
Connected to LDAP server ad.butb.by
[2010/07/28 14:21:32, 4] libads/ldap.c:2849(ads_current_time)
time offset is 0 seconds
[2010/07/28 14:21:32, 4] libads/sasl.c:1112(ads_sasl_bind)
Found SASL mechanism GSS-SPNEGO
[2010/07/28 14:21:32, 3] libads/sasl.c:780(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.48018.1.2.2
[2010/07/28 14:21:32, 3] libads/sasl.c:780(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2
[2010/07/28 14:21:32, 3] libads/sasl.c:780(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.2.840.113554.1.2.2.3
[2010/07/28 14:21:32, 3] libads/sasl.c:780(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got OID=1.3.6.1.4.1.311.2.2.10
[2010/07/28 14:21:32, 3] libads/sasl.c:789(ads_sasl_spnego_bind)
ads_sasl_spnego_bind: got server principal name = ad$@BUTB.BY
[2010/07/28 14:21:32, 3] libsmb/clikrb5.c:687(ads_krb5_mk_req)
ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
[2010/07/28 14:21:32, 3] libsmb/clikrb5.c:620(ads_cleanup_expired_creds)
ads_cleanup_expired_creds: Ticket in ccache[MEMORY:net_ads] expiration
Чтв, 29 Июл 2010 00:21:32 EEST
[2010/07/28 14:21:32, 3] libsmb/clikrb5.c:729(ads_krb5_mk_req)
ads_krb5_mk_req: server marked as OK to delegate to, building
forwardable TGT
[2010/07/28 14:21:32, 2] lib/interface.c:340(add_interface)
added interface eth0 ip=fe80::201:2eff:fe2b:3ff6%eth0
bcast=fe80::ffff:ffff:ffff:ffff%eth0 netmask=ffff:ffff:ffff:ffff::
[2010/07/28 14:21:32, 2] lib/interface.c:340(add_interface)
added interface eth0 ip=172.16.0.101 bcast=172.16.1.255
netmask=255.255.254.0
[2010/07/28 14:21:32, 4] libads/dns.c:620(ads_dns_lookup_ns)
ads_dns_lookup_ns: 3 records returned in the answer section.
DNS update failed!
[2010/07/28 14:21:33, 2] utils/net.c:779(main)
return code = -1

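As an added example (not code from the thread or from Samba), a small Python triage helper for debug output of the shape quoted above: it groups the "[timestamp, level] file:line(func)" headers with their wrapped message lines and pulls out the facts an admin wants when the update fails, namely the host's own IPv4 subnets, the DCs that were found, whether those DCs sit on another subnet (the "second network" situation), and the final return code. The sample log is constructed from the quoted output.

```python
import re
from ipaddress import ip_address, ip_network
# Samba debug header line, e.g. "[2010/07/28 14:21:32, 4] libsmb/namequery.c:2106(get_dc_list)"
HEADER = re.compile(r"^\[(?P<ts>[^,]+), (?P<level>\d+)\] (?P<src>\S+)$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_samba_log(text):
    # Each header starts a record; following non-header lines are its (wrapped) message
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"level": int(m["level"]), "src": m["src"], "msg": ""})
        elif records:
            records[-1]["msg"] += " " + line.strip()
    return records

def triage_dns_register(text):
    """Summarise what a 'net ads dns register -d 4' run reports."""
    out = {"host_nets": [], "dc_ips": [], "dns_update_failed": False, "return_code": None}
    for r in parse_samba_log(text):
        src, msg = r["src"], r["msg"]
        iface = re.search(r"ip=(\S+) .*netmask=(\S+)", msg)
        if "add_interface" in src and iface and IPV4.fullmatch(iface[1]):  # skip IPv6
            net = ip_network(f"{iface[1]}/{iface[2]}", strict=False)
            if net not in out["host_nets"]:
                out["host_nets"].append(net)
        elif "get_dc_list" in src:
            out["dc_ips"] += [ip for ip in IPV4.findall(msg) if ip not in out["dc_ips"]]
        if "DNS update failed!" in msg:
            out["dns_update_failed"] = True
        rc = re.search(r"return code = (-?\d+)", msg)
        if rc:
            out["return_code"] = int(rc[1])
    out["dcs_off_subnet"] = [dc for dc in out["dc_ips"]  # DCs on none of the host's subnets
                             if not any(ip_address(dc) in n for n in out["host_nets"])]
    return out

# Constructed sample, trimmed from the shape of the -d 4 output quoted in the thread.
SAMPLE_LOG = """\
[2010/07/28 14:21:32, 2] lib/interface.c:340(add_interface)
added interface eth0 ip=172.16.0.101 bcast=172.16.1.255
netmask=255.255.254.0
[2010/07/28 14:21:32, 4] libsmb/namequery.c:2106(get_dc_list)
get_dc_list: 192.168.1.2:389 192.168.1.5:389
[2010/07/28 14:21:32, 4] libads/dns.c:620(ads_dns_lookup_ns)
ads_dns_lookup_ns: 3 records returned in the answer section.
DNS update failed!
[2010/07/28 14:21:33, 2] utils/net.c:779(main)
return code = -1
"""
```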
From: Alexander R. Fahrutdinov on
In a message from 28 July 2010 18:10:29, k.maksimov wrote:
> Alexander R. Fahrutdinov wrote:
> > In a message from 28 July 2010 10:15:25, k.maksimov wrote:
> >> Anton wrote:
> >>> On 28 July 2010 01:45, k.maksimov <k.maksimov(a)butb.by> wrote:
> >>>> I have two networks: 192.168.1.0 with netmask 255.255.255.0 and
> >>>> 172.16.0.0 with netmask 255.255.254.0. When I join the domain in the first
> >>>> network the hostname is registered successfully, but in the second network:
> >>>>
> >>>> sudo net ads join -U admin
> >>>> Enter admin's password:
> >>>> Using short domain name -- BUTB
> >>>> Joined 'TH-2-011' to realm 'butb.by'
> >>>> DNS update failed!
> >>>
> >>> As far as I can tell (I'm not entirely certain though) this is an
> >>> Active Directory / Windows Server configuration issue around loosening
> >>> permissions enough for the DHCP service to update the DNS records.
> >>>
> >>> I don't know exactly what settings need to be configured though, as I
> >>> didn't manage to get it working either. In the end I decided to keep
> >>> the standard security and just use static IPs and DNS records for
> >>> winbind machines.
> >>
> >> I use static IPs and I don't have DHCP, and this problem is not in AD:
> >> Windows machines successfully update DNS.
> >>
> >> Also, I have ~200 machines and I can't add every DNS record manually.
> >

It seems secure DNS update is broken in Samba. I tried different
versions of Samba (3.2.4, 3.4.4, 3.5.4, etc.), but always got an error during
the DNS update, even though the output of the "wbinfo -t" and "net ads info"
commands was OK.

Secure DNS update via the nsupdate script completed successfully, but it
requires domain admin credentials.
The guys at http://rc.quest.com/topics/ddns/old.php created a patch for nsupdate
and the GSSAPI library to use the machine account instead of the admin one, but I
haven't tried it.

So I don't propose disabling secure DNS update, because it decreases AD
security.

Perhaps somebody can tell us what we are doing wrong?