# FreeBSD 11.0, samba45, DLZ, BIND9.11.2, no auto DNS update



## da1 (Nov 3, 2017)

The following has been driving me crazy.

I have a 11.0-RELEASE-p12, samba45 from pkg, BIND-9.11.2_2 from ports with GSSAPI_BASE, DLZ_FILESYSTEM and no PYTHON support and the following config files (relevant bits only):

BIND is running outside chroot!

/etc/krb5.conf

```
[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

[libdefaults]
        default_realm = SAMDOM.EXAMPLE.COM
        dns_lookup_realm = false
        dns_lookup_kdc = true
        ticket_lifetime = 48h
        renew_lifetime = 7d
        forwardable = true
#        default_keytab_name = FILE:/var/db/samba4/private/dns.keytab

[realms]
        SAMDOM.EXAMPLE.COM = {
        kdc = samdom.example.com
        admin_server = samdom.example.com
}

[domain_realm]
        .samdom.example.com = SAMDOM.EXAMPLE.COM
        samdom.example.com = SAMDOM.EXAMPLE.COM
```

/var/named/etc/named.conf

```
tkey-gssapi-keytab "/etc/krb5.keytab";
        tkey-domain "SAMDOM.EXAMPLE.COM";

dlz "AD DNS Zone" {
        database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_11.so -d 3";
};
```

/etc/krb5.keytab is a copy of /var/db/samba4/private/dns.keytab and has perm 640 and root:bind ownership.

/usr/local/etc/smb4.conf

```
[global]
        netbios name = SAMBA
        realm = SAMDOM.EXAMPLE.COM
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = MYWRKGRP
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        nsupdate command = /usr/local/bin/samba_dnsupdate -g
        interfaces = 192.168.x.1
        bind interfaces only = yes
        ea support = yes
        domain master = yes
        preferred master = yes

        tkey-gssapi-credential "DNS/samdom.example.com@SAMDOM.EXAMPLE.COM";
        tkey-domain "SAMDOM.EXAMPLE.COM";
```


```
[root@samba.xxx 1:40am] /usr/ports/dns/bind911/>klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@SAMDOM.EXAMPLE.COM

  Issued                Expires               Principal
Nov  4 01:02:54 2017  Nov  4 11:02:54 2017  krbtgt/SAMDOM.EXAMPLE.COM@SAMDOM.EXAMPLE.COM
```

Now, *the problem*:
Samba will not update BIND when I join a new PC to the domain and I get is this:

```
04-Nov-2017 01:10:39.220 client @0x29104000 192.168.7.1#36238: using view '_default'
04-Nov-2017 01:10:39.220 client @0x29104000 192.168.7.1#36238: request has valid signature: administrator\@SAMDOM.EXAMPLE.COM
04-Nov-2017 01:10:39.220 client @0x29104000 192.168.7.1#36238/key administrator\@SAMDOM.EXAMPLE.COM: recursion available
04-Nov-2017 01:10:39.220 client @0x29104000 192.168.7.1#36238/key administrator\@SAMDOM.EXAMPLE.COM: update
04-Nov-2017 01:10:39.220 samba_dlz: starting transaction on zone samdom.example.com
04-Nov-2017 01:10:39.229 samba_dlz: GSS server Update(krb5)(1) Update failed:  An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
04-Nov-2017 01:10:39.229 samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
04-Nov-2017 01:10:39.229 samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
04-Nov-2017 01:10:39.230 samba_dlz: spnego update failed
04-Nov-2017 01:10:39.230 client @0x29104000 192.168.7.1#36238/key administrator\@SAMDOM.EXAMPLE.COM: updating zone 'samdom.example.com/NONE': update failed: rejected by secure update (REFUSED)
04-Nov-2017 01:10:39.230 samba_dlz: cancelling transaction on zone samdom.example.com
```

I was only able to find the same issue on FreeBSD and not any Linux distro. Is this something specific to samba and the OS or am I missing something?

LE:
The following work perfectly fine and so do the shares and net join

```
smbclient -L \\samdom.example.com -U userX
smbclient //samdom.example.com/netlogon -Uadministrator
```

The only issue is the auto (or lack thereof) DNS creation.


----------

