# Samba4 Install Guide (Problems with Kerberos)



## QuinRiva (Dec 4, 2012)

*Preface*
I have encountered great difficulty installing Samba4 on FreeBSD, and with a final release imminent I am documenting my install procedure along with a handful of relevant differences for FreeBSD.  From what I can tell, Samba4's internal Kerberos server does not start and as a result *Samba4 does not fully work* on FreeBSD.

Scroll to the end to get more information about the Kerberos problem.  I am hoping that this guide will help solve the Kerberos issue so that FreeBSD users can utilise Samba4. 

*System Configuration*
This is a fresh install of FreeBSD 9.0 with services: sshd; ntpd; and powerd enabled.

This is my server setup:
My server's IP is: 192.168.1.1
My server's name is: Vanity
My domain is: SIN
My realm is: sin.x
My default user is: test
When following this guide, remember to substitute for the appropriate values.

The version of Samba4 installed: 4.1.0pre1-GIT-99efe84

Samba4 Installation Guide for FreeBSD 9.0
*Basic housekeeping*
The first thing I'll do is update the Ports Collection:

```
# portsnap fetch
# portsnap extract
# portsnap update
```

I need a text editor and I can't use vi, so I'm going to install nano:

```
# cd /usr/ports/editors/nano
# make install clean
```

I have selected the option [*] EXTRA_ENCODINGS as part of the libiconv 1.14 install (this is a dependency for nano).


```
# rehash
```
Until I discovered rehash, I had to reboot to use newly installed programmes.

*Enable ACL*
Samba4 requires that the filesystem be mounted with ACL.  Let's configure fstab to mount the filesystem correctly on startup:

```
# nano /etc/fstab
# Device        Mountpoint      FStype  Options Dump    Pass#
/dev/da0p2      /               ufs     rw,acls 1       1
/dev/da0p3      none            swap    sw      0       0
```
With nano, Ctrl+O saves the file, and Ctrl+X closes the file.
Let's mount the filesystem now:

```
# mount -o acls /
```

*Install Git*
To get the latest version of Samba4 we need to install git:

```
# pkg_add -r git
# rehash
```

*Install Samba4*
I'm going to download Samba to the home directory of the default user (_test_):

```
# cd /home/test
# git clone git://git.samba.org/samba.git samba-master
# cd samba-master
# ./configure --enable-debug --enable-selftest
# make
'build' finished successfully (11m59.678s)
# make install
'install' finished successfully (3m12.695s)
```

*Provision Samba4*
Provisioning Samba4 has changed recently and most documentation lists the old way of doing it.

```
# /usr/local/samba/bin/samba-tool domain provision
 Realm [SIN.X]: SIN.X
 Domain [SIN]: SIN
 Server Role (dc, member, standalone) [dc]: dc
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: SAMBA_INTERNAL
 DNS forwarder IP address (write 'none' to disable forwarding) [192.168.1.1]: 192.168.1.1
 Administrator password: <password>
 Retype password: <password>
```
Most of the values have been populated automatically from DHCP (my router).  And this is the result I get:

```
Looking up IPv4 addresses
Looking up IPv6 addresses
More than one IPv6 address found. Using fe80:1::223:aeff:fe63:d846
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=sin,DC=x
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
Adding DNS accounts
Creating CN=MicrosoftDNS,CN=System,DC=sin,DC=x
Creating DomainDnsZones and ForestDnsZones partitions
Populating DomainDnsZones and ForestDnsZones partitions
Setting up sam.ldb rootDSE marking as synchronized
Fixing provision GUIDs
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Once the above files are installed, your Samba4 server will be ready to use
Server Role:           active directory domain controller
Hostname:              Vanity
NetBIOS Domain:        SIN
DNS Domain:            sin.x
DOMAIN SID:            S-1-5-21-3757277530-4222028134-2000681140
```

*Testing Samba4*
Existing documentation states that this is how you start Samba4:

```
# /usr/local/samba/sbin/samba
```
But I think on FreeBSD it should be: samba start

Now let's test:

```
# /usr/local/samba/bin/smbclient -L localhost -U%
Domain=[SIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-99efe84]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.1.0pre1-GIT-99efe84)
Domain=[SIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-99efe84]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
```

And yes, that is how the output is formatted.

```
# /usr/local/samba/bin/smbclient //localhost/netlogon -UAdministrator%'<password>' -c 'ls'
Domain=[SIN] OS=[Unix] Server=[Samba 4.1.0pre1-GIT-99efe84]
  .                                   D        0  Mon Dec  3 22:22:47 2012
  ..                                  D        0  Mon Dec  3 22:22:55 2012

                36535 blocks of size 4194304. 32702 blocks available
```

*Configuring DNS*
I am using --dns-backend=SAMBA_INTERNAL, so I only need to configure /etc/resolv.conf.

```
# nano /etc/resolv.conf
```


```
# Generated by resolvconf
search SIN.X
domain sin.x
nameserver 192.168.1.1
nameserver 192.168.1.254
```
I'm not sure if search is the same as domain?  Note that the second nameserver is my router, I don't want to be unable to connect to the net while I'm setting everything up.  I think this file will be overwritten by DHCP though (my router handles DHCP too).

*Testing DNS*
To test LDAP:

```
# host -t SRV _ldap._tcp.sin.x
Host _ldap._tcp.sin.x not found: 3(NXDOMAIN)
```
At first this didn't work, even after rebooting I got the same problem.  I think that it is because Samba4 isn't starting automatically and must be started by:

```
# /usr/local/samba/sbin/samba start
```
Trying again:

```
# host -t SRV _ldap._tcp.sin.x
_ldap._tcp.sin.x has SRV record 0 100 389 vanity.sin.x.
```
Now testing Kerberos:

```
# host -t SRV _kerberos._udp.sin.x
_kerberos._udp.sin.x has SRV record 0 100 88 vanity.sin.x.
```
And finally this server:

```
# host -t A vanity.sin.x
vanity.sin.x has address 192.168.1.1
```

*Testing Kerberos*
Samba4 uses an internal implementation of Kerberos; do not start the Heimdal Kerberos that comes with FreeBSD, as this is a different service.
The HOWTO states to replace the existing krb.conf with the file located at /usr/local/samba/share/setup/krb5.conf, but neither krb.conf nor krb5.conf existed on my system.

My guess was this:

```
# cp /usr/local/samba/share/setup/krb5.conf /etc/krb.conf
# nano /etc/krb5.conf
```
And edit the file as such:

```
[libdefaults]
        default_realm = SIN.X
        dns_lookup_realm = false
        dns_lookup_kdc = true
```

Testing:

```
# kinit administrator@SIN.X
administrator@SIN.X's Password: <password>
kinit: krb5_get_init_creds: unable to reach any KDC in realm SIN.X
```

It appears that Kerberos is failing to start, so I'm not sure of where to go from here?

Someone far more knowledgeable than me indicated that nsupdate was not compiled with GSSAPI.  I have no idea how to go about fixing this, but surely Frank and I aren't the only people having this problem.
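The "Testing DNS" steps above query the SRV and A records one at a time by hand. The script below is an added example, not part of the post: it drives host(1) the same way, parses the two output shapes shown above (an `has SRV record` answer and a `not found: 3(NXDOMAIN)` failure) and checks that every locator record an AD client needs exists and resolves to the DC's address. The realm, the DC address and the canned lookup results are constructed for the demonstration; `check_dc_dns` accepts any lookup callable, so the live `host_lookup` can be swapped for the canned one when there is no DC to query. The SRV names checked are the standard AD locator records, of which the post tests two.

```python
"""Verify the DNS records an AD client needs to find a domain controller.

Added example, not part of the forum post. Parses the output format of
host(1) as shown in the thread; the realm, DC address and the canned
lookup results below are constructed for demonstration.
"""
import re
import subprocess

SRV_RE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$")
A_RE = re.compile(r"^(\S+) has address (\S+)$")


def expected_srv(realm):
    """SRV names a client resolves to locate LDAP and the KDC, with the port each must carry."""
    realm = realm.lower().rstrip(".")
    return {
        "_ldap._tcp." + realm: 389,
        "_kerberos._tcp." + realm: 88,
        "_kerberos._udp." + realm: 88,
        "_kpasswd._udp." + realm: 464,
    }


def host_lookup(rtype, name):
    """Live resolver: runs `host -t <type> <name>` and returns its stdout."""
    proc = subprocess.run(["host", "-t", rtype, name], capture_output=True, text=True)
    return proc.stdout


def parse_srv(text):
    """(port, target) from the first SRV answer line, or None for NXDOMAIN / empty output."""
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            return int(m.group(4)), m.group(5).lower()
    return None


def parse_a(text):
    """Address from the first `has address` line, or None."""
    for line in text.splitlines():
        m = A_RE.match(line.strip())
        if m:
            return m.group(2)
    return None


def check_dc_dns(realm, dc_ip, lookup=host_lookup):
    """Return a list of problems; an empty list means every record points at dc_ip."""
    problems = []
    for name, port in expected_srv(realm).items():
        srv = parse_srv(lookup("SRV", name))
        if srv is None:
            problems.append("%s: no SRV record" % name)
            continue
        got_port, target = srv
        if got_port != port:
            problems.append("%s: SRV port %d, expected %d" % (name, got_port, port))
        addr = parse_a(lookup("A", target))
        if addr != dc_ip:
            problems.append("%s -> %s: A record %s, expected %s" % (name, target, addr, dc_ip))
    return problems


# Constructed host(1) output for the thread's example realm. The zone only
# carries the two SRV records the post queried, so the check reports the rest.
CANNED = {
    ("SRV", "_ldap._tcp.sin.x"): "_ldap._tcp.sin.x has SRV record 0 100 389 vanity.sin.x.\n",
    ("SRV", "_kerberos._udp.sin.x"): "_kerberos._udp.sin.x has SRV record 0 100 88 vanity.sin.x.\n",
    ("A", "vanity.sin.x"): "vanity.sin.x has address 192.168.1.1\n",
}


def canned_lookup(rtype, name):
    """Offline stand-in for host_lookup, answering from CANNED."""
    return CANNED.get((rtype, name), "Host %s not found: 3(NXDOMAIN)\n" % name)


if __name__ == "__main__":
    for p in check_dc_dns("SIN.X", "192.168.1.1", canned_lookup) or ["all records OK"]:
        print(p)
```

Run against a real DC with `check_dc_dns("SIN.X", "192.168.1.1")`; an `NXDOMAIN` on every name while Samba is running usually means /etc/resolv.conf is not pointing at the Samba server, which is the situation the post describes.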


----------



## ziyanm (Dec 9, 2012)

Thanks for the howto. Did you have to install any dependencies by hand or does waf handle it?

Regarding your Kerberos issue, you can use `$ sockstat -l` and `$ pgrep` to verify that the necessary daemons are started.

If you suspect that the problem is with `$ nsupdate` check if a samba-specific version is installed under /usr/local/bin. If so, get samba to use that one instead of the system-provided one in /usr/bin. You can check GSSAPI support by doing `$ ldd /usr/local/bin/nsupdate` to check what libraries it links to.


----------



## mix_room (Dec 10, 2012)

I added the following to my /usr/local/samba/etc/smb.conf-file 


```
nsupdate command = /usr/local/samba/sbin/samba_dnsupdate
server services = smb,dnsupdate,dns,winbind,kdc
```

In particular I think the `server services = ...,kdc` portion was important. Before adding it I had the same issues as you; after adding it they no longer appear. I have not compiled anything with GSSAPI.

EDIT: there are other issues that I run into though, so this may not be the full solution to the problem.


----------



## QuinRiva (Dec 11, 2012)

Waf handled everything, I didn't have to manually install any dependencies.


I made the changes that mix_room suggested, and I'm now getting the same error as before:

```
host -t SRV _ldap._tcp.sin.x
Host _ldap._tcp.sin.x not found: 3(NXDOMAIN)
```

So I think it is definitely a DNS issue.


----------



## mix_room (Dec 11, 2012)

QuinRiva said:

> So I think it is definitely a DNS issue.



Also check which host you are using to resolve DNS-queries. Your samba server should be resolving DNS-queries, edit /etc/resolv.conf. 
If you are using your ISP's DNS server, they will not know what is going on; same thing with your modem-router-firewall-NAT-combo.


----------



## ziyanm (Dec 13, 2012)

Can you do any DNS queries at all?

```
host -l sin.x
```


----------



## tanked (Dec 14, 2012)

I just thought I'd chime in and say whilst reading the posts by the Samba developers on Slashdot, they say DNS replication is not quite reliable yet and neither is replication of the sysvol share (rsync can be used for this though). Apparently it is currently recommended to only use 1 domain controller with Samba 4 at the moment.


----------



## QuinRiva (Dec 15, 2012)

Thanks for that tanked.  I'm only using one DC (the machine that Samba4 is on), so there shouldn't be any issues with replication.  I only have 5 machines connected to the domain, the FreeBSD Server (DC) and 4 client PCs.


----------



## QuinRiva (Dec 16, 2012)

I've gotten a bit further but I'm stuck again.  I've done a full reinstall of FreeBSD, and this time I'm going to try and use BIND9_DLZ.  However the issue that I come across is the _include_ statement (include "/usr/local/samba/private/named.conf";) in /etc/namedb/named.conf.
When I try to start named:

```
/etc/rc.d/named onestart
```

I get the following errors in the log file:

```
Dec 16 23:37:54 Vanity named[13638]: starting BIND 9.8.1-P1 -t /var/named -u bind
Dec 16 23:37:54 Vanity named[13638]: built with '--prefix=/usr' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--enable-threads' '--enable-getifad$
Dec 16 23:37:54 Vanity named[13638]: /etc/namedb/named.conf:296: open: /usr/local/samba/private/named.conf: file not found
Dec 16 23:37:54 Vanity named[13638]: loading configuration: file not found
Dec 16 23:37:54 Vanity named[13638]: exiting (due to fatal error)
Dec 16 23:37:54 Vanity test: /etc/rc.d/named: WARNING: failed to start named
```

I have confirmed that the user bind can read/write to:

```
Vanity# ls -lah /usr/local/samba/private/
total 11620
drwxr-xr-x   7 bind  wheel   1.0k Dec 16 23:56 .
drwxr-xr-x  10 root  wheel   512B Dec 16 22:06 ..
drwxrwx---   3 bind  wheel   512B Dec 16 22:06 dns
-rw-r-----   1 bind  wheel   657B Dec 16 22:06 dns.keytab
-rw-r--r--   1 bind  wheel   2.2k Dec 16 22:06 dns_update_list
-rw-------   1 bind  wheel   1.2M Dec 16 22:06 hklm.ldb
-rw-------   1 bind  wheel   1.5M Dec 16 22:06 idmap.ldb
-rw-r--r--   1 bind  wheel    86B Dec 16 22:06 krb5.conf
drwxr-x---   2 bind  wheel   512B Dec 16 22:06 ldap_priv
srwxrwxrwx   1 bind  wheel     0B Dec 16 22:06 ldapi
-rwxrwxr-x   1 bind  wheel   615B Dec 16 23:54 named.conf
-rwxrwxr-x   1 bind  wheel   204B Dec 16 22:06 named.conf.update
-rwxrwxr-x   1 bind  wheel   2.2k Dec 16 22:06 named.txt
-rw-------   1 bind  wheel   1.2M Dec 16 22:06 privilege.ldb
-rw-------   1 bind  wheel   696B Dec 16 22:06 randseed.tdb
-rw-------   1 bind  wheel   4.1M Dec 16 22:06 sam.ldb
drwxr-x---   2 bind  wheel   512B Dec 16 22:06 sam.ldb.d
-rw-------   1 bind  wheel   696B Dec 16 22:06 schannel_store.tdb
-rw-------   1 bind  wheel   967B Dec 16 22:06 secrets.keytab
-rw-------   1 bind  wheel   1.2M Dec 16 22:06 secrets.ldb
-rw-------   1 bind  wheel   420k Dec 16 22:06 secrets.tdb
-rw-------   1 bind  wheel   1.2M Dec 16 22:06 share.ldb
drwxr-xr-x   3 bind  wheel   512B Dec 16 22:06 smbd.tmp
-rw-r--r--   1 bind  wheel   955B Dec 16 22:06 spn_update_list
drwxr-xr-x   2 bind  wheel   512B Dec 16 22:06 tls
Vanity#
```

and :

```
Vanity# ls -lah /usr/local/samba/lib/bind9
total 184
drwxr-xr-x   2 bind  wheel   512B Dec 16 22:04 .
drwxr-xr-x  15 root  wheel   2.5k Dec 16 22:04 ..
-rwxr-xr-x   1 bind  wheel    85k Dec 16 22:02 dlz_bind9.so
-rwxr-xr-x   1 bind  wheel    85k Dec 16 22:02 dlz_bind9_9.so
```

Any ideas why it can't find that file?  Am I chrooted?


----------



## kpa (Dec 16, 2012)

BIND runs chroot(8)ed in /var/named by default on FreeBSD. To turn off the chroot you have to add an option to rc.conf(5)


```
named_chrootdir=""
```


----------



## QuinRiva (Dec 17, 2012)

Thanks kpa, I finally have a DNS Server up and running but I get an error regarding BIND not being able to find managed-keys.bind?


```
Dec 17 21:48:24 Vanity named[4670]: starting BIND 9.8.1-P1 -u bind
Dec 17 21:48:24 Vanity named[4670]: built with '--prefix=/usr' '--infodir=/usr/share/info' '--mandir=/usr/share/man' '--enable-threads' '--enable-getifadd$
Dec 17 21:48:24 Vanity named[4670]: command channel listening on 127.0.0.1#953
Dec 17 21:48:24 Vanity named[4670]: command channel listening on ::1#953
Dec 17 21:48:24 Vanity named[4670]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
Dec 17 21:48:24 Vanity named[4670]: running
Dec 17 21:59:55 Vanity named[4670]: client 192.168.1.2#60822: update 'sin.x/IN' denied
Dec 17 22:00:00 Vanity named[4670]: client 192.168.1.2#62005: update 'sin.x/IN' denied
```

You'll notice that for some reason, trying to connect from my main computer (192.168.1.2) fails.


----------



## spanglefox (Jan 4, 2013)

Hello,

Just a quick note to say I have a working Samba 4 installation. I initially wanted to use BIND as the DNS resolver but did have issues with it in the chroot environment and issues after I had removed it from such. 

It did have issues with Kerberos once I had removed BIND from the chroot.

I did chicken out and reprovision the domain using the samba backend DNS as I needed the system to be up and running asap. Everything worked fine from there.


----------



## heathen (Jan 7, 2013)

Glad to see that Samba 4 works for you, guys. I can't even build it from sources; there are a few errors in source3/modules/vfs_zfsacl.c (too many/too few arguments in some functions). I have corrected these errors and can build Samba 4 now.

But there is another challenge. Now I can't get a result from `samba-tool domain provision`.
If I run it without any parameters, I just get:

```
root@server:/usr/ports/shells # /usr/local/samba/bin/samba-tool domain provision
Realm []: wrkz.local
 Domain [wrkz]:
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_FLATFILE
Administrator password:
Retype password:
Looking up IPv4 addresses
More than one IPv4 address found. Using 192.168.3.252
Looking up IPv6 addresses
set_sys_acl_no_snum: SMB_VFS_SYS_ACL_SET_FILE returned zero.
ERROR(<class 'samba.provision.ProvisioningError'>): Provision failed - ProvisioningError: Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 398, in run
    use_rfc2307=use_rfc2307, skip_sysvolacl=False)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1956, in provision
    raise ProvisioningError("Your filesystem or build does not support posix ACLs, which s3fs requires.  Try the mounting the filesystem with the 'acl' option.")
```

By the way, my FreeBSD's root is on the zfs pool.

If I change file server backend to ntvfs (just for test) then I get:

```
root@server:/usr/ports/shells # /usr/local/samba/bin/samba-tool domain provision --use-ntvfs --interactive --host-ip=192.168.3.252
Realm [WRKZ.RU]: wrkz.local
 Domain [wrkz]:
 Server Role (dc, member, standalone) [dc]:
 DNS backend (SAMBA_INTERNAL, BIND9_FLATFILE, BIND9_DLZ, NONE) [SAMBA_INTERNAL]: BIND9_FLATFILE
Administrator password:
Retype password:
Looking up IPv6 addresses
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=wrkz,DC=local
Adding configuration container
Setting up sam.ldb schema
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up well known security principals
Setting up sam.ldb users and groups
Setting up self join
ERROR(ldb): uncaught exception - Empty RDN value on CN=,OU=Domain Controllers,DC=wrkz,DC=local not permitted!
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 398, in run
    use_rfc2307=use_rfc2307, skip_sysvolacl=False)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 2058, in provision
    skip_sysvolacl=skip_sysvolacl)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1661, in provision_fill
    next_rid=next_rid, dc_rid=dc_rid)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1364, in fill_samdb
    ntdsguid=ntdsguid)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/__init__.py", line 1003, in setup_self_join
    "RIDALLOCATIONEND": str(next_rid + 100 + 499)})
  File "/usr/local/samba/lib/python2.7/site-packages/samba/provision/common.py", line 50, in setup_add_ldif
    ldb.add_ldif(data, controls)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/__init__.py", line 224, in add_ldif
    self.add(msg, controls)
```

As far as I know there is an NFSv4/ZFS ACL module in Samba, but how do I get it to work?

Could anybody give me advice on this situation?

Thank you in advance!


----------



## spanglefox (Jan 7, 2013)

Ahhh yes. I found that Samba 4 did not play well with ZFS. Which, as you pointed out in your post, is odd, given ZFS has ACLs at its heart (don't quote me on that). I was going to fire over to see if the Samba forums may have anything. 

I only got Samba 4 working with a UFS+S filesystem and SAMBA_INTERNAL DNS. 

A slight bit of useless info, but I managed to add Windows XP, 7 and 8 along with Server 2008R2 and 2012 to my created domain. Windows 8 domain logon is just freaky! That is, however, another story on Windows 8. Just sharing that information if it helps with your deployment. 

Keep me updated on your progress!


----------



## von_Gaden (Jan 7, 2013)

I'm sure that Samba 4 will bring us the possibility of replacing AD controllers and extending their scalability and reliability. I look forward to its official version coming out.
But I'm a little bit conservative and I usually avoid installing development versions, or versions of software not included in the Ports.
Is the new Samba 4 going to be included in the Ports soon?


----------



## spanglefox (Jan 17, 2013)

As far as I know the official version has been released.

That was what I was using. Samba-4.0.0 from http://www.samba.org. I believe the official production (stable??) release was in Dec. '12.

I too would be interested in when Samba-4.0.0 goes into ports (i.e. not rc/beta).


----------



## arez (Jan 25, 2013)

heathen said:

> As far as I know there is an NFSv4/ZFS ACL module in Samba, but how do I get it to work?
> Could anybody give me advice on this situation?
> Thank you in advance!



ZFS Settings

You have to have at least zpool version 18, which was in FreeBSD 8.0 or newer.

Set the ACL Mode and Inheritance to passthrough:


```
$ zfs create -o mountpoint=/mydata zroot/mydata
$ zfs set aclmode=passthrough zroot/mydata
$ zfs set aclinherit=passthrough zroot/mydata
```

Now, you have ACLs:


```
# getfacl /mydata
# file: /mydata
# owner: root
# group: wheel
         everyone@:rwxpD-a-R-c--s:------:allow
         user:arez:r-x---a-R-c--s:fd----:allow
       user:foobar:r-x---a-R-c--s:fd----:allow
            owner@:rwxpD-aARWcCos:------:allow
            group@:rwxpD-a-R-c--s:------:allow
```

Now, unlike Solaris, which displays ZFS ACLs through ls -Z, FreeBSD uses setfacl and getfacl to set and get ACLs.

P.S.
Excuse me for my bad English.
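heathen's provision failure ("Your filesystem or build does not support posix ACLs, which s3fs requires") and the ZFS settings above both come down to what the mount holding Samba's private directory actually offers. The script below is an added example, not from any post: it reads the line format of FreeBSD mount(8), finds the mount that contains a given path by longest-prefix match (so `/mydata/x` lands on `/mydata`, not `/`, and `/mydatab` does not), and reports whether that mount carries the UFS `acls` option, the `nfsv4acls` option ZFS exposes, or neither. The three mount tables are constructed to mirror the situations in the thread; `live_mounts()` reads the real table on a FreeBSD host.

```python
"""Preflight: does the filesystem that will hold Samba's private directory have ACLs?

Added example, not from the thread. It reads the line format of FreeBSD
mount(8); the sample mount tables below are constructed.
"""
import re
import subprocess

MOUNT_RE = re.compile(r"^(\S+) on (\S+) \((.*)\)$")


def parse_mounts(text):
    """List of (mountpoint, fstype, [options]) from `mount` output."""
    mounts = []
    for line in text.splitlines():
        m = MOUNT_RE.match(line.strip())
        if not m:
            continue
        opts = [o.strip() for o in m.group(3).split(",")]
        mounts.append((m.group(2), opts[0], opts[1:]))
    return mounts


def live_mounts():
    """Mount table of the running host (FreeBSD `mount` output)."""
    return parse_mounts(subprocess.run(["mount"], capture_output=True, text=True).stdout)


def mount_for(path, mounts):
    """Longest-prefix match: the entry whose mountpoint actually contains `path`."""
    best = None
    for entry in mounts:
        mp = entry[0]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = entry
    return best


def acl_status(path, mounts):
    """'posix' for the UFS `acls` option, 'nfsv4' for ZFS/UFS `nfsv4acls`, else None."""
    entry = mount_for(path, mounts)
    if entry is None:
        return None
    opts = entry[2]
    if "acls" in opts:
        return "posix"
    if "nfsv4acls" in opts:
        return "nfsv4"
    return None


def provision_preflight(path, mounts):
    """One-line verdict matching the ACL check samba-tool performs for s3fs."""
    status = acl_status(path, mounts)
    entry = mount_for(path, mounts)
    where = entry[0] if entry else path
    if status == "posix":
        return "posix ACLs enabled on %s: s3fs provisioning can proceed" % where
    if status == "nfsv4":
        return ("NFSv4 ACLs on %s: samba-tool's s3fs check wants POSIX ACLs; "
                "see Samba's ZFS ACL VFS module or use UFS mounted with acls" % where)
    return "no ACLs on %s: remount with the acls option (UFS) before provisioning" % where


# Constructed mount tables for the three situations seen in the thread.
SAMPLE_UFS_NOACL = "/dev/da0p2 on / (ufs, local)\ndevfs on /dev (devfs, local)\n"
SAMPLE_UFS_ACL = "/dev/da0p2 on / (ufs, local, acls)\ndevfs on /dev (devfs, local)\n"
SAMPLE_ZFS = ("zroot on / (zfs, local, nfsv4acls)\n"
              "zroot/mydata on /mydata (zfs, local, noatime, nfsv4acls)\n")

if __name__ == "__main__":
    for sample in (SAMPLE_UFS_NOACL, SAMPLE_UFS_ACL, SAMPLE_ZFS):
        print(provision_preflight("/usr/local/samba/private", parse_mounts(sample)))
```

On a real host, `provision_preflight("/usr/local/samba/private", live_mounts())` gives the verdict before `samba-tool domain provision` is run, rather than after it has half-created the databases.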


----------



## mix_room (Feb 20, 2013)

spanglefox said:
			
		

> I too would be interested in when Samba-4.0.0 goes into ports (i.e. not rc/beta).



It is there now. See net/samba4. It works nicely for me.


----------



## gaileys (Mar 17, 2013)

Everything worked fine but I'm struggling with Share permissions from Windows 7. Every time I use that to change perms I get `an error occurred while applying security information` and `the parameter is incorrect`.

I've been messing around with ACL's to try to resolve this but nothing seems to work. This is the last step for me and I'm defeated by it! Any ideas?


----------



## linuxhelp (Mar 19, 2013)

*SAMBA4+Kerberos as PDC*

Hi all,

I tried to set up Samba4 with Kerberos 5 and DNS-samba-internal (with howtos of 3+4) on a clean, current FreeBSD 9.1 amd64, but I got trouble with the KDC connection; bind98 is installed with static zone files. 


```
log.samba:
/usr/local/sbin/samba_dnsupdate: RuntimeError: kinit for FREEBSD$@HOME.LOCAL failed (Cannot contact any KDC for requested realm)

/etc/hosts #no errors
nslookup+dig recognize the server named FREEBSD.HOME.LOCAL # no errors

wbinfo -u / -g #shows users and groups successful

but:
smbclient -k -L //freebsd.home.local/netlogin -U domainuser  #fails cause no kerberos conn.

successful:
smbclient -L //freebsd.home.local/netlogin -U domainuser

kinit administrator@HOME.LOCAL #success login
klist # shows ticket successful..
```

Basic question: does Samba4 configure and handle Kerberos on its own? Or must a Kerberos server be enabled? Samba4 opens port 88. Why does samba-tool not allow DOMAINNAME = HOME.LOCAL, only "HOME"?

I have seen that port 764 wasn't online?

- Windows 7 Test-Client (clean setup) does not connect either.

`sockstat -4`:

```
user1   sshd       3058  3  tcp4   192.168.178.205:22    192.168.178.73:35925
root     sshd       3056  3  tcp4   192.168.178.205:22    192.168.178.73:35925
bind     named      2656  20 tcp4   192.168.178.205:53    *:*
bind     named      2656  21 tcp4   127.0.0.1:53          *:*
bind     named      2656  22 tcp4   127.0.0.1:953         *:*
bind     named      2656  512 udp4  192.168.178.205:53    *:*
bind     named      2656  513 udp4  127.0.0.1:53          *:*
root     samba4     2211  19 tcp4   *:88                  *:*
root     samba4     2211  20 udp4   *:88                  *:*
root     samba4     2211  21 tcp4   *:464                 *:*
root     samba4     2211  22 udp4   *:464                 *:*
root     samba4     2211  23 udp4   192.168.178.205:88    *:*
root     samba4     2211  24 udp4   192.168.178.205:464   *:*
root     samba4     2210  19 udp4   *:389                 *:*
root     samba4     2210  20 udp4   192.168.178.205:389   *:*
root     samba4     2209  20 tcp4   *:389                 *:*
root     samba4     2209  21 tcp4   *:636                 *:*
root     samba4     2209  22 tcp4   *:3268                *:*
root     samba4     2209  23 tcp4   *:3269                *:*
root     samba4     2207  19 udp4   *:137                 *:*
root     samba4     2207  20 udp4   *:138                 *:*
root     samba4     2207  21 udp4   192.168.178.255:137   *:*
root     samba4     2207  22 udp4   192.168.178.205:137   *:*
root     samba4     2207  23 udp4   192.168.178.255:138   *:*
root     samba4     2207  24 udp4   192.168.178.205:138   *:*
root     smbd       2206  42 tcp4   *:445                 *:*
root     smbd       2206  43 tcp4   *:139                 *:*
root     samba4     2205  31 tcp4   *:1024                *:*
root     samba4     2205  34 tcp4   *:135                 *:*
www      httpd      1652  4  tcp4   *:80                  *:*
www      httpd      1652  6  tcp4   *:443                 *:*
www      httpd      1651  4  tcp4   *:80                  *:*
www      httpd      1651  6  tcp4   *:443                 *:*
www      httpd      1650  4  tcp4   *:80                  *:*
www      httpd      1650  6  tcp4   *:443                 *:*
www      httpd      1649  4  tcp4   *:80                  *:*
www      httpd      1649  6  tcp4   *:443                 *:*
www      httpd      1648  4  tcp4   *:80                  *:*
www      httpd      1648  6  tcp4   *:443                 *:*
root     httpd      1566  4  tcp4   *:80                  *:*
root     httpd      1566  6  tcp4   *:443                 *:*
root     sshd       1559  4  tcp4   *:22                  *:*
mysql    mysqld     1539  10 tcp4   *:3306                *:*
ldap     slapd      869   7  tcp4   192.168.178.205:389   *:*
ldap     slapd      869   8  tcp4   127.0.0.1:389         *:*
root     vsftpd     847   3  tcp4   *:21                  *:*
root     perl       838   6  tcp4   *:10000               *:*
root     perl       838   7  udp4   *:10000               *:*
root     syslogd    549   9  udp4   *:514                 *:*
```

krb5.conf

```
[libdefaults]
        default_realm = HOME.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true
```


----------



## mix_room (Mar 24, 2013)

Are you using the net/samba4 or are you pulling the sources from git? 
There might be some things that were patched away in the port, I would suggest using it.


----------



## spanglefox (Mar 25, 2013)

Well sadly at the moment our Samba 4 development is on pause (awaiting hardware to be purchased). I have not had the chance to tinker with the ports version of Samba 4. The only version I "know" as good and working was the original 4.0.0 release; which I installed by building the code downloaded directly from http://www.samba.org/.

As soon as I get back around to our Samba development I will help as I can.


----------



## von_Gaden (Apr 15, 2013)

Thank you all for sharing your experience with Samba 4!
Unlike our beloved FreeBSD, I think Samba lacks some exact and clear documentation, so we must rely on each other.

I started to test it prior to adopting it for production use. And I found a strange problem: the server (AD Domain controller) is not visible when browsing the network (tested with Windows 7 and Windows XP). Note that machines join the domain successfully and domain users and groups are visible from clients. DNS (Samba internal) works fine too and the server is browseable by its UNC name (\\name or \\name.domain.suffix).
Any ideas?

Since I've started asking - can someone advise me what is better - Samba internal DNS or connection to BIND? I have some installations with authoritative DNS servers where I'd never put Samba DNS on the Internet or allow BIND to run out of its chroot environment. I'm thinking about an option to use both and bind them to different network interfaces but maybe there is a better solution.

And one more thing: I see only numerical UIDs in UFS ACLs, created by Samba. Should I worry about not seeing the real usernames? By default Samba4 uses internal LDAP and I've not seen directions how to bind it to systems NSSwitch for example nor I've tried to do that...

Thanks everybody once again and I'm looking forward to your advice!


----------



## mix_room (Apr 16, 2013)

von_Gaden said:

> I started to test it prior to adopting it for production use. And I found a strange problem: the server (AD Domain controller) is not visible when browsing the network (tested with Windows 7 and Windows XP). Note that machines join the domain successfully and domain users and groups are visible from clients. DNS (Samba internal) works fine too and the server is browseable by its UNC name (\\name or \\name.domain.suffix).
> Any ideas?


If I remember correctly this is not a bug but a feature(TM). I can't find any info on it right now, but I've read about others with the same issues somewhere.



> And one more thing: I see only numerical UIDs in UFS ACLs, created by Samba. Should I worry about not seeing the real usernames? By default Samba4 uses internal LDAP and I've not seen directions how to bind it to systems NSSwitch for example nor I've tried to do that...


I added the following to my /etc/nsswitch.conf, and it seems to work nicely.

```
group: files winbind
passwd: files winbind
```


----------



## igorino (Jul 8, 2013)

I had to elaborate a little more the /etc/krb5.conf file in order to enable _Kerberos_ authentication, adding the [realms] section in that file did the trick:

```
[libdefaults]
        default_realm = IFSC.EDU
        default_keytab_name = FILE:/var/db/samba4/private/dns.keytab
        dns_lookup_realm = false
        dns_lookup_kdc = true
[realms]
        IFSC.EDU = {
        kdc = samba4.ifsc.edu:88
        default_domain = ifsc.edu
}
```
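The difference between this krb5.conf and the minimal one `samba-tool domain provision` writes (the one QuinRiva copied in the first post) is that here the client no longer depends on a `_kerberos` SRV lookup to find the KDC. The parser below is an added example, not from either post: it reads krb5.conf's section and nested-brace syntax, pulls out the default realm, whether `dns_lookup_kdc` is on, and any static `kdc` lines for that realm, so that a "unable to reach any KDC in realm" error can be matched against how the client was actually told to find one. Both sample files are the ones shown in the thread; the port default of 88 when a `kdc` line carries none is my assumption from the Kerberos default port.

```python
"""Parse a krb5.conf and report how a client will find the KDC for its default realm.

Added example, not from the posts. The two sample configurations are the ones
shown in the thread: the minimal file samba-tool generates and the variant with
an explicit [realms] entry.
"""


def parse_krb5(text):
    """krb5.conf -> {section: {key: [values] or {nested block}}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError("directive before any [section]: %r" % raw)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in %r" % raw)
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("expected key = value: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":                           # start of a nested block, e.g. REALM = {
            stack.append(stack[-1].setdefault(key, {}))
        else:                                      # keys such as kdc may repeat
            stack[-1].setdefault(key, []).append(value)
    return conf


def is_true(values, default):
    """Kerberos-style boolean: first value wins, `default` when the key is absent."""
    return default if not values else values[0].lower() in ("true", "yes", "1")


def kdc_discovery(conf):
    """How the default realm's KDC is located: DNS SRV lookup and/or static kdc lines."""
    libdefaults = conf.get("libdefaults", {})
    realms = libdefaults.get("default_realm", [])
    if not realms:
        raise ValueError("[libdefaults] default_realm is not set")
    realm = realms[0]
    block = conf.get("realms", {}).get(realm, {})
    static = []
    for entry in (block.get("kdc", []) if isinstance(block, dict) else []):
        host, _, port = entry.partition(":")
        static.append((host, int(port) if port else 88))   # assumption: 88 is the Kerberos default
    return {
        "realm": realm,
        "dns_lookup_kdc": is_true(libdefaults.get("dns_lookup_kdc"), True),
        "static_kdcs": static,
    }


def describe(info):
    """Plain-language summary, useful next to an 'unable to reach any KDC' error."""
    if info["static_kdcs"]:
        kdcs = ", ".join("%s:%d" % hp for hp in info["static_kdcs"])
        return "realm %s: static KDC(s) %s%s" % (
            info["realm"], kdcs, " plus DNS SRV lookup" if info["dns_lookup_kdc"] else "")
    if info["dns_lookup_kdc"]:
        return "realm %s: KDC found only via _kerberos._udp/_tcp SRV records in DNS" % info["realm"]
    return "realm %s: no KDC configured and DNS lookup disabled" % info["realm"]


# Samples taken from the thread (the first is what `samba-tool domain provision`
# writes, the second adds the [realms] section).
MINIMAL = """\
[libdefaults]
        default_realm = SIN.X
        dns_lookup_realm = false
        dns_lookup_kdc = true
"""

WITH_REALMS = """\
[libdefaults]
        default_realm = IFSC.EDU
        default_keytab_name = FILE:/var/db/samba4/private/dns.keytab
        dns_lookup_realm = false
        dns_lookup_kdc = true
[realms]
        IFSC.EDU = {
        kdc = samba4.ifsc.edu:88
        default_domain = ifsc.edu
}
"""

if __name__ == "__main__":
    for sample in (MINIMAL, WITH_REALMS):
        print(describe(kdc_discovery(parse_krb5(sample))))
```

With the minimal file, a KDC that is listening but not published in DNS (or a resolv.conf pointing elsewhere) is indistinguishable from a KDC that is down; the static `kdc` line removes DNS from that failure path, which is what igorino observed.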


----------



## igorino (Jul 8, 2013)

Oh! and explicitly setting the keytab file helped too... I cannot edit my own messages yet, sorry :/


----------



## Jimmy (Jul 25, 2013)

Will Samba 4 eventually work with FreeBSD's natively installed bind? If not, is there a workaround to make it work in this manner?


----------



## von_Gaden (Aug 18, 2013)

I don't think Samba4 will work with built-in BIND. But this shouldn't be a concern since we have BIND 9.8 and 9.9 from Ports.

And here is my problem: I can't set BIND 9 DLZ updates with Samba. Here are my details. I use /usr/ports/dns/bind99. In my test environment I found that it's much easier to set the REPLACE_BASE option during BIND installation. All files were generated by the Samba4 provision script:
/usr/local/etc/smb4.conf

```
[global]
        workgroup = TEST
        realm = TEST.LAN
        netbios name = SMBTEST
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate

[netlogon]
        path = /var/db/samba4/sysvol/test.lan/scripts
        read only = No

[sysvol]
        path = /var/db/samba4/sysvol
        read only = No
```

/etc/krb5.conf - a copy of /var/db/samba4/private/krb5.conf

```
[libdefaults]
        default_realm = TEST.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true
```

Additions to /etc/namedb/named.conf

in the options section:

```
tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
```

At the bottom of the file:

```
include "/var/db/samba4/private/named.conf";
```

/var/db/samba4/private/named.conf

```
dlz "AD DNS Zone" {
    # For BIND 9.8.0
    #database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9.so -d 3";

    # For BIND 9.9.0
    # database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_9.so -d 3";
};
```
You can see the debug option added to the DLZ modules; I've tested with both BIND 9.8 and 9.9.

In /etc/rc.conf

```
samba4_enable="YES"
#named_program="/usr/local/sbin/named"
named_enable="YES"
named_chrootdir=""
```
Everything seems to work:

```
root@smbtest:/usr/ports/dns/bind99 # smbclient -L \\smbtest.test.lan -U administrator
Enter administrator's password:
Domain=[TEST] OS=[Unix] Server=[Samba 4.0.8]

        Sharename       Type      Comment
        ---------       ----      -------
        netlogon        Disk
        sysvol          Disk
        IPC$            IPC       IPC Service (Samba 4.0.8)
Domain=[TEST] OS=[Unix] Server=[Samba 4.0.8]

        Server               Comment
        ---------            -------

        Workgroup            Master
        ---------            -------
root@smbtest:/usr/ports/dns/bind99 # kinit administrator@TEST.LAN
administrator@TEST.LAN's Password:
root@smbtest:/usr/ports/dns/bind99 # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@TEST.LAN

  Issued           Expires          Principal
Aug 18 20:06:48  Aug 19 06:06:48  krbtgt/TEST.LAN@TEST.LAN
```
except dynamic DNS updates:

```
root@smbtest:/usr/ports/dns/bind99 # samba_dnsupdate --verbose --all-names
IPs: ['10.10.77.123']
Calling nsupdate for A test.lan 10.10.77.123
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
test.lan.               900     IN      A       10.10.77.123

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A smbtest.test.lan 10.10.77.123
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
smbtest.test.lan.       900     IN      A       10.10.77.123

update failed: REFUSED
Failed nsupdate: 2
....
```
In /var/log/messages I get:

```
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: GSS server Update(krb5)(1) Update failed:  An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: spnego update failed
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: GSS server Update(krb5)(1) Update failed:  An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
Aug 18 20:08:06 smbtest named[22937]: samba_dlz: spnego update failed
```
So I guess the problem is indicated by `An unsupported mechanism was requested`
I think I might have missed something in the BIND build process, so here is the output of ldd:

```
root@smbtest:/usr/ports/dns/bind99 # named -V
BIND 9.9.3-P2 (Extended Support Version) <id:d8a6fe8b> built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--without-python' '--with-openssl=/usr' '--with-libxml2=/usr/local' '--without-idn' '--enable-largefile' '--with-dlz-stub=yes' '--enable-threads' '--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info/' '--build=x86_64-portbld-freebsd9.1' 'build_alias=x86_64-portbld-freebsd9.1' 'CC=cc' 'CFLAGS=-O2 -pipe -fno-strict-aliasing' 'LDFLAGS= -Wl,-rpath=/usr/lib:/usr/local/lib' 'CPPFLAGS=' 'CPP=cpp'
using OpenSSL version: OpenSSL 0.9.8x 10 May 2012
using libxml2 version: 2.8.0
root@smbtest:/usr/ports/dns/bind99 # ldd /usr/sbin/named
/usr/sbin/named:
        libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x800a74000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x800c8e000)
        libxml2.so.5 => /usr/local/lib/libxml2.so.5 (0x80102f000)
        libz.so.6 => /lib/libz.so.6 (0x801383000)
        libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x801597000)
        libm.so.5 => /lib/libm.so.5 (0x801893000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x801ab4000)
        libthr.so.3 => /lib/libthr.so.3 (0x801cc1000)
        libc.so.7 => /lib/libc.so.7 (0x801ee3000)
        libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x802236000)
        libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x80243f000)
        libhx509.so.10 => /usr/lib/libhx509.so.10 (0x8026af000)
        libroken.so.10 => /usr/lib/libroken.so.10 (0x8028ef000)
        libasn1.so.10 => /usr/lib/libasn1.so.10 (0x802b01000)
        libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x802d83000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x802f85000)
        liblzma.so.5 => /usr/lib/liblzma.so.5 (0x8031a4000)
root@smbtest:/usr/ports/dns/bind99 # ldd /usr/bin/nsupdate
/usr/bin/nsupdate:
        libreadline.so.8 => /lib/libreadline.so.8 (0x8009f4000)
        libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x800c34000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x800e4e000)
        libxml2.so.5 => /usr/local/lib/libxml2.so.5 (0x8011ef000)
        libz.so.6 => /lib/libz.so.6 (0x801543000)
        libiconv.so.3 => /usr/local/lib/libiconv.so.3 (0x801757000)
        libm.so.5 => /lib/libm.so.5 (0x801a53000)
        libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x801c74000)
        libthr.so.3 => /lib/libthr.so.3 (0x801e81000)
        libc.so.7 => /lib/libc.so.7 (0x8020a3000)
        libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x8023f6000)
        libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x8025ff000)
        libncurses.so.8 => /lib/libncurses.so.8 (0x80286f000)
        libhx509.so.10 => /usr/lib/libhx509.so.10 (0x802abd000)
        libroken.so.10 => /usr/lib/libroken.so.10 (0x802cfd000)
        libasn1.so.10 => /usr/lib/libasn1.so.10 (0x802f0f000)
        libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x803191000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x803393000)
        liblzma.so.5 => /usr/lib/liblzma.so.5 (0x8035b2000)
```

I've checked everything at least three times, but probably I'm missing something... I'll be very thankful for any help.


----------



## Pepevel (Aug 23, 2013)

For what it is worth, I had to add a couple of options to BIND before building it:

In /usr/ports/dns/bind99/Makefile:


```
CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \
                --disable-symtable \
                --with-randomdev=/dev/random \
                --without-python --with-dlopen=yes --with-gssapi=/usr/include/gssapi
```


----------



## von_Gaden (Sep 1, 2013)

Thank you very much for your reply!

I tried that but with no effect. To be sure I rebuilt all packages, bind99 with modified Makefile. But dynamic updates fail the same way:

```
root@smbtest:/usr/ports/misc/mc # samba_dnsupdate --verbose --all-names
IPs: ['10.10.77.123']
Calling nsupdate for A test.lan 10.10.77.123
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
test.lan.               900     IN      A       10.10.77.123

update failed: REFUSED
Failed nsupdate: 2
```

in /var/log/messages

```
Sep  1 21:47:10 smbtest named[28925]: samba_dlz: GSS server Update(krb5)(1) Update failed:  An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
Sep  1 21:47:10 smbtest named[28925]: samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Sep  1 21:47:10 smbtest named[28925]: samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
Sep  1 21:47:10 smbtest named[28925]: samba_dlz: spnego update failed
```

`named -V` shows:

```
BIND 9.9.3-P2 (Extended Support Version) <id:d8a6fe8b> built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--without-python' '--with-dlopen=yes' '--with-gssapi=/usr/include/gssapi' '--with-openssl=/usr' '--with-libxml2=/usr/local' '--without-idn' '--enable-threads' '--sysconfdir=/etc/namedb' '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info/' '--build=x86_64-portbld-freebsd9.1' 'build_alias=x86_64-portbld-freebsd9.1' 'CC=cc' 'CFLAGS=-O2 -pipe -fno-strict-aliasing' 'LDFLAGS= -Wl,-rpath=/usr/lib:/usr/local/lib' 'CPPFLAGS=' 'CPP=cpp'
using OpenSSL version: OpenSSL 0.9.8y 5 Feb 2013
using libxml2 version: 2.8.0
```

I surely have a problem that is probably not common for most users of FreeBSD and Samba4. So here are my build options:
samba4

```
samba4-4.0.8
 [x] ACL_SUPPORT  File system ACL support
 [x] ADS          Active Directory support
 [x] AIO_SUPPORT  Asyncronous IO support
 [ ] AVAHI        Zeroconf support via Avahi
 [ ] CUPS         CUPS printing system support
 [x] DEBUG        With debug information in the binaries
 [ ] DEVELOPER    With development support
 [x] DNSUPDATE    Dynamic DNS update(require ADS)
 [ ] EXP_MODULES  Experimental modules
 [x] FAM_SUPPORT  File Alteration Monitor support
 [ ] LDAP         LDAP support
 [ ] MANPAGES     Build and/or install manual pages
 [x] PAM_SMBPASS  PAM authentication via passdb backends
 [x] PTHREADPOOL  Pthread pool
 [ ] QUOTAS       Disk quota support
 [ ] SWAT         SWAT WebGUI
 [x] SYSLOG       Syslog support
 [ ] UTMP         UTMP accounting support
 [x] WINBIND      WinBIND support
 --- DNS ---
 ( ) NSUPDATE     Use internal DNS with NSUPDATE utility
 ( ) BIND98       Use bind98 as a DNS server frontend
 (*) BIND99       Use bind99 as a DNS server frontend
```
bind99

```
bind99-base-9.9.3.2
 [ ] FIXED_RRSET     Enable fixed rrset ordering
 [ ] IDN             International Domain Names support
 [ ] IPV6            IPv6 protocol support
 [ ] LARGE_FILE      64-bit file support
 [x] LINKS           Create conf file symlinks in /usr
 [x] REPLACE_BASE    Replace base BIND with this version
 [ ] RPZRRL_PATCH    RPZ improvements + RRL patch (experimental)
 [ ] RPZ_NSDNAME     Enable RPZ NSDNAME policy records
 [ ] RPZ_NSIP        Enable RPZ NSIP trigger rules
 [ ] SIGCHASE        dig/host/nslookup will do DNSSEC validation
 [x] SSL             Build with OpenSSL (Required for DNSSEC)
 [x] THREADS         Threading support
 [x] XML             Support for xml statistics output
 --- Dynamically Loadable Zones ---
 [ ] DLZ_POSTGRESQL  DLZ Postgres driver
 [ ] DLZ_MYSQL       DLZ MySQL driver (no threading)
 [ ] DLZ_BDB         DLZ BDB driver
 [ ] DLZ_LDAP        DLZ LDAP driver
 [ ] DLZ_FILESYSTEM  DLZ filesystem driver
 [ ] DLZ_STUB        DLZ stub driver
```
in /usr/ports/dns/bind99/Makefile I have:

```
CONFIGURE_ARGS= --localstatedir=/var --disable-linux-caps \
                --disable-symtable \
                --with-randomdev=/dev/random \
                --without-python --with-dlopen=yes --with-gssapi=/usr/include/gssapi
```

And all installed packages on my test machine are:

```
root@smbtest:/usr/ports/dns/bind99 # pkg_version -v
autoconf-2.69                       =   up-to-date with port
autoconf-wrapper-20130530           =   up-to-date with port
bind99-base-9.9.3.2                 =   up-to-date with port
ca_root_nss-3.15.1_1                =   up-to-date with port
cyrus-sasl-2.1.26_2                 =   up-to-date with port
dialog4ports-0.1.5_1                =   up-to-date with port
gamin-0.1.10_6                      =   up-to-date with port
gettext-0.18.3                      =   up-to-date with port
glib-2.36.3                         =   up-to-date with port
gmake-3.82_1                        =   up-to-date with port
gmp-5.1.2                           =   up-to-date with port
gnutls-2.12.23_1                    =   up-to-date with port
help2man-1.43.3                     =   up-to-date with port
ldb-1.1.16                          =   up-to-date with port
libexecinfo-1.1_3                   =   up-to-date with port
libffi-3.0.13                       =   up-to-date with port
libgcrypt-1.5.3                     =   up-to-date with port
libgpg-error-1.12                   =   up-to-date with port
libiconv-1.14_1                     =   up-to-date with port
libinotify-20110829                 =   up-to-date with port
libssh2-1.4.3_1,2                   =   up-to-date with port
libsunacl-1.0                       =   up-to-date with port
libtasn1-2.14                       =   up-to-date with port
libtool-2.4.2_1                     =   up-to-date with port
libxml2-2.8.0_2                     =   up-to-date with port
m4-1.4.16_1,1                       =   up-to-date with port
mc-4.8.8                            =   up-to-date with port
nettle-2.7.1                        =   up-to-date with port
openldap-client-2.4.36              =   up-to-date with port
p11-kit-0.16.3                      =   up-to-date with port
p5-Locale-gettext-1.05_3            =   up-to-date with port
p5-Parse-Pidl-4.0.8                 =   up-to-date with port
p5-Parse-Yapp-1.05                  =   up-to-date with port
pcre-8.33                           =   up-to-date with port
perl-threaded-5.18.1                =   up-to-date with port
pkgconf-0.9.3                       =   up-to-date with port
popt-1.16                           =   up-to-date with port
python-2.7_1,2                      =   up-to-date with port
python2-2                           =   up-to-date with port
python27-2.7.5_2                    =   up-to-date with port
samba4-4.0.8                        =   up-to-date with port
talloc-2.0.8                        =   up-to-date with port
tdb-1.2.12,1                        =   up-to-date with port
tevent-0.9.18                       =   up-to-date with port
```

Do I have to install some version of Kerberos, or do I have an error in the build options for BIND or Samba?

Thanks in advance for any help!


----------



## igorino (Sep 2, 2013)

@von_Gaden,

Do you have the tkey-gssapi-credential and tkey-domain options configured in your named.conf in the options section? What about the KEYTAB_FILE and KRB5_KTNAME variables, do they return your dns.keytab correctly?
By the way, you can `klist -k dns.keytab` to get those options.


----------



## von_Gaden (Sep 2, 2013)

Actually no. According to the Samba4 Wiki and on-screen instructions after provisioning I have only the following in the `options` section of /etc/namedb/named.conf

```
tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
```
and at the end of that file:

```
include "/var/db/samba4/private/named.conf";
```
`klist -k dns.keytab` prints only usage information, as if the command options were wrong.


----------



## igorino (Sep 3, 2013)

Oops, so sorry @von_Gaden.

I'm just a little confused with the tools, the correct command is `ktutil -k /var/db/samba4/private/dns.keytab list`, with that now you can get those values. Sorry again.


----------



## von_Gaden (Sep 3, 2013)

Thank you very much for your cooperation! I'm sorry that I'm currently unable to implement an essential part of my services as Samba4. I have some sites where internal Samba DNS is almost safe to use but on several others I have a direct Internet connection to the server and BIND with proper ACLs seems the only reasonable choice.

I must admit Kerberos is currently blurred in the dark for me. The triple headed dog of Hades is frightening, isn't it?

So, here is my output:

```
root@smbtest:/root # ktutil -k /var/db/samba4/private/dns.keytab list
/var/db/samba4/private/dns.keytab:

Vno  Type                     Principal
  1  des-cbc-crc              DNS/smbtest.test.lan@TEST.LAN
  1  des-cbc-crc              dns-smbtest@TEST.LAN
  1  des-cbc-md5              DNS/smbtest.test.lan@TEST.LAN
  1  des-cbc-md5              dns-smbtest@TEST.LAN
  1  arcfour-hmac-md5         DNS/smbtest.test.lan@TEST.LAN
  1  arcfour-hmac-md5         dns-smbtest@TEST.LAN
  1  aes128-cts-hmac-sha1-96  DNS/smbtest.test.lan@TEST.LAN
  1  aes128-cts-hmac-sha1-96  dns-smbtest@TEST.LAN
  1  aes256-cts-hmac-sha1-96  DNS/smbtest.test.lan@TEST.LAN
  1  aes256-cts-hmac-sha1-96  dns-smbtest@TEST.LAN
```
I don't know if this is completely OK but it doesn't seem so broken to me.


----------



## igorino (Sep 4, 2013)

Ok, make sure these lines are in your BIND9 named.conf:

```
options {
...
tkey-gssapi-credential "DNS/smbtest.test.lan@TEST.LAN";
tkey-domain "TEST.LAN";
...
}
```
Make a symlink of your /var/db/samba4/private/dns.keytab to the /etc/krb5.keytab file and a copy of /var/db/samba4/private/krb5.conf to /etc/krb5.conf just in case. Also, verify that your /var/db/samba4/private/named.conf is configured for the correct BIND9 version.
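An added check for the wiring described in this post (example code, not from the thread, Samba or BIND): it parses the tkey-* options out of a named.conf `options` block and the `ktutil -k <keytab> list` output, then confirms that all three options are set, that the tkey-gssapi-credential principal is actually present in the keytab, and that its realm matches tkey-domain. The sample inputs are constructed from the values posted earlier in this thread.

```python
"""Sanity-check the BIND9 GSS-TSIG / Samba DLZ configuration discussed in this thread.

Added example, not part of the original thread. Sample inputs below are
constructed from the values von_Gaden posted (named.conf options, Sep 10 2013;
ktutil listing, Sep 3 2013).
"""
import re

# Constructed sample: options fragment as posted on Sep 10, 2013.
NAMED_OPTIONS = """
options {
        directory       "/etc/namedb/working";
        tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
        tkey-gssapi-credential "DNS/smbtest.test.lan@TEST.LAN";
        tkey-domain "TEST.LAN";
};
"""

# Constructed sample: abbreviated `ktutil -k ... list` output as posted on Sep 3, 2013.
KTUTIL_OUTPUT = """\
/var/db/samba4/private/dns.keytab:

Vno  Type                     Principal
  1  des-cbc-crc              DNS/smbtest.test.lan@TEST.LAN
  1  des-cbc-crc              dns-smbtest@TEST.LAN
  1  arcfour-hmac-md5         DNS/smbtest.test.lan@TEST.LAN
  1  aes256-cts-hmac-sha1-96  DNS/smbtest.test.lan@TEST.LAN
  1  aes256-cts-hmac-sha1-96  dns-smbtest@TEST.LAN
"""

# The three options the thread says BIND needs for GSS-TSIG updates.
TKEY_OPTIONS = ("tkey-gssapi-keytab", "tkey-gssapi-credential", "tkey-domain")
# Single-DES enctypes are deprecated for Kerberos by RFC 6649; worth flagging.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}


def parse_named_options(text):
    """Return {option: value} for quoted tkey-* options, ignoring // comments."""
    found = {}
    for line in text.splitlines():
        line = line.split("//", 1)[0].strip()
        m = re.match(r'^(tkey-[\w-]+)\s+"([^"]*)"\s*;', line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def parse_ktutil_list(text):
    """Return a list of (kvno, enctype, principal) tuples from ktutil output."""
    entries = []
    for line in text.splitlines():
        # Data rows start with the key version number; the header row does not.
        m = re.match(r"^\s*(\d+)\s+(\S+)\s+(\S+@\S+)\s*$", line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def check_gss_tsig_config(options_text, ktutil_text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    opts = parse_named_options(options_text)
    for name in TKEY_OPTIONS:
        if name not in opts:
            findings.append("missing option in named.conf: %s" % name)

    entries = parse_ktutil_list(ktutil_text)
    if not entries:
        findings.append("keytab listing contains no principals")

    cred = opts.get("tkey-gssapi-credential")
    if cred:
        principals = {p for _, _, p in entries}
        if cred not in principals:
            findings.append("credential %s not found in keytab" % cred)
        realm = cred.rsplit("@", 1)[-1]
        domain = opts.get("tkey-domain")
        if domain and domain.upper() != realm.upper():
            findings.append("tkey-domain %s does not match credential realm %s"
                            % (domain, realm))

    for enc in sorted({e for _, e, _ in entries if e in WEAK_ENCTYPES}):
        findings.append("keytab holds legacy enctype %s (deprecated by RFC 6649)" % enc)
    return findings


if __name__ == "__main__":
    for line in check_gss_tsig_config(NAMED_OPTIONS, KTUTIL_OUTPUT) or ["all checks passed"]:
        print(line)
```

Run it against the real files by reading `/etc/namedb/named.conf` and the output of `ktutil -k /var/db/samba4/private/dns.keytab list` instead of the constructed samples.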


----------



## von_Gaden (Sep 10, 2013)

Sorry for being away some days and thank you for your help. Sadly I couldn't succeed.

According to your instructions I have:

```
root@smbtest:/root # ls -l /etc/k*
-rw-r--r--  1 root  wheel  89 Aug 18 20:04 /etc/krb5.conf
lrwxr-xr-x  1 root  wheel  33 Sep 10 22:34 /etc/krb5.keytab -> /var/db/samba4/private/dns.keytab
```
/var/db/samba4/private/named.conf is configured for BIND 9.9 (as installed):

```
dlz "AD DNS Zone" {
    # For BIND 9.8.0
#    database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9.so";

    # For BIND 9.9.0
     database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_9.so -d 3";
};
```
and in /etc/namedb/named.conf in options I have:

```
tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
        tkey-gssapi-credential "DNS/smbtest.test.lan@TEST.LAN";
        tkey-domain "TEST.LAN";
```
I noticed that BIND starts much slower when tkey-gssapi-credential is not commented out. Either way, the message about the unsupported mechanism is the same:

```
smbtest named[893]: samba_dlz: GSS server Update(krb5)(1) Update failed:  An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
```


----------



## igorino (Sep 11, 2013)

Remember that BIND9 should not run in chroot. Maybe enabling DLZ_BDB, DLZ_FILESYSTEM and DLZ_STUB in your BIND9 should help too.


----------



## von_Gaden (Sep 12, 2013)

Yes, it's not chrooted and I use replace_base. I rebuilt BIND99 with recommended DLZ modules but with no success. Dynamic updates still fail with the same error.


----------



## herles (Sep 13, 2013)

Hey @von_Gaden, add `nsupdate command = nsupdate` in your smb.conf.


----------



## herles (Sep 13, 2013)

I have this issue: 

`#/usr/local/samba/sbin/samba_dnsupdate --verbose --all-names`

```
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.dc._msdcs.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.gc._msdcs.acme.internal. 900 IN SRV 0 100 3268 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.74dad51c-fd6e-42f6-aee2-f04a58242149.domains._msdcs.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.74dad51c-fd6e-42f6-aee2-f04a58242149.domains._msdcs.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.acme.internal. 900  IN      SRV     0 100 3268 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.acme.internal. 900 IN SRV 0 100 3268 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Failed update of 21 entries
root@acme-DC1:/root #
root@acme-DC1:/root # /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names
IPs: ['192.168.1.5']
Calling nsupdate for A acme.internal 192.168.1.5
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
acme.internal.       900     IN      A       192.168.1.5

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A acme-dc1.acme.internal 192.168.1.5
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
acme-dc1.acme.internal. 900 IN    A       192.168.1.5

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A gc._msdcs.acme.internal 192.168.1.5
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.acme.internal. 900 IN      A       192.168.1.5

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for CNAME a3d07326-3068-4a13-b881-d802b427c479._msdcs.acme.internal acme-dc1.acme.internal
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
a3d07326-3068-4a13-b881-d802b427c479._msdcs.acme.internal. 900 IN CNAME acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._tcp.acme.internal acme-dc1.acme.internal 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.acme.internal. 900 IN  SRV     0 100 464 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._udp.acme.internal acme-dc1.acme.internal 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.acme.internal. 900 IN  SRV     0 100 464 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.acme.internal acme-dc1.acme.internal 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.acme.internal. 900 IN SRV     0 100 88 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.acme.internal acme-dc1.acme.internal 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.acme.internal. 900 IN SRV 0 100 88 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.acme.internal acme-dc1.acme.internal 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.acme.internal. 900 IN SRV 0 100 88 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.acme.internal acme-dc1.acme.internal 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.acme.internal. 900 IN SRV 0 100 88 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._udp.acme.internal acme-dc1.acme.internal 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.acme.internal. 900 IN SRV     0 100 88 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.acme.internal. 900 IN     SRV     0 100 389 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.acme.internal. 900 IN SRV 0 100 3268 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.pdc._msdcs.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.dc._msdcs.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.gc._msdcs.acme.internal. 900 IN SRV 0 100 3268 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.74dad51c-fd6e-42f6-aee2-f04a58242149.domains._msdcs.acme.internal acme-dc1.acme.internal 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.74dad51c-fd6e-42f6-aee2-f04a58242149.domains._msdcs.acme.internal. 900 IN SRV 0 100 389 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.acme.internal. 900  IN      SRV     0 100 3268 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.acme.internal acme-dc1.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.acme.internal. 900 IN SRV 0 100 3268 acme-dc1.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Failed update of 21 entries
root@acme-DC1:/root #
```


----------



## igorino (Sep 13, 2013)

Really odd, @von_Gaden. Could you post your named.conf?


----------



## von_Gaden (Sep 13, 2013)

I trimmed all zones pointing to /etc/namedb/master/empty.db to shorten the file.

/etc/namedb/named.conf

```
options {
        // All file and path names are relative to the chroot directory,
        // if any, and should be fully qualified.
        directory       "/etc/namedb/working";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";

        disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
        disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
        disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

        tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
        tkey-gssapi-credential "DNS/smbtest.test.lan@TEST.LAN";
        tkey-domain "TEST.LAN";
#        auth-nxdomain yes;
};

zone "." { type hint; file "/etc/namedb/named.root"; };
zone "localhost"        { type master; file "/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "/etc/namedb/master/localhost-reverse.db"; };
zone "255.in-addr.arpa" { type master; file "/etc/namedb/master/empty.db"; };
zone "0.ip6.arpa"       { type master; file "/etc/namedb/master/localhost-reverse.db"; };
zone "0.in-addr.arpa"   { type master; file "/etc/namedb/master/empty.db"; };

include "/var/db/samba4/private/named.conf";
```
No difference if `auth-nxdomain` is uncommented.

/var/db/samba4/private/named.conf

```
dlz "AD DNS Zone" {
    # For BIND 9.8.0
#    database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9.so";

    # For BIND 9.9.0
     database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_9.so -d 3";
};
```
/var/db/samba4/private/krb5.conf and /etc/krb5.conf

```
[libdefaults]
        default_realm = TEST.LAN
        dns_lookup_realm = false
        dns_lookup_kdc = true
```


----------



## Muba (Sep 13, 2013)

Hello,

I've been monitoring this thread for some time as an unregistered user but I'd like to contribute my experience: I also get the REFUSED entries using `samba_dnsupdate` but `samba-tool` writes the correct DLZ information even on new and manually added hosts. I'm using BIND99 from ports without base replacement and adjusted smb4.conf:


```
nsupdate command = /usr/local/bin/nsupdate -g
```

However, the error remains and I'd like to know if you have another idea for debugging this issue. For a one-process debug a `truss` would help, but where to start in this case? The message indicates a problem with the Kerberos libraries or something in the back of BIND and Samba?

And thanks for your replies so far,
Muba


----------



## herles (Sep 13, 2013)

@von_Gaden, did you solve

```
smbtest named[893]: samba_dlz: GSS server Update(krb5)(1) Update failed:  An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
```
?


----------



## igorino (Sep 14, 2013)

Maybe some issue with DNSsec? Try disabling it, in named.conf put these lines inside the options section:


```
dnssec-enable no;
dnssec-lookaside auto;
```

What about explicitly setting

```
auth-nxdomain no;
```
?


----------



## Muba (Sep 14, 2013)

Well, DNSsec is used to encrypt/sign the record answers to clients so DNS forgery gets prevented, right? So I don't think it will help here as well as auth-nxdomain for an authoritative answer to non-existent domains. (read RR vs. write RR)

I also read the Samba4 Wiki again and it seems you need

```
tkey-gssapi-credential "DNS/smbtest.test.lan@TEST.LAN";
        tkey-domain "TEST.LAN";
```
only for BIND98, the 9.9 version uses the keytab file to find it.


----------



## von_Gaden (Sep 14, 2013)

herles said:

> @von_Gaden, did you solve
> ...



No, that's all my noise about.


----------



## von_Gaden (Sep 14, 2013)

igorino said:

> Maybe some issue with DNSSEC? Try disabling it, in named.conf put these lines inside the options section:
> ...



I'm so sorry that none of these changed anything. The "unsupported mechanism" is still failing my updates...


----------



## igorino (Sep 15, 2013)

Time to do some debug with truss or devel/strace then. Are you sure that your BIND9 user has the correct directory/file permissions and it can retrieve the correct Kerberos variables?


----------



## von_Gaden (Sep 15, 2013)

First of all, thanks for your efforts to help me in solving such an important problem!

As for the permissions:

```
root@smbtest:/root # ls -l /var/db/samba4/private/
total 12088
drwxrwx---  3 root  bind       512 Sep  1 21:29 dns
-rw-r-----  1 root  bind       712 Sep  1 21:29 dns.keytab
-rw-r--r--  1 root  wheel     2270 Sep  1 21:29 dns_update_list
-rw-------  1 root  wheel  1286144 Sep  1 21:29 hklm.ldb
-rw-------  1 root  wheel  1609728 Sep 15 15:19 idmap.ldb
-rw-r--r--  1 root  wheel       89 Sep  1 21:29 krb5.conf
.....
root@smbtest:/root # ls -l /var/db/samba4/private/dns
total 3012
-rw-rw----  1 root  bind  3018752 Sep  1 21:29 sam.ldb
drwxrwx---  2 root  bind      512 Sep  1 21:29 sam.ldb.d
```
I'm not sure about the Kerberos variables. I've never used debugging tools such as truss or strace and I need some time to find out how to use them. If you can recommend a good HowTo source I'll be very grateful.


----------



## igorino (Sep 16, 2013)

For the kerberos variables, edit /etc/login.conf and replace the line which reads

```
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K:\
```
with

```
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K,KEYTAB_FILE=/var/db/samba4/private/dns.keytab,KRB5_KTNAME=/var/db/samba4/private/dns.keytab:\
```

and save the file, then execute `cap_mkdb /etc/login.conf`; you'll have to log out, then log in again (restart the named service).

The dns_update_list file should be writable by the BIND9 user, don't you agree? Perhaps `samba_upgradedns --dns-backend=BIND9_DLZ` should set those permissions correctly.

Debugging with truss is quite simple. For example, try `truss -o output.log -p pid_of_named_process`. After that, in another terminal, run `/usr/local/samba/sbin/samba_dnsupdate --verbose --all-names`, then stop truss with `^C` and take a look at output.log, or tail that file while running truss, your call.


----------



## herles (Sep 16, 2013)

Hey @igorino, how can *I* read cap_mkdb files? Where is the db database?

Regards.


----------



## fonz (Sep 16, 2013)

herles said:

> how can *I* read cap_mkdb files? Where is the db database?




```
% ls /etc/login*
/etc/login.access   /etc/login.conf     /etc/login.conf.db
```
To actually read the database file, if for some reason you should want to, see dbopen(3).


----------



## herles (Sep 17, 2013)

FreeBSD 9.1-RELEASE (GENERIC) #0 r243826: Tue Dec  4 06:55:39 UTC 2012

`root@fbsd:/root # ps ax | grep samba`

```
1292 ??  Ss      0:00.70 /usr/local/samba/sbin/samba
1293 ??  I       0:00.01 samba: task[s3fs_parent] (samba)
1294 ??  S       0:00.69 samba: task[dcesrv] (samba)
1295 ??  S       0:51.20 samba: task[nbtd] (samba)
1296 ??  Is      0:04.16 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
1297 ??  S       0:00.04 samba: task wrepl server_id[1297] (samba)
1298 ??  I       0:02.70 samba: task[ldapsrv] (samba)
1299 ??  S       0:00.04 samba: task[cldapd] (samba)
1300 ??  I       0:00.12 samba: task[kdc] (samba)
1301 ??  S       0:46.07 samba: task[dreplsrv] (samba)
1302 ??  I       0:00.23 samba: task[winbind] (samba)
1303 ??  S       0:00.04 samba: task[ntp_signd] (samba)
1304 ??  I       0:28.25 samba: task[kccsrv] (samba)
1305 ??  I       0:01.93 samba: task[dnsupdate] (samba)
1308 ??  I       0:00.35 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
6608  0  S+      0:00.00 grep samba
```

`root@fbsd:/root # /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names`

```
IPs: ['192.168.1.5']
Calling nsupdate for A acme.internal 192.168.1.5
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
acme.internal.       900     IN      A       192.168.1.5

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A fbsd.acme.internal 192.168.1.5
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
fbsd.acme.internal.  900     IN      A       192.168.1.5

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A gc._msdcs.acme.internal 192.168.1.5
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.acme.internal. 900 IN      A       192.168.1.5

...

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.acme.internal fbsd.acme.internal 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.acme.internal. 900 IN SRV 0 100 3268 fbsd.acme.internal.

update failed: REFUSED
Failed nsupdate: 2
Failed update of 21 entries
```

`root@fbsd:/root # truss -o output.log -p 1305`

`root@fbsd:/root # vi output.log`

```
SIGNAL 17 (SIGSTOP)
gettimeofday({1379446115.604439 },0x0)           = 0 (0x0)
poll({19/POLLIN|POLLHUP 18/POLLIN|POLLHUP},2,1281) = 0 (0x0)
gettimeofday({1379446116.886368 },0x0)           = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
fcntl(15,F_SETLKW,0xbfbfe200)                    = 0 (0x0)
fcntl(15,F_SETLKW,0xbfbfe254)                    = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe2b0)                    = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe344)                    = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe090)                    = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe124)                    = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe230)                    = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe2c4)                    = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
fcntl(15,F_SETLKW,0xbfbfe210)                    = 0 (0x0)
fcntl(15,F_SETLKW,0xbfbfe264)                    = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
clock_gettime(13,{1379446116.000000000 })        = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe2c0)                    = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe354)                    = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe240)                    = 0 (0x0)
fcntl(11,F_SETLKW,0xbfbfe2d4)                    = 0 (0x0)
open("/usr/local/samba/private/named.conf.update.static",O_RDONLY,00) ERR#2 'No such file or directory'
unlink("/usr/local/samba/private/named.conf.update.tmp") ERR#2 'No such file or directory'
open("/usr/local/samba/private/named.conf.update.tmp",O_WRONLY|O_CREAT|O_TRUNC,0444) = 20 (0x14)
write(20,"/* this file is auto-generated -"...,48) = 48 (0x30)
write(20,"update-policy {\n",16)                 = 16 (0x10)
write(20,"\tgrant acme.INTERNAL ms-self"...,42) = 42 (0x2a)
write(20,"\tgrant Administrator@acme.IN"...,67) = 67 (0x43)
write(20,"\tgrant FBSD$@acme.internal w"...,59) = 59 (0x3b)
write(20,"};\n",3)                               = 3 (0x3)
close(20)                                        = 0 (0x0)
open("/usr/local/samba/private/named.conf.update.tmp",O_RDONLY,00) = 20 (0x14)
fstat(20,{ mode=-r--r--r-- ,inode=803912,size=235,blksize=32768 }) = 0 (0x0)
read(20,"/* this file is auto-generated -"...,235) = 235 (0xeb)
close(20)                                        = 0 (0x0)
open("/usr/local/samba/private/named.conf.update",O_RDONLY,00) = 20 (0x14)
fstat(20,{ mode=-r--r--r-- ,inode=803909,size=235,blksize=32768 }) = 0 (0x0)
read(20,"/* this file is auto-generated -"...,235) = 235 (0xeb)
close(20)                                        = 0 (0x0)
unlink("/usr/local/samba/private/named.conf.update.tmp") = 0 (0x0)
gettimeofday({1379446116.888507 },0x0)           = 0 (0x0)
gettimeofday({1379446116.888535 },0x0)           = 0 (0x0)
```


----------



## von_Gaden (Sep 18, 2013)

truss produced a long file and I must admit most of it looks a little mysterious to me... Here is part of the log's `tail`:

```
...
fcntl(9,F_SETLKW,0x7fffff9fba90)                 = 0 (0x0)
fcntl(9,F_SETLKW,0x7fffff9fbab0)                 = 0 (0x0)
madvise(0x81c6be000,0xa000,0x5,0x2bd,0x7fffff9fb210,0x1) = 0 (0x0)
madvise(0x81c04e000,0xa000,0x5,0x4d,0x81c400000,0x7fffff9fb230) = 0 (0x0)
madvise(0x81c029000,0xa000,0x5,0x28,0x81c400000,0x7fffff9fb230) = 0 (0x0)
clock_gettime(13,{1379537150.000000000 })        = 0 (0x0)
getpid()                                         = 1189 (0x4a5)
sendto(3,"<30>Sep 18 23:45:50 named[1189]:"...,83,0x0,NULL,0x0) = 83 (0x53)
_umtx_op(0x803808258,0x15,0x1,0x0,0x0,0x0)       = 0 (0x0)
gettimeofday({1379537150.575968 },0x0)           = 0 (0x0)
gettimeofday({1379537150.576058 },0x0)           = 0 (0x0)
sendmsg(0x19,0x7fffff9fb840,0x0,0x0,0x2178a8,0x1) = 125 (0x7d)
recvmsg(0x19,0x7fffff9fcdd0,0x0,0x0,0x2c80,0x0)  ERR#35 'Resource temporarily unavailable'
write(7,"\^Y\0\0\0\M-}\M^?\M^?\M^?",8)           = 1 (0x1)
read(5,"\^Y\0\0\0\M-}\M^?\M^?\M^?",8)            = 8 (0x8)
kevent(8,{0x19,EVFILT_READ,EV_ADD,0,0x0,0x0},1,0x0,0,0x0) = 0 (0x0)
read(5,0x7fffff5faf60,8)                         ERR#35 'Resource temporarily unavailable'
gettimeofday({1379537150.576673 },0x0)           = 0 (0x0)
_umtx_op(0x803808258,0x15,0x1,0x0,0x0,0xf)       = 0 (0x0)
gettimeofday({1379537150.576812 },0x0)           = 0 (0x0)
clock_gettime(0,{1379537150.576897459 })         = 0 (0x0)
_umtx_op(0x80087f008,0xf,0x0,0x0,0x0,0x0)        = 1 (0x1)
_umtx_op(0x803808a58,0x15,0x1,0x0,0x0,0x0)       = 0 (0x0)
kevent(8,{0x19,EVFILT_READ,EV_DELETE,0,0x0,0x0},1,0x0,0,0x0) = 0 (0x0)
gettimeofday({1379537150.582205 },0x0)           = 0 (0x0)
recvmsg(0x19,0x7fffff9fcea0,0x0,0x0,0x2c80,0x803818060) = 0 (0x0)
write(7,"\^Y\0\0\0\M-{\M^?\M^?\M^?",8)           = 1 (0x1)
read(5,"\^Y\0\0\0\M-{\M^?\M^?\M^?",8)            = 8 (0x8)
kevent(8,{0x19,EVFILT_READ,EV_DELETE,0,0x0,0x0},1,0x0,0,0x0) ERR#2 'No such file or directory'
kevent(8,{0x19,EVFILT_WRITE,EV_DELETE,0,0x0,0x0},1,0x0,0,0x0) ERR#2 'No such file or directory'
_umtx_op(0x803808258,0x15,0x1,0x0,0x0,0x7fffff9fc0b0) = 0 (0x0)
read(5,0x7fffff5faf60,8)                         ERR#35 'Resource temporarily unavailable'
gettimeofday({1379537150.583706 },0x0)           = 0 (0x0)
clock_gettime(0,{1379537150.583866781 })         = 0 (0x0)
```


----------



## Muba (Sep 19, 2013)

According to the truss results the samba: task[dnsupdate] isn't involved at all when doing `samba_dnsupdate`, as the Python script uses the `nsupdate` command directly. Currently I'm learning about /etc/gss/mech which describes the available Kerberos mechanisms: the OID used by `nsupdate` isn't the SPNEGO one, but maybe the log lines of named are a bit confusing.
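The mechanism OID in the named line herles quoted ("unknown mech-code 0 for mech 1 2 840 113554 1 2 2") is printed with spaces between the arcs; in dotted form it is 1.2.840.113554.1.2.2, which is the Kerberos V5 mechanism rather than SPNEGO, and that is exactly the question /etc/gss/mech answers for a host. The Python below is an added example, not code from this thread, Samba or BIND: it decodes the OID from the log line and looks it up in a constructed /etc/gss/mech-style table (laid out like FreeBSD's file, but the rows are assumed sample data) so one can see whether the rejected mechanism is even registered on the host.

```python
import re

# Well-known GSS-API mechanism OIDs (public constants, not taken from the thread).
KNOWN_MECHS = {
    "1.2.840.113554.1.2.2": "Kerberos V5 (RFC 1964)",
    "1.2.840.48018.1.2.2": "Microsoft Kerberos V5 (legacy OID)",
    "1.3.6.1.5.5.2": "SPNEGO (RFC 4178)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

# The named log line quoted earlier in the thread, reused here as sample input.
SAMPLE_LOG_LINE = (
    "smbtest named[893]: samba_dlz: GSS server Update(krb5)(1) Update failed:  "
    "An unsupported mechanism was requested: unknown mech-code 0 for mech "
    "1 2 840 113554 1 2 2"
)

# Constructed sample in the layout of FreeBSD's /etc/gss/mech:
# name, OID, shared object, kernel module (or "-"). Rows are assumed values.
SAMPLE_GSS_MECH = """\
# Name        Object Identifier        Shared Object                    Kernel Module
kerberosv5    1.2.840.113554.1.2.2     /usr/lib/libgssapi_krb5.so.10    kgssapi_krb5
ntlm          1.3.6.1.4.1.311.2.2.10   /usr/lib/libgssapi_ntlm.so.10    -
spnego        1.3.6.1.5.5.2            /usr/lib/libgssapi_spnego.so.10  -
"""

# named prints the OID with spaces between arcs instead of dots.
MECH_ERROR_RE = re.compile(
    r"unknown mech-code (?P<code>\d+) for mech (?P<oid>\d+(?:\s+\d+)+)"
)


def parse_gss_mech(text):
    """Return {dotted_oid: (name, shared_object)} from /etc/gss/mech-style text."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed row: ignore rather than guess
        name, oid, lib = fields[0], fields[1], fields[2]
        table[oid] = (name, lib)
    return table


def extract_mech_oid(log_line):
    """Return the mechanism OID from a samba_dlz GSS error in dotted form,
    or None when the line is not that error."""
    m = MECH_ERROR_RE.search(log_line)
    if m is None:
        return None
    return ".".join(m.group("oid").split())


def diagnose(log_line, gss_mech_text):
    """Decode the rejected mechanism and check it against the mech table."""
    oid = extract_mech_oid(log_line)
    if oid is None:
        return None
    table = parse_gss_mech(gss_mech_text)
    name, lib = table.get(oid, (None, None))
    return {
        "oid": oid,
        "known_as": KNOWN_MECHS.get(oid, "unknown mechanism"),
        "configured": oid in table,
        "mech_name": name,
        "library": lib,
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG_LINE, SAMPLE_GSS_MECH)
    for key, value in result.items():
        print(f"{key:>11}: {value}")
```

Run it directly to print the decoded result for the quoted line; to check a live host, pass the contents of the real /etc/gss/mech to `diagnose` instead of the constructed sample. A mechanism that decodes to Kerberos V5 yet is reported unsupported points at the GSS library named can load, not at the DNS update itself.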


----------



## von_Gaden (Sep 22, 2013)

Sorry, I forgot to mention: my truss output above is for bind, not for samba: task[dnsupdate]


----------



## frankpeng (Sep 28, 2013)

Hi, everybody! I posted a video on YouTube on how to install Samba 4.0.8 on FreeBSD 9.1-RELEASE. On YouTube, if you search 'Samba4 FreeBSD', you will find it. Please watch it and if you have any questions, let me know. Also, I cannot get rid of the warning:

```
[2013/09/24 18:06:49,  0] ../source3/smbd/server.c:1200(main)
  smbd version 4.0.8 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2012
[2013/09/24 18:06:49.664147,  0] ../source3/smbd/server.c:1280(main)
  standard input is not a socket, assuming -D option
[2013/09/24 18:50:26.955916,  0] ../source3/smbd/trans2.c:3087(smbd_do_qfsinfo)
  smbd_do_qfsinfo: not an allowed info level (0x102) on IPC$.
[2013/09/24 18:50:27.777576,  0] ../source3/smbd/trans2.c:3087(smbd_do_qfsinfo)
  smbd_do_qfsinfo: not an allowed info level (0x102) on IPC$.
.......
```

Please help.

This is the cook book:

Frank Peng
PCCOM COMPUTERS INC.
47 Pannahill Drive, Brampton, ONTARIO, CANADA, L6P 3B3

Cell: 416-781-0496, email: pccom.frank@gmail.com

HOW TO INSTALL SAMBA4.0.8 ON FREEBSD 9.1 RELEASE--AN ALTERNATIVE FOR WINDOWS SERVER

Install FreeBSD 9.1-RELEASE.
Update ports: `portsnap fetch && portsnap extract`
Port install Samba 4: `cd /usr/ports/net/samba4 && make -DBATCH install clean && rehash`
Modify the file system:
`cp fstab fstab.orig`
`sed -e "s/ufs.*rw.*1/ufs     rw,acls 1       1/g" fstab.orig > tmp`
`cat tmp`
`mv tmp fstab`
`rm tmp`
`mount -o acls /`
Install CUPS: `cd /usr/ports/print/cups && make -DBATCH install clean && rehash`
Check the hosts file. Run `hostname` to find out your computer's name.
Check the resolv.conf file, add a domain line and nameserver lines.
Enable named (BIND98):
`echo 'named_enable="YES"' >> /etc/rc.conf`
`echo 'named_chrootdir=""' >> /etc/rc.conf`
`echo 'cupsd_enable="YES"' >> /etc/rc.conf`
`echo 'samba4_enable="YES"' >> /etc/rc.conf`
Configure named:
Change listen to local to listen to world, comment out 127.0.0.1.
Change forwarder.
Add an option line (later).
Include a DLZ file.
Change the dns-keytab's file group and permission (necessary?).

Samba4 domain provision: `samba-tool domain provision --use-rfc2307 --interactive`
default realm name
default domain name
Use the BIND9_DLZ DNS server.
Remember the administrator password.
Change the Samba4 configuration file: /usr/local/etc/smb4.conf. Add a line

```
nsupdate command = /usr/local/bin/samba-nsupdate -g
```
`cp /var/db/samba4/private/krb5.conf /etc`

Start named by `/etc/rc.d/named start`.
Start samba4 by `/usr/local/etc/rc.d/samba4 start`.
Check errors in /var/log/samba4/log.smbd.
Change the Windows computer's DNS IP address to point to the Samba4 server IP address.
Change computer to join the domain.
Restart the Windows computer to join the domain.
Download administrative tools from Microsoft to manage the domain controller.

https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO
http://www.samba.org/
http://forums.freebsd.org/showthread.php?t=36137&highlight=samba4


----------



## QuinRiva (Oct 19, 2013)

I followed @frankpeng's YouTube tutorial and I can confirm that I now have a working Samba4 DC on FreeBSD 9.2.

There are steps that are covered in the YouTube tutorial that are not covered in the post above.  Also, a warning that it is painfully slow and difficult to follow (as in visually difficult to follow, he skips around the screen constantly, requiring a lot of pausing and rewinding to figure out what it is that he is typing).

Expect to set aside 2-3 hours if you want to go through the YouTube tutorial.  Frank seems to know his stuff, but it would be great if someone could refine the steps into an easy to follow guide with a few more references as to why certain steps are being taken.


----------



## von_Gaden (Oct 20, 2013)

I have to admit my impatience to follow the whole guide. The exact configuration for Samba and BIND was unclear to me. I suppose the used BIND is version 9.8? I'll try to follow the guide step-by-step on a clear installation and see what was wrong with my previous tests. I'll gladly share my "new experiences".


----------



## QuinRiva (Nov 17, 2013)

Yeah, as I said, technically if you watch the whole video you _can_ come out with everything working, but it is insanely difficult to follow.  Obviously @frankpeng has put a bit of effort into creating the YouTube video, but it's almost unbearable to watch and his cookbook omits about a dozen steps (don't follow his cookbook; the steps that are there aren't in order either).

I'll update the OP when I have a bit more time, thankfully a clean install is sped up a bit by the release of the samba4 package for 9.1 x64.


----------



## donbeal (Nov 21, 2013)

Hey guys. Great information on this post. Unfortunately, I've got the exact same problem and even following the 'cookbook' I cannot get DNS updates to work. I'm running Samba 4 (from ports) and BIND 9.8 (ports). 

Everything works for the most part. I can add new users, machines, and view users on the DC machine. Just can't get the DNS updates to work despite TSIG present, Kerberos working, etc. Were you guys able to isolate what you did to fix?

Thanks,
Don


----------



## ogie (Nov 22, 2013)

Guys,

Thanks for all the great info in the post. I currently have a functioning domain with everything EXCEPT DNS updates. Here's some of my output:

_[ nothing here -- Mod. ]_

As you can see, dnsupdate is running successfully

However, when I run `samba_dnsupdate --verbose --all-names`

```
root@server1:~ # samba_dnsupdate --verbose --all-names
IPs: ['192.168.254.2']
ldb_wrap open of secrets.ldb
Calling nsupdate for A example.com 192.168.254.2
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
example.com.		900	IN	A	192.168.254.2

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for A server1.example.com 192.168.254.2
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
server1.example.com.	900	IN	A	192.168.254.2

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for A gc._msdcs.example.com 192.168.254.2
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.example.com. 900	IN	A	192.168.254.2

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for CNAME dfd9e627-803d-4a18-9d92-984bff22d60a._msdcs.example.com server1.example.com
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dfd9e627-803d-4a18-9d92-984bff22d60a._msdcs.example.com. 900	IN CNAME server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _kpasswd._tcp.example.com server1.example.com 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.example.com. 900 IN	SRV	0 100 464 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _kpasswd._udp.example.com server1.example.com 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.example.com. 900 IN	SRV	0 100 464 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _kerberos._tcp.example.com server1.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.example.com. 900 IN	SRV	0 100 88 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.example.com server1.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.example.com. 900 IN	SRV 0 100 88 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.example.com server1.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.example.com. 900 IN SRV 0 100 88 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.example.com server1.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.example.com.	900 IN SRV 0 100 88 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _kerberos._udp.example.com server1.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.example.com. 900 IN	SRV	0 100 88 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.example.com server1.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.example.com. 900	IN	SRV	0 100 389 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.example.com server1.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.example.com. 900 IN SRV	0 100 389 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.example.com server1.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.example.com. 900 IN SRV	0 100 3268 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.example.com server1.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.pdc._msdcs.example.com. 900 IN SRV 0 100 389 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.example.com server1.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.example.com. 900 IN SRV 0 100 389 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.example.com server1.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.dc._msdcs.example.com. 900	IN SRV 0 100 389 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.example.com server1.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.gc._msdcs.example.com. 900	IN SRV 0 100 3268 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _ldap._tcp.e9a190c3-a698-4700-8912-51ca0c647f23.domains._msdcs.example.com server1.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.e9a190c3-a698-4700-8912-51ca0c647f23.domains._msdcs.example.com. 900 IN SRV 0 100 389 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _gc._tcp.example.com server1.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.example.com. 900	IN	SRV	0 100 3268 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.example.com server1.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.example.com.	900 IN SRV 0 100 3268 server1.example.com.

dns_tkey_negotiategss: TKEY is unacceptable 
Failed nsupdate: 1
Failed update of 21 entries
```

One thing I have noticed, when I run the above command with --use-file=/var/db/samba4/private/dns.keytab, it is successful.

```
root@server1:~ # samba_dnsupdate --use-file=/var/db/samba4/private/dns.keytab --verbose --all-names
IPs: ['192.168.254.2']
ldb_wrap open of secrets.ldb
Calling nsupdate for A example.com 192.168.254.2
Calling nsupdate for A server1.example.com 192.168.254.2
Calling nsupdate for A gc._msdcs.example.com 192.168.254.2
Calling nsupdate for CNAME dfd9e627-803d-4a18-9d92-984bff22d60a._msdcs.example.com server1.example.com
Calling nsupdate for SRV _kpasswd._tcp.example.com server1.example.com 464
Calling nsupdate for SRV _kpasswd._udp.example.com server1.example.com 464
Calling nsupdate for SRV _kerberos._tcp.example.com server1.example.com 88
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.example.com server1.example.com 88
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.example.com server1.example.com 88
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.example.com server1.example.com 88
Calling nsupdate for SRV _kerberos._udp.example.com server1.example.com 88
Calling nsupdate for SRV _ldap._tcp.example.com server1.example.com 389
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.example.com server1.example.com 389
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.example.com server1.example.com 3268
Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.example.com server1.example.com 389
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.example.com server1.example.com 389
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.example.com server1.example.com 389
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.example.com server1.example.com 3268
Calling nsupdate for SRV _ldap._tcp.e9a190c3-a698-4700-8912-51ca0c647f23.domains._msdcs.example.com server1.example.com 389
Calling nsupdate for SRV _gc._tcp.example.com server1.example.com 3268
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.example.com server1.example.com 3268
```

Any recommendations would be appreciated.


----------



## von_Gaden (Nov 30, 2013)

Hi, Ogie!

What DNS server do you use? I have had complete success integrating Samba 4 into Server 2003 AD as an additional domain controller. I plan to transfer the FSMO roles to this server later. Since the server is connected to an internal network only, without direct Internet access, I've used Samba's internal DNS. If someone is interested I can share my "experience".


----------



## Zucca (Dec 2, 2013)

Hello, any idea if Samba4 will work with LDNS of FreeBSD 10 without BIND? I hope my question makes sense, I couldn't find the answer online. Thanks in advance.


----------



## ogie (Dec 2, 2013)

von_Gaden said:

> Hi, Ogie!
> 
> What DNS server do you use? I have a complete success in integrating Samba 4 in Server 2003 AD as an additional domain controller. I plan to transfer FSMO roles to this server later. Since the server is connected to an internal network only without direct Internet access I've used Samba's internal DNS. If someone is interested I can share my "experience".



I'm currently trying to get the BIND9_DLZ setup to work. I've tried BIND 9.9 and 9.8, as well as Samba 4.0.8 and Samba 4.0.12 all without success. Right now I'm stuck at the error:

```
Dec  2 09:02:39 server1 named[74095]: samba_dlz: GSS server Update(krb5)(1) Update failed:  An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
Dec  2 09:02:39 server1 named[74095]: samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
Dec  2 09:02:39 server1 named[74095]: samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
Dec  2 09:02:39 server1 named[74095]: samba_dlz: spnego update failed
```

When I run the command `samba_dnsupdate --verbose --all-names` I can do pretty much everything else in AD (user groups shares etc.) but dynamic updating will just NOT work. Is the internal DNS suitable for a production environment? Is this error across the DNS platform? Any tips would be appreciated.


----------



## von_Gaden (Dec 5, 2013)

Zucca said:

> Hello, any idea if Samba4 will work with LDNS of FreeBSD 10 without BIND? I hope my question makes sense, I couldn't find the answer online. Thanks in advance.



Samba has only two DNS back-ends in general - built-in (all-working, well integrated with AD) and BIND9 (files and DLZ). I'm sure (even without research) you can't tell Samba to use any other.


----------



## von_Gaden (Dec 5, 2013)

ogie said:

> ....
> When I run the command `samba_dnsupdate --verbose --all-names` I can do pretty much everything else in AD (user groups shares etc.) but dynamic updating will just NOT work. Is the internal DNS suitable for a production environment? Is this error across the DNS platform? Any tips would be appreciated.



I'm not sure why the errors for the unsuccessful login occur, but giving you advice is pointless since I have no success with BIND9_DLZ either. As for the internal DNS, I think it is completely useful in internal networks; it works very well for me. I only have security concerns if the server is directly connected to the Internet: DNS is (or at least was) one of the most attacked services. Currently I couldn't limit Samba 4's interface binding or listening without stopping its work altogether (Samba refuses to start). The internal DNS has no known ACL capabilities and you can't limit it. Even more complicated is if you need to serve AD zones and some "real" DNS zones.

My opinion is: if your server is connected to an internal network (e.g. behind NAT) and its DNS is not used for Internet-accessible zones, you can safely use Samba's internal DNS. I have such servers in production; one of them is an AD domain controller with a Server 2003 master.


----------



## ogie (Dec 5, 2013)

von_Gaden said:

> ogie said:
> 
> 
> 
> ...



Yeah, I wasn't sure how secure the DNS server was/is so that was my main concern when I started with BIND. I guess for the production server I'll just have to leave it on the internal DNS. Did it work out of the box with DNS updates for you? Or was there anything special that you had to do? Thanks in advance.


----------



## von_Gaden (Dec 5, 2013)

Nothing special, Samba internal DNS was OK just out-of-the box. Note that if you add the server to an existing AD domain you should check if both domain and forest functional levels are 2003, not 2000-compatible. Otherwise some of the replications aren't working.


----------



## Preacher (Jan 12, 2014)

Hi. I've been following this thread too since yesterday. The

```
nsupdate command = samba-nsupdate -g
```

that needs to be put in the global section of /usr/local/etc/smb4.conf was helpful, for example (thanks all!).

I've now also managed to make it work with the BIND9_DLZ DNS-backend. I just had to change my hostname to the FQDN hostname, and then I needed to execute the `samba-tool` again for the domain provisioning. No more "refused" or "spnego" errors. It just works 

Using FreeBSD 9.2, Samba 4.0.8 and BIND 9.8 (I read something about BIND 9.9 not working with Samba 4.0.8? Don't know for sure though because the Samba wiki mentions BIND 9.9 as an option).

Also, if you install a BIND version other than the base BIND, you can have them both installed but use the newer version, with the following line in /etc/rc.conf:

```
named_program="/usr/local/sbin/named"
```

Anyway. I'm going to try to set this up again, from scratch, hoping it's not magic that I have encountered. ;-)

Edit:
It stopped working... Hm...


----------



## Preacher (Jan 18, 2014)

I've given up on using the BIND9_DLZ DNS back-end, just using SAMBA_INTERNAL now, which works just fine. ;-)


----------



## von_Gaden (Feb 20, 2014)

Well, but how can `SAMBA_INTERNAL` be secured? In my setups even `bind interfaces only` causes samba4 to fail on load...


----------



## Keith Shellingfield (Jun 24, 2016)

Any update?

Okay, still the same here:

```
24-Jun-2016 02:14:11.418 database: info: samba_dlz: starting transaction on zone sambadomain.local
24-Jun-2016 02:14:11.421 database: error: samba_dlz: GSS server Update(krb5)(1) Update failed: An unsupported mechanism was requested: unknown mech-code 0 for mech 1 2 840 113554 1 2 2
24-Jun-2016 02:14:11.421 database: error: samba_dlz: SPNEGO(gssapi_krb5) NEG_TOKEN_INIT failed: NT_STATUS_LOGON_FAILURE
24-Jun-2016 02:14:11.421 database: warning: samba_dlz: SPNEGO login failed: NT_STATUS_LOGON_FAILURE
24-Jun-2016 02:14:11.421 database: error: samba_dlz: spnego update failed
24-Jun-2016 02:14:11.421 database: info: samba_dlz: cancelling transaction on zone sambadomain.local
```
from the named log.

On FreeBSD 10.3-STABLE (r301741) with samba43-4.3.9 and bind99-9.9.9P1 via ports, of course built with `--with-dlopen=yes --with-gssapi`.

Then, just inspired by the log line "An unsupported mechanism was requested"...

I had built dns/bind99 with *GSSAPI_BASE*, which means using the Heimdal in base. However, ports also has security/heimdal, the *GSSAPI_HEIMDAL* option in dns/bind99.
I have not investigated the difference between base and ports, but I think there is no big separation in version.

Consequently, this was the answer for me. Without changing any configuration in named.conf, DNS updates from `nsupdate -g` or from Windows domain members have worked.
(It needs krb5.conf or so in /usr/local/etc; symlinks are OK.)


```
24-Jun-2016 02:19:11.463 database: info: samba_dlz: starting transaction on zone sambadomain.local
24-Jun-2016 02:19:11.466 database: info: samba_dlz: cancelling transaction on zone sambadomain.local
24-Jun-2016 02:19:11.474 database: info: samba_dlz: starting transaction on zone sambadomain.local
24-Jun-2016 02:19:11.478 database: info: samba_dlz: allowing update of signer=NONO\$\@SMBADOMAIN.LOCAL name=nono.sambadomain.local tcpaddr= type=AAAA key=XXXX-ms-X.XX-XXXXXX.XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/XXX/X
24-Jun-2016 02:19:11.481 database: info: samba_dlz: allowing update of signer=NONO\$\@SMBADOMAIN.LOCAL name=nono.sambadomain.local tcpaddr= type=A key=XXXX-ms-X.XX-XXXXXX.XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/XXX/X
24-Jun-2016 02:19:11.484 database: info: samba_dlz: allowing update of signer=NONO\$\@SMBADOMAIN.LOCAL name=nono.sambadomain.local tcpaddr= type=A key=XXXX-ms-X.XX-XXXXXX.XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/XXX/X
24-Jun-2016 02:19:11.497 database: info: samba_dlz: added rdataset nono.sambadomain.local 'nono.sambadomain.local.      1200    IN      A       192.168.16.120'
24-Jun-2016 02:19:11.502 database: info: samba_dlz: subtracted rdataset sambadomain.local 'sambadomain.local.       3600    IN      SOA     dc.sambadomain.local. hostmaster.sambadomain.local. 8 900 600 86400 3600'
24-Jun-2016 02:19:11.504 database: info: samba_dlz: added rdataset sambadomain.local 'sambadomain.local.    3600    IN      SOA     dc.sambadomain.local. hostmaster.sambadomain.local. 9 900 600 86400 3600'
24-Jun-2016 02:19:11.512 database: info: samba_dlz: committed transaction on zone sambadomain.local
```

There are still small questions, like why the first transaction failed and why there is no PTR, but anyway, one step further.

just for information and reminder.


----------



## Leifur (Jun 26, 2016)

First of all, I have been messing around with Samba, DNS and Kerberos configuration for quite a while now, but I have been completely new to this topic.
Thank you very much for the idea of using the "GSSAPI_HEIMDAL" flag. Now I have the DNS update at least partially running (by executing named -g as the root user; samba_dnsupdate --verbose --all-names doesn't return any errors). When starting named (BIND 9.9) as a service I still get messages like

```
"Jun 26 13:50:03 bsd10 named[43747]: client 192.168.100.82#50165: update 'sub.mydomain.tld/IN' denied".
```

samba_dnsupdate --verbose --all-names returns:

```
...

Calling nsupdate for A ForestDnsZones.sub.mydomain.tld 192.168.103.1 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ForestDnsZones.sub.mydomain.tld. 900 IN A    192.168.103.1

dns_tkey_negotiategss: TKEY is unacceptable
Failed nsupdate: 1
Failed update of 47 entries
```

What am I doing wrong?

I am running FreeBSD 10.2, Samba 4.3.9, Bind 9.9.9-P1.

Best Regards,
Leifur


----------



## Keith Shellingfield (Jun 29, 2016)

Hi,



Leifur said:


> ```
> Calling nsupdate for A ForestDnsZones.sub.mydomain.tld 192.168.103.1 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ...



I think *TKEY is unacceptable* means a problem around Kerberos, like an authentication failure. How about the krb5 config or keytabs?

And you can see Kerberos-related logs in /var/log/samba4/log.samba with log level 7.


----------



## Leifur (Jun 29, 2016)

log.samba (debug level 7) after running samba_dnsupdate:


```
[2016/06/29 10:00:58.158645,  4] ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
  dreplsrv_notify_schedule(5) scheduled for: Wed Jun 29 10:01:03 2016 CEST
[2016/06/29 10:00:58.184860,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ BSD10$@SUB.MYDOMAIN.TLD from ipv4:192.168.103.1:35991 for krbtgt/SUB.MYDOMAIN.TLD@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.186159,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.188276,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.188581,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: No preauth found, returning PREAUTH-REQUIRED -- BSD10$@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.301655,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ BSD10$@SUB.MYDOMAIN.TLD from ipv4:192.168.100.40:60344 for krbtgt/SUB.MYDOMAIN.TLD@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.302790,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.303464,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.303875,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client sent patypes: encrypted-timestamp
[2016/06/29 10:00:58.303894,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for PKINIT pa-data -- BSD10$@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.303908,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Looking for ENC-TS pa-data -- BSD10$@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.304485,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: ENC-TS Pre-authentication succeeded -- BSD10$@SUB.MYDOMAIN.TLD using aes256-cts-hmac-sha1-96
[2016/06/29 10:00:58.304509,  4] ../source4/auth/sam.c:182(authsam_account_ok)
  authsam_account_ok: Checking SMB password for user BSD10$@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.304526,  5] ../source4/auth/sam.c:116(logon_hours_ok)
  logon_hours_ok: No hours restrictions for user BSD10$@SUB.MYDOMAIN.TLD
[2016/06/29 10:00:58.304542,  5] ../source4/auth/sam.c:820(authsam_logon_success_accounting)
  lastLogonTimestamp is 131109092047300850
[2016/06/29 10:00:58.304614,  5] ../source4/auth/sam.c:744(authsam_update_lastlogon_timestamp)
  sync interval is 14
[2016/06/29 10:00:58.304634,  5] ../source4/auth/sam.c:761(authsam_update_lastlogon_timestamp)
  randomised sync interval is 9 (-5)
[2016/06/29 10:00:58.304648,  5] ../source4/auth/sam.c:770(authsam_update_lastlogon_timestamp)
  old timestamp is 131109092047300850, threshold 131108832583045540, diff 259464255310
[2016/06/29 10:00:58.317278,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.317488,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: AS-REQ authtime: 2016-06-29T10:00:58 starttime: unset endtime: 2016-06-29T20:00:58 renew till: unset
[2016/06/29 10:00:58.317563,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
[2016/06/29 10:00:58.461218,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.461865,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ BSD10$@SUB.MYDOMAIN.TLD from ipv4:192.168.103.1:42627 for DNS/bsd10.sub.mydomain.tld@SUB.MYDOMAIN.TLD [canonicalize]
[2016/06/29 10:00:58.464367,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.464804,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.465508,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.466922,  6] ../lib/util/util_ldb.c:60(gendb_search_v)
  gendb_search_v: DC=sub,DC=mydomain,DC=tld NULL -> 1
[2016/06/29 10:00:58.467697,  3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ authtime: 2016-06-29T10:00:58 starttime: 2016-06-29T10:00:58 endtime: 2016-06-29T20:00:58 renew till: unset
[2016/06/29 10:01:03.161596,  4] ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
  dreplsrv_notify_schedule(5) scheduled for: Wed Jun 29 10:01:08 2016 CEST
```

As already mentioned, the strange thing is that it works like a charm when running named as root. So my assumption is that there's something wrong with the privileges.


----------



## Keith Shellingfield (Aug 2, 2016)

Hi,

My experience: executing "samba_dnsupdate --verbose --all-names" changed some file permissions, like dns.keytab.
named running as root didn't encounter such a "*TKEY is unacceptable*" problem.

So I always use "nsupdate -g" to update DNS records in testing.

And please check the permissions in /var/db/samba4/private/; I've changed some files and directories to be read/write for the bind user.



```
root@nono:~ # ls -la /var/db/samba4/private
total 12948
drwxrwx---  8 root  bind      1024 Aug  2 11:40 .
drwxr-xr-x  8 root  wheel     1024 Aug  2 09:56 ..
drwxrwx---  3 root  bind       512 Jun 14 13:44 dns
-rw-r-----  1 root  bind      6664 Jun 20 01:13 dns.keytab
-rw-r-----  1 root  bind      1943 Aug  2 01:07 dns_update_cache
-rw-rw-r--  1 root  bind      3183 Jun 14 13:44 dns_update_list
-rw-------  1 root  wheel  1286144 Jun 14 13:44 hklm.ldb
-rw-------  1 root  wheel  1609728 Jun 23 09:55 idmap.ldb
-rw-r--r--  1 root  wheel       96 Jun 14 13:44 krb5.conf
drwxr-x---  2 root  wheel      512 Aug  2 09:56 ldap_priv
srwxrwxrwx  1 root  bind         0 Aug  2 09:56 ldapi
drwx------  2 root  wheel      512 Aug  2 11:26 msg.sock
-rw-r--r--  1 root  wheel      682 Jun 20 18:15 named.conf
-r--r--r--  1 root  wheel      233 Jun 23 18:30 named.conf.update
-rw-r--r--  1 root  wheel     2090 Jun 14 13:44 named.txt
-rw-------  1 root  wheel      696 Aug  2 09:56 netlogon_creds_cli.tdb
-rw-------  1 root  wheel  1286144 Jun 14 13:44 privilege.ldb
-rw-------  1 root  wheel      696 Jun 14 14:49 randseed.tdb
-rw-------  1 root  wheel  4247552 Jun 14 13:44 sam.ldb
drwxrwx---  2 root  bind       512 Jun 14 13:44 sam.ldb.d
-rw-------  1 root  wheel      696 Aug  2 09:56 schannel_store.tdb
-rw-------  1 root  wheel     1152 Jun 14 13:44 secrets.keytab
-rw-------  1 root  wheel  1286144 Jun 14 13:44 secrets.ldb
-rw-------  1 root  wheel   430080 Jun 14 13:44 secrets.tdb
-rw-------  1 root  wheel  1286144 Jun 14 13:44 share.ldb
drwxr-xr-x  2 root  wheel      512 Jun 14 14:49 smbd.tmp
-rw-r--r--  1 root  wheel      955 Jun 14 13:44 spn_update_list
drwx------  2 root  wheel      512 Jun 14 14:49 tls
-rw-------  1 root  wheel  1286144 Aug  1 15:46 wins_config.ldb
```

The point is /var/db/samba4/private itself and some DNS stuff, I think. These results came from ktrace/kdump and intuition; unfortunately I lost my working memo.

however, this is just in my case.
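Keith's fix above boils down to giving the bind user group access to a handful of entries under /var/db/samba4/private without opening the keytab to everyone. The script below is an added example, not Keith's or Samba's own code: it re-implements the Unix permission rule (owner bits, else group bits, else other bits) on top of `ls -ld` output, so it can say whether the bind user would be allowed to reach each entry without running as bind and without opening the keytab, and it flags a world-readable dns.keytab. The list of entries it checks is the set that Keith's listing shows with group bind and is an assumption about what named needs; the user and group names are arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Audits whether the user named runs as
# (bind) can reach the entries under the Samba private directory, by applying
# the Unix permission rule to `ls -ld` output. Runs unprivileged on FreeBSD or
# Linux and never opens the keytab. The root bypass is deliberately not
# modelled: named-as-root "working" (as in the thread) proves nothing about bind.

# mode_allows MODE OWNER GROUP WANT USER [GROUP...]
# MODE is the 10-char ls mode (e.g. -rw-r-----); WANT is r, w or x. Prints
# yes/no per the kernel rule: owner bits if USER owns the entry, else group
# bits if any of USER's groups matches, else the "other" bits.
mode_allows() {
    mode=$1; owner=$2; grp=$3; want=$4; user=$5; shift 5
    case $want in
        r) u=2; g=5; o=8 ;;
        w) u=3; g=6; o=9 ;;
        x) u=4; g=7; o=10 ;;
        *) echo no; return 0 ;;
    esac
    if [ "$user" = "$owner" ]; then
        pos=$u
    else
        pos=$o
        for gname in "$@"; do
            if [ "$gname" = "$grp" ]; then pos=$g; fi
        done
    fi
    case $(printf '%s' "$mode" | cut -c"$pos") in
        r|w|x|s|t) echo yes ;;   # s/t in an x slot still carry execute
        *) echo no ;;
    esac
}

# file_allows PATH WANT USER [GROUP...]: the same check on a real path;
# prints "missing" when the path does not exist.
file_allows() {
    p=$1; shift
    line=$(ls -ld "$p" 2>/dev/null) || { echo missing; return 0; }
    mode=$(printf '%s\n' "$line" | awk '{ print substr($1, 1, 10) }')
    owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
    grp=$(printf '%s\n' "$line" | awk '{ print $4 }')
    mode_allows "$mode" "$owner" "$grp" "$@"
}

# world_readable PATH: the "other" read bit alone ("nobody" with no groups
# stands in for a user that owns nothing under the private directory).
world_readable() {
    file_allows "$1" r nobody
}

# audit_samba_private DIR USER [GROUP...]
# Checks the entries Keith's listing shows with group bind (assumed to be the
# ones named needs): traverse the directory and the dns/ and sam.ldb.d/
# subdirectories, read the keytab and update files, connect (write) to the
# ldapi socket. Returns 1 if any existing entry is denied or the keytab is
# world-readable; a missing entry is reported but not counted.
audit_samba_private() {
    dir=$1; shift
    rc=0
    for item in .:x dns.keytab:r dns:x dns_update_cache:r dns_update_list:r sam.ldb.d:x ldapi:w; do
        name=${item%:*}; want=${item#*:}
        case $(file_allows "$dir/$name" "$want" "$@") in
            yes)     printf 'OK       %s (%s)\n' "$name" "$want" ;;
            missing) printf 'MISSING  %s\n' "$name" ;;
            *)       printf 'DENIED   %s (%s)\n' "$name" "$want"; rc=1 ;;
        esac
    done
    if [ "$(world_readable "$dir/dns.keytab")" = yes ]; then
        printf 'WORLD-READABLE dns.keytab: it is a Kerberos key, anyone on the box could authenticate with it\n'
        rc=1
    fi
    return $rc
}

# Usage on a DC: audit_samba_private /var/db/samba4/private bind bind
```

Run it as any user; a DENIED line on dns.keytab or on the directory itself is the permission-side explanation for "TKEY is unacceptable" when named runs as bind, and the WORLD-READABLE line is the thing to fix if the quick fix was a chmod 644.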


----------



## Daniel_BH (Sep 7, 2016)

Keith Shellingfield said:


> Hi,
> 
> my experience,  execute "samba_dnsupdate --verbose --all-names" changed some file permissions, like dns.keytab.
> since named running as root didn't encounter such a "*TKEY is unacceptable*" problem.
> ...



Hi, Keith

Could you solve the problem with updating the forward zone?
The error: samba_dlz: spnego update failed

I'm having the same problem.

My environment: CentOS 6.8 / I tried BIND 9.8, 9.9 and 9.10

Tks!


----------



## JOAO BATISTA (Jan 22, 2018)

Greetings

First of all, I would like to thank you for having responded, and to say that I did the tests as they were passed on to me, but it did not work. Although it did not work out, I got new ideas and re-created the whole process.

That done, it worked 99%.

My problem now is dynamic DNS updates by Windows hosts.

For example, when I put the computer running Windows 7 in the domain, it joins normally, but it does not appear in the DNS table.

I will put the settings used for the configuration of the Domain Controller and then put the errors.

A txt with the step-by-step I ran to get started follows.

Images with the errors also follow.


----------



## JOAO BATISTA (Jan 22, 2018)

I will now proceed with the error.

The clearest way I could find to demonstrate the error was as follows:

I turned on the virtual machine that was running Windows 7, put it in the domain and rebooted, and when it rebooted it presented the error as below:


```
root@ad:~ # tail -f /var/log/messages
Jan 21 19:49:07 ad smbd[611]: [2018/01/21 19:49:07.343869,  0] ../lib/util/become_daemon.c:124(daemon_ready)
Jan 21 19:49:07 ad smbd[611]:   STATUS=daemon 'smbd' finished starting up and ready to serve connections
Jan 21 19:49:47 ad named[476]: client 172.100.99.35#56544: update 'estudo.local/IN' denied
Jan 21 19:49:47 ad named[476]: client 172.100.99.35#50618: update 'estudo.local/IN' denied
Jan 21 19:51:25 ad su: joaobrn to root on /dev/pts/0
Jan 21 19:52:10 ad named[476]: client 172.100.99.35#63239: update 'estudo.local/IN' denied
Jan 21 19:52:10 ad named[476]: client 172.100.99.35#52497: update 'estudo.local/IN' denied
Jan 21 20:52:11 ad su: joaobrn to root on /dev/pts/0
Jan 21 20:53:11 ad named[476]: client 172.100.99.35#62097: update 'estudo.local/IN' denied
Jan 21 20:53:11 ad named[476]: client 172.100.99.35#63298: update 'estudo.local/IN' denied
```

Thank you for the support!


----------



## Keith Shellingfield (Aug 28, 2018)

Hi, 

I'm now using FreeBSD 10.4-STABLE with samba46-4.6.14 and bind911-9.11.3_1 (built with GSSAPI_HEIMDAL; see my post above).

Could you try

```
# For BIND 9.9.x
     database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_9.so -d 3";
```
in /var/db/samba4/private/named.conf to get a verbose log from named, and run the DNS update manually like below:


```
root@nono:~ # klist
klist: No ticket file: /tmp/krb5cc_0
root@nono:~ # kinit Administrator
Administrator@AD.SMBDOMAIN.CC's Password:
root@nono:~ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@AD.SMBDOMAIN.CC

  Issued                Expires               Principal
Aug 28 17:01:31 2018  Aug 29 03:01:31 2018  krbtgt/AD.SMBDOMAIN.CC@AD.SMBDOMAIN.CC
root@nono:~ # nsupdate -g
> update add testws.ad.smbdomain.cc 100 in a 192.168.16.240
> send
> quit
```

Then check the named log of the log_database / log_update channels (my results are below).

```
root@nono:~ # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@AD.SMBDOMAIN.CC

  Issued                Expires               Principal
Aug 28 17:01:31 2018  Aug 29 03:01:31 2018  krbtgt/AD.SMBDOMAIN.CC@AD.SMBDOMAIN.CC
Aug 28 17:09:34 2018  Aug 29 03:01:31 2018  DNS/nono.ad.smbdomain.cc@AD.SMBDOMAIN.CC
```


```
28-Aug-2018 17:09:34.427 update: info: client @0x805469400 192.168.16.18#41560/key Administrator\@AD.SMBDOMAIN.CC: updating zone 'ad.smbdomain.cc/NONE': adding an RR at 'testws.ad.smbdomain.cc' A 192.168.16.240

28-Aug-2018 17:09:34.420 database: info: samba_dlz: starting transaction on zone ad.smbdomain.cc
28-Aug-2018 17:09:34.426 database: info: samba_dlz: allowing update of signer=Administrator\@AD.SMBDOMAIN.CC name=testws.ad.smbdomain.cc tcpaddr=192.168.16.18 type=A key=1071743018.sig-nono.ad.smbdomain.cc/160/0
28-Aug-2018 17:09:34.434 database: info: samba_dlz: added rdataset testws.ad.smbdomain.cc 'testws.ad.smbdomain.cc.  100      IN      A       192.168.16.240'
28-Aug-2018 17:09:34.439 database: info: samba_dlz: subtracted rdataset ad.smbdomain.cc 'ad.smbdomain.cc.       3600  IN       SOA     nono.ad.smbdomain.cc. hostmaster.ad.smbdomain.cc. 76 900 600 86400 3600'
28-Aug-2018 17:09:34.441 database: info: samba_dlz: added rdataset ad.smbdomain.cc 'ad.smbdomain.cc.    3600    IN    SOA      nono.ad.smbdomain.cc. hostmaster.ad.smbdomain.cc. 77 900 600 86400 3600'
28-Aug-2018 17:09:34.449 database: info: samba_dlz: committed transaction on zone ad.smbdomain.cc
```
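Keith's manual test above (kinit, then `nsupdate -g` with an `update add`, then check the named log) is the quickest way to separate a Kerberos problem from a zone-permission problem. The script below is an added example, not from the thread: it generates the batch that `nsupdate -g` reads on stdin for a host registration, including the reverse PTR that Keith noted was missing earlier, and pins the zone with a `zone` line instead of leaving nsupdate to discover it from an SOA lookup. The domain, host and address are the ones from Keith's test; the /24 reverse zone and the TTL default of 1200 (the A-record TTL seen in his earlier named log) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the stdin batch for `nsupdate -g`
# (GSS-TSIG, signed with whatever Kerberos ticket `klist` shows) to register a
# host: forward A record plus reverse PTR. Assumes a /24 reverse zone; the
# default TTL of 1200 is the A-record TTL seen in the thread's named log.

# ptr_name 192.168.16.240 -> 240.16.168.192.in-addr.arpa
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# reverse_zone 192.168.16.240 -> 16.168.192.in-addr.arpa (assumes a /24 zone)
reverse_zone() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }'
}

# update_batch HOST ZONE IP [TTL]
# Two signed transactions (one "send" each): the forward zone, then the reverse
# zone. Each deletes any stale record first so a re-addressed host does not
# keep its old A/PTR. The "zone" line pins the zone the update is for instead
# of letting nsupdate discover it with an SOA lookup. Names end in "." so they
# are taken as absolute.
update_batch() {
    host=$1; zone=$2; ip=$3; ttl=${4:-1200}
    fqdn="$host.$zone"
    rev=$(ptr_name "$ip")
    cat <<EOF
zone $zone.
update delete $fqdn. A
update add $fqdn. $ttl A $ip
send
zone $(reverse_zone "$ip").
update delete $rev. PTR
update add $rev. $ttl PTR $fqdn.
send
EOF
}

# Usage, after `kinit Administrator` (or a host keytab) as in Keith's post:
#   update_batch testws ad.smbdomain.cc 192.168.16.240 100 | nsupdate -g
# Then confirm with `dig +short testws.ad.smbdomain.cc` and
# `dig +short -x 192.168.16.240`, and look for "allowing update of signer="
# followed by "committed transaction" in the named database log channel.
```

If the forward transaction commits and the reverse one is refused, the Kerberos side is fine and the reverse zone either does not exist in AD or does not allow that principal to update it; if both fail with "TKEY is unacceptable", look at the ticket and the keytab permissions first.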


----------

