# Joining Samba AD domain: DNS update failed



## zirias@ (May 15, 2018)

Trying to join my newly setup Samba domain, I get the following error:

```
DNS Update for files.home.palmen-it.de failed: ERROR_DNS_GSS_ERROR
DNS update failed: NT_STATUS_UNSUCCESSFUL
```

Probably relevant info:

- The AD DC uses Samba 4.7.3 (this was the only way to get it running)
- Both this DC and the instance I'm trying to join to it are running in jails using `VIMAGE`
- The system uses libressl and MIT krb5 (base is built `WITHOUT_KERBEROS` and ports use option `GSSAPI_MIT` and `DEFAULT_VERSIONS+=ssl=libressl`)
- The DC uses the DLZ_BIND9 backend, configured with dns/bind911
- Host system: FreeBSD 11.1-RELEASE-p10 on ZFS

With debugging on samba_dlz enabled, my bind911 logs the following:


```
May 15 17:24:53 addc named[4851]: samba_dlz: Acquiring acceptor credentials failed: Key table entry not found
May 15 17:24:53 addc named[4851]: samba_dlz: Failed to start GENSEC server mech gssapi_krb5: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
May 15 17:24:53 addc named[4851]: samba_dlz: spnego update failed
```

Any hints what I could try?


----------



## zirias@ (May 15, 2018)

I sorted out two issues: First, named was unable to read /var/db/samba4/private/dns.keytab, this is resolved by

```
chgrp bind /var/db/samba4/private
chmod g+rx /var/db/samba4/private
```

The second issue then was that named claimed to see a replay ... using this document, I could work around it by creating /etc/rc.conf.d/named with

```
KRB5RCACHETYPE=none
export KRB5RCACHETYPE
```

So far so good, but now, named seems to crash when I try to add a domain member -- the last log messages are:

```
May 15 18:00:54 addc named[5300]: samba_dlz: spnego update failed
May 15 18:00:55 addc named[5300]: samba_dlz: unable to obtain a PAC against this GSSAPI library.  GSSAPI secured connections are available only with Heimdal or MIT Kerberos >= 1.8
May 15 18:00:55 addc named[5300]: samba_dlz: gensec_generate_session_info_pac: Unable to find PAC for FILES$@HOME.PALMEN-IT.DE, resorting to local user lookup
```

This again leaves me puzzled. I have krb5-1.16.1 installed; I guess this *is* ">= 1.8"?

I'm now trying to rebuild my system to use kerberos from base -- which will take a while. If that's the solution, fine (I hope so).
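The first of the two fixes above was a permission change on the directory, not on dns.keytab itself: named needs the search (x) bit on every directory along the path as well as the read bit on the file, and either one missing produces the same "Key table entry not found" from the GSSAPI acceptor. The following is an added diagnostic, not code from the thread, that walks a keytab path the way the kernel does and lists each component that blocks a given uid/gid. The `bind` account and its fallback ids 53/53 are assumptions about a FreeBSD base system; the replay-cache setting from the same post is a separate issue this check does not cover.

```python
"""Added check (not code from the forum thread): report why a service
account such as named's "bind" user cannot read a keytab.

Each ancestor directory must be searchable (x bit) and the file itself
must be readable (r bit); this lists every component that fails for the
given uid/gid so the fix can be applied where it is actually needed.
"""
import os
import pwd
import stat
from typing import List, Tuple


def _perm_bits(st: os.stat_result, uid: int, gid: int) -> Tuple[bool, bool, bool]:
    """(read, write, exec) bits that apply to uid/gid on this inode.

    Same owner > group > other selection as the kernel; root bypasses the
    mode bits entirely. Only the primary gid is consulted, so pass the gid
    named really runs with (supplementary groups are ignored here).
    """
    if uid == 0:
        return (True, True, True)
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid == gid:
        shift = 3
    else:
        shift = 0
    mode = st.st_mode >> shift
    return (bool(mode & 4), bool(mode & 2), bool(mode & 1))


def keytab_access_problems(path: str, uid: int, gid: int) -> List[str]:
    """Return every reason uid/gid cannot read `path`; [] means readable.

    Problems are listed in path order, so the first entry is the one
    closest to the filesystem root.
    """
    problems: List[str] = []
    abspath = os.path.abspath(path)
    current = os.sep
    # Every directory from "/" down to the keytab's parent needs the x bit.
    for comp in abspath.split(os.sep)[1:-1]:
        current = os.path.join(current, comp)
        try:
            st = os.stat(current)
        except FileNotFoundError:
            problems.append(f"{current}: missing")
            return problems
        if not _perm_bits(st, uid, gid)[2]:
            problems.append(
                f"{current}: no search (x) permission for uid {uid}/gid {gid} "
                f"(mode {stat.filemode(st.st_mode)})"
            )
    try:
        st = os.stat(abspath)
    except FileNotFoundError:
        problems.append(f"{abspath}: missing")
        return problems
    if not _perm_bits(st, uid, gid)[0]:
        problems.append(
            f"{abspath}: no read permission for uid {uid}/gid {gid} "
            f"(mode {stat.filemode(st.st_mode)})"
        )
    return problems


if __name__ == "__main__":
    # Keytab path from the thread; "bind" is the account named runs as on FreeBSD.
    keytab = "/var/db/samba4/private/dns.keytab"
    try:
        bind = pwd.getpwnam("bind")
        uid, gid = bind.pw_uid, bind.pw_gid
    except KeyError:
        uid, gid = 53, 53  # assumption: FreeBSD base's default ids for "bind"
    for line in keytab_access_problems(keytab, uid, gid) or ["ok: readable"]:
        print(line)
```

Run it as root on the DC jail (root sees the real owner and mode of each component while the check is evaluated for the bind ids); an empty result means the earlier chgrp/chmod is in place, and a non-empty one names the exact directory or file to fix.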


----------



## SirDice (May 16, 2018)

Zirias said:


> I have krb5-1.16.1 installed, I guess this *is* ">= 1.8"?


If I'm not mistaken Samba is built against the base OS Kerberos, not the port versions.


----------



## zirias@ (May 16, 2018)

SirDice said:


> If I'm not mistaken Samba is built against the base OS Kerberos, not the port versions.


I would have expected it to complain about a missing library then (the base in that jail didn't have kerberos and libgssapi), which it didn't...
But maybe there is some strange incompatibility when it is built against MIT; that's why I'm doing a complete rebuild of base and packages right now, to find out.


----------



## SirDice (May 16, 2018)

You can have a look at the dependencies of Samba. It should show a dependency on the MIT Kerberos if it's correctly linked in this case.


----------



## zirias@ (May 16, 2018)

SirDice: Interesting hint, thanks. No, it isn't listed, but I then looked at the ld dependencies of samba's libraries: it doesn't depend on any kerberos; instead there is libkrb5-samba4.so.26 and libgssapi-samba4.so.2, and these libs indeed export all these krb5_* symbols. So, samba comes with its own implementation.

Maybe this is incompatible with my named linking against MIT:

```
/usr/local/sbin/named:
        libgssapi_krb5.so.2.2 => /usr/local/lib/libgssapi_krb5.so.2.2 (0x800b27000)
        libkrb5.so.3.3 => /usr/local/lib/libkrb5.so.3.3 (0x800d70000)
...
```

I will see if recompiling all with kerberos in base will solve the issue.


----------



## SirDice (May 16, 2018)

Zirias said:


> Maybe this is indeed incompatible with my named linking against MIT:


Reading up a bit about this I noticed Samba used to be compatible only with Heimdal; only recent versions can support MIT.

This was quite an interesting read: https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC


----------



## zirias@ (May 16, 2018)

Thanks for this link! And oh my, now I might just go back to my old settings and hack the samba port to enable --with-system-mitkrb5...


----------



## SirDice (May 16, 2018)

For Samba 4.8 it might be a nice addition to the port to allow a choice between the builtin, base OS, Heimdal or MIT Kerberos.


----------



## zirias@ (May 16, 2018)

I'm pretty sure it never uses anything from base but just incorporates heimdal source to build its own libraries. The --with-system- prefix of the configuration option also hints in this direction. But yes, making this configurable would probably be a nice feature for the port (maybe just add it as a `GSSAPI_MIT` option?).


----------



## SirDice (May 16, 2018)

Zirias said:


> I'm pretty sure it never uses anything from base but just incorporates heimdal source to build its own libraries.


I can't remember where I read this but if I recall correctly the Samba build process tries to use the system's Kerberos and will fall back to its own implementation if it doesn't exist (or isn't compatible).


----------



## zirias@ (May 17, 2018)

Well, if that's the case, it doesn't like the kerberos in base -- I checked yesterday: building in a jail with a "standard" base still creates a version linking against the internal implementations.
Unfortunately, this didn't work for me either: with dns/bind911 linked against base kerberos, the DNS update fails as well and doesn't give any meaningful output in the logs.

So now trying the approach with `--with-system-mitkrb5`. Here's a patch against net/samba48 in case anyone's interested:

```
Index: Makefile
===================================================================
--- Makefile    (revision 470059)
+++ Makefile    (working copy)
@@ -84,7 +84,7 @@
 OPTIONS_SUB=                   yes
 
 OPTIONS_DEFINE=                        AD_DC ADS DEBUG DOCS FAM LDAP \
-                               QUOTAS SYSLOG UTMP PROFILE
+                               QUOTAS SYSLOG UTMP PROFILE GSSAPI_MIT
 # Make those default options
 OPTIONS_DEFAULT:=              ${OPTIONS_DEFINE}
 # This shouldn't be default in the release
@@ -334,6 +334,11 @@
 MANDOC_BUILD_DEPENDS=          ${LOCALBASE}/share/xsl/docbook/manpages/docbook.xsl:textproc/docbook-xsl \
                                xsltproc:textproc/libxslt
 MANDOC_CONFIGURE_ENV_OFF=      XSLTPROC="true"
+
+GSSAPI_MIT_CONFIGURE_ON=       --with-system-mitkrb5 \
+                               --with-system-mitkdc=/usr/local/sbin/krb5kdc
+GSSAPI_MIT_USES=               gssapi:mit
+
 # !SAMBA4_SUBPORT
 .endif
 
@@ -578,6 +583,10 @@
                                ${INSTALL_DATA} ${WRKDIR}/${doc} ${STAGEDIR}${DOCSDIR}
 .endfor
 
+post-install-GSSAPI_MIT-on:
+                               ${INSTALL} -d -m 0755 "${STAGEDIR}${SAMBA4_MODULEDIR}/krb5/plugins/kdb"
+                               ${MV} "${STAGEDIR}${SAMBA4_LIBDIR}/krb5/plugins/kdb/samba.so" "${STAGEDIR}${SAMBA4_MODULEDIR}/krb5/plugins/kdb/"
+
 # !SAMBA4_SUBPORT
 .endif
 
Index: pkg-plist
===================================================================
--- pkg-plist   (revision 470059)
+++ pkg-plist   (working copy)
@@ -187,13 +187,13 @@                                                          
 %%AD_DC%%lib/samba4/private/libprocess-model-samba4.so                        
 %%AD_DC%%lib/samba4/private/libservice-samba4.so                              
 lib/samba4/private/libCHARSET3-samba4.so                                      
-%%AD_DC%%lib/samba4/private/libHDB-SAMBA4-samba4.so                           
+%%NO_GSSAPI_MIT%%%%AD_DC%%lib/samba4/private/libHDB-SAMBA4-samba4.so          
 lib/samba4/private/libLIBWBCLIENT-OLD-samba4.so                               
 lib/samba4/private/libMESSAGING-samba4.so                                     
 lib/samba4/private/libMESSAGING-SEND-samba4.so                                
 lib/samba4/private/libaddns-samba4.so                                         
 lib/samba4/private/libads-samba4.so                                           
-lib/samba4/private/libasn1-samba4.so.8                                        
+%%NO_GSSAPI_MIT%%lib/samba4/private/libasn1-samba4.so.8                       
 lib/samba4/private/libasn1util-samba4.so                                      
 lib/samba4/private/libauth-samba4.so                                          
 lib/samba4/private/libauth-unix-token-samba4.so                               
@@ -208,7 +208,7 @@                                                            
 lib/samba4/private/libcliauth-samba4.so                                       
 lib/samba4/private/libcluster-samba4.so                                       
 lib/samba4/private/libcmdline-credentials-samba4.so                           
-lib/samba4/private/libcom_err-samba4.so.0                                     
+%%NO_GSSAPI_MIT%%lib/samba4/private/libcom_err-samba4.so.0                    
 lib/samba4/private/libcommon-auth-samba4.so                                   
 %%AD_DC%%lib/samba4/private/libdb-glue-samba4.so                              
 lib/samba4/private/libdbwrap-samba4.so                                        
@@ -224,18 +224,18 @@                                                          
 lib/samba4/private/libgensec-samba4.so                                        
 lib/samba4/private/libgpext-samba4.so                                         
 lib/samba4/private/libgse-samba4.so                                           
-lib/samba4/private/libgssapi-samba4.so.2                                      
-lib/samba4/private/libhcrypto-samba4.so.5                                     
-lib/samba4/private/libhdb-samba4.so.11                                        
-lib/samba4/private/libheimbase-samba4.so.1                                    
-lib/samba4/private/libheimntlm-samba4.so.1                                    
+%%NO_GSSAPI_MIT%%lib/samba4/private/libgssapi-samba4.so.2                     
+%%NO_GSSAPI_MIT%%lib/samba4/private/libhcrypto-samba4.so.5                    
+%%NO_GSSAPI_MIT%%lib/samba4/private/libhdb-samba4.so.11                       
+%%NO_GSSAPI_MIT%%lib/samba4/private/libheimbase-samba4.so.1                   
+%%NO_GSSAPI_MIT%%lib/samba4/private/libheimntlm-samba4.so.1                   
 lib/samba4/private/libhttp-samba4.so                                          
-lib/samba4/private/libhx509-samba4.so.5                                       
+%%NO_GSSAPI_MIT%%lib/samba4/private/libhx509-samba4.so.5                      
 lib/samba4/private/libidmap-samba4.so                                         
 lib/samba4/private/libinterfaces-samba4.so                                    
 lib/samba4/private/libiov-buf-samba4.so                                       
-lib/samba4/private/libkdc-samba4.so.2                                         
-lib/samba4/private/libkrb5-samba4.so.26                                       
+%%NO_GSSAPI_MIT%%lib/samba4/private/libkdc-samba4.so.2                        
+%%NO_GSSAPI_MIT%%lib/samba4/private/libkrb5-samba4.so.26                      
 lib/samba4/private/libkrb5samba-samba4.so                                     
 lib/samba4/private/libldbsamba-samba4.so                                      
 lib/samba4/private/liblibcli-lsa3-samba4.so                                   
@@ -257,7 +257,7 @@                                                            
 lib/samba4/private/libprinting-migrate-samba4.so                              
 lib/samba4/private/libregistry-samba4.so                                      
 lib/samba4/private/libreplace-samba4.so                                       
-lib/samba4/private/libroken-samba4.so.19                                      
+%%NO_GSSAPI_MIT%%lib/samba4/private/libroken-samba4.so.19                     
 lib/samba4/private/libsamba-cluster-support-samba4.so                         
 lib/samba4/private/libsamba-debug-samba4.so                                   
 lib/samba4/private/libsamba-modules-samba4.so                                 
@@ -290,7 +290,7 @@                                                            
 lib/samba4/private/libutil-setid-samba4.so                                    
 lib/samba4/private/libutil-tdb-samba4.so                                      
 lib/samba4/private/libwinbind-client-samba4.so                                
-lib/samba4/private/libwind-samba4.so.0                                        
+%%NO_GSSAPI_MIT%%lib/samba4/private/libwind-samba4.so.0                       
 lib/samba4/private/libxattr-tdb-samba4.so                                     
 %%AD_DC%%lib/shared-modules/bind9/dlz_bind9_10.so                             
 %%AD_DC%%lib/shared-modules/bind9/dlz_bind9_11.so                             
@@ -297,6 +297,7 @@                                                            
 %%AD_DC%%lib/shared-modules/bind9/dlz_bind9_9.so                              
 %%AD_DC%%lib/shared-modules/bind9/dlz_bind9.so                                
 %%AD_DC%%lib/shared-modules/gensec/krb5.so                                    
+%%GSSAPI_MIT%%%%AD_DC%%lib/shared-modules/krb5/plugins/kdb/samba.so           
 %%AD_DC%%lib/shared-modules/ldb/acl.so                                        
 %%AD_DC%%lib/shared-modules/ldb/aclread.so                                    
 %%AD_DC%%lib/shared-modules/ldb/anr.so
```
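Review bot: Adding GSSAPI_MIT to OPTIONS_DEFINE in the first Makefile hunk switches it on by default, because two lines later `OPTIONS_DEFAULT:= ${OPTIONS_DEFINE}` copies the whole list; anyone rebuilding the port would silently move to the system MIT Kerberos (pulling in security/krb5) and lose the Heimdal-based private libraries that the plist hunks now mark `%%NO_GSSAPI_MIT%%`. For an experimental option, keep it out of the default set (append it to OPTIONS_DEFINE after the OPTIONS_DEFAULT assignment, or set OPTIONS_DEFAULT explicitly) and add a `GSSAPI_MIT_DESC` so `make config` shows what the option does.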
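Review bot: In the second Makefile hunk, `--with-system-mitkdc=/usr/local/sbin/krb5kdc` hardcodes the prefix while the lines just above use `${LOCALBASE}` (`${LOCALBASE}/share/xsl/docbook/...`); use `${LOCALBASE}/sbin/krb5kdc` so a non-default LOCALBASE still finds the KDC. That switch is only relevant to the AD DC, so either place it under AD_DC as well or declare the relationship (e.g. `GSSAPI_MIT_IMPLIES= AD_DC`) rather than leaving the two options independent.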
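Review bot: The `post-install-GSSAPI_MIT-on` target in the third Makefile hunk moves `krb5/plugins/kdb/samba.so` unconditionally, but the last pkg-plist hunk lists that file under `%%GSSAPI_MIT%%%%AD_DC%%`, i.e. it only exists when AD_DC is on; with GSSAPI_MIT on and AD_DC off, `${MV}` fails on a missing file and the install aborts. Guard the body with `.if ${PORT_OPTIONS:MAD_DC}` (or tie the option to AD_DC), prefer the ports idiom `@${MKDIR} ...` over `${INSTALL} -d -m 0755`, and check that the recipe lines still start with a tab: as listed here they look space-indented, which make(1) rejects.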
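Review bot: The pkg-plist hunks hand-pick the Heimdal-derived private libraries (libasn1, libcom_err, libgssapi, libhcrypto, libhdb, libheimbase, libheimntlm, libhx509, libkdc, libkrb5, libroken, libwind) to mark with `%%NO_GSSAPI_MIT%%`, which is the correct mechanism given `OPTIONS_SUB=yes`, but nothing shows the list is complete. Run `make check-plist` with GSSAPI_MIT on and off, each with and without AD_DC, so any file the system-MIT build adds or drops beyond this set is caught before the patch goes to the maintainer.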

I'm building 4.7.3 again though, due to problems discussed earlier.


----------



## zirias@ (May 17, 2018)

Little update: at least, joining worked now.

What I did:

1. patch net/samba48 with the patch from the post above
2. downgrade net/samba47 to version 4.7.3 (so domain provisioning works)
3. patch net/samba47 in a similar way to enable MIT kerberos
4. Add the patch from PR #220844 to both samba versions (deemed unsafe, but otherwise it wouldn't work in a jail)
5. Install samba47-4.7.3 on the DC jail, provision the domain (including configuring kerberos and named) and test basic functionality
6. Upgrade the DC to net/samba48
7. Execute `samba_upgradedns --dns-backend=BIND9_DLZ`, follow the hints to update the named configuration

After this procedure, I could finally join my domain with automatic DNS update:

```
# net ads join -U administrator
Enter administrator's password:
Using short domain name -- PALMEN
Joined 'FILES' to dns domain 'home.palmen-it.de'
# host files
files.home.palmen-it.de has address 192.168.42.103
#
```

Well, great so far; we will see whether this setup will actually work for clients.

I guess I'll mail this patch to the samba ports' maintainer; after all, it's probably a good idea to respect option `GSSAPI_MIT` when building samba.


----------



## zirias@ (May 22, 2018)

Well, it really seems to work as intended! I meanwhile joined another jail as a file server (also serving home directories), and two workstations, running Windows 7 and Debian stable; all seems fine.

Great, but I hope this will improve in the future, so samba domain provisioning just works out of the box with ZFS and inside a jail ... and optionally with MIT kerberos. To at least help a little, I submitted PR #228365 -- anyone attempting to follow the insane procedure outlined above can find the required patches there for now.


----------

