# Samba DC



## Reken (May 21, 2020)

FreeBSD 11.3 
File system: ZFS
Samba411
Bind916

My actions:
1)
```sh
cd /usr/ports/dns/bind916 && make install clean
cd /usr/ports/net/samba411 && make install clean
```
(I selected the option "Use BIND 9.16")
(I added the option NTVFS)

2)
```sh
samba-tool domain provision --domain=DOMENFO --host-name=DC1 --host-ip=192.168.10.10 --use-rfc2307 --realm=domenfo.local --server-role=dc --dns-backend=BIND9_DLZ --adminpass=******** --use-ntvfs
```

3)
I changed the file named.conf
I added the lines

```
tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
minimal-responses yes;
include "/var/db/samba4/bind-dns/named.conf";
```

4)
```sh
cp /var/db/samba4/private/krb5.conf /usr/local/etc/krb5.conf
```

5)
My file permissions:

```
-rwxrwxr-x  1 bind  bind   21842 May 21 09:10 named.conf
-rwxrwxr-x  1 bind  bind     250 May 21 07:55 localhost-forward.db
-rwxrwxr-x  1 bind  bind     318 May 21 07:55 localhost-reverse.db
-rw-r--r--  1 bind  bind      94 May 21 08:42 krb5.conf
-rwxrwxr-x  2 bind  bind     747 May 21 08:36 dns.keytab
```

6)
Verification successful

root@DC1:~ # smbclient //localhost/netlogon -UAdministrator -c 'ls'

```
Enter DOMENFO\Administrator's password:
  .                                   D        0  Thu May 21 08:36:03 2020
  ..                                  D        0  Thu May 21 08:36:08 2020

                39560476 blocks of size 1024. 37795404 blocks available
```

root@DC1:~ # host -t SRV _ldap._tcp.domenfo.local.

```
_ldap._tcp.domenfo.local has SRV record 0 100 389 dc1.domenfo.local.
```

root@DC1:~ # host -t SRV _kerberos._udp.domenfo.local.

```
_kerberos._udp.domenfo.local has SRV record 0 100 88 dc1.domenfo.local.
```

root@DC1:~ # host -t A domenfo.local.

```
domenfo.local has address 192.168.10.10
```

root@DC1:~ # kinit administrator@DOMENFO.LOCAL

root@DC1:~ # klist

```
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: administrator@DOMENFO.LOCAL

  Issued                Expires               Principal
May 21 09:41:01 2020  May 21 19:41:01 2020  krbtgt/DOMENFO.LOCAL@DOMENFO.LOCAL
```

7)
samba_dnsupdate --verbose --all-names

```
update(nsupdate): A ForestDnsZones.domenfo.local 192.168.10.10
Calling nsupdate for A ForestDnsZones.domenfo.local 192.168.10.10 (add)
Successfully obtained Kerberos ticket to DNS/dc1.domenfo.local as DC1$
/usr/bin/nsupdate: cannot specify -g    or -o, program not linked with GSS API Library
Failed nsupdate: 1
Failed update of 34 entries
```

I changed the file smb4.conf
I added the line

```
nsupdate command = /usr/local/sbin/samba_dnsupdate -g
```

samba_dnsupdate --verbose --all-names

```
update(nsupdate): A ForestDnsZones.domenfo.local 192.168.10.10
Calling nsupdate for A ForestDnsZones.domenfo.local 192.168.10.10 (add)
Successfully obtained Kerberos ticket to DNS/dc1.domenfo.local as DC1$
Usage: samba_dnsupdate [options]

samba_dnsupdate: error: no such option: -g
Failed nsupdate: 2
Failed update of 34 entries
```

In summary:
Can you tell me what the problem is?

P.S.
My application configuration files:
/usr/local/etc/krb5.conf
/usr/local/etc/smb4.conf
/usr/local/etc/namedb/named.conf
/etc/resolv.conf
/var/db/samba4/bind-dns/named.conf


----------



## mark_j (May 22, 2020)

Good stuff.
You gave options for samba, how about bind916?
These can be found in `/var/db/ports/dns_bind916/options` and so on. It may be worth posting them.

*WHY* are you using a long deprecated back end in ntvfs?


----------



## Reken (May 22, 2020)

bind916

```
OPTIONS_FILE_UNSET+=DNSTAP
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_UNSET+=FIXED_RRSET
OPTIONS_FILE_UNSET+=GEOIP
OPTIONS_FILE_SET+=IDN
OPTIONS_FILE_SET+=JSON
OPTIONS_FILE_UNSET+=LARGE_FILE
OPTIONS_FILE_SET+=LMDB
OPTIONS_FILE_UNSET+=OVERRIDECACHE
OPTIONS_FILE_UNSET+=PORTREVISION
OPTIONS_FILE_UNSET+=QUERYTRACE
OPTIONS_FILE_SET+=SIGCHASE
OPTIONS_FILE_UNSET+=START_LATE
OPTIONS_FILE_SET+=TCP_FASTOPEN
OPTIONS_FILE_UNSET+=TUNING_LARGE
OPTIONS_FILE_UNSET+=GSSAPI_BASE
OPTIONS_FILE_UNSET+=GSSAPI_HEIMDAL
OPTIONS_FILE_UNSET+=GSSAPI_MIT
OPTIONS_FILE_SET+=GSSAPI_NONE
OPTIONS_FILE_UNSET+=NATIVE_PKCS11
OPTIONS_FILE_UNSET+=DLZ_BDB
OPTIONS_FILE_SET+=DLZ_FILESYSTEM
OPTIONS_FILE_UNSET+=DLZ_LDAP
OPTIONS_FILE_UNSET+=DLZ_MYSQL
OPTIONS_FILE_UNSET+=DLZ_POSTGRESQL
OPTIONS_FILE_UNSET+=DLZ_STUB
```

samba411

```
OPTIONS_FILE_SET+=ADS
OPTIONS_FILE_SET+=AD_DC
OPTIONS_FILE_SET+=AESNI
OPTIONS_FILE_UNSET+=CLUSTER
OPTIONS_FILE_UNSET+=CUPS
OPTIONS_FILE_UNSET+=DEVELOPER
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_SET+=FAM
OPTIONS_FILE_UNSET+=GPGME
OPTIONS_FILE_SET+=LDAP
OPTIONS_FILE_UNSET+=MANDOC
OPTIONS_FILE_SET+=NTVFS
OPTIONS_FILE_SET+=PROFILE
OPTIONS_FILE_SET+=QUOTAS
OPTIONS_FILE_UNSET+=SPOTLIGHT
OPTIONS_FILE_SET+=SYSLOG
OPTIONS_FILE_SET+=UTMP
OPTIONS_FILE_SET+=GSSAPI_BUILTIN
OPTIONS_FILE_UNSET+=GSSAPI_MIT
OPTIONS_FILE_UNSET+=ZEROCONF_NONE
OPTIONS_FILE_SET+=AVAHI
OPTIONS_FILE_UNSET+=MDNSRESPONDER
OPTIONS_FILE_UNSET+=NSUPDATE
OPTIONS_FILE_UNSET+=BIND911
OPTIONS_FILE_SET+=BIND916
OPTIONS_FILE_SET+=FRUIT
OPTIONS_FILE_UNSET+=GLUSTERFS
```

If I do not use `--use-ntvfs`
I see an error:

```
set_nt_acl_no_snum: fset_nt_acl returned NT_STATUS_INVALID_PARAMETER
```

P.S.
Fragment of log.samba 

```
dnsupdate_nameupdate_done: Failed DNS update with exit code 5
[2020/05/22 10:52:48.216401,  0] ../../source4/smbd/server.c:624(binary_smbd_main)
  samba version 4.11.8 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2019
[2020/05/22 10:52:49.327451,  0] ../../source4/smbd/server.c:865(binary_smbd_main)
  binary_smbd_main: samba: using 'prefork' process model
[2020/05/22 10:52:52.670018,  0] ../../lib/util/become_daemon.c:136(daemon_ready)
  daemon_ready: daemon 'samba' finished starting up and ready to serve connections
[2020/05/22 07:52:58.771762,  0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
  dnsupdate_nameupdate_done: Failed DNS update with exit code 5
```


----------



## mark_j (May 22, 2020)

Reken said:

> If I do not use `--use-ntvfs`
> I see an error:
>
> ```
> ...
> ```


So how are both of these tied together? (Regardless, I don't see this as your issue anyway; it's DNS-oriented.)

Have you read and understood this:

Migrating the ntvfs File Server Back End to s3fs - SambaWiki (wiki.samba.org)

(not the migrating part but why ntvfs is not used?)


Also, your problem with samba_dnsupdate is that -g is not a command option. Why is it there, and what was it supposed to achieve?


----------



## Reken (May 26, 2020)

I understood my problem:
bind cannot update dynamically

Now it can be clearly seen from the logs:
named.log

```
26-May-2020 15:09:59.337 update-security: error: client @0x801b20f68 192.168.10.10#49770: update 'domenfo.com/IN' denied
26-May-2020 15:09:59.337 database: info: samba_dlz: cancelling transaction on zone domenfo.com
```

I think the problem is rights...

What do you think?

P.S.
samba_dnsupdate --verbose --all-names

```
update(nsupdate): A ForestDnsZones.domenfo.com 192.168.10.10
Calling nsupdate for A ForestDnsZones.domenfo.com 192.168.10.10 (add)
Successfully obtained Kerberos ticket to DNS/dc1.domenfo.com as DC1$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ForestDnsZones.domenfo.com. 900 IN A 192.168.10.10
update failed: REFUSED

Failed nsupdate: 2
Failed update of 34 entries
```


----------
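As an added diagnostic for this thread (my own script, not from the posts or from the Samba or BIND projects), the following POSIX sh checks the three things the posts expose for a BIND9_DLZ domain controller: the bind916 port options file showing GSSAPI_NONE, the update-security denials in named.log, and the mode of dns.keytab. It assumes the file paths quoted above and writes constructed sample files to a temporary directory.

```shell
#!/bin/sh
# Added diagnostic for the thread above; not from the original posts or from
# the Samba/BIND projects. It checks the three conditions the posts expose
# for a BIND9_DLZ domain controller. File paths are those quoted in the
# thread; the sample file contents written below are constructed.

# (1) BIND built without GSS-API. Samba's BIND9_DLZ backend authenticates
# dynamic updates with GSS-TSIG (tkey-gssapi-keytab), so a BIND port built
# with GSSAPI_NONE cannot verify them and its nsupdate cannot send them (-g).
# Returns 0 if GSSAPI_BASE/HEIMDAL/MIT is set in the port options, else 1.
bind_has_gssapi() {
    grep -Eq '^OPTIONS_FILE_SET\+=GSSAPI_(BASE|HEIMDAL|MIT)$' "$1"
}

# (2) Refused updates seen by named. Prints the number of
# 'update-security: error: ... denied' lines in a named log; each one is the
# server-side counterpart of samba_dnsupdate's "update failed: REFUSED".
count_update_denials() {
    grep -c 'update-security: error: .* denied' "$1" || true
}

# (3) Keytab exposure. dns.keytab holds the DNS service key; the listing in
# the thread shows it as -rwxrwxr-x, i.e. world-readable and executable.
# Takes an ls -l mode string; returns 0 only for 0600/0640/0400/0440 modes.
keytab_mode_secure() {
    case "$1" in
        -r[w-]-r-----|-r[w-]-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples reproducing what the thread shows.
tmp=$(mktemp -d) || exit 1
printf '%s\n' 'OPTIONS_FILE_UNSET+=GSSAPI_MIT' 'OPTIONS_FILE_SET+=GSSAPI_NONE' \
    > "$tmp/bind916.options"
printf '%s\n' \
  "26-May-2020 15:09:59.337 update-security: error: client @0x801b20f68 192.168.10.10#49770: update 'domenfo.com/IN' denied" \
  "26-May-2020 15:09:59.337 database: info: samba_dlz: cancelling transaction on zone domenfo.com" \
    > "$tmp/named.log"

if bind_has_gssapi "$tmp/bind916.options"; then
    echo "bind916: GSS-API enabled"
else
    echo "bind916: built with GSSAPI_NONE; GSS-TSIG updates will be refused"
fi
echo "named.log: $(count_update_denials "$tmp/named.log") refused update(s)"
keytab_mode_secure '-rwxrwxr-x' || echo "dns.keytab: mode too permissive"
rm -rf "$tmp"
```

On the DC itself, point the functions at /var/db/ports/dns_bind916/options, the named log, and the mode column of `ls -l /var/db/samba4/private/dns.keytab`.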

