Ubuntu Server - Samba, Kerberos, BIND9 and Kea DHCP - Samba/Kerberos dynamic update issues

Hi everyone,

First post in this forum, let me know if anything is incorrect (should be posting this elsewhere or not what this forum is for).

I will happily share my configurations and make sure I share knowledge with everyone, so they can replicate my design in their own home and small business networks, without having to pay thousands of dollars for MS Server OSes.

Please find a detailed summary below (I have been working with ChatGPT, I use a private subscription)

I am attempting to configure a fully functional Ubuntu server environment using BIND9 as a DNS server, Kea DHCP, Samba Active Directory (AD), and Kerberos for authentication. The ultimate goal is to have Samba dynamically update DNS records securely via Kerberos. However, I am encountering consistent issues where Samba fails to dynamically update the DNS records in BIND9, returning a GSS-TSIG query was unsuccessful (REFUSED) error.

The system seems to be configured correctly for secure communication between BIND9 and Kea using a TSIG key. However, Samba’s dynamic updates use Kerberos, and this is where the issue lies.

Despite setting allow-update { any; }; for troubleshooting purposes, the dynamic updates are still failing.

Relevant Errors

  1. Dynamic Update Failure (Samba and nsupdate):
  • Attempting nsupdate -g or running sudo samba_dnsupdate --verbose results in:

response to GSS-TSIG query was unsuccessful (REFUSED)
Failed nsupdate: 1

  2. Kerberos Keytab Validation:
  • kinit with the Kerberos keytab appears to succeed:

sudo kinit -k -t /etc/samba/samba.keytab dns-dc01

  • However, subsequent DNS updates fail.
  3. Manual Updates Work:
  • Using nsupdate without GSS-TSIG (-g) works when allow-update { any; }; is set:

server 127.0.0.1
zone patllm.lan
update add testrecord.patllm.lan. 86400 A 192.168.234.100
send

Steps Taken to Troubleshoot

  1. Verified that Samba successfully generated a Kerberos keytab (/etc/samba/samba.keytab), which contains valid entries for dns-dc01.
  2. Tested manual DNS updates via nsupdate both with and without Kerberos, confirming updates work only without GSS-TSIG.
  3. Adjusted named.conf.local to include permissive allow-update { any; }; for testing.
  4. Confirmed that the TSIG key used between Kea DHCP and BIND9 does not interfere with Kerberos updates by removing the key from the configuration temporarily.

Despite these efforts, Samba dynamic updates via Kerberos remain non-functional.


System Details

Operating System:

  • Distribution: Ubuntu 24.04.1 LTS (Noble Numbat)
  • Kernel Version: Output of uname -r
  • APT Sources:

Types: deb
URIs: http://au.archive.ubuntu.com/ubuntu/
Suites: noble noble-updates noble-backports
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Types: deb
URIs: http://security.ubuntu.com/ubuntu/
Suites: noble-security
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Network Configuration:

  • IP Address: 192.168.234.10/24
  • Hostname: dc01.patllm.lan
  • DNS Zones:
    • patllm.lan
    • _msdcs.patllm.lan
    • 234.168.192.in-addr.arpa

Software Versions:

  • BIND9 Version: 9.18.28
  • Samba Version: 4.18.x
  • Kerberos (MIT): Confirmed installed and functioning.

BIND9 Configuration:

  • /etc/bind/named.conf.options includes:

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
    allow-query-cache { any; };
    allow-recursion { any; };
    forwarders {
       1.1.1.1;
       8.8.8.8;
    };
    dnssec-validation no;
    listen-on port 53 { any; };
};
  • /etc/bind/named.conf.local includes:

include "/etc/bind/patllm-ddns.key";

zone "patllm.lan" {
    type master;
    file "/var/lib/bind/db.patllm.lan";
    allow-update { any; };  # Testing purposes
};

zone "_msdcs.patllm.lan" {
    type master;
    file "/var/lib/bind/db._msdcs.patllm.lan";
    allow-update { any; };
};

zone "234.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.234.168.192";
    allow-update { any; };
};

Kerberos Configuration:

  • Kerberos keytab /etc/samba/samba.keytab contains entries for dns-dc01:

KVNO Principal
---- --------------------------------------------------------------------------
   1 Administrator@PATLLM.LAN
   1 krbtgt@PATLLM.LAN
   1 DC01$@PATLLM.LAN
   1 dns-dc01@PATLLM.LAN

Request for Assistance

I am seeking guidance on the following:

  1. Kerberos vs TSIG Keys: Can Kerberos-based secure updates and TSIG coexist without interference? If so, how should this be configured?
  2. Dynamic Update Failures: What steps can I take to resolve the GSS-TSIG query was unsuccessful (REFUSED) issue for Samba?
  3. Configuration Validation: Are there misconfigurations in BIND9, Samba, or Kerberos that might be contributing to this issue?

Thank you for your time and expertise. Let me know if you need additional logs or configuration details.
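The REFUSED answer to the GSS-TSIG (TKEY) query and the "can Kerberos and TSIG coexist" question both come down to the BIND9 side of the setup. As an added example, not part of the original post and not Samba's or ISC's own tooling, the POSIX shell script below lints a named.conf fragment for the two things GSS-TSIG needs from named (a tkey-gssapi-keytab statement in options{}, and update-policy rather than allow-update in every zone that Kerberos identities should be allowed to update), and prints a zone stanza in which the DC's Kerberos principal and the Kea TSIG key are granted side by side. The sample configuration embedded in it is constructed to mirror the post. The TSIG key name patllm-ddns, the principal dns-dc01@PATLLM.LAN and the keytab path /var/lib/samba/bind-dns/dns.keytab are assumptions: that path is where a Samba provision with --dns-backend=BIND9_DLZ writes the keytab holding the server-side principal DNS/dc01.patllm.lan@PATLLM.LAN, which is the principal a client's nsupdate -g requests a ticket for (dns-dc01 is the client-side identity, so a keytab that only contains it is not what tkey-gssapi-keytab needs).

```shell
#!/bin/sh
# Added example, not from the post: check a named.conf fragment for what
# GSS-TSIG (nsupdate -g, samba_dnsupdate) needs from BIND9, and print a zone
# stanza granting a Kerberos principal and a TSIG key side by side.
# Key name, principal and keytab path are assumptions chosen to match the post.

# Constructed sample mirroring the post's config (no real file is read).
# It has no tkey-gssapi-keytab and the forward zone uses allow-update.
SAMPLE_NAMED_CONF='
options {
    directory "/var/cache/bind";
};
zone "patllm.lan" {
    type master;
    file "/var/lib/bind/db.patllm.lan";
    allow-update { any; };
};
zone "234.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.234.168.192";
    update-policy { grant patllm-ddns zonesub PTR; };
};
'

# gss_lint CONF_TEXT: one finding per line, prefixed OK / FIX / MISSING.
gss_lint() {
    printf '%s\n' "$1" | awk '
        # options{} must name the keytab holding DNS/<fqdn>@REALM; without it
        # named cannot finish the TKEY negotiation and answers REFUSED before
        # any allow-update ACL is consulted.
        /^[ \t]*tkey-gssapi-keytab/ { gss = 1 }
        /^zone[ \t]+"/ { zone = $2; gsub(/"/, "", zone); mode = "none" }
        # allow-update is an address/TSIG-key ACL; Kerberos identities are only
        # expressible in update-policy, and a zone may carry one or the other.
        /^[ \t]*allow-update/  { mode = "allow-update" }
        /^[ \t]*update-policy/ { mode = "update-policy" }
        /^};/ && zone != "" {
            if (mode == "update-policy")
                print "OK      zone " zone ": update-policy present"
            else
                print "FIX     zone " zone ": has " mode ", GSS-TSIG principals need update-policy"
            zone = ""
        }
        END {
            if (!gss)
                print "MISSING tkey-gssapi-keytab in options{}: TKEY fails, nsupdate -g sees REFUSED"
        }'
}

# gss_lint_problems CONF_TEXT: number of FIX/MISSING findings (0 = clean).
gss_lint_problems() {
    gss_lint "$1" | grep -c -E '^(FIX|MISSING)'
}

# emit_zone ZONE REALM DC_PRINCIPAL TSIG_KEY: a zone stanza where Kerberos
# (GSS-TSIG) and TSIG updaters coexist in one update-policy.
emit_zone() {
    cat <<EOF
zone "$1" {
    type master;
    file "/var/lib/bind/db.$1";
    update-policy {
        // domain members update only their own A/AAAA, authenticated via Kerberos
        grant $2 ms-self * A AAAA;
        // the DC's DNS principal (used by samba_dnsupdate) may write any name in the zone
        grant $3@$2 zonesub A AAAA SRV CNAME TXT;
        // Kea DHCP-DDNS, authenticated with its TSIG key, may write lease records
        grant $4 zonesub A AAAA PTR DHCID;
    };
};
EOF
}

# options{} line that goes with it (assumed keytab path: where a Samba
# provision with --dns-backend=BIND9_DLZ puts the DNS/dc01.patllm.lan key).
emit_options_gss() {
    printf '    tkey-gssapi-keytab "%s";\n' "${1:-/var/lib/samba/bind-dns/dns.keytab}"
}

# Live checks to run on the DC itself (listed here, not executed):
#   named-checkconf -z
#   sudo -u bind klist -k /var/lib/samba/bind-dns/dns.keytab   # expect DNS/dc01.patllm.lan@PATLLM.LAN, readable by the bind user
#   sudo kinit -k -t /etc/samba/samba.keytab dns-dc01
#   printf 'server 127.0.0.1\nzone patllm.lan\nupdate add testrecord.patllm.lan. 86400 A 192.168.234.100\nsend\n' | sudo nsupdate -g -d
#   journalctl -u named | grep -iE 'tkey|gss|update'

gss_lint "$SAMPLE_NAMED_CONF"
echo "problems: $(gss_lint_problems "$SAMPLE_NAMED_CONF")"
emit_options_gss
emit_zone patllm.lan PATLLM.LAN dns-dc01 patllm-ddns
```

Against the constructed sample the linter reports two problems (no tkey-gssapi-keytab, and patllm.lan using allow-update); feeding it the emitted options line plus zone stanza reports none. With that configuration in place, nsupdate -g run with the dns-dc01 ticket exercises the zonesub grant, a Kea DHCP-DDNS update signed with patllm-ddns exercises the TSIG grant, and named-checkconf rejects a zone that still carries allow-update next to update-policy, which is the reason the two cannot simply be stacked in the same zone.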

Hi James. I too am wanting to build an Ubuntu AD environment with BIND and Kea DHCP with dynamic DNS updates. This time, I’m replacing a workgroup and router DHCP etc.
Have you had any success with the AD build? I’m wondering whether to use the old ISC-DHCP instead.
Thanks, Michael