Ubuntu Server - Samba, Kerberos, BIND9 and Kea DHCP - Samba/Kerberos dynamic update issues

Hi everyone,

First post in this forum, let me know if anything is incorrect (should be posting this elsewhere or not what this forum is for).

I will happily share my configurations and make sure I share knowledge with everyone, so they can replicate my design in their own home and small business networks, without having to pay thousands of dollars for MS Server OS’s.

Please find a detailed summary below (I have been working with ChatGPT, I use a private subscription)

I am attempting to configure a fully functional Ubuntu server environment using BIND9 as a DNS server, Kea DHCP, Samba Active Directory (AD), and Kerberos for authentication. The ultimate goal is to have Samba dynamically update DNS records securely via Kerberos. However, I am encountering consistent issues where Samba fails to dynamically update the DNS records in BIND9, returning a GSS-TSIG query was unsuccessful (REFUSED) error.

The system seems to be configured correctly for secure communication between BIND9 and Kea using a TSIG key. However, Samba’s dynamic updates use Kerberos, and this is where the issue lies.

Despite setting allow-update { any; }; for troubleshooting purposes, the dynamic updates are still failing.

Relevant Errors

  1. Dynamic Update Failure (Samba and nsupdate):
  • Attempting nsupdate -g or running sudo samba_dnsupdate --verbose results in:

response to GSS-TSIG query was unsuccessful (REFUSED)
Failed nsupdate: 1

  2. Kerberos Keytab Validation:
  • kinit with the Kerberos keytab appears to succeed:

sudo kinit -k -t /etc/samba/samba.keytab dns-dc01

  • However, subsequent DNS updates fail.

  3. Manual Updates Work:
  • Using nsupdate without GSS-TSIG (-g) works when allow-update { any; }; is set:

server 127.0.0.1
zone patllm.lan
update add testrecord.patllm.lan. 86400 A 192.168.234.100
send

Steps Taken to Troubleshoot

  1. Verified that Samba successfully generated a Kerberos keytab (/etc/samba/samba.keytab), which contains valid entries for dns-dc01.
  2. Tested manual DNS updates via nsupdate both with and without Kerberos, confirming updates work only without GSS-TSIG.
  3. Adjusted named.conf.local to include permissive allow-update { any; }; for testing.
  4. Confirmed that the TSIG key used between Kea DHCP and BIND9 does not interfere with Kerberos updates by removing the key from the configuration temporarily.

Despite these efforts, Samba dynamic updates via Kerberos remain non-functional.


System Details

Operating System:

  • Distribution: Ubuntu 24.04.1 LTS (Noble Numbat)
  • Kernel Version: Output of uname -r
  • APT Sources:

Types: deb
URIs: http://au.archive.ubuntu.com/ubuntu/
Suites: noble noble-updates noble-backports
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Types: deb
URIs: http://security.ubuntu.com/ubuntu/
Suites: noble-security
Components: main restricted universe multiverse
Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg

Network Configuration:

  • IP Address: 192.168.234.10/24
  • Hostname: dc01.patllm.lan
  • DNS Zones:
    • patllm.lan
    • _msdcs.patllm.lan
    • 234.168.192.in-addr.arpa

Software Versions:

  • BIND9 Version: 9.18.28
  • Samba Version: 4.18.x
  • Kerberos (MIT): Confirmed installed and functioning.

BIND9 Configuration:

  • /etc/bind/named.conf.options includes:

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
    allow-query-cache { any; };
    allow-recursion { any; };
    forwarders {
       1.1.1.1;
       8.8.8.8;
    };
    dnssec-validation no;
    listen-on port 53 { any; };
};

  • /etc/bind/named.conf.local includes:

include "/etc/bind/patllm-ddns.key";

zone "patllm.lan" {
    type master;
    file "/var/lib/bind/db.patllm.lan";
    allow-update { any; };  # Testing purposes
};

zone "_msdcs.patllm.lan" {
    type master;
    file "/var/lib/bind/db._msdcs.patllm.lan";
    allow-update { any; };
};

zone "234.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.234.168.192";
    allow-update { any; };
};

Kerberos Configuration:

  • Kerberos keytab /etc/samba/samba.keytab contains entries for dns-dc01:

KVNO Principal
---- --------------------------------------------------------------------------
   1 Administrator@PATLLM.LAN
   1 krbtgt@PATLLM.LAN
   1 DC01$@PATLLM.LAN
   1 dns-dc01@PATLLM.LAN

Request for Assistance

I am seeking guidance on the following:

  1. Kerberos vs TSIG Keys: Can Kerberos-based secure updates and TSIG coexist without interference? If so, how should this be configured?
  2. Dynamic Update Failures: What steps can I take to resolve the GSS-TSIG query was unsuccessful (REFUSED) issue for Samba?
  3. Configuration Validation: Are there misconfigurations in BIND9, Samba, or Kerberos that might be contributing to this issue?

Thank you for your time and expertise. Let me know if you need additional logs or configuration details.
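As an added check (not part of the original post), the following POSIX shell script reads a named.conf.local fragment and lists every zone whose allow-update is "any", i.e. zones that accept dynamic updates from any client that can reach the server without a TSIG key or Kerberos check. The sample config is constructed from the three zones above; the key name "patllm-ddns" in the _msdcs zone is an assumption, since the post only shows the include file name.

```shell
#!/bin/sh
# Added example, not from the thread: list the zones in a named.conf.local
# fragment whose allow-update is "any", i.e. zones that accept dynamic
# updates from any client, with no key or Kerberos check at all.

# open_update_zones: read named.conf text on stdin and print the name of
# every zone whose block contains `allow-update { any; };`.
open_update_zones() {
    awk '
        /^[ \t]*zone[ \t]+"/ {                      # start of a zone block
            zone = $2; gsub(/"/, "", zone); open = 0
        }
        /allow-update[ \t]*[{][ \t]*any[ \t]*;/ { open = 1 }
        /^[ \t]*};/ {                               # end of the block
            if (zone != "" && open) print zone
            zone = ""; open = 0
        }
    '
}

# Constructed sample mirroring the three zones from the original post, with
# the _msdcs zone switched to a TSIG key policy (key name "patllm-ddns" is an
# assumption) so the contrast is visible.
SAMPLE_CONF='include "/etc/bind/patllm-ddns.key";

zone "patllm.lan" {
    type master;
    file "/var/lib/bind/db.patllm.lan";
    allow-update { any; };  # Testing purposes
};

zone "_msdcs.patllm.lan" {
    type master;
    file "/var/lib/bind/db._msdcs.patllm.lan";
    allow-update { key patllm-ddns; };
};

zone "234.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.234.168.192";
    allow-update { any; };
};'

# Prints patllm.lan and 234.168.192.in-addr.arpa, one per line.
printf '%s\n' "$SAMPLE_CONF" | open_update_zones
```

On a real server, run `open_update_zones < /etc/bind/named.conf.local`; as the post itself notes, opening allow-update to any did not make the GSS-TSIG path work, so it only widens who may change the zone without fixing the Kerberos update.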

Hi James. I too am wanting to build an Ubuntu AD environment with Bind and Kea DHCP with dynamic DNS updates. This time, I’m replacing a workgroup and router DHCP etc.
Have you had any success with the AD build? I’m wondering whether to use the old ISC-DHCP instead.
Thanks, Michael

Hi Michael,

Sorry for the delayed response. I gave up using BIND9 and Kea, so I fell back to the internal Samba DNS, while utilizing a DNS forwarder, which is my UniFi Dream Router. The UDR is also my DHCP server. The end result was quite acceptable. I have a functioning Samba AD environment that I can even configure from Windows 11 Professional clients, using remote server administration tools for AD Users and Computers as well as Group Policy Management (does not have full GPO functionality of a Windows Server though, but drive and printer mappings work great).

Any device that connects to WiFi or Ethernet can be resolved by its hostname across the network. Auto mapped shared drives allow me to access all systems within the network seamlessly. Communications utilize SMB version 3, which is secure.

I actually have 2 Ubuntu Server DCs as well (dc01.patllm.lan and dc02.patllm.lan). I run both DCs via Proxmox VE hosts (separate hosts in case one fails). They both back up to a local 4TB NAS drive via Proxmox’s inbuilt backup tool. Each backup only consumes 5 GB of space.

I have pretty much achieved my goal of creating a small business grade network within my home, while avoiding massive OS costs. Proxmox hosts run on old Dell Optiplex machines with 32GB RAM and 8th gen i7s. I get these through work once the disks fail and the units are out of warranty. I then replace parts as needed.

So, this entire system has been created with pretty much $0 net cost… if you don’t count about 50 hours of a qualified Engineer’s time and a few disks, but most were acquired through work as well.

Let me know if you want me to share any specific details. I have devised a list of commands that can configure a functioning Primary Domain Controller with a freshly provisioned Samba AD environment in about 5 to 10 minutes, depending on your system’s performance. Considering it took hours to get the first version working, this is quite a time saver. But the knowledge I gained figuring this stuff out is worth the time spent as well.

Cheers,

James


I’ve decided to simply paste in my work, since I said I would in the original post.

I would like to acknowledge Scott Plude for his YouTube video which helped me heaps - https://www.youtube.com/watch?v=dS5PxJk2gyg

I noticed a few things that perhaps weren’t required when he created the video. I had to locate and remove PID files as well as the LDB and TDB files he gets you to remove before provisioning Samba AD. By removing PID file(s) as well, it seems to resolve the TSIG key generation error I was getting before. This in turn seems to resolve the dynamic DNS updates. There were a few other issues I found as well, such as the location of the samba-ad-dc.service file. The current instructions I have created work great on the latest Ubuntu Server image downloaded directly from Ubuntu’s website, as of Feb 2025.

FEEL FREE TO USE THE FOLLOWING INSTRUCTIONS - PLEASE DO NOT BLINDLY COPY AND PASTE, SOME INSTRUCTIONS REQUIRE YOU TO READ YOUR OWN SYSTEM’S OUTPUT AND ADJUST THE COMMANDS ACCORDINGLY.

#Setup Ubuntu Server Live via USB

#Ethernet = 192.168.234.10/24
#DNS Server = 192.168.234.1
#Server Name = DC01
#Username = administrator
#Password = P@ssword01 (DO NOT USE THIS - SET YOUR OWN!)

#Once Installed, run the following commands

sudo timedatectl set-timezone Australia/Melbourne ### use your own correct timezone ###

sudo apt update

sudo apt full-upgrade

sudo reboot

sudo apt-get install acl attr samba samba-dsdb-modules samba-vfs-modules winbind libpam-winbind libnss-winbind libpam-krb5 krb5-config krb5-user smbclient -y

sudo systemctl disable systemd-resolved.service

sudo service systemd-resolved stop

ping yahoo.com #THIS TEST SHOULD FAIL

###ADDED MYSELF###

sudo rm -f /etc/resolv.conf

echo -e "search patllm.lan\nnameserver 127.0.0.1\nnameserver 192.168.234.1" | sudo tee /etc/resolv.conf

###END ADD###

sudo ps ax | egrep "samba|smbd|nmbd|winbind|winbindd"

###EXAMPLE OUTPUT###

administrator@dc01:~$ sudo ps ax | egrep "samba|smbd|nmbd|winbindd|winbind"
2045 ? Ss 0:00 /usr/sbin/smbd --foreground --no-process-group
2049 ? S 0:00 smbd: notifyd .
2050 ? S 0:00 smbd: cleanupd
2106 ? Ss 0:00 /usr/sbin/nmbd --foreground --no-process-group
2279 ? Ss 0:00 /usr/sbin/winbindd --foreground --no-process-group
2283 ? S 0:00 winbindd: domain child [DC01]
2473 ? Ss 0:00 /usr/libexec/samba/samba-dcerpcd --libexec-rpcds --ready-signal-fd=23 --np-helper --debuglevel=0
2482 ? S 0:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=2 --worker-index=5 --debuglevel=0
2484 ? S 0:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=2 --worker-index=6 --debuglevel=0
2499 pts/0 S+ 0:00 grep -E --color=auto samba|smbd|nmbd|winbindd|winbind

###END EXAMPLE###

sudo kill 2045
sudo kill 2049
sudo kill 2050
sudo kill 2106
sudo kill 2279
sudo kill 2283
sudo kill 2473
sudo kill 2482
sudo kill 2484

sudo nano /etc/hosts

###HOSTS FILE###

127.0.0.1 localhost
192.168.234.10 dc01.patllm.lan dc01

# The following lines are desirable for IPv6 capable hosts

::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

###HOSTS FILE END###

ping dc01 #THIS TEST SHOULD SUCCEED

sudo smbd -b | grep "CONFIGFILE"
#RESULT CONFIGFILE: /etc/samba/smb.conf

sudo rm /etc/samba/smb.conf

smbd -b | egrep "LOCKDIR|STATEDIR|CACHEDIR|PRIVATE_DIR"

###RESULTS###

LOCKDIR: /run/samba
STATEDIR: /var/lib/samba
CACHEDIR: /var/cache/samba
PRIVATE_DIR: /var/lib/samba/private

###END RESULTS###

cd /run/samba

sudo ls -l

sudo rm *.ldb

sudo rm *.pid

sudo rm *.tdb

cd /var/lib/samba

sudo ls -l

sudo rm *.ldb

sudo rm *.tdb

cd /var/cache/samba

sudo ls -l

sudo rm *.ldb

sudo rm *.tdb

cd /var/lib/samba/private

sudo ls -l

sudo rm *.ldb

sudo rm *.tdb

###ADDED MYSELF###

sudo rm -rf /run/samba/msg.lock
sudo rm -rf /run/samba/msg.sock
sudo rm -rf /run/samba/ncalrpc
sudo rm -rf /run/samba/nmbd
sudo rm -rf /run/samba/winbindd

###END ADD###

sudo rm /etc/krb5.conf

sudo samba-tool domain provision --use-rfc2307 --interactive

sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf

sudo systemctl mask smbd nmbd winbind

sudo systemctl disable smbd nmbd winbind

sudo nano /usr/lib/systemd/system/samba-ad-dc.service

###COPY THE FOLLOWING TEXT###

[Unit]
Description=Samba AD Daemon
Documentation=man:samba(8) man:samba(7) man:smb.conf(5)
Wants=network-online.target
After=network.target network-online.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/run/samba/samba.pid
LimitNOFILE=16384
EnvironmentFile=-/etc/default/samba
ExecStart=/usr/sbin/samba -D
ExecReload=/bin/kill -HUP $MAINPID
ExecCondition=/usr/share/samba/is-configured samba

[Install]
WantedBy=multi-user.target

# Upstream name:

Alias=samba.service

###END FILE###

sudo systemctl daemon-reload

sudo systemctl enable samba-ad-dc

sudo reboot

sudo kinit Administrator

#Enter your password for PATLLM\administrator

sudo smbclient -L localhost -N

###EXPECTED RESULT###

Anonymous login successful

    Sharename       Type      Comment
    ---------       ----      -------
    sysvol          Disk
    netlogon        Disk
    IPC$            IPC       IPC Service (Samba 4.19.5-Ubuntu)

###JOB DONE!###

sudo apt-get install net-tools

samba-tool dns zonecreate 0.99.10.in-addr.arpa -U Administrator

Once finished - You may need to check and amend some file contents. The following file contents have been added as a reference.

smb.conf file contents

# Global parameters

[global]
dns forwarder = 192.168.234.1
netbios name = DC01
realm = PATLLM.LAN
server role = active directory domain controller
workgroup = PATLLM
idmap_ldb:use rfc2307 = yes

[sysvol]
path = /var/lib/samba/sysvol
read only = No

[netlogon]
path = /var/lib/samba/sysvol/patllm.lan/scripts
read only = No

###END FILE###

krb5.conf

[libdefaults]
default_realm = PATLLM.LAN
dns_lookup_realm = false
dns_lookup_kdc = true
ticket_lifetime = 48h
renew_lifetime = 14d
forwardable = true

[realms]
PATLLM.LAN = {
default_domain = patllm.lan
kdc = dc01.patllm.lan
admin_server = dc01.patllm.lan
}

[domain_realm]
dc01 = PATLLM.LAN
.patllm.lan = PATLLM.LAN
patllm.lan = PATLLM.LAN

###END FILE###

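The instructions above ask you to read the ps listing and type one `sudo kill <pid>` per leftover Samba process. As an added helper (not part of the original post), this POSIX shell script extracts those PIDs from `ps ax` output, skipping the grep line itself, and runs in dry-run mode unless told to kill; the sample listing is constructed from the example output shown earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: pull the PIDs of leftover Samba
# processes out of `ps ax` output so they can be stopped before
# provisioning, instead of retyping each `sudo kill <pid>` by hand.

# samba_pids: read `ps ax` output on stdin, print one PID per line for
# every samba/smbd/nmbd/winbindd process, skipping the grep line itself.
samba_pids() {
    awk '
        /grep/ { next }                              # ignore our own search
        /samba|smbd|nmbd|winbind/ { print $1 }       # PID is the first column
    '
}

# Constructed sample, abridged from the ps listing shown earlier in the thread.
SAMPLE_PS='2045 ?     Ss   0:00 /usr/sbin/smbd --foreground --no-process-group
2049 ?     S    0:00 smbd: notifyd .
2050 ?     S    0:00 smbd: cleanupd
2106 ?     Ss   0:00 /usr/sbin/nmbd --foreground --no-process-group
2279 ?     Ss   0:00 /usr/sbin/winbindd --foreground --no-process-group
2283 ?     S    0:00 winbindd: domain child [DC01]
2473 ?     Ss   0:00 /usr/libexec/samba/samba-dcerpcd --libexec-rpcds --np-helper
2482 ?     S    0:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf
2484 ?     S    0:00 /usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf
2499 pts/0 S+   0:00 grep -E --color=auto samba|smbd|nmbd|winbindd|winbind'

# stop_samba_processes: dry-run by default; pass "kill" to actually stop them.
# Real use on the host:  ps ax | stop_samba_processes kill
stop_samba_processes() {
    mode="${1:-dry-run}"
    samba_pids | while read -r pid; do
        if [ "$mode" = "kill" ]; then
            sudo kill "$pid"
        else
            echo "would stop PID $pid"
        fi
    done
}

# Dry run over the constructed sample: prints nine "would stop PID" lines.
printf '%s\n' "$SAMPLE_PS" | stop_samba_processes
```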

Thanks mate for the insight this gives and the sheer effort in making it. I’ll let you know how I go…