Author Topic: Add record to DNS give error to restart  (Read 405 times)

mcoa

Add record to DNS give error to restart
« on: June 13, 2019, 03:33:28 pm »
Hello.
I have Zentyal 5.0 with the Samba A/D, DNS, NTP, etc. modules. I try to add a host into the DNS service and get an error after saving and restarting the service.


Quote
2019/06/12 23:22:36 INFO> GlobalImpl.pm:625 EBox::GlobalImpl::saveAllModules - Saving config and restarting services: firewall dns
2019/06/12 23:22:37 INFO> Base.pm:231 EBox::Module::Base::save - Restarting service for module: dns
2019/06/12 23:22:42 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2019/06/12 23:22:46 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-zentyal1 failed.
Error output: kinit: krb5_get_init_creds: Clock skew too great

Command output: .
Exit value: 1 at root command kinit -k -t /var/lib/samba/private/dns.keytab dns-zentyal1 failed.
Error output: kinit: krb5_get_init_creds: Clock skew too great

What's wrong?


Thanks

doncamilo

Re: Add record to DNS give error to restart
« Reply #1 on: June 13, 2019, 04:24:50 pm »
Hi!

It means that there is no time synchronisation across your whole system.

But this is bizarre, as you have configured your Zentyal as a domain controller and that option enables NTP automatically...  :o

Do you have some additional domain controller that isn't synchronised?

Cheers!

mcoa

Re: Add record to DNS give error to restart
« Reply #2 on: June 13, 2019, 06:23:09 pm »
Quote
Hi!

It means that there is no time synchronisation across your whole system.

But this is bizarre, as you have configured your Zentyal as a domain controller and that option enables NTP automatically...  :o

Do you have some additional domain controller that isn't synchronised?

Cheers!

Hello,
yes, I have two additional domain controllers. Mmm, I see some errors:


Quote
root@zentyal1:~# samba-tool drs showrepl 2>&1
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Using binding ncacn_ip_tcp:zentyal1.example.local[,seal]
resolve_lmhosts: Attempting lmhosts lookup for name zentyal1.example.local<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name zentyal1.example.local<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name zentyal1.example.local<0x20>
GSS client Update(krb5)(1) Update failed:  Miscellaneous failure (see text): Clock skew too great
SPNEGO(gssapi_krb5) creating NEG_TOKEN_INIT for ldap/zentyal1.example.local failed (next[ntlmssp]): NT_STATUS_LOGON_FAILURE
Got challenge flags:
Got NTLMSSP neg_flags=0x62898235
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x62088235
Default-First-Site-Name\ZENTYAL1
DSA Options: 0x00000001
DSA object GUID: 696d9995-8406-408c-82af-9aa254a6d338
DSA invocationId: b0a91b8a-3bd6-4489-b846-ddba28dcf5a4

==== INBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=example,DC=local
   Default-First-Site-Name\ZENTYAL2 via RPC
      DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
      Last attempt @ Thu Jun 13 12:13:47 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
      445 consecutive failure(s).
      Last success @ Tue Jun 11 23:16:56 2019 -04

DC=ForestDnsZones,DC=example,DC=local
   Default-First-Site-Name\ZENTYAL3 via RPC
      DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
      Last attempt @ Thu Jun 13 12:13:47 2019 -04 was successful
      0 consecutive failure(s).
      Last success @ Thu Jun 13 12:13:47 2019 -04

DC=DomainDnsZones,DC=example,DC=local
   Default-First-Site-Name\ZENTYAL2 via RPC
      DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
      Last attempt @ Thu Jun 13 12:16:19 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
      2305 consecutive failure(s).
      Last success @ Tue Jun 11 23:16:56 2019 -04

DC=DomainDnsZones,DC=example,DC=local
   Default-First-Site-Name\ZENTYAL3 via RPC
      DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
      Last attempt @ Thu Jun 13 12:13:47 2019 -04 was successful
      0 consecutive failure(s).
      Last success @ Thu Jun 13 12:13:47 2019 -04

DC=example,DC=local
   Default-First-Site-Name\ZENTYAL2 via RPC
      DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
      Last attempt @ Thu Jun 13 12:13:47 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
      929 consecutive failure(s).
      Last success @ Tue Jun 11 23:16:59 2019 -04

DC=example,DC=local
   Default-First-Site-Name\ZENTYAL3 via RPC
      DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
      Last attempt @ Thu Jun 13 12:13:49 2019 -04 was successful
      0 consecutive failure(s).
      Last success @ Thu Jun 13 12:13:49 2019 -04

CN=Schema,CN=Configuration,DC=example,DC=local
   Default-First-Site-Name\ZENTYAL2 via RPC
      DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
      Last attempt @ Thu Jun 13 12:13:50 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
      446 consecutive failure(s).
      Last success @ Tue Jun 11 23:16:59 2019 -04

CN=Schema,CN=Configuration,DC=example,DC=local
   Default-First-Site-Name\ZENTYAL3 via RPC
      DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
      Last attempt @ Thu Jun 13 12:13:50 2019 -04 was successful
      0 consecutive failure(s).
      Last success @ Thu Jun 13 12:13:50 2019 -04

CN=Configuration,DC=example,DC=local
   Default-First-Site-Name\ZENTYAL2 via RPC
      DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
      Last attempt @ Thu Jun 13 12:13:50 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
      447 consecutive failure(s).
      Last success @ Tue Jun 11 23:16:59 2019 -04

CN=Configuration,DC=example,DC=local
   Default-First-Site-Name\ZENTYAL3 via RPC
      DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
      Last attempt @ Thu Jun 13 12:13:50 2019 -04 was successful
      0 consecutive failure(s).
      Last success @ Thu Jun 13 12:13:50 2019 -04

==== OUTBOUND NEIGHBORS ====

DC=ForestDnsZones,DC=example,DC=local
   Default-First-Site-Name\ZENTYAL2 via RPC
      DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
      Last attempt @ Thu Jun 13 12:17:26 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
      14 consecutive failure(s).
      Last success @ NTTIME(0)

DC=ForestDnsZones,DC=example,DC=local
   Default-First-Site-Name\ZENTYAL3 via RPC
      DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
      Last attempt @ NTTIME(0) was successful
      0 consecutive failure(s).
      Last success @ NTTIME(0)

DC=DomainDnsZones,DC=example,DC=local
   Default-First-Site-Name\ZENTYAL2 via RPC
      DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
      Last attempt @ Thu Jun 13 12:17:26 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
      14 consecutive failure(s).
      Last success @ NTTIME(0)

DC=DomainDnsZones,DC=example,DC=local
   Default-First-Site-Name\ZENTYAL3 via RPC
      DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
      Last attempt @ NTTIME(0) was successful
      0 consecutive failure(s).
      Last success @ NTTIME(0)

DC=example,DC=local
   Default-First-Site-Name\ZENTYAL2 via RPC
      DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
      Last attempt @ Thu Jun 13 12:17:26 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
      13 consecutive failure(s).
      Last success @ NTTIME(0)

DC=example,DC=local
   Default-First-Site-Name\ZENTYAL3 via RPC
      DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
      Last attempt @ NTTIME(0) was successful
      0 consecutive failure(s).
      Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=example,DC=local
   Default-First-Site-Name\ZENTYAL2 via RPC
      DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
      Last attempt @ Thu Jun 13 12:17:27 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
      14 consecutive failure(s).
      Last success @ NTTIME(0)

CN=Schema,CN=Configuration,DC=example,DC=local
   Default-First-Site-Name\ZENTYAL3 via RPC
      DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
      Last attempt @ NTTIME(0) was successful
      0 consecutive failure(s).
      Last success @ NTTIME(0)

CN=Configuration,DC=example,DC=local
   Default-First-Site-Name\ZENTYAL2 via RPC
      DSA object GUID: 7692d6b0-2684-4f27-937a-08f52be0d4c8
      Last attempt @ Thu Jun 13 12:17:27 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
      14 consecutive failure(s).
      Last success @ NTTIME(0)

CN=Configuration,DC=example,DC=local
   Default-First-Site-Name\ZENTYAL3 via RPC
      DSA object GUID: 2cd36245-dcae-479d-b8d0-b7a8e19caad3
      Last attempt @ NTTIME(0) was successful
      0 consecutive failure(s).
      Last success @ NTTIME(0)

==== KCC CONNECTION OBJECTS ====

Connection --
   Connection name: 36a4786c-c9de-4fc1-b2b7-390c0d7f4dba
   Enabled        : TRUE
   Server DNS name : zentyal2.example.local
   Server DN name  : CN=NTDS Settings,CN=ZENTYAL2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
      TransportType: RPC
      options: 0x00000001
Warning: No NC replicated for Connection!
Connection --
   Connection name: f74e48dd-ca6a-43a3-8c7e-ddba4203a12f
   Enabled        : TRUE
   Server DNS name : zentyal3.example.local
   Server DN name  : CN=NTDS Settings,CN=ZENTYAL3,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=local
      TransportType: RPC
      options: 0x00000001
Warning: No NC replicated for Connection!

basselope

Re: Add record to DNS give error to restart
« Reply #3 on: June 17, 2019, 11:45:25 am »
If 2 (or more) domain controllers are not time synchronised, authentication will fail.

Check the configuration and time on all your domain controllers.

If the setup is correct and consistent, are your controllers physical or virtual machines?

I had a similar problem here - https://forum.zentyal.org/index.php/topic,32364.msg108925.html#msg108925
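A script for the two checks this thread turns on, added here as an example and not code from the thread or from Zentyal: it parses `samba-tool drs showrepl 2>&1` output (the constructed excerpt below mirrors the layout posted above) to list partners failing with WERR_LOGON_FAILURE, and flags hosts whose clock reading (for instance `date +%s` collected from each DC) differs from a reference by more than the 300-second default Kerberos skew tolerance. The host names and epoch values are assumptions.

```python
import re

# Constructed excerpt in the layout of `samba-tool drs showrepl` output (not the thread's own).
SAMPLE = """\
DC=example,DC=local
   Default-First-Site-Name\\ZENTYAL2 via RPC
      Last attempt @ Thu Jun 13 12:13:47 2019 -04 failed, result 1326 (WERR_LOGON_FAILURE)
      929 consecutive failure(s).
      Last success @ Tue Jun 11 23:16:59 2019 -04

DC=example,DC=local
   Default-First-Site-Name\\ZENTYAL3 via RPC
      Last attempt @ Thu Jun 13 12:13:49 2019 -04 was successful
      0 consecutive failure(s).
      Last success @ Thu Jun 13 12:13:49 2019 -04
"""

PARTNER = re.compile(r"^\s+\S+\\(\S+) via RPC")          # "   Site\DCNAME via RPC"
ERROR = re.compile(r"Last attempt @ .* failed, result \d+ \((\w+)\)")
FAILS = re.compile(r"(\d+) consecutive failure")
KRB5_MAX_SKEW = 300  # default clockskew (seconds) in MIT and Heimdal Kerberos

def parse_showrepl(text):
    """Map each replication partner to its worst failure count and last error name."""
    summary, current = {}, None
    for line in text.splitlines():
        m = PARTNER.match(line)
        if m:
            current = summary.setdefault(m.group(1), {"failures": 0, "error": None})
            continue
        if current is None:
            continue
        m = ERROR.search(line)
        if m:
            current["error"] = m.group(1)
        m = FAILS.search(line)
        if m:
            current["failures"] = max(current["failures"], int(m.group(1)))
    return summary

def logon_failed_partners(summary):
    """Partners whose last attempt ended in WERR_LOGON_FAILURE (1326); together with
    kinit reporting 'Clock skew too great', these are the hosts whose clocks to check first."""
    return sorted(p for p, s in summary.items() if s["error"] == "WERR_LOGON_FAILURE")

def skewed_hosts(clocks, reference):
    """Hosts whose epoch time is more than KRB5_MAX_SKEW seconds from `reference`."""
    return sorted(h for h, t in clocks.items() if abs(t - reference) > KRB5_MAX_SKEW)
```

Any partner returned by `logon_failed_partners` that also appears in `skewed_hosts` is the one to resync with NTP before retrying the DNS module restart.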