Samba 4.0 DNS configuration

Trever L. Adams trever.adams at gmail.com
Sun Jun 12 17:04:40 MDT 2011


On 06/11/2011 08:42 PM, Andrew Bartlett wrote:
>
> This isn't an issue with Samba 3.6, but with BIND and the Samba4 zone
> you have loaded. 
>
> The most reliable way to fix this is to upgrade to Bind 9.8 and change
> the gssapi settings in the name.conf to only:
Ok, I am using bind 9.8.0 (bind-9.8.0-5.P2.fc15.x86_64).
> tkey-gssapi-keytab /path/to/dns.keytab
>
So, tkey-gssapi-credential is gone and tkey-domain is gone? Done.
> This should then work much more reliably.  Your DNS zone is also showing
> a bug we had for ages, where the first line contained only the realm
> where it should be your server's full hostname.  (see the following line
> in the new zone template).  
>
> @               IN SOA  hostname.realm   hostmaster (
No, the DNS zone is correct. It may be showing up a bit weird as this
machine isn't set up, even for itself, as the resolving host
(/etc/resolv.conf). It points to another machine that acts as the site's
DNS server, but which then refers to this one for this subdomain.
> I suspect your provision is old, so perhaps upgrade to a current Samba4
> git checkout and reprovision (if possible).  If you can't reprovision,
> ensure that the servicePrincipalNames attribute on the 'cn=dns' user has
> a value of DNS/hostname.realm
>
> Andrew Bartlett
Is it possible for upgrade provision to be setup to search for all of
these and fix them (actually to bring anything current)? I am using
Version 4.0.0alpha16-GIT-516dc40.

I am having a problem following the last part of your instructions. I
have CN=DNSAdmins, Dns-Node, Dns-UpdateProxy, DNS-Zone, and
DNS-Hostname. Dns-Hostname may be what you are referring to, but it
already has the DNS/hostname.realm SPN as well as SPN DNS/realm.

All of this still fails.
client 10.0.0.21#55048: new TCP connection
client 10.0.0.21#55048: replace
clientmgr @0x7f11fc32f3b8: createclients
clientmgr @0x7f11fc32f3b8: create new
client @0x7f11f00021e0: create
client 10.0.0.21#55048: read
client 10.0.0.21#55048: TCP request
client 10.0.0.21#55048: using view '_default'
client 10.0.0.21#55048: request is not signed
client 10.0.0.21#55048: recursion available
client 10.0.0.21#55048: update
client 10.0.0.21#55048: ns_client_attach: ref = 1
client @0x7f11f00021e0: accept
client 10.0.0.21#55048: updating zone 'srealm-zone/IN': update
unsuccessful: HOST_FQDN/A: 'RRset exists (value dependent)' prerequisite
not satisfied (NXRRSET)
client 10.0.0.21#55048: updating zone 'srealm-zone/IN': rolling back
client 10.0.0.21#55048: send
client 10.0.0.21#55048: sendto
client 10.0.0.21#55048: senddone
client 10.0.0.21#55048: next
client 10.0.0.21#55048: ns_client_detach: ref = 0
client 10.0.0.21#55048: endrequest
client 10.0.0.21#55048: read
client 10.0.0.21#55048: TCP request
client 10.0.0.21#55048: using view '_default'
client 10.0.0.21#55048: request is not signed
client 10.0.0.21#55048: recursion available
client 10.0.0.21#55048: update
client 10.0.0.21#55048: ns_client_attach: ref = 1
client 10.0.0.21#55048: updating zone 'srealm-zone/IN': prerequisites are OK
client 10.0.0.21#55048: updating zone 'srealm-zone/IN': update failed:
rejected by secure update (REFUSED)
client 10.0.0.21#55048: updating zone 'srealm-zone/IN': rolling back
client 10.0.0.21#55048: send
client 10.0.0.21#55048: sendto
client 10.0.0.21#55048: senddone
client 10.0.0.21#55048: next
client 10.0.0.21#55048: ns_client_detach: ref = 0
client 10.0.0.21#55048: endrequest
client 10.0.0.21#55048: read
client 10.0.0.21#55049: new TCP connection
client 10.0.0.21#55049: replace
clientmgr @0x7f11fc32f3b8: createclients
clientmgr @0x7f11fc32f3b8: create new
client @0x7f11f0002900: create
client 10.0.0.21#55049: read
client @0x7f11f0002900: accept
client 10.0.0.21#55049: next
client 10.0.0.21#55049: request failed: end of file
client 10.0.0.21#55049: endrequest
client 10.0.0.21#55049: closetcp
client 10.0.0.21#55051: new TCP connection
client 10.0.0.21#55051: replace
clientmgr @0x7f11fc32f3b8: createclients
clientmgr @0x7f11fc32f3b8: recycle
client 10.0.0.21#55051: read
client @0x7f11f00021e0: accept
client 10.0.0.21#55051: next
client 10.0.0.21#55051: request failed: end of file
client 10.0.0.21#55051: endrequest
client 10.0.0.21#55051: closetcp
client 10.0.0.21#55048: next
client 10.0.0.21#55048: request failed: end of file
client 10.0.0.21#55048: endrequest
client 10.0.0.21#55048: closetcp

This is kinit as the machine. Same as administrator. One more thing to
note: I do not know whether, where the A update failed, it should be trying
AAAA, but this machine does have IPv6 addresses on eth0.

I guess you now know that my servers are Samba 4. The other machines I
am trying to net ads dns register with are joined to the domain. Samba 3
is samba-3.5.8-68.fc15.1.x86_64. Bind version is above.

Thank you for any help,
Trever
-- 
"In protocol design, perfection has been reached not when there is
nothing left to add, but when there is nothing left to take away." --
RFC1925: The Twelve Networking Truths

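The named debug output above shows two distinct failure modes: an unsigned update that fails a prerequisite (NXRRSET) and an unsigned update that is "rejected by secure update" (REFUSED). The following script is an added example, not part of the thread or of Samba or BIND; it parses named's client debug lines into per-update records that carry the request's signing state, summarises them with a plain-language reading of each RCODE, and separately flags a named.conf that still carries the pre-9.8 tkey-gssapi-credential / tkey-domain options instead of only tkey-gssapi-keytab, as Andrew recommends. The log sample is a trimmed copy of the output quoted in the mail with the wrapped line rejoined; the two named.conf fragments, the file path and the realm value are constructed, and the "request is signed" / "request has invalid signature" message prefixes are assumed from named's client debug channel (only "request is not signed" appears on the page).

```python
"""Triage helper for BIND dynamic-update failures against a Samba 4 zone."""
import re
from collections import Counter

# Constructed sample input: a trimmed copy of the named debug output quoted in
# the thread, with the one wrapped line joined back together.
SAMPLE_LOG = """\
client 10.0.0.21#55048: using view '_default'
client 10.0.0.21#55048: request is not signed
client 10.0.0.21#55048: update
client 10.0.0.21#55048: updating zone 'srealm-zone/IN': update unsuccessful: HOST_FQDN/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
client 10.0.0.21#55048: updating zone 'srealm-zone/IN': rolling back
client 10.0.0.21#55048: request is not signed
client 10.0.0.21#55048: update
client 10.0.0.21#55048: updating zone 'srealm-zone/IN': prerequisites are OK
client 10.0.0.21#55048: updating zone 'srealm-zone/IN': update failed: rejected by secure update (REFUSED)
client 10.0.0.21#55048: updating zone 'srealm-zone/IN': rolling back
"""

# Constructed named.conf fragments: the older GSS-TSIG options alongside the
# keytab option, and the single option the thread recommends for BIND 9.8.
# Path and realm are placeholders.
OLD_NAMED_CONF = """\
options {
    tkey-gssapi-credential "DNS/hostname.realm";
    tkey-domain "REALM";
    tkey-gssapi-keytab "/path/to/dns.keytab";
};
"""
NEW_NAMED_CONF = """\
options {
    tkey-gssapi-keytab "/path/to/dns.keytab";
};
"""

LINE_RE = re.compile(r"^client (?P<peer>\S+): (?P<msg>.*)$")
# Matches both "update failed: <reason> (RCODE)" and
# "update unsuccessful: <reason> (RCODE)"; the trailing (RCODE) is all caps,
# so the parenthesised "(value dependent)" inside a reason is not mistaken for it.
FAIL_RE = re.compile(
    r"updating zone '(?P<zone>[^']+)': update (?:failed|unsuccessful): "
    r"(?P<reason>.*) \((?P<rcode>[A-Z]+)\)$"
)


def parse_update_failures(log_text):
    """Return one record per failed dynamic update, annotated with the
    signing state named reported for that client's request."""
    signed_state = {}  # peer -> True / False / None (not yet seen)
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        peer, msg = m.group("peer"), m.group("msg")
        # "request is not signed" is verbatim from the page; the other two
        # prefixes are assumed from named's client debug messages.
        if msg == "request is signed":
            signed_state[peer] = True
        elif msg == "request is not signed" or msg.startswith("request has invalid signature"):
            signed_state[peer] = False
        f = FAIL_RE.search(msg)
        if f:
            failures.append({
                "peer": peer,
                "zone": f.group("zone"),
                "reason": f.group("reason"),
                "rcode": f.group("rcode"),
                "signed": signed_state.get(peer),
            })
    return failures


def summarize(failures):
    """Counts per RCODE plus a plain-language reading of what each one means."""
    counts = Counter(f["rcode"] for f in failures)
    hints = []
    if any(f["rcode"] == "REFUSED" and f["signed"] is False for f in failures):
        hints.append("unsigned update rejected by the zone's secure-update policy: "
                     "no GSS-TSIG identity reached named, so check the client's "
                     "Kerberos ticket and named's tkey-gssapi-keytab")
    if counts.get("NXRRSET"):
        hints.append("prerequisite failure: the client required an RRset that is "
                     "not present with that value; this is a zone-content mismatch, "
                     "not an authorization failure")
    return {"counts": dict(counts), "hints": hints}


OBSOLETE_TKEY_OPTIONS = ("tkey-gssapi-credential", "tkey-domain")


def check_tkey_options(conf_text):
    """Flag the older GSS-TSIG options and a missing tkey-gssapi-keytab."""
    findings = []
    for opt in OBSOLETE_TKEY_OPTIONS:
        if re.search(rf"^\s*{re.escape(opt)}\s", conf_text, re.M):
            findings.append(f"{opt} present: remove it and rely on tkey-gssapi-keytab only")
    if not re.search(r'^\s*tkey-gssapi-keytab\s+"[^"]+"\s*;', conf_text, re.M):
        findings.append("tkey-gssapi-keytab missing: named cannot accept GSS-TSIG updates")
    return findings


if __name__ == "__main__":
    fails = parse_update_failures(SAMPLE_LOG)
    for f in fails:
        print(f"{f['peer']} {f['zone']} {f['rcode']} signed={f['signed']}: {f['reason']}")
    print(summarize(fails))
    print("old conf:", check_tkey_options(OLD_NAMED_CONF))
    print("new conf:", check_tkey_options(NEW_NAMED_CONF))
```

Run it against a real named debug log by replacing SAMPLE_LOG with the file contents; the signing state is tracked per client address and port, so interleaved TCP connections such as the 55048/55049/55051 sequence in the mail are kept apart.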