DNS update from s3 to s4, working with nsupdate, fails with net ads dns register

Michael Croes mycroes at gmail.com
Thu Nov 3 06:21:25 MDT 2011 

Dear list,

I've been struggling to get DNS updates working properly. Now there's
two situations I tested, with the DLZ module and with an old provision
generated named.conf. My test clients are net from Samba 3.5.11
(however this behaves the same as 3.5.8 for me) and nsupdate 9.7.3.
With net I can get no satisfying result at all (just 'DNS update
failed!'), but with nsupdate I can get further.

I'm using the following to test with nsupdate (keytab exported with
samba-tool and copied to s3 host):
mycroes at mater:~$ kinit -k -t dns.keytab -S DNS/mijlweg.visser.eu
mater\$@MIJLWEG.VISSER.EU
mycroes at mater:~$ nsupdate -g
> server adc.mijlweg.visser.eu
> zone mijlweg.visser.eu.
> update add mater.mijlweg.visser.eu.   86400	IN	A	172.16.1.222
> send

With the DLZ module loaded, this results in the following error:
could not find enclosing zone

Without DLZ (using the generated named.conf inclusion), this will
properly update the DNS entry.

I understand that this procedure might not be close enough to the 'net
ads dns register' command to warrant a bughunt, but I hope the
developer who wrote the dns register part might be able to point me to
a more precise test.

Some more information that might prove useful: when bind is running
without the DLZ module I 'constantly' see XP clients updating their
DNS records successfully, with the DLZ module loaded I don't see any
update log messages at all. The bind version I'm using is 9.9.0 from
Hauke Lampe's PPA. As for the bind configuration I have the following:

named.conf.options:

options {
  ...

  tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

(Just a single kerberos reference in the entire file)

named.conf.local:

dlz "AD DNS Zone" {
  database "dlopen /usr/lib/i386-linux-gnu/samba/libdlz_bind9.so";
};

//include "/var/lib/samba/private/named.conf";

logging {
        channel samba {
                file "/var/log/named/bind.log";
                severity debug 5;
                print-time yes;
                print-category yes;
        };
        category update {
                samba;
        };
        category update-security {
                samba;
        };
};

(Commenting either dlz or the include statement for testing)

Regards,

Michael Croes

More information about the samba-technical mailing list