DNS update from s3 to s4, working with nsupdate, fails with net ads dns register

Gémes Géza geza at kzsdabas.hu
Thu Nov 3 13:38:47 MDT 2011


On 2011-11-03 17:39, Michael Croes wrote:
>
> Thanks for your response, will have to try a newer Samba release then...
> Regards,
>
> Michael
>
> On 3 Nov 2011 17:35, "Gémes Géza" <geza at kzsdabas.hu> wrote the following:
>
>     On 2011-11-03 16:30, Michael Croes wrote:
>     > Dear list,
>     >
>     > I hate to respond to myself again, but I think I might've found (part
>     > of) the reason for the failing DNS updates. It seems that the DLZ
>     > module doesn't respond to SOA requests. I've verified (using
>     > ldbsearch) that the SOA record is actually there, however a DNS
>     > request for the SOA record just results in a SERVFAIL, with no errors
>     > logged (neither bind nor samba). It seems that at least
>     > samba_dnsupdate needs this SOA record, this doesn't change anything
>     > about 'net ads dns register' failing when I use the provision
>     > generated named.conf though.
>     >
>     > Could anyone using the DLZ module verify existence of the SOA record
>     > (dig @dc.sam.dom SOA sam.dom)? I'm using the Samba alpha 17 shipped
>     > with Ubuntu Oneiric, so I can imagine different behaviour in a newer
>     > release.
>     > Regards,
>     >
>     > Michael
>     >
>     > 2011/11/3 Michael Croes <mycroes at gmail.com>:
>     >> Dear list,
>     >>
>     >> I've been struggling to get DNS updates working properly. Now there are
>     >> two situations I tested, with the DLZ module and with an old provision
>     >> generated named.conf. My test clients are net from Samba 3.5.11
>     >> (however this behaves the same as 3.5.8 for me) and nsupdate 9.7.3.
>     >> With net I can get no satisfying result at all (just 'DNS update
>     >> failed!'), but with nsupdate I can get further.
>     >>
>     >> I'm using the following to test with nsupdate (keytab exported with
>     >> samba-tool and copied to s3 host):
>     >> mycroes at mater:~$ kinit -k -t dns.keytab -S DNS/mijlweg.visser.eu mater\$@MIJLWEG.VISSER.EU
>     >> mycroes at mater:~$ nsupdate -g
>     >>> server adc.mijlweg.visser.eu
>     >>> zone mijlweg.visser.eu.
>     >>> update add mater.mijlweg.visser.eu.   86400   IN      A       172.16.1.222
>     >>> send
>     >> With the DLZ module loaded, this results in the following error:
>     >> could not find enclosing zone
>     >>
>     >> Without DLZ (using the generated named.conf inclusion), this will
>     >> properly update the DNS entry.
>     >>
>     >> I understand that this procedure might not be close enough to the 'net
>     >> ads dns register' command to warrant a bughunt, but I hope the
>     >> developer who wrote the dns register part might be able to point me to
>     >> a more precise test.
>     >>
>     >> Some more information that might prove useful: when bind is running
>     >> without the DLZ module I 'constantly' see XP clients updating their
>     >> DNS records successfully, with the DLZ module loaded I don't see any
>     >> update log messages at all. The bind version I'm using is 9.9.0 from
>     >> Hauke Lampe's PPA. As for the bind configuration I have the following:
>     >>
>     >> named.conf.options:
>     >>
>     >> options {
>     >>  ...
>     >>
>     >>  tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>     >> };
>     >>
>     >> (Just a single kerberos reference in the entire file)
>     >>
>     >> named.conf.local:
>     >>
>     >> dlz "AD DNS Zone" {
>     >>  database "dlopen /usr/lib/i386-linux-gnu/samba/libdlz_bind9.so";
>     >> };
>     >>
>     >> //include "/var/lib/samba/private/named.conf";
>     >>
>     >> logging {
>     >>        channel samba {
>     >>                file "/var/log/named/bind.log";
>     >>                severity debug 5;
>     >>                print-time yes;
>     >>                print-category yes;
>     >>        };
>     >>        category update {
>     >>                samba;
>     >>        };
>     >>        category update-security {
>     >>                samba;
>     >>        };
>     >> };
>     >>
>     >> (Commenting either dlz or the include statement for testing)
>     >>
>     >> Regards,
>     >>
>     >> Michael Croes
>     >>
>     Hi,
>
>     My samba4 (4.0.0alpha18-GIT-6b06b0d) and bind9 (9.8.1) with dlz-dlopen
>     give the expected response to that query, returning the correct SOA.
>
>     Cheers
>
>     Geza
>
Is your samba4 from a packaged source (I have never been successful in
using Debian/Ubuntu packages for samba4 yet)?
From when I abandoned trying to fix the debs and started using git versions,
everything is working as it is supposed to (of course the unimplemented parts
don't ;-) )

Cheers

Geza
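A small diagnostic script, added here as an example (it is not code from the thread, from Samba or from BIND), that separates the two things Michael tested above: whether the zone apex answers an SOA query at all (the DLZ case that came back SERVFAIL, which samba_dnsupdate cannot work with) and, only if it does, whether a GSS-TSIG update via nsupdate -g then succeeds. The zone, DC, host, keytab and principal names are placeholders; the classifier parses dig's comment header and is exercised against constructed responses so the helpers can be checked without a domain controller reachable.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba/BIND. It first checks
# whether the zone apex answers an SOA query, then attempts a GSS-TSIG update
# with nsupdate -g the way the quoted session does. All values below are
# placeholders, not a real domain.
ZONE="${ZONE:-sam.dom}"
DC="${DC:-dc.sam.dom}"
HOST_LABEL="${HOST_LABEL:-testhost}"
HOST_IP="${HOST_IP:-172.16.1.222}"
KEYTAB="${KEYTAB:-dns.keytab}"
PRINC="${PRINC:-testhost\$@SAM.DOM}"

# Classify a dig response (run with +comments so the HEADER line is present).
# Prints "ok" when the status is NOERROR and the answer section carries an
# SOA RR, "servfail" when the server returned SERVFAIL (the symptom reported
# for the DLZ module), and "other" for anything else (NXDOMAIN, REFUSED,
# NOERROR without an SOA answer).
classify_soa_response() {
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo servfail ;;
        NOERROR)
            if printf '%s\n' "$1" | grep -Eq '[[:space:]]IN[[:space:]]+SOA[[:space:]]'; then
                echo ok
            else
                echo other
            fi ;;
        *) echo other ;;
    esac
}

# Build the nsupdate batch for one A record, mirroring the interactive session
# quoted in the thread. Deleting the name first makes the run repeatable; the
# 86400 TTL is the one used in that session.
build_update_script() {
    zone="$1"; label="$2"; ip="$3"; server="$4"
    printf 'server %s\nzone %s.\nupdate delete %s.%s. A\nupdate add %s.%s. 86400 IN A %s\nsend\n' \
        "$server" "$zone" "$label" "$zone" "$label" "$zone" "$ip"
}

# Live procedure; only runs when invoked with --live, so the helpers above can
# be used (and tested) without a DC reachable.
live_check() {
    resp=$(dig "@$DC" "$ZONE" SOA +noall +comments +answer)
    verdict=$(classify_soa_response "$resp")
    if [ "$verdict" != ok ]; then
        echo "SOA lookup for $ZONE at $DC returned: $verdict; fix the zone before trying updates" >&2
        return 1
    fi
    # Same ticket acquisition as the thread: a keytab plus a service ticket for
    # the DC's DNS service principal, then nsupdate -g for GSS-TSIG.
    kinit -k -t "$KEYTAB" -S "DNS/$DC" "$PRINC" || return 1
    build_update_script "$ZONE" "$HOST_LABEL" "$HOST_IP" "$DC" | nsupdate -g
}

# Constructed sample responses (not captured from a real server) used to
# exercise the classifier offline.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; ANSWER SECTION:
sam.dom.    3600    IN    SOA    dc.sam.dom. hostmaster.sam.dom. 1 900 600 86400 3600'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243'

if [ "${1:-}" = --live ]; then
    live_check
fi
```

Running it with `--live` performs the real check; without arguments it only defines the helpers. A "servfail" verdict on the SOA query points at the zone backend (the DLZ module in the thread), while an "ok" verdict followed by a failing nsupdate points at the GSS-TSIG path (keytab, tkey-gssapi-keytab, update policy), which is the distinction the thread was trying to draw.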

