[Samba] dynamic DNS Updates still failing, re-installed 9 more times, tried everything I could think of, now bald.

Andrew Bartlett abartlet at samba.org
Sun Jun 2 16:14:00 MDT 2013


On Sun, 2013-06-02 at 23:50 +0300, Giedrius wrote:
> 2013.06.02 16:16, Andrew Bartlett wrote:
> > On Sun, 2013-06-02 at 11:52 +0200, steve wrote:
> >> On Sun, 2013-06-02 at 01:46 -0700, Gary Maurizi wrote:
> >>> This is a follow up to my previous...
> >>>
> >>> Thomas, I have tried everything else I can think of, I WAS able to get
> >>> further debugging information out of samba, winbind, bind9_dlz, and what's
> >>> going wrong in this process for us, but I am not a developer I have no way
> >>> of knowing if this will be useful to you or anyone but I figure I should
> >>> put it out so someday this can get fixed, Thanks:
> >>
> >> Hi Gary
> >> I'm no expert but I have dyndns working on openSUSE with 9.9 both from
> >> win7 and Linux clients. Maybe strip your config down to just this, then
> >> add the other stuff afterwards if you get it going?
> >>
> >> 1. Make sure that named is not running chrooted. That was a real gotcha
> >> for me: it's default on openSUSE.
> > This certainly could be the major issue here.  I can imagine this
> > causing no end of drama if folks don't check for it. 
> >
> >> 2. for now, chown -R named.named /var/lib/named
> > I certainly agree, for now (try and restore a more secure set of
> > permissions later, but it is very worthwhile to test and rule out). 
> >
> >> 3. Use minimum options /etc/named.conf
> >>
> >> options {
> >> 	directory "/var/lib/named";
> >> 	managed-keys-directory "/var/lib/named/dyn";
> >> 	notify no;
> >> 	tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> >> };
> >> include  "/usr/local/samba/private/named.conf";
> Also add:
>          tkey-domain "<KRB5 REALM>";
>          tkey-gssapi-credential "<DNS principal>";
> 
>          BIND9 in openSUSE seems to require this to enable GSSAPI

If that's required, then I think you have an older version of bind that
is known to be incredibly painful to configure for GSS-TSIG. 

>          Also try hard-linking /usr/local/samba/private/dns.keytab to
> /etc/krb5.keytab....

I really wouldn't do that. 

>          Somewhere in the mailing lists there was a report bind9 is
> always using system default keytab
>          If you get errors loading krb5 principal after specifying
> tkey-gssapi-credential, you might need to regenerate the dns.keytab
> (changed password ?)

Which version is this?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
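
The two keytab concerns raised in this thread (the suggested hard link of dns.keytab to /etc/krb5.keytab, and restoring tighter permissions after the test chown) can be checked with a short script. This is an added example, not part of the original messages or of Samba's tooling; the function name `audit_keytab`, the finding labels and the permission policy are assumptions, and the default paths are the ones quoted above.

```shell
#!/bin/sh
# Added example: audit a DNS keytab for hard links and loose permissions.
# audit_keytab KEYTAB [SYSTEM_KEYTAB]   (hypothetical helper name)
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if missing.
audit_keytab() {
    kt=$1
    sys=${2:-/etc/krb5.keytab}
    findings=0

    if [ ! -f "$kt" ]; then
        echo "MISSING: $kt is not a regular file"
        return 2
    fi

    # A link count above 1 means the same key material is reachable
    # under another name, possibly one with a wider set of readers.
    if [ -n "$(find "$kt" -links +1)" ]; then
        echo "HARDLINK: $kt has more than one directory entry"
        findings=$((findings + 1))
    fi

    # Same file as the host keytab: the DNS service key is exposed to
    # everything that reads the system default keytab.
    if [ -e "$sys" ] && [ "$kt" -ef "$sys" ]; then
        echo "SHARED: $kt and $sys are the same file"
        findings=$((findings + 1))
    fi

    # Assumed policy: owner read/write, group read only, nothing for others.
    if [ -n "$(find "$kt" \( -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
        echo "MODE: $kt is group-writable or accessible to others"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Run the audit only when a path is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_keytab "$@"
fi
```

Run it as root against `/usr/local/samba/private/dns.keytab` once dynamic updates work, before and after tightening the ownership changed for testing.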



