[Samba] BIND9_DLZ disallows ddns updates
steve
steve at steve-ss.com
Sat Sep 14 15:22:08 MDT 2013
Version 4.2.0pre1-GIT-20999fc
openSUSE BIND9.9.3
Hi
We're getting refusal of ddns updates using nsupdate from a client
sending the updates from sssd:
2013-09-14T22:53:36.517230+02:00 hh16 named[11055]: samba_dlz: starting transaction on zone hh3.site
2013-09-14T22:53:36.522244+02:00 hh16 named[11055]: samba_dlz: disallowing update of signer=CATRAL$@HH3.SITE name=catral.hh3.site type=A error=insufficient access rights
2013-09-14T22:53:36.522283+02:00 hh16 named[11055]: client 192.168.1.21#40836/key CATRAL$@HH3.SITE: updating zone 'hh3.site/NONE': update failed: rejected by secure update (REFUSED)
2013-09-14T22:53:36.522310+02:00 hh16 named[11055]: samba_dlz: cancelling transaction on zone hh3.site
CATRAL is a Linux client which is joined successfully to the domain.
CATRAL$ is the machine key created in /etc/krb5.keytab when we joined
the domain.
/etc/named.conf:
options {
    directory "/var/lib/named";
    managed-keys-directory "/var/lib/named/dyn/";
    forwarders { 192.168.1.1; };
    notify no;
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";
It starts fine:
2013-09-14T23:12:39.763122+02:00 hh16 named[11513]: Loading 'AD DNS Zone' using driver dlopen
2013-09-14T23:12:40.165286+02:00 hh16 named[11513]: samba_dlz: started for DN DC=hh3,DC=site
2013-09-14T23:12:40.166355+02:00 hh16 named[11513]: samba_dlz: starting configure
2013-09-14T23:12:40.166993+02:00 hh16 named[11513]: samba_dlz: configured writeable zone '1.168.192.in-addr.arpa'
2013-09-14T23:12:40.168235+02:00 hh16 named[11513]: samba_dlz: configured writeable zone 'hh3.site'
2013-09-14T23:12:40.169545+02:00 hh16 named[11513]: samba_dlz: configured writeable zone '_msdcs.hh3.site'
smb.conf:
[global]
    workgroup = HH3
    realm = HH3.SITE
    netbios name = HH16
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbbind, ntp_signd, kcc, dnsupdate
    idmap_ldb:use rfc2307 = yes
[netlogon]
    path = /usr/local/samba/var/locks/sysvol/hh3.site/scripts
    read only = No
[sysvol]
    path = /usr/local/samba/var/locks/sysvol
    read only = No
What's missing?
Thanks,
Steve
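The refusal above is logged as a pair of lines: a samba_dlz line naming the signer, the record and the ACL error, followed by a named client line carrying the source address and zone. The following is an added example, not code from the post or from Samba, that parses these two line formats over a constructed sample (the post's lines rejoined as syslog writes them), correlates them by the signing key, and checks whether the machine account is writing its own host record; the field names and the Refusal class are assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the post's named/samba_dlz lines, one log record per line.
SAMPLE_LOG = """\
2013-09-14T22:53:36.517230+02:00 hh16 named[11055]: samba_dlz: starting transaction on zone hh3.site
2013-09-14T22:53:36.522244+02:00 hh16 named[11055]: samba_dlz: disallowing update of signer=CATRAL$@HH3.SITE name=catral.hh3.site type=A error=insufficient access rights
2013-09-14T22:53:36.522283+02:00 hh16 named[11055]: client 192.168.1.21#40836/key CATRAL$@HH3.SITE: updating zone 'hh3.site/NONE': update failed: rejected by secure update (REFUSED)
2013-09-14T22:53:36.522310+02:00 hh16 named[11055]: samba_dlz: cancelling transaction on zone hh3.site
"""

# samba_dlz refusal: who signed, which record, which type, and the ACL error text.
DISALLOW_RE = re.compile(
    r"^(?P<ts>\S+) \S+ named\[\d+\]: samba_dlz: disallowing update of "
    r"signer=(?P<signer>\S+) name=(?P<name>\S+) type=(?P<rtype>\S+) error=(?P<error>.*)$")
# named's own line for the same GSS-TSIG update: client address, key name, zone, outcome.
CLIENT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ named\[\d+\]: client (?P<ip>[\d.]+)#\d+/key (?P<key>\S+): "
    r"updating zone '(?P<zone>[^']+)': update failed: (?P<reason>.*)$")

@dataclass
class Refusal:  # assumed structure for one correlated refusal
    signer: str
    name: str
    rtype: str
    error: str
    client_ip: Optional[str] = None
    zone: Optional[str] = None

    def signer_matches_name(self) -> bool:
        # CATRAL$@HH3.SITE -> host "catral"; compare with the record's first label.
        # A machine account writing a record for a different host is a common reason
        # for this refusal; a match means the cause lies elsewhere (rights, keytab).
        host = self.signer.split("@", 1)[0].rstrip("$").lower()
        return self.name.split(".", 1)[0].lower() == host

def parse_refusals(text: str) -> List[Refusal]:
    refusals: List[Refusal] = []
    pending: Optional[Refusal] = None
    for line in text.splitlines():
        m = DISALLOW_RE.match(line)
        if m:
            pending = Refusal(m["signer"], m["name"], m["rtype"], m["error"])
            refusals.append(pending)
            continue
        m = CLIENT_RE.match(line)
        if m and pending is not None and m["key"] == pending.signer:
            pending.client_ip, pending.zone = m["ip"], m["zone"]
            pending = None  # the client line closes this refusal
    return refusals
```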