[Samba] Bind DNS Issues

David Minard david at scem.uws.edu.au
Tue Oct 27 03:57:54 UTC 2015


G'day All,

     I'm running up Samba 4.2.3 with 4 DCs on CentOS 7.  There are no 
changes to the default smb.conf file that gets created at provision/DC 
join.  "samba-tool drs showrepl" shows all DCs replicating in and out.  
"samba-tool dbcheck" shows no errors.

     See below for named.conf.

     I'm having two issues.

     1)  After bind first starts up (systemctl restart/start bind), and 
I watch its log, I start getting these messages:

27-Oct-2015 10:12:39.820 update-security: error: client IP1#62177: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:21:11.541 update-security: error: client IP2#54301: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:29:03.733 update-security: error: client IP3#64620: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:29:03.955 update-security: error: client IP3#64354: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:32:40.810 update-security: error: client IP4#58684: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:41:29.432 update-security: error: client IP5#54505: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:44:12.265 update-security: error: client IP1#56374: update 'samba4.scem.westernsydney.edu.au/IN' denied

     If I reload bind (systemctl reload bind), the messages stop.

     Any idea why this might be?  Are these messages an issue?


     2)  When a new Windows client joins the domain, sometimes its DNS 
entry takes a day to appear.  Other times an hour or so, and other times 
near to immediately.  The AD in question is only under extremely light 
load, as it is only being tested at the moment in the hope that it will 
replace our existing AD next year.

     What could be causing the DNS entry to not be added immediately all 
the time?  Is it related to question 1?


Named.conf: - with minor sanitising to remove IP addresses;

acl "SCEM"    { KWD_Internal_Nets; PTA_Internal_Nets; CTN_Internal_Nets; 
KWD_Private_Labs_Nets; PTA_Private_Labs_Nets; KWD_Private_Staff_Nets; 
KWD_Private_Solarcar_Nets; IC2_Internal_Nets; IC2_Private_Nets; };

#acl "Server_ADM_Network" { server_adm; };

options {
     directory "/local/etc/named";
     allow-transfer { none; };
     notify yes;
     forward only;
     allow-query { SCEM; };
# Samba4
         tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

     forwarders {
         IP.of.non-ad.dns1;
         IP.of.non-ad.dns2;
         IP.of.non-ad.dns3;
         IP.of.non-ad.dns4;
     };
};

logging{
   channel simple_log {
     file "/var/log/named.log" versions 3 size 5m;
     severity warning;
     print-time yes;
     print-severity yes;
     print-category yes;
   };
   category default{
     simple_log;
   };
};


# Master Zones

#  Samba4
     include "/usr/local/samba/private/named.conf";

     zone "." in {
         type hint;
         file "var/named.cache";
     };

     zone "0.0.127.in-addr.arpa" in {
         type master;
         allow-update { none; };
         notify no;
         file "master/localhost.rev";
     };

-- 

Cheers,
David Minard.
Ph:    0247 360 155
Fax:    0247 360 770

School of Computing, Engineering, and Mathematics
Western Sydney University
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC
NSW 1797

[Sometimes waking up just isn't worth the insult of the day to come.]
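
As an added example (not part of the original post): a small Python tally of the `update-security ... denied` entries in the format quoted above, grouped by client and zone, with a count of denials logged after a given reload time so the "messages stop after reload" observation can be checked against the log. The sample lines, addresses, zone name and reload time are constructed; entries wrapped onto a second line, as in the mail, are rejoined first.

```python
import re
from datetime import datetime

TS_FMT = "%d-%b-%Y %H:%M:%S.%f"
TS_START = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} ")
# Denial format as quoted in the post: timestamp, category, client#port, 'zone/class'.
DENIED = re.compile(
    r"^(?P<ts>\S+ \S+) update-security: error: "
    r"client (?P<client>[^#\s]+)#\d+: update '(?P<zone>[^']+)' denied$"
)

# Constructed sample (documentation addresses, made-up zone); first entry is mail-wrapped.
SAMPLE = """\
27-Oct-2015 10:12:39.820 update-security: error: client 192.0.2.11#62177:
update 'ad.example.test/IN' denied
27-Oct-2015 10:21:11.541 update-security: error: client 192.0.2.12#54301: update 'ad.example.test/IN' denied
27-Oct-2015 10:44:12.265 update-security: error: client 192.0.2.11#56374: update 'ad.example.test/IN' denied
27-Oct-2015 10:50:00.000 general: warning: unrelated constructed line
27-Oct-2015 11:05:30.100 update-security: error: client 192.0.2.12#50000: update 'ad.example.test/IN' denied
""".splitlines()
RELOAD_AT = datetime(2015, 10, 27, 11, 0, 0)  # constructed reload time


def unwrap(lines):
    """Rejoin entries whose tail was wrapped onto a line with no timestamp."""
    entries = []
    for line in (raw.strip() for raw in lines):
        if not line:
            continue
        if TS_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def summarize(lines, reload_at=None):
    """Per (client, zone): denial count, first/last time, denials after reload_at."""
    stats = {}
    for entry in unwrap(lines):
        m = DENIED.match(entry)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        s = stats.setdefault((m["client"], m["zone"]),
                             {"count": 0, "first": ts, "last": ts, "after_reload": 0})
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
        s["after_reload"] += bool(reload_at and ts > reload_at)
    return stats


if __name__ == "__main__":
    for (client, zone), s in sorted(summarize(SAMPLE, RELOAD_AT).items()):
        print(client, zone, s["count"], s["first"], s["last"], s["after_reload"])
```
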

