[Samba] Bind DNS Issues
David Minard
david at scem.uws.edu.au
Tue Oct 27 03:57:54 UTC 2015
G'day All,
I'm running up Samba 4.2.3 with 4 DCs on CentOS 7. There are no
changes to the default smb.conf file that gets created at provision/DC
join. "samba-tool drs showrepl" shows all DCs replicating in and out.
"samba-tool dbcheck" shows no errors.
See below for named.conf.
I'm having two issues.
1) After bind first starts up (systemctl restart/start bind), and
I watch its log, I start getting these messages:
27-Oct-2015 10:12:39.820 update-security: error: client IP1#62177:
update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:21:11.541 update-security: error: client IP2#54301:
update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:29:03.733 update-security: error: client IP3#64620:
update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:29:03.955 update-security: error: client IP3#64354:
update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:32:40.810 update-security: error: client IP4#58684:
update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:41:29.432 update-security: error: client IP5#54505:
update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:44:12.265 update-security: error: client IP1#56374:
update 'samba4.scem.westernsydney.edu.au/IN' denied
If I reload bind (systemctl reload bind), the messages stop.
Any idea why this might be? Are these messages an issue?
2) When a new Windows client joins the domain, sometimes its DNS
entry takes a day to appear. Other times an hour or so, and other times
near to immediately. The AD in question is only under extremely light
load, as it is only being tested at the moment in the hope that it will
replace our existing AD next year.
What could be causing the DNS entry to not be added immediately all
the time? Is it related to question 1?
Named.conf: - with minor sanitising to remove IP addresses;
acl "SCEM" { KWD_Internal_Nets; PTA_Internal_Nets; CTN_Internal_Nets;
    KWD_Private_Labs_Nets; PTA_Private_Labs_Nets; KWD_Private_Staff_Nets;
    KWD_Private_Solarcar_Nets; IC2_Internal_Nets; IC2_Private_Nets; };
#acl "Server_ADM_Network" { server_adm; };

options {
    directory "/local/etc/named";
    allow-transfer { none; };
    notify yes;
    forward only;
    allow-query { SCEM; };
    # Samba4
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
    forwarders {
        IP.of.non-ad.dns1;
        IP.of.non-ad.dns2;
        IP.of.non-ad.dns3;
        IP.of.non-ad.dns4;
    };
};

logging{
    channel simple_log {
        file "/var/log/named.log" versions 3 size 5m;
        severity warning;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category default{
        simple_log;
    };
};

# Master Zones
# Samba4
include "/usr/local/samba/private/named.conf";

zone "." in {
    type hint;
    file "var/named.cache";
};

zone "0.0.127.in-addr.arpa" in {
    type master;
    allow-update { none; };
    notify no;
    file "master/localhost.rev";
};
--
Cheers,
David Minard.
Ph: 0247 360 155
Fax: 0247 360 770
School of Computing, Engineering, and Mathematics
Western Sydney University
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC
NSW 1797
[Sometimes waking up just isn't worth the insult of the day to come.]
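
Added example, not part of the original post: a small Python parser that groups the "update ... denied" records from a named log by client and zone, so the clients being refused can be compared with the ones whose DNS entry shows up late. The sample log is constructed in the format quoted above (placeholder addresses and zone name), and the function names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample in the log format quoted in the post. Addresses and zone
# are placeholders; the second record is wrapped the way the mail wrapped them.
SAMPLE_LOG = """\
27-Oct-2015 10:12:39.820 update-security: error: client 192.0.2.11#62177: update 'samba4.example.test/IN' denied
27-Oct-2015 10:29:03.733 update-security: error: client 192.0.2.13#64620:
update 'samba4.example.test/IN' denied
27-Oct-2015 10:29:03.955 update-security: error: client 192.0.2.13#64354: update 'samba4.example.test/IN' denied
27-Oct-2015 10:30:00.000 general: warning: constructed unrelated line
27-Oct-2015 10:44:12.265 update-security: error: client 192.0.2.11#56374: update 'samba4.example.test/IN' denied
"""

TS_START = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} ")
DENIED = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"update-security: error: client (?P<ip>[^#\s]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^']+)' denied$"
)

def unwrap(text):
    """Re-join wrapped records: a line without a leading timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if TS_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def summarize_denied(text):
    """Return {(client_ip, zone): {'count', 'first', 'last'}} for denied dynamic updates."""
    stats = {}
    for record in unwrap(text):
        m = DENIED.match(record)
        if not m:
            continue  # not an update-security denial
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
        entry = stats.setdefault((m["ip"], m["zone"]), {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["first"], entry["last"] = min(entry["first"], ts), max(entry["last"], ts)
    return stats

if __name__ == "__main__":
    for (ip, zone), e in summarize_denied(SAMPLE_LOG).items():
        print(f"{ip} {zone} denied={e['count']} first={e['first']} last={e['last']}")
```

Comparing the last denial time per client with the time named was reloaded shows whether the denials really stop at the reload for every client.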