[Samba] Bind DNS Issues
Rowland Penny
rowlandpenny241155 at gmail.com
Tue Oct 27 08:27:50 UTC 2015
On 27/10/15 03:57, David Minard wrote:
> G'day All,
>
> I'm running up Samba4.2.3 with 4 DCs on Centos7. There are no
> changes to the default smb.conf file that gets created at provision/DC
> join. "samba-tool drs showrepl" show all DC replicating in and out.
> "samba-tool dbcheck" shows no errors.
>
> See below for named.conf.
>
> I'm having two issues.
>
> 1) After bind first starts up (systemctl restart/start bind), and
> I watch its log, I start getting these messages:
>
> 27-Oct-2015 10:12:39.820 update-security: error: client IP1#62177:
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:21:11.541 update-security: error: client IP2#54301:
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:29:03.733 update-security: error: client IP3#64620:
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:29:03.955 update-security: error: client IP3#64354:
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:32:40.810 update-security: error: client IP4#58684:
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:41:29.432 update-security: error: client IP5#54505:
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:44:12.265 update-security: error: client IP1#56374:
> update 'samba4.scem.westernsydney.edu.au/IN' denied
>
> If I reload bind (systemctl reload bind), the messages stop.
>
> Any idea why this might be? Are these messages an issue?
>
>
> 2) When a new windows client joins the domain, sometimes its DNS
> entry takes a day to appear. Other times an hour or so, and other
> times near to immediately. The AD in question is only under extremely
> light load, as it is only being tested at the moment in the hope that
> it will replace our existing AD next year.
>
> What could be causing the DNS entry to not be added immediately
> all the time? Is it related to question 1?
>
>
> named.conf (with minor sanitising to remove IP addresses):
>
> acl "SCEM" { KWD_Internal_Nets; PTA_Internal_Nets;
> CTN_Internal_Nets; KWD_Private_Labs_Nets; PTA_Private_Labs_Nets;
> KWD_Private_Staff_Nets; KWD_Private_Solarcar_Nets; IC2_Internal_Nets;
> IC2_Private_Nets; };
>
> #acl "Server_ADM_Network" { server_adm; };
>
> options {
> directory "/local/etc/named";
> allow-transfer { none; };
> notify yes;
> forward only;
> allow-query { SCEM; };
> # Samba4
> tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>
> forwarders {
> IP.of.non-ad.dns1;
> IP.of.non-ad.dns2;
> IP.of.non-ad.dns3;
> IP.of.non-ad.dns4;
> };
> };
>
> logging{
> channel simple_log {
> file "/var/log/named.log" versions 3 size 5m;
> severity warning;
> print-time yes;
> print-severity yes;
> print-category yes;
> };
> category default{
> simple_log;
> };
> };
>
>
> # Master Zones
>
> # Samba4
> include "/usr/local/samba/private/named.conf";
>
> zone "." in {
> type hint;
> file "var/named.cache";
> };
>
> zone "0.0.127.in-addr.arpa" in {
> type master;
> allow-update { none; };
> notify no;
> file "master/localhost.rev";
> };
>
One thing I missed: you have 'allow-query { SCEM; };'. Unless 'SCEM'
includes 127.0.0.1, it should be 'allow-query { SCEM; 127.0.0.1/32; };'.
Rowland
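As an added example (not part of this thread), here is a small parser for the BIND update-security lines quoted above that counts denied dynamic updates per zone and client, which is a quick way to see whether the denials come from every DC or from a single host. The log text is constructed to match the format produced by the poster's logging channel (print-time, print-category, print-severity), with placeholder IP addresses.

```python
import re
from collections import Counter

# Constructed sample lines in the format BIND writes with print-time,
# print-category and print-severity enabled. IP addresses are placeholders.
SAMPLE_LOG = """\
27-Oct-2015 10:12:39.820 update-security: error: client 10.0.0.11#62177: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:21:11.541 update-security: error: client 10.0.0.12#54301: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:29:03.733 update-security: error: client 10.0.0.13#64620: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:29:03.955 update-security: error: client 10.0.0.13#64354: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:44:12.265 update-security: error: client 10.0.0.11#56374: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:45:00.000 general: warning: some unrelated message
"""

# Matches: <date> <time> update-security: error: client <ip>#<port>: update '<zone>' denied
DENIED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) update-security: error: client "
    r"(?P<ip>[^#\s]+)#(?P<port>\d+): update '(?P<zone>[^']+)' denied$"
)


def parse_denied_updates(text):
    """Return one dict (ts, ip, port, zone) per 'update ... denied' line."""
    events = []
    for line in text.splitlines():
        m = DENIED_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Count denied dynamic updates per (zone, client IP) pair."""
    return Counter((e["zone"], e["ip"]) for e in events)


if __name__ == "__main__":
    for (zone, ip), n in summarize(parse_denied_updates(SAMPLE_LOG)).most_common():
        print(f"{zone:45s} {ip:15s} {n}")
```

A burst of denials from every DC right after a restart, stopping after a reload, points at the server side (keytab / GSS-TSIG setup) rather than at any one client.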