[Samba] Bind DNS Issues
David Minard
david at scem.uws.edu.au
Tue Oct 27 22:44:52 UTC 2015
> On 27/10/15 03:57, David Minard wrote:
> > G'day All,
> >
> > I'm running up Samba 4.2.3 with 4 DCs on CentOS 7. There are no
> > changes to the default smb.conf file that gets created at provision/DC
> > join. "samba-tool drs showrepl" shows all DCs replicating in and out.
> > "samba-tool dbcheck" shows no errors.
> >
> > See below for named.conf.
> >
> > I'm having two issues.
> >
> > 1) After bind first starts up (systemctl restart/start bind), and
> > I watch its log, I start getting these messages:
> >
> > 27-Oct-2015 10:12:39.820 update-security: error: client IP1#62177:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> > 27-Oct-2015 10:21:11.541 update-security: error: client IP2#54301:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> > 27-Oct-2015 10:29:03.733 update-security: error: client IP3#64620:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> > 27-Oct-2015 10:29:03.955 update-security: error: client IP3#64354:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> > 27-Oct-2015 10:32:40.810 update-security: error: client IP4#58684:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> > 27-Oct-2015 10:41:29.432 update-security: error: client IP5#54505:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> > 27-Oct-2015 10:44:12.265 update-security: error: client IP1#56374:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> >
> > If I reload bind (systemctl reload bind), the messages stop.
> >
> > Any idea why this might be? Are these messages an issue?
> >
> >
> > 2) When a new Windows client joins the domain, sometimes its DNS
> > entry takes a day to appear. Other times an hour or so, and other
> > times near to immediately. The AD in question is only under extremely
> > light load, as it is only being tested at the moment in the hope that
> > it will replace our existing AD next year.
> >
> > What could be causing the DNS entry to not be added immediately
> > all the time? Is it related to question 1?
> >
> >
> > Named.conf: - with minor sanitising to remove IP addresses;
> >
> > acl "SCEM" { KWD_Internal_Nets; PTA_Internal_Nets;
> >     CTN_Internal_Nets; KWD_Private_Labs_Nets; PTA_Private_Labs_Nets;
> >     KWD_Private_Staff_Nets; KWD_Private_Solarcar_Nets; IC2_Internal_Nets;
> >     IC2_Private_Nets; };
> >
> > #acl "Server_ADM_Network" { server_adm; };
> >
> > options {
> >     directory "/local/etc/named";
> >     allow-transfer { none; };
> >     notify yes;
> >     forward only;
> >     allow-query { SCEM; };
> >     # Samba4
> >     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> >
> >     forwarders {
> >         IP.of.non-ad.dns1;
> >         IP.of.non-ad.dns2;
> >         IP.of.non-ad.dns3;
> >         IP.of.non-ad.dns4;
> >     };
> > };
> >
> > logging {
> >     channel simple_log {
> >         file "/var/log/named.log" versions 3 size 5m;
> >         severity warning;
> >         print-time yes;
> >         print-severity yes;
> >         print-category yes;
> >     };
> >     category default {
> >         simple_log;
> >     };
> > };
> >
> >
> > # Master Zones
> >
> > # Samba4
> > include "/usr/local/samba/private/named.conf";
> >
> > zone "." in {
> >     type hint;
> >     file "var/named.cache";
> > };
> >
> > zone "0.0.127.in-addr.arpa" in {
> >     type master;
> >     allow-update { none; };
> >     notify no;
> >     file "master/localhost.rev";
> > };
> >
> One thing I missed, you have 'allow-query { SCEM; };' , unless 'SCEM'
> includes 127.0.0.1, it should be ' allow-query { SCEM; 127.0.0.1/32; };
>
> Rowland
SCEM has { localhost; other.ips; }; so that should be the same as
127.0.0.1 - I think??
--
Cheers,
David Minard.
Ph: 0247 360 155
Fax: 0247 360 770
School of Computing, Engineering, and Mathematics
Western Sydney University
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC
NSW 1797
[Sometimes waking up just isn't worth the insult of the day to come.]
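As an added example (not from David's post, nor Samba's or BIND's own code), a small Python parser that pulls the update-security denials out of a named.log written in the format shown above (print-time, print-severity and print-category enabled) and counts them per zone and client, so that a burst of rejected dynamic updates after a restart stands out when reviewing the log. The sample lines and client addresses are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of BIND's "update-security" category output, in the
# layout the posted logging{} block produces. Addresses are documentation
# placeholders (RFC 5737), not real hosts.
SAMPLE_LOG = """\
27-Oct-2015 10:12:39.820 update-security: error: client 192.0.2.10#62177: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:21:11.541 update-security: error: client 192.0.2.11#54301: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:29:03.733 update-security: error: client 192.0.2.12#64620: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:29:03.955 update-security: error: client 192.0.2.12#64354: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:44:12.265 update-security: error: client 192.0.2.10#56374: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:45:00.001 general: warning: unrelated message that must be ignored
"""

# One denied-update line: timestamp, severity, client addr#port, zone/class.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"update-security: (?P<sev>\w+): client (?P<ip>[^#\s]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^/']+)/(?P<cls>\w+)' denied$"
)


def parse_denied_updates(text):
    """Return one dict per denied dynamic-update attempt found in text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other categories / non-matching lines are skipped
        d = m.groupdict()
        d["time"] = datetime.strptime(d["ts"], "%d-%b-%Y %H:%M:%S.%f")
        events.append(d)
    return events


def summarise(events):
    """Count denials per (zone, client) and give the first/last timestamp."""
    per_client = Counter((e["zone"], e["ip"]) for e in events)
    times = [e["time"] for e in events]
    window = (min(times), max(times)) if times else None
    return {"total": len(events), "per_client": per_client, "window": window}


if __name__ == "__main__":
    s = summarise(parse_denied_updates(SAMPLE_LOG))
    print(s["total"], "denied updates between", s["window"][0], "and", s["window"][1])
    for (zone, ip), n in s["per_client"].most_common():
        print(f"  {ip:<16} {zone}  x{n}")
```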