[Samba] Samba 4.2.14 Group Policy (GPO) sync error
Rowland Penny
rpenny at samba.org
Thu Aug 4 16:10:56 UTC 2016
On Thu, 4 Aug 2016 17:51:09 +0200
rme at bluemail.ch wrote:
> Even some more observations.
>
> I noticed when I join my machine to AD it prompts a second time for
> the credentials. It does not matter what I enter or even cancel the
> dialog it will always display an error:
>
> Changing the Primary Domain DNS name of this computer to "" failed.
> The name will remain "ad.cyberdyne.local".
>
> Well, actually this is what I want anyway. I found this Microsoft
> article about:
> <https://support.microsoft.com/en-us/kb/2018583>
> But also forcing NetBIOS over TCP did not help. I have the following
> in my dhcpd.conf anyway:
> option netbios-name-servers 10.0.1.6;
> option netbios-node-type 8;
>
>
> In any case this should not harm as far as I understood.
>
>
> But I went a bit more into DNS topics and came across a potential
> issue or at least nuisance.
> I am currently using BIND and it manages the zone cyberdyne.local.
> Where I also manage a reverse-DNS zone (zone
> "1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa" in). This zone is managing
> PTR entries for my local LAN equipment with fixed IP addresses.
>
> It looks like when a machine is domain-joined the clients try to
> update those records and I see the following in my BIND logs (starts
> after domain join):
>
> 04-Aug-2016 17:09:52.381 update-security: error: client
> fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#56593: view internal: update
> '1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa/IN' denied
> 04-Aug-2016 17:09:52.382 update: info: client
> fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#54604/key
> cyb64w10-monste$@AD.CYBERDYNE.LOCAL: view internal: updating zone
> '1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa/IN': update failed:
> rejected by secure update (REFUSED)
>
>
> I am in question to myself how to resolve this.
> One possibility might be to remove the reverse DNS zone and let
> Samba_DLZ manage it. This might work but does not allow me to manage
> the PTR records for my static LAN equipment in BIND.
>
> A second possibility might be to allow secure updates. Though I
> haven't been able to find some working guide how to allow
> kerberos-authenticated secure updates. Somewhere I found to use
> something like
>
> update-policy {
> grant AD.CYBERDYNE.LOCAL krb5-self * PTR;
> };
>
> in my zone definition. However it didn't work as expected.
> I also found this:
> <http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/>
> However I didn't go through the complete instruction. As of my
> understanding it will forward the verification of the request to an
> external script.
> Well, I think it's far too complex and kerberos authentication should
> be possible with BIND directly.
>
>
No it's not, it's fairly easy, once you get your head around it. I have
been using something based on that webpage for nearly 4 years now and
only had self-inflicted problems.
Rowland
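A named.conf fragment for the reverse-zone case in the quoted message, added here as an illustration (it is not from the thread, from Samba or from the linked blog); the keytab and zone-file paths are placeholders, and the explanation of why the krb5-self rule fails assumes the BIND 9 rule-type semantics of that era:

```conf
// Added example: GSS-TSIG (Kerberos) secure updates from AD-joined Windows
// clients into a BIND-managed IPv6 reverse zone, limited to PTR records.

options {
    // Keytab with the DNS/<bind-host-fqdn>@AD.CYBERDYNE.LOCAL principal that
    // clients request a ticket for. Export it on the Samba DC with
    // "samba-tool domain exportkeytab" and copy it here (placeholder path).
    tkey-gssapi-keytab "/etc/bind/dns.keytab";
};

zone "1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa" IN {
    type master;
    file "/etc/bind/db.ip6.arpa.fdea-5b48-d4c1-1";   // placeholder path

    // Why the attempt from the message did not match:
    //   grant AD.CYBERDYNE.LOCAL krb5-self * PTR;
    // 1. krb5-* rule types parse host/machine@REALM principals, while the
    //    log shows the Windows form cyb64w10-monste$@AD.CYBERDYNE.LOCAL,
    //    which the ms-* rule types are written for.
    // 2. A "self" rule only allows updates to machine.realm
    //    (cyb64w10-monste.ad.cyberdyne.local), a name that does not exist
    //    under ip6.arpa. With no rule matching, BIND logs
    //    "rejected by secure update (REFUSED)", as seen above.
    update-policy {
        // Any machine account in the realm may write PTR records at or
        // below the zone apex; SOA/NS and everything else stay read-only.
        grant AD.CYBERDYNE.LOCAL ms-subdomain 1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa. PTR;
    };
};
```

Note the trade-off: every domain member can then overwrite any PTR in that zone, the statically maintained ones included, so keep the fixed equipment in a zone that carries no update-policy if that matters.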