[Samba] DNS: Update not allowed for unsigned packet

Aaron C. de Bruyn aaron at heyaaron.com
Wed Nov 8 17:00:51 UTC 2023


Found a work-around.

Manually create a DNS entry for the machine that is unable to register a
new record.  i.e. 'USSIF1DOFC07' with any random IP address.
Edit the newly-created record, grant the computer account (USSIF1DOFC07)
full privileges.
Run 'ipconfig /registerdns' on the machine.

If I had to guess, when a machine gets joined to the domain, the DNS record
is created and the computer can update it.
If the record gets deleted out of DNS, the domain-joined machine can't
recreate itself like it can in the Windows environment.
The record already has to exist with the proper permissions.

I'd say there's probably a bug in the Samba code related to DNS updates
where it can't recreate records from domain-joined machines only if they
already exist.

-A


On Mon, Nov 6, 2023 at 11:35 AM Aaron C. de Bruyn <aaron at heyaaron.com>
wrote:

> Thanks Andrew, but we checked for that.
>
> Firing up dnsmgmt.msc shows no entries with those computer names.
>
> -A
>
> On Mon, Nov 6, 2023 at 11:34 AM Andrew Bartlett <abartlet at samba.org>
> wrote:
>
>> On Mon, 2023-11-06 at 10:02 -0800, Aaron C. de Bruyn via samba wrote:
>> > DNS is suddenly not working properly for some machines.
>> >
>> > We had a bunch of machines that were joined to the domain, but the
>> > computer name was wrong.
>> >
>> > To fix this, we unjoined the machines and deleted the computer
>> > accounts out of Samba (because renames while joined will leave LDAP
>> > attributes with the previous machine name and there will be
>> > connectivity problems for some reason), and we deleted them out of
>> > DNS (dnsmgmt.msc) so there were no mismatched SIDs.
>> >
>> > Then we renamed and restarted the machines (All Windows 11 Pro), then
>> > we joined them back to the domain.
>>
>> The unsigned packet is a red herring, all first DNS updates are
>> unsigned, then a signed one comes after the DC disallows it.
>>
>> The issue is that you deleted accounts, but did not clean out DNS, so
>> the old name is still owned by the old account (now gone), so the update
>> fails due to simple permissions (DNS is secured on a first-to-claim basis).
>>
>> Clean out your DNS records and it should work.
>>
>> Andrew Bartlett
>>
>>
>> --
>> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
>> Samba Team Member (since 2001) https://samba.org
>> Samba Team Lead                https://catalyst.net.nz/services/samba
>> Catalyst.Net Ltd
>>
>> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
>> company
>>
>> Samba Development and Support: https://catalyst.net.nz/services/samba
>>
>> Catalyst IT - Expert Open Source Solutions
>>
>>
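As an added example (not code from this thread or from the Samba project), a check for the failure mode Andrew describes and the workaround above: given the SDDL security descriptor of each dnsNode object, as an admin can print it with `samba-tool dsacl get --objectdn=<dnsNode DN>` (the output framing and the sample descriptors below are constructed, and the SIDs are made up), it reports records whose owner SID no longer belongs to an existing account, and records that the machine's current computer account has no write access to.

```python
import re

# Constructed sample: SDDL of three dnsNode objects. RID 1105 is the computer
# account that was deleted, 1187 is the re-joined machine's new account,
# 1200 is some other live computer account (all values made up).
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"
OLD_SID = DOMAIN_SID + "-1105"
NEW_SID = DOMAIN_SID + "-1187"
OTHER_SID = DOMAIN_SID + "-1200"
SAMPLE_SDDL = {
    "USSIF1DOFC07": (f"O:{OLD_SID}G:DUD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;{OLD_SID})"
                     "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;LCRPRC;;;AU)"),
    "USSIF1DOFC08": (f"O:{NEW_SID}G:DUD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;{NEW_SID})"
                     "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"),
    "USSIF1DOFC09": (f"O:{OTHER_SID}G:DUD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;{OTHER_SID})"
                     "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"),
}
LIVE_SIDS = {NEW_SID, OTHER_SID}  # SIDs of accounts that still exist (constructed)

OWNER_RE = re.compile(r"O:(S-[0-9-]+|[A-Z]{2})")  # owner SID or two-letter alias
ACE_RE = re.compile(r"\(([^)]*)\)")               # each "(type;flags;rights;;;sid)"

def record_owner(sddl):
    """Owner of the record: the account that first claimed the name."""
    m = OWNER_RE.match(sddl)
    return m.group(1) if m else None

def sid_can_update(sddl, sid):
    """True if an access-allowed ACE gives `sid` generic-all or write-property,
    which a dynamic update needs to rewrite the dnsRecord attribute."""
    for ace in ACE_RE.findall(sddl):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A" or fields[5] != sid:
            continue
        rights = fields[2]
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        if "GA" in codes or "WP" in codes:
            return True
    return False

def audit(sddl_by_name, live_sids, machine_sids):
    """Per-record verdict: 'orphaned' (owner account gone: delete the record and
    let the host re-register), 'no-write' (owner exists but this machine's account
    cannot write it: grant it rights, as in the workaround) or 'ok'."""
    verdict = {}
    for name, sddl in sddl_by_name.items():
        if record_owner(sddl) not in live_sids:
            verdict[name] = "orphaned"
        elif not sid_can_update(sddl, machine_sids.get(name, "")):
            verdict[name] = "no-write"
        else:
            verdict[name] = "ok"
    return verdict
```

In a live run, `SAMPLE_SDDL` would be filled from `samba-tool dsacl get` for each dnsNode in the zone and `LIVE_SIDS` from the objectSid values of the existing computer accounts; the SY and AU aliases are compared literally, so pass the machine SID in S-1-5-21 form.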