[Samba] DNS updates, machine name changes...

Fabio Fantoni fabio.fantoni at m2r.biz
Mon Nov 13 12:58:33 UTC 2023


On 09/11/2023 23:23, Aaron C. de Bruyn via samba wrote:
> Short and easy test for you.
> Assuming one of the non-working computers is named MYPC.
> Go into dnsmgmt.msc and delete MYPC out of DNS.
> Create a new A record for MYPC and point it wherever...  127.99.99.99 would
> be fine.
> Edit the record you just created, go to the security tab, click 'Add' and
> add MYPC to it.  Set MYPC to have full control.
> Go to MYPC and run 'ipconfig /registerdns'.
>
> Refresh dnsmgmt.msc and see if the IP updated to the correct IP.
>
> I'm betting that will fix it.
>
> That can be for one of two reasons from what I've seen.
> * The DNS record for MYPC was associated with the old MYPC AD account and
> SID
> * What appears to me to be a bug in Samba where you delete the old DNS
> record that's associated with the wrong SID and the *new* MYPC still can't
> create a record--possibly due to tombstoning as Rowland mentioned, but I
> haven't tested it myself.
>
> -A

Hi, during DNS update tests I had strange behaviour, and seeing this 
topic it seems similar: a domain member was unable to update DNS on the 
Samba DC, even after adding the (previously missing) permissions for the 
computer, and even after removing it from and re-registering it to the 
domain. Only after I removed it and manually deleted the DNS record and 
the computer account before redoing the join did it create a DNS record 
that it manages to update correctly.

The member is named W2019-TEST; it was added to the domain 1-2 years ago, 
when there was only one Samba DC (I don't remember which version) using 
the internal DNS server.

Now I have, as PDC, a Debian 12 with Samba 4.19.2 (named D12DC); recently 
I added a Windows 2019 Standard as an additional DC (WIN19DC).

After seeing DNS dynamic update errors in the Windows event log, I migrated 
the Samba DC to BIND as DNS server; after that, a DNS update from WIN19DC 
with "ipconfig /registerdns" gave no error event (and was correctly updated 
on the DNS server).

On W2019-TEST, instead, the DNS update was not working. I checked the 
permissions on the security tab of the W2019-TEST record and manually 
added the missing permission for the W2019-TEST computer.

The DNS update was still failing on the Samba DC; in the BIND server log:

> nov 13 11:59:10 d12dc.m2r.local named[480]: client @0x7fe5fc58c568 
> 192.168.1.21#52514: update 'm2r.local/IN' denied
> nov 13 11:59:10 d12dc.m2r.local named[480]: samba_dlz: disallowing 
> update of signer=W2019-TEST\$\@M2R.LOCAL name=W2019-TEST.m2r.local 
> type=AAAA error=insufficient access rights
> nov 13 11:59:10 d12dc.m2r.local named[480]: client @0x7fe5eb608d68 
> 192.168.1.21#50715/key W2019-TEST\$\@M2R.LOCAL: updating zone 
> 'm2r.local/NONE': update failed: rejected by secure update (REFUSED)
I tried setting "allow dns updates = nonsecure" in smb.conf and rebooting, 
but it still didn't work.

I tried switching the first DNS server on W2019-TEST to WIN19DC and it 
worked (the Windows DC has secure-only updates).

After changing the DNS server back to D12DC, I tried leaving and rejoining 
the domain, but the update of the DNS record was still not working.

I left the domain, deleted the W2019-TEST computer account and DNS record, 
and rejoined the domain; now the newly created DNS record also works on 
the Samba DC:

> nov 13 12:43:10 d12dc.m2r.local named[480]: client @0x7fe5eb608d68 
> 192.168.1.21#53494/key W2019-TEST\$\@M2R.LOCAL: updating zone 
> 'm2r.local/NONE': adding an RR at 'W2019-TEST.m2r.local' A 192.168.1.21
> nov 13 12:43:10 d12dc.m2r.local named[480]: samba_dlz: added rdataset 
> W2019-TEST.m2r.local 'W2019-TEST.m2r.local.        1200        IN 
> A        192.168.1.21'
> nov 13 12:43:10 d12dc.m2r.local named[480]: samba_dlz: committed 
> transaction on zone m2r.local
Was there a known issue in how older Samba created DNS records that is 
now solved?

To fix old DNS records, is the only working way to rejoin the domain, 
manually deleting the records before the new join?

And the strange thing remains that with the Windows DC it is only 
necessary to add the computer's permission to the DNS record and it 
works, while with the Samba DC it does not.

I also tried renaming W2019-TEST to W2019-TEST2, and after reboot the DNS 
was updated automatically; it still works when doing a manual update 
afterwards:

> nov 13 13:41:56 d12dc.m2r.local named[480]: client @0x7fe5eb609b68 
> 192.168.1.21#50687: update 'm2r.local/IN' denied
> nov 13 13:41:56 d12dc.m2r.local named[480]: samba_dlz: allowing update 
> of signer=W2019-TEST2\$\@M2R.LOCAL name=W2019-TEST2.m2r.local 
> tcpaddr=192.168.1.21 type=AAAA 
> key=1252-ms-7.2-135518.19994361-821f-11ee-0ea9-af7f35904ef0>
> nov 13 13:41:56 d12dc.m2r.local named[480]: samba_dlz: allowing update 
> of signer=W2019-TEST2\$\@M2R.LOCAL name=W2019-TEST2.m2r.local 
> tcpaddr=192.168.1.21 type=A 
> key=1252-ms-7.2-135518.19994361-821f-11ee-0ea9-af7f35904ef0/16>
> nov 13 13:41:56 d12dc.m2r.local named[480]: samba_dlz: allowing update 
> of signer=W2019-TEST2\$\@M2R.LOCAL name=W2019-TEST2.m2r.local 
> tcpaddr=192.168.1.21 type=A 
> key=1252-ms-7.2-135518.19994361-821f-11ee-0ea9-af7f35904ef0/16>
> nov 13 13:41:56 d12dc.m2r.local named[480]: samba_dlz: starting 
> transaction on zone m2r.local
> nov 13 13:41:56 d12dc.m2r.local named[480]: client @0x7fe5eb609b68 
> 192.168.1.21#49980/key W2019-TEST2\$\@M2R.LOCAL: updating zone 
> 'm2r.local/NONE': deleting rrset at 'W2019-TEST2.m2r.local' AAAA
> nov 13 13:41:56 d12dc.m2r.local named[480]: client @0x7fe5eb609b68 
> 192.168.1.21#49980/key W2019-TEST2\$\@M2R.LOCAL: updating zone 
> 'm2r.local/NONE': deleting rrset at 'W2019-TEST2.m2r.local' A
> nov 13 13:41:56 d12dc.m2r.local named[480]: samba_dlz: subtracted 
> rdataset W2019-TEST2.m2r.local 'W2019-TEST2.m2r.local.        
> 1200        IN A        192.168.1.21'
> nov 13 13:41:56 d12dc.m2r.local named[480]: client @0x7fe5eb609b68 
> 192.168.1.21#49980/key W2019-TEST2\$\@M2R.LOCAL: updating zone 
> 'm2r.local/NONE': adding an RR at 'W2019-TEST2.m2r.local' A 192.168.1.21
> nov 13 13:41:56 d12dc.m2r.local named[480]: samba_dlz: added rdataset 
> W2019-TEST2.m2r.local 'W2019-TEST2.m2r.local.        1200        IN 
> A        192.168.1.21'
> nov 13 13:41:56 d12dc.m2r.local named[480]: samba_dlz: committed 
> transaction on zone m2r.local
Last question: is the first 'denied' line normal and can it be ignored?

Thanks for any reply, and sorry for my bad English.

>
>
> On Thu, Nov 9, 2023 at 12:17 PM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Thu, 9 Nov 2023 12:08:14 -0800
>> "Aaron C. de Bruyn via samba" <samba at lists.samba.org> wrote:
>>
>>> You might be running into what I just ran into and posted about a day
>>> or so ago.
>>>
>>> When did you delete the names out of DNS?
>> From my reading of the initial post, the dns data wasn't deleted and if
>> so, it will belong to the old computer and the new computer will not be
>> able to update the dns records.
>>
>> Rowland
>>
>>> If it was *after* you re-joined them to the domain, Samba appears to
>>> not allow the records to be created.
>>>
>>> If you manually create records for those names and grant the computer
>>> account full control on the record, Samba appears to allow updates
>>> again.
>>>
>>> If you deleted the names out of DNS *before* you re-joined them to the
>>> domain, it's probably not the issue I ran into.
>>>
>>>
>>> On Thu, Nov 9, 2023 at 10:09 AM Greg Sloop <gregs--- via samba <
>>> samba at lists.samba.org> wrote:
>>>
>>>> We have a situation where AD's dns isn't right. It's a result of us
>>>> moving/renaming machines, so I'm sure it's a self-induced problem.
>>>> But I'm not sure the "right" way to go about fixing it.
>>>>
>>>> So, here's how we "caused" it. Hopefully someone can tell me how to
>>>> best fix it.
>>>>
>>>> Let's assume two machines.
>>>> Machine 1: BuildingA-Sales1.ad.somedomain.net
>>>> Machine 2: BuildingB-Finance2.ad.somedomain.net
>>>>
>>>> Now assume the two machines/users swap places. And they take their
>>>> machines with them.
>>>> So now, machine 1: is BuildingB-Finance2.ad.somedomain.net
>>>> ...and vice versa.
>>>>
>>>> We did remove the machines from the domain and re-join them.
>>>> And while removed, we went and removed the machine accounts using
>>>> the Windows Computers/Users tool.
>>>> Then we re-joined the machines to the domain.
>>>>
>>>> But the IP's they resolve to are reversed.
>>>> For example; Machine 1 is still resolving to the IP it would get in
>>>> Building A, (different IP netblock) instead of the block it's
>>>> actually getting in Building B. (i.e. dig
>>>> BuildingB-Finance2.ad.somedomain.net returns the IP "Machine 1" is
>>>> getting in Building A.)
>>>>
>>>> I think I've seen this get discussed recently, and if someone can
>>>> point me at that discussion instead of typing a new reply, (or at a
>>>> wiki article) that would be fab.
>>>>
>>>> So, how do I do this "right"?
>>>>
>>>> TIA
>>>> -Greg
>>>> --
>>>>

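Added example (not code from the thread's authors or from the Samba project) that triages the named/samba_dlz lines quoted above so the three kinds of line can be told apart: the "update 'm2r.local/IN' denied" line for a client without "/key", the per-record "samba_dlz: allowing/disallowing" decision, and the "/key <signer>" line with the outcome of the signed update. The sample log is constructed from the lines in the post, with the signer written literally as W2019-TEST$@M2R.LOCAL (the post shows it as W2019-TEST\$\@M2R.LOCAL). Treating the keyless "denied" line as the client's first, unsigned attempt, which a secure-only zone refuses before the client retries with a GSS-TSIG key, is this example's reading of the log (Windows DNS clients default to "unsecure followed by secure"), so those lines are counted separately rather than as failures; a signer is only reported as suspect when its signed updates are refused on access rights and never allowed.

```python
"""Triage BIND9/samba_dlz dynamic-update log lines from a Samba AD DC."""
import re
from collections import defaultdict

# Client line WITHOUT "/key": the unsigned first attempt that a secure-only
# zone refuses (assumption: normal "unsecure followed by secure" sequence).
UNSIGNED_DENIED_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<addr>[\d.:]+)#\d+: update '(?P<zone>[^']+)' denied"
)
# samba_dlz access decision for one record type, made against the dnsNode ACL.
DLZ_DECISION_RE = re.compile(
    r"samba_dlz: (?P<decision>allowing|disallowing) update of "
    r"signer=(?P<signer>\S+) name=(?P<name>\S+)(?: tcpaddr=\S+)? type=(?P<rtype>\S+)"
    r"(?: error=(?P<error>.+?))?(?: key=\S+)?\s*$"
)
# Client line WITH "/key <signer>": outcome of the GSS-TSIG signed update.
SIGNED_RESULT_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<addr>[\d.:]+)#\d+/key (?P<signer>\S+): "
    r"updating zone '(?P<zone>[^']+)': (?P<outcome>.+?)\s*$"
)

# Constructed sample: the lines quoted in the post, trimmed to one denied
# exchange (W2019-TEST$) and one allowed exchange (W2019-TEST2$).
SAMPLE_LOG = """\
nov 13 11:59:10 d12dc.m2r.local named[480]: client @0x7fe5fc58c568 192.168.1.21#52514: update 'm2r.local/IN' denied
nov 13 11:59:10 d12dc.m2r.local named[480]: samba_dlz: disallowing update of signer=W2019-TEST$@M2R.LOCAL name=W2019-TEST.m2r.local type=AAAA error=insufficient access rights
nov 13 11:59:10 d12dc.m2r.local named[480]: client @0x7fe5eb608d68 192.168.1.21#50715/key W2019-TEST$@M2R.LOCAL: updating zone 'm2r.local/NONE': update failed: rejected by secure update (REFUSED)
nov 13 13:41:56 d12dc.m2r.local named[480]: client @0x7fe5eb609b68 192.168.1.21#50687: update 'm2r.local/IN' denied
nov 13 13:41:56 d12dc.m2r.local named[480]: samba_dlz: allowing update of signer=W2019-TEST2$@M2R.LOCAL name=W2019-TEST2.m2r.local tcpaddr=192.168.1.21 type=AAAA key=1252-ms-7.2-135518.19994361-821f-11ee-0ea9-af7f35904ef0>
nov 13 13:41:56 d12dc.m2r.local named[480]: samba_dlz: allowing update of signer=W2019-TEST2$@M2R.LOCAL name=W2019-TEST2.m2r.local tcpaddr=192.168.1.21 type=A key=1252-ms-7.2-135518.19994361-821f-11ee-0ea9-af7f35904ef0/16>
nov 13 13:41:56 d12dc.m2r.local named[480]: client @0x7fe5eb609b68 192.168.1.21#49980/key W2019-TEST2$@M2R.LOCAL: updating zone 'm2r.local/NONE': adding an RR at 'W2019-TEST2.m2r.local' A 192.168.1.21
"""


def parse_line(line):
    """Classify one log line; returns a dict with a 'kind' key, or None."""
    m = UNSIGNED_DENIED_RE.search(line)
    if m:
        return {"kind": "unsigned_refused", **m.groupdict()}
    m = DLZ_DECISION_RE.search(line)
    if m:
        return {"kind": "dlz_decision", **m.groupdict()}
    m = SIGNED_RESULT_RE.search(line)
    if m:
        ev = {"kind": "signed_result", **m.groupdict()}
        ev["failed"] = "update failed" in ev["outcome"]
        return ev
    return None


def triage(log_text):
    """Count decisions per signer (the updating account's Kerberos principal)."""
    new_signer = lambda: {"allowed": 0, "denied": 0, "failed_updates": 0,
                          "errors": set(), "names": set()}
    report = {"unsigned_refused": 0, "signers": defaultdict(new_signer)}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "unsigned_refused":
            report["unsigned_refused"] += 1  # expected noise, not a failure
        elif ev["kind"] == "dlz_decision":
            s = report["signers"][ev["signer"]]
            s["names"].add(ev["name"])
            if ev["decision"] == "allowing":
                s["allowed"] += 1
            else:
                s["denied"] += 1
                if ev["error"]:
                    s["errors"].add(ev["error"])
        elif ev["kind"] == "signed_result" and ev["failed"]:
            report["signers"][ev["signer"]]["failed_updates"] += 1
    report["signers"] = dict(report["signers"])
    return report


def suspect_signers(report):
    """Signers whose signed updates were refused on access rights and never allowed:
    the symptom of a record whose ACL/owner belongs to a different account."""
    return sorted(
        signer for signer, s in report["signers"].items()
        if s["denied"] and not s["allowed"] and any("access" in e for e in s["errors"])
    )


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    print("unsigned attempts refused (expected):", rep["unsigned_refused"])
    for signer, s in rep["signers"].items():
        print(signer, "allowed=%d denied=%d errors=%s" % (s["allowed"], s["denied"], sorted(s["errors"])))
    print("suspect:", suspect_signers(rep))
```

Run against a full journal export (for example the output of `journalctl -u named`) the same functions give a per-account view, which is what you want before deciding whether a record needs its ACL fixed or needs deleting before a rejoin.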
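Rowland's point that the DNS data "will belong to the old computer" and Aaron's step of adding the computer with full control on the record's security tab both come down to the security descriptor of the record's dnsNode object. The following is an added example, not Samba code, that reads such a descriptor in SDDL form (on a Samba DC that is what `samba-tool dsacl get --objectdn=<DN of the dnsNode>` prints; the DN layout under CN=MicrosoftDNS,DC=DomainDnsZones is assumed, the thread does not show it) and reports whether a given machine-account SID owns the record and holds a write-capable allow ACE. The SIDs and the descriptor below are constructed placeholders; `grant_full_control` only builds the ACE that Aaron's step adds (it would be applied with `samba-tool dsacl set` or the Windows security tab), and Fabio's report above shows that on his Samba DC adding that permission was not by itself enough.

```python
"""Check whether a machine account can rewrite a dnsNode from its SDDL."""
import re

# Two-letter SDDL rights abbreviations and their access-mask bits.
RIGHT_BITS = {
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x00000001, "DC": 0x00000002, "LC": 0x00000004, "SW": 0x00000008,
    "RP": 0x00000010, "WP": 0x00000020, "DT": 0x00000040, "LO": 0x00000080,
    "CR": 0x00000100,
}
# Rights that let a principal rewrite the record data: generic all, generic
# write, or write-property on the whole object.
WRITE_RIGHTS = RIGHT_BITS["GA"] | RIGHT_BITS["GW"] | RIGHT_BITS["WP"]
# Aliases every domain computer account falls under (Authenticated Users,
# Everyone). Other group aliases are not expanded here (simplification).
IMPLICIT_GROUPS = {"AU", "WD"}

_ACE_RE = re.compile(r"\(([^)]*)\)")
_DACL_RE = re.compile(r"D:[A-Z]*(?:\([^)]*\))*")

# Constructed placeholders: the account that registered the record long ago
# and the account created by the rejoin (same name, new SID).
OLD_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
NEW_SID = "S-1-5-21-1111111111-2222222222-3333333333-1120"
# Constructed SDDL in the shape a client-registered record gets: owned by the
# registering account, with a full-control ACE for it.
STALE_RECORD_SDDL = (
    "O:" + OLD_SID + "G:DUD:AI"
    "(A;;GA;;;" + OLD_SID + ")"
    "(A;;RPLCLORC;;;AU)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
)


def parse_rights(text):
    """'0x1f01ff' or 'CCDCLCSWRPWP...' -> access mask as an integer."""
    if text[:2].lower() == "0x":
        return int(text, 16)
    if len(text) % 2:
        raise ValueError("odd-length rights string: %r" % text)
    mask = 0
    for i in range(0, len(text), 2):
        code = text[i:i + 2]
        if code not in RIGHT_BITS:
            raise ValueError("unknown rights code %r" % code)
        mask |= RIGHT_BITS[code]
    return mask


def parse_sddl(sddl):
    """Return owner, group and the DACL ACEs of an SDDL string."""
    parts = {m.group(1): m.group(2)
             for m in re.finditer(r"([OGDS]):(.*?)(?=[OGDS]:|$)", sddl)}
    aces = []
    for body in _ACE_RE.findall(parts.get("D", "")):
        f = body.split(";")  # type;flags;rights;object_guid;inherit_guid;sid
        if len(f) < 6:
            raise ValueError("malformed ACE: %r" % body)
        aces.append({"type": f[0], "flags": f[1], "mask": parse_rights(f[2]),
                     "object": f[3], "inherit_object": f[4], "sid": f[5]})
    return {"owner": parts.get("O", ""), "group": parts.get("G", ""), "aces": aces}


def check_record_access(sddl, account_sid):
    """Explain whether account_sid may rewrite the record protected by sddl.

    Deny ACEs win over allow ACEs for the same bits. Ownership alone only
    implies READ_CONTROL/WRITE_DAC, so it is reported but does not by itself
    allow the update. Object-specific ACEs (non-empty object GUID) are skipped
    because they scope WP to a single property (simplification).
    """
    sd = parse_sddl(sddl)
    allowed_by, denied_by = [], []
    for ace in sd["aces"]:
        if ace["sid"] != account_sid and ace["sid"] not in IMPLICIT_GROUPS:
            continue
        if ace["object"] or not ace["mask"] & WRITE_RIGHTS:
            continue
        (allowed_by if ace["type"] == "A" else denied_by).append(ace["sid"])
    return {"owner_matches": sd["owner"] == account_sid,
            "allowed_by": allowed_by, "denied_by": denied_by,
            "can_update": bool(allowed_by) and not denied_by}


def grant_full_control(sddl, account_sid):
    """Return sddl with an allow/GA ACE for account_sid appended to the DACL."""
    ace = "(A;;GA;;;%s)" % account_sid
    new, n = _DACL_RE.subn(lambda m: m.group(0) + ace, sddl, count=1)
    return new if n else sddl + "D:" + ace
```

Reading the result: `owner_matches` false plus an empty `allowed_by` for the rejoined account's SID is exactly the "record belongs to the old computer" state described in the thread, and the first block's `samba_dlz: disallowing ... error=insufficient access rights` line is what that state looks like from the BIND side.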