DNS update failed when joining samba3 to samba4

srikumar 108 srikumar108 at gmail.com
Sun Sep 19 12:12:26 MDT 2010

I am using Ubuntu Lucid too. Here's what works for me (I am stripping
out the comments):

First of all, named refuses to start because it doesn't have access to
the keytab. Add the following to /etc/default/bind9:

# samba4
export KRB5_KTNAME

Next we need to set up named:

# cat /etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.local";

# cat /etc/bind/named.conf.local

include "/etc/bind/zones.rfc1918";

key rndc-key {
        algorithm hmac-md5;
        secret "xyz*";
};

controls {
        inet port 953
        allow {; } keys { "rndc-key"; };
};

zone "test.com." IN {
        type master;
        file "test.com.zone";
        update-policy {
                grant TEST.COM ms-self * A AAAA;
                grant administrator@TEST.COM wildcard * A AAAA SRV CNAME TXT;
                grant HOST$@TEST.COM wildcard * A AAAA SRV CNAME;
                grant rndc-key subdomain test.com A;
        };
        check-names ignore;
};

zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "1.168.192.in-addr.arpa.zone";
        update-policy {
                grant *.COM wildcard *.1.168.192.in-addr.arpa. PTR;
                grant rndc-key subdomain 1.168.192.in-addr.arpa PTR;
        };
};

Note that instead of linking the samba-generated named.conf, I am
basically copying its contents to named.conf.local, because I need to
make several changes that will be blown away with the next samba
upgrade. For the same reason, I am hosting the zone files in bind's
default location /var/cache/bind.

Finally, you need to update bind to the latest version, or patch and
rebuild your current version of bind. The patches are in:
<srcdir>/examples/bind9-patches. I elected to do the latter, because I
found that much easier to deal with: just do apt-get build-dep,
apt-get source, etc.

Hope that helps.

On Sun, Sep 19, 2010 at 11:15 AM, Christian Huldt <christian at solvare.se> wrote:
> We are setting up a new network with samba4 as DC and samba3 for files and
> printers
> However, bind as provided by ubuntu server 10.4.1 lts does not like the tkey
> settings and refuses to start with them
>        tkey-gssapi-credential "DNS/arkitekt.msg83";
>        tkey-domain "ARKITEKT.MSG83";
> Of course I would like to fix this (any hints? kerberos works nicely, kinit
> and klist), but I wonder if this is a show-stopper?
> Joining a samba3 server to the domain "works", I can see the server in the
> domain (but not connect to it yet...) but "DNS update failed!" seems like
> something that I should fix ASAP.
>> # net ads join -Uadministrator
>> Enter administrator's password:
>> Using short domain name -- ARKITEKT
>> Joined 'SOLVARE2' to realm 'arkitekt.msg83'
>> DNS update failed!
> Second question: we used to have dhcp add computers to dns through
> allow-update { key "rndc-key"; };, is this compatible with samba4 and the
> tkey stuff or should we change that (haven't added it yet)?
>> # /usr/sbin/named -V
>> BIND 9.7.0-P1 built with '--prefix=/usr' '--mandir=/usr/share/man'
>> '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var'
>> '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared'
>> '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
>> '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes'
>> '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes'
>> '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing
>> -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS='
> Christian Huldt
> christian at solvare.se
> +46704612207
> No unicorns were harmed during the composition of this email.
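
Added example, not part of the original message or of Samba's or BIND's tooling: the update-policy grants above decide which Kerberos principals and TSIG keys may write which records, so this shell/awk function lists them per zone and flags an hmac-md5 key, a "wildcard *" grant, and a zone that carries both allow-update and update-policy. The function names, the WARN wording and the sample config are assumptions of this example; the sample is constructed from the zone in the message plus the allow-update line from the quoted question.

```shell
#!/bin/sh
# Added example: list update-policy grants per zone and flag risky settings.
sample_conf() {   # constructed sample; the secret is a placeholder
    cat <<'EOF'
key rndc-key {
        algorithm hmac-md5;
        secret "PLACEHOLDER";
};
zone "test.com." IN {
        type master;
        allow-update { key "rndc-key"; };
        update-policy {
                grant TEST.COM ms-self * A AAAA;
                grant administrator@TEST.COM wildcard * A AAAA SRV CNAME TXT;
                grant rndc-key subdomain test.com A;
        };
};
EOF
}

audit_update_policy() {   # reads named.conf text from files or stdin
    awk '
    { sub(/(#|\/\/).*$/, "") }                    # drop trailing comments
    /^[ \t]*zone[ \t]/ {                          # start of a zone statement
        zone = $2; gsub(/"/, "", zone); sub(/\.$/, "", zone)
        seen_allow = seen_policy = 0
    }
    /algorithm[ \t]+hmac-md5/ { print "WARN hmac-md5 TSIG key" }
    /allow-update[ \t]*[{]/   { seen_allow = 1; conflict() }
    /update-policy[ \t]*[{]/  { seen_policy = in_policy = 1; conflict(); next }
    in_policy && $1 == "grant" {                  # grant identity matchtype name types
        sub(/;[ \t]*$/, "")
        types = ""
        for (i = 5; i <= NF; i++) types = types " " $i
        print "GRANT " zone " " $2 " " $3 " " $4 types
        if ($3 == "wildcard" && $4 == "*")
            print "WARN " zone ": broad grant, " $2 " wildcard *"
        next
    }
    in_policy && /[}]/ { in_policy = 0 }          # end of update-policy block
    function conflict() {                         # BIND rejects both in one zone
        if (seen_allow && seen_policy)
            print "WARN " zone ": allow-update and update-policy are mutually exclusive"
    }
    ' "$@"
}

sample_conf | audit_update_policy
```

Run it against the real file with `audit_update_policy /etc/bind/named.conf.local`; it only reads the configuration and complements, rather than replaces, named-checkconf.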
