samba4 from BDC to PDC

Amitay Isaacs amitay at
Fri Dec 23 15:13:59 MST 2011

Hi Daniele,

On Sat, Dec 24, 2011 at 2:18 AM, Daniele Dario <d.dario76 at> wrote:

> my sbs2003 definetly crashed and samba4 has been able to keep the network
> up for a few days but yesterday, the fileserver with samba 3.4.7 stopped
> allowing users to connect to the network shares.
> Then I tried to set up a new VM (ubuntu 11.04 server i386) with samba4
> Version 4.0.0alpha18-GIT-32317b0 and named BIND 9.9.0b1 from PPA.
> I followed the instructions from samba4 howto on the wiki mixed with the
> info related to bind DLZ and provisioned a new domain.
> At this time all seems to be OK:
> - added organization unit, users and groups
> - joined computers to the domain (Win XP)
> - joined fileserver with samba 3.4.7 to the domain (with some chown on the
> shares)
> So, what can I say? GREAT !!!
> What I'm currently missing is:
> - when I join a new computer to the domain, bind says
>  update-security: error: client update
> 'saitelitalia.local/IN' denied
>  database: info: samba_dlz: cancelling transaction on zone
> saitelitalia.local
>  and looking in the AD zone, also adding a new A record it does not work
> - it is not possible to add the reversed zone

This looks like the dynamic update with kerberos. dlz_bind9 only supports secure
dynamic updates. Windows first tries to do dynamic update without kerberos and
if that fails, it will try with kerberos. So it's common to find a
pattern of first denied
and then updated.

I have recently pushed patches to support reverse zones. (You can
fetch the latest
git tree.) You should be able to create reverse zones and get
dlz_bind9 resolve PTR

Just to note. One of the users had trouble getting bind 9.9.0 from PPA to work.
He had to compile bind 9.8.1 from sources and then it worked. May be the PPA
package has been updated since.


More information about the samba-technical mailing list