Samba 4.0 DNS configuration

Andrew Bartlett abartlet at samba.org
Sat Jun 11 20:42:00 MDT 2011


On Sat, 2011-06-11 at 06:19 -0600, Trever L. Adams wrote:

> Ok, two bug reports here, I guess. First, I just had to move several
> servers. samba_dnsupdate found the new IP addresses, but didn't remove
> the old ones. I think 'update delete FQDN' does the trick, if it is
> possible to know when to issue this.
> 
> As for net ads dns register, if I am kinited as administrator or
> HOSTNAME$ and run it, I get "DNS update failed!"
> 
> On the server, in /var/named/data/named.run, (with high debug value on
> named) I see:
> 
> client 10.0.0.21#45674: query
> gss cred: "DNS/realm at REALM", GSS_C_ACCEPT, 4294961332
> failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS
> failure.  Minor code may provide more information, Minor = Wrong
> principal in request.
> process_gsstkey(): dns_tsigerror_badkey
> 
> With lower debug, I simply see:
> 
> update unsuccessful:host/A: 'RRset exists (value dependent)'
> prerequisite not satisfied (NXRRSET)
> 
> I will try Samba 3.6.0rc1 hopefully today or some time Monday.
> 
> Thank you,
> Trever Adams

This isn't an issue with Samba 3.6, but with BIND and the Samba4 zone
you have loaded. 

The most reliable way to fix this is to upgrade to BIND 9.8 and change
the gssapi settings in the named.conf to only:

tkey-gssapi-keytab "/path/to/dns.keytab";

This should then work much more reliably.  Your DNS zone is also showing
a bug we had for ages, where the first line contained only the realm
where it should be your server's full hostname.  (see the following line
in the new zone template).  

@               IN SOA  hostname.realm   hostmaster (

I suspect your provision is old, so perhaps upgrade to a current Samba4
git checkout and reprovision (if possible).  If you can't reprovision,
ensure that the servicePrincipalName attribute on the 'cn=dns' user has
a value of DNS/hostname.realm

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
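
A check for the configuration described in the reply above, as an added example that is not part of the original message or of Samba's own code. It flags a named.conf that lacks tkey-gssapi-keytab or still carries other GSSAPI options, and a zone whose SOA line names the bare realm instead of the server's full hostname. Assumptions: the names example.com and dc1 and all sample text are constructed, and the two older options it looks for (tkey-gssapi-credential, tkey-domain) are real BIND options that the thread itself does not name.

```python
import re

# Constructed sample inputs; example.com and dc1 are placeholder names.
OLD_CONF = '''options {
    tkey-gssapi-credential "DNS/example.com";
    tkey-domain "EXAMPLE.COM";
};'''
NEW_CONF = '''options {
    // only GSSAPI setting, as advised in the reply
    tkey-gssapi-keytab "/path/to/dns.keytab";
};'''
OLD_ZONE = "@               IN SOA  example.com.   hostmaster (\n"
NEW_ZONE = "@               IN SOA  dc1.example.com.   hostmaster (\n"

GSS_OPT = re.compile(
    r'\b(tkey-gssapi-keytab|tkey-gssapi-credential|tkey-domain)\s+"([^"]*)"\s*;')
SOA = re.compile(r'^\S+\s+(?:\d+\s+)?(?:IN\s+)?SOA\s+(\S+)', re.M | re.I)

def check_named_conf(text):
    """Return findings about the GSSAPI options in named.conf text."""
    text = re.sub(r'(?m)^\s*(//|#).*$', '', text)  # ignore whole-line comments
    opts = dict(GSS_OPT.findall(text))
    findings = []
    if 'tkey-gssapi-keytab' not in opts:
        findings.append('tkey-gssapi-keytab is not set')
    for legacy in ('tkey-gssapi-credential', 'tkey-domain'):
        if legacy in opts:
            findings.append(f'remove {legacy} "{opts[legacy]}"')
    return findings

def check_soa(zone_text, realm, server_fqdn):
    """Return findings about the SOA primary name (first field after SOA)."""
    m = SOA.search(zone_text)
    if not m:
        return ['no SOA record found']
    mname = m.group(1).rstrip('.').lower()
    if mname == realm.lower():
        return [f'SOA names the bare realm {mname}; expected {server_fqdn}']
    if mname != server_fqdn.lower():
        return [f'SOA names {mname}; expected {server_fqdn}']
    return []

def audit(conf, zone, realm, server_fqdn):
    """Run both checks and report the SPN the cn=dns user should carry."""
    findings = check_named_conf(conf) + check_soa(zone, realm, server_fqdn)
    return {'findings': findings, 'expected_spn': f'DNS/{server_fqdn}'}

if __name__ == '__main__':
    print(audit(OLD_CONF, OLD_ZONE, 'example.com', 'dc1.example.com'))
    print(audit(NEW_CONF, NEW_ZONE, 'example.com', 'dc1.example.com'))
```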



