Samba4 DNS dynamic updates denied

Mike Howard mike at
Sat Jun 25 07:32:46 MDT 2011

Hi All,

I currently use Bind9 and ISC dhcp servers on debian with dynamic 
updates working fine.

I've just started running with Samba4, which looks great, but I'm having 
trouble getting DNS dynamic updates woring. In fact, I've been pulling 
my hair out!

First I built and installed a newer version of bind9 (bind-9.8.0-P2), 
this works well and updates to my zones work without problem. I then 
built, installed and provisioned samba4 (samba-4.0.0alpha15) using the 
Samba4/HOWTO at This went well, configuring and testing  
DNS and Kerberos all succeeded as per the HOWTO.

However, DNS dynamic updates to the samba4 zone do not work. The 
following error is reported;

25-Jun-2011 13:55:49.801 error: client update 
'' denied

I've seen various reports of this but no solutions. I've tried various 
combinations of provisioning but never have any success. On some 
occasions, even worse than the above error is no error at all.

Anyway, in this incarnation I provisioned with;

./source4/setup/provision --domain=SKMDOM 
--adminpass='password' --server-role='domain controller'  

I've added;  tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; 
to my named.conf.options file and symlinked to /etc/krb5.keytab. I've 
played with permissions giving user bind everything but still no joy.

I suspect that it is a 'key' issue but have no evidence to support that.

Anybody got any ideas?


Michael Howard        mike at dewberryfields dot co dot uk

More information about the samba-technical mailing list