DNS update from s3 to s4, working with nsupdate, fails with net ads dns register
Michael Croes
mycroes at gmail.com
Thu Nov 3 09:30:38 MDT 2011
Dear list,
I hate to respond to myself again, but I think I might've found (part
of) the reason for the failing DNS updates. It seems that the DLZ
module doesn't respond to SOA requests. I've verified (using
ldbsearch) that the SOA record is actually there, however a DNS
request for the SOA record just results in a SERVFAIL, with no errors
logged (neither bind nor samba). It seems that at least
samba_dnsupdate needs this SOA record, this doesn't change anything
about 'net ads dns register' failing when I use the provision
generated named.conf though.
Could anyone using the DLZ module verify existence of the SOA record
(dig @dc.sam.dom SOA sam.dom)? I'm using the Samba alpha 17 shipped
with Ubuntu Oneiric, so I can imagine different behaviour in a newer
release.
Regards,
Michael
2011/11/3 Michael Croes <mycroes at gmail.com>:
> Dear list,
>
> I've been struggling to get DNS updates working properly. Now there's
> two situations I tested, with the DLZ module and with an old provision
> generated named.conf. My test clients are net from Samba 3.5.11
> (however this behaves the same as 3.5.8 for me) and nsupdate 9.7.3.
> With net I can get no satisfying result at all (just 'DNS update
> failed!'), but with nsupdate I can get further.
>
> I'm using the following to test with nsupdate (keytab exported with
> samba-tool and copied to s3 host):
> mycroes at mater:~$ kinit -k -t dns.keytab -S DNS/mijlweg.visser.eu
> mater\$@MIJLWEG.VISSER.EU
> mycroes at mater:~$ nsupdate -g
>> server adc.mijlweg.visser.eu
>> zone mijlweg.visser.eu.
>> update add mater.mijlweg.visser.eu. 86400 IN A 172.16.1.222
>> send
>
> With the DLZ module loaded, this results in the following error:
> could not find enclosing zone
>
> Without DLZ (using the generated named.conf inclusion), this will
> properly update the DNS entry.
>
> I understand that this procedure might not be close enough to the 'net
> ads dns register' command to warrant a bughunt, but I hope the
> developer who wrote the dns register part might be able to point me to
> a more precise test.
>
> Some more information that might prove useful: when bind is running
> without the DLZ module I 'constantly' see XP clients updating their
> DNS records successfully, with the DLZ module loaded I don't see any
> update log messages at all. The bind version I'm using is 9.9.0 from
> Hauke Lampe's PPA. As for the bind configuration I have the following:
>
> named.conf.options:
>
> options {
> ...
>
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> (Just a single kerberos reference in the entire file)
>
> named.conf.local:
>
> dlz "AD DNS Zone" {
> database "dlopen /usr/lib/i386-linux-gnu/samba/libdlz_bind9.so";
> };
>
> //include "/var/lib/samba/private/named.conf";
>
> logging {
> channel samba {
> file "/var/log/named/bind.log";
> severity debug 5;
> print-time yes;
> print-category yes;
> };
> category update {
> samba;
> };
> category update-security {
> samba;
> };
> };
>
> (Commenting either dlz or the include statement for testing)
>
> Regards,
>
> Michael Croes
>
More information about the samba-technical
mailing list