DNS update from s3 to s4, working with nsupdate, fails with net ads dns register

Gémes Géza geza at kzsdabas.hu
Thu Nov 3 10:35:10 MDT 2011


On 2011-11-03 16:30, Michael Croes wrote:
> Dear list,
>
> I hate to respond to myself again, but I think I might've found (part
> of) the reason for the failing DNS updates. It seems that the DLZ
> module doesn't respond to SOA requests. I've verified (using
> ldbsearch) that the SOA record is actually there, however a DNS
> request for the SOA record just results in a SERVFAIL, with no errors
> logged (neither bind nor samba). It seems that at least
> samba_dnsupdate needs this SOA record; this doesn't change anything
> about 'net ads dns register' failing when I use the provision
> generated named.conf though.
>
> Could anyone using the DLZ module verify existence of the SOA record
> (dig @dc.sam.dom SOA sam.dom)? I'm using the Samba alpha 17 shipped
> with Ubuntu Oneiric, so I can imagine different behaviour in a newer
> release.
> Regards,
>
> Michael
>
> 2011/11/3 Michael Croes <mycroes at gmail.com>:
>> Dear list,
>>
>> I've been struggling to get DNS updates working properly. Now there are
>> two situations I tested, with the DLZ module and with an old provision
>> generated named.conf. My test clients are net from Samba 3.5.11
>> (however this behaves the same as 3.5.8 for me) and nsupdate 9.7.3.
>> With net I can get no satisfying result at all (just 'DNS update
>> failed!'), but with nsupdate I can get further.
>>
>> I'm using the following to test with nsupdate (keytab exported with
>> samba-tool and copied to s3 host):
>> mycroes at mater:~$ kinit -k -t dns.keytab -S DNS/mijlweg.visser.eu
>> mater\$@MIJLWEG.VISSER.EU
>> mycroes at mater:~$ nsupdate -g
>>> server adc.mijlweg.visser.eu
>>> zone mijlweg.visser.eu.
>>> update add mater.mijlweg.visser.eu.   86400   IN      A       172.16.1.222
>>> send
>> With the DLZ module loaded, this results in the following error:
>> could not find enclosing zone
>>
>> Without DLZ (using the generated named.conf inclusion), this will
>> properly update the DNS entry.
>>
>> I understand that this procedure might not be close enough to the 'net
>> ads dns register' command to warrant a bughunt, but I hope the
>> developer who wrote the dns register part might be able to point me to
>> a more precise test.
>>
>> Some more information that might prove useful: when bind is running
>> without the DLZ module I 'constantly' see XP clients updating their
>> DNS records successfully, with the DLZ module loaded I don't see any
>> update log messages at all. The bind version I'm using is 9.9.0 from
>> Hauke Lampe's PPA. As for the bind configuration I have the following:
>>
>> named.conf.options:
>>
>> options {
>>  ...
>>
>>  tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>> };
>>
>> (Just a single kerberos reference in the entire file)
>>
>> named.conf.local:
>>
>> dlz "AD DNS Zone" {
>>  database "dlopen /usr/lib/i386-linux-gnu/samba/libdlz_bind9.so";
>> };
>>
>> //include "/var/lib/samba/private/named.conf";
>>
>> logging {
>>        channel samba {
>>                file "/var/log/named/bind.log";
>>                severity debug 5;
>>                print-time yes;
>>                print-category yes;
>>        };
>>        category update {
>>                samba;
>>        };
>>        category update-security {
>>                samba;
>>        };
>> };
>>
>> (Commenting either dlz or the include statement for testing)
>>
>> Regards,
>>
>> Michael Croes
>>
Hi,

My samba4 (4.0.0alpha18-GIT-6b06b0d) and bind9 (9.8.1) with dlz-dlopen
gives the expected response to that query, returning the correct SOA.

Cheers

Geza
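The check Michael asks list members to run (dig @dc.sam.dom SOA sam.dom) is easier to repeat across DCs if its result is classified mechanically. The script below is an added example, not code from this thread or from Samba; it reads dig output on stdin and reports whether the zone answered with an SOA, answered SERVFAIL (the DLZ symptom described above), answered NOERROR without an SOA, or could not be reached. The dig transcripts embedded in it are constructed samples, and the server and zone names (dc.sam.dom, sam.dom) are taken from the thread as placeholders.

```shell
#!/bin/sh
# Added example: classify the outcome of an SOA lookup from dig's output.
# Not from the original thread; dc.sam.dom / sam.dom are placeholder names.

# classify_soa_lookup reads dig output on stdin and prints one word:
#   ok        - rcode NOERROR and an SOA record in the ANSWER section
#   servfail  - rcode SERVFAIL (the symptom reported for the DLZ module)
#   noanswer  - rcode NOERROR but no SOA returned for the zone
#   noreply   - no HEADER line at all (timeout / server unreachable)
#   other     - any other rcode (NXDOMAIN, REFUSED, ...)
classify_soa_lookup() {
    out=$(cat)
    # The rcode sits on dig's ";; ->>HEADER<<- ... status: XXX," line.
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    case "$status" in
        NOERROR)
            # Walk the ANSWER SECTION only; field 4 of a record line is its RR type.
            if printf '%s\n' "$out" | awk '
                /ANSWER SECTION/ { f = 1; next }
                /^;;/            { f = 0 }
                f && $4 == "SOA" { found = 1 }
                END              { exit !found }'; then
                echo ok
            else
                echo noanswer
            fi ;;
        SERVFAIL) echo servfail ;;
        "")       echo noreply ;;
        *)        echo other ;;
    esac
}

# Constructed sample: the failing case from the thread (SERVFAIL, empty answer).
SAMPLE_SERVFAIL='; <<>> DiG 9.7.3 <<>> @dc.sam.dom SOA sam.dom
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sam.dom.			IN	SOA'

# Constructed sample: the healthy case Geza reports (NOERROR with an SOA).
SAMPLE_OK='; <<>> DiG 9.7.3 <<>> @dc.sam.dom SOA sam.dom
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sam.dom.			IN	SOA

;; ANSWER SECTION:
sam.dom.		3600	IN	SOA	dc.sam.dom. hostmaster.sam.dom. 1 900 600 86400 3600'

# Constructed sample: dig could not reach the server at all.
SAMPLE_TIMEOUT=';; connection timed out; no servers could be reached'

# Convenience wrappers so each sample can be checked by name.
check_sample_servfail() { printf '%s\n' "$SAMPLE_SERVFAIL" | classify_soa_lookup; }
check_sample_ok()       { printf '%s\n' "$SAMPLE_OK"       | classify_soa_lookup; }
check_sample_timeout()  { printf '%s\n' "$SAMPLE_TIMEOUT"  | classify_soa_lookup; }

# Stand-alone demo over the constructed samples.
echo "servfail sample: $(check_sample_servfail)"
echo "ok sample:       $(check_sample_ok)"
echo "timeout sample:  $(check_sample_timeout)"
```

Against a live DC the same function is fed real output, e.g. `dig @dc.sam.dom SOA sam.dom | classify_soa_lookup`; anything other than `ok` means samba_dnsupdate and GSS-TSIG clients will not find an enclosing zone to update, so this is worth running before spending time on keytab or nsupdate settings.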

