DNS update from s3 to s4, working with nsupdate, fails with net ads dns register

Michael Croes mycroes at gmail.com
Thu Nov 3 10:39:56 MDT 2011


Thanks for your response, will have to try a newer Samba release then...
Regards,

Michael
On 3 Nov 2011 17:35, "Gémes Géza" <geza at kzsdabas.hu> wrote:

> On 2011-11-03 16:30, Michael Croes wrote:
> > Dear list,
> >
> > I hate to respond to myself again, but I think I might've found (part
> > of) the reason for the failing DNS updates. It seems that the DLZ
> > module doesn't respond to SOA requests. I've verified (using
> > ldbsearch) that the SOA record is actually there, however a DNS
> > request for the SOA record just results in a SERVFAIL, with no errors
> > logged (neither bind nor samba). It seems that at least
> > samba_dnsupdate needs this SOA record, this doesn't change anything
> > about 'net ads dns register' failing when I use the provision
> > generated named.conf though.
> >
> > Could anyone using the DLZ module verify existence of the SOA record
> > (dig @dc.sam.dom SOA sam.dom)? I'm using the Samba alpha 17 shipped
> > with Ubuntu Oneiric, so I can imagine different behaviour in a newer
> > release.
> > Regards,
> >
> > Michael
> >
> > 2011/11/3 Michael Croes <mycroes at gmail.com>:
> >> Dear list,
> >>
> >> I've been struggling to get DNS updates working properly. Now there's
> >> two situations I tested, with the DLZ module and with an old provision
> >> generated named.conf. My test clients are net from Samba 3.5.11
> >> (however this behaves the same as 3.5.8 for me) and nsupdate 9.7.3.
> >> With net I can get no satisfying result at all (just 'DNS update
> >> failed!'), but with nsupdate I can get further.
> >>
> >> I'm using the following to test with nsupdate (keytab exported with
> >> samba-tool and copied to s3 host):
> >> mycroes at mater:~$ kinit -k -t dns.keytab -S DNS/mijlweg.visser.eu mater\$@MIJLWEG.VISSER.EU
> >> mycroes at mater:~$ nsupdate -g
> >>> server adc.mijlweg.visser.eu
> >>> zone mijlweg.visser.eu.
> >>> update add mater.mijlweg.visser.eu. 86400 IN A 172.16.1.222
> >>> send
> >> With the DLZ module loaded, this results in the following error:
> >> could not find enclosing zone
> >>
> >> Without DLZ (using the generated named.conf inclusion), this will
> >> properly update the DNS entry.
> >>
> >> I understand that this procedure might not be close enough to the 'net
> >> ads dns register' command to warrant a bughunt, but I hope the
> >> developer who wrote the dns register part might be able to point me to
> >> a more precise test.
> >>
> >> Some more information that might prove useful: when bind is running
> >> without the DLZ module I 'constantly' see XP clients updating their
> >> DNS records successfully, with the DLZ module loaded I don't see any
> >> update log messages at all. The bind version I'm using is 9.9.0 from
> >> Hauke Lampe's PPA. As for the bind configuration I have the following:
> >>
> >> named.conf.options:
> >>
> >> options {
> >>  ...
> >>
> >>  tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> >> };
> >>
> >> (Just a single kerberos reference in the entire file)
> >>
> >> named.conf.local:
> >>
> >> dlz "AD DNS Zone" {
> >>  database "dlopen /usr/lib/i386-linux-gnu/samba/libdlz_bind9.so";
> >> };
> >>
> >> //include "/var/lib/samba/private/named.conf";
> >>
> >> logging {
> >>        channel samba {
> >>                file "/var/log/named/bind.log";
> >>                severity debug 5;
> >>                print-time yes;
> >>                print-category yes;
> >>        };
> >>        category update {
> >>                samba;
> >>        };
> >>        category update-security {
> >>                samba;
> >>        };
> >> };
> >>
> >> (Commenting either dlz or the include statement for testing)
> >>
> >> Regards,
> >>
> >> Michael Croes
> >>
> Hi,
>
> My samba4 (4.0.0alpha18-GIT-6b06b0d) and bind9 (9.8.1) with dlz-dlopen
> give the expected response to that query, returning the correct SOA.
>
> Cheers
>
> Geza
>
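The diagnostic sequence the thread walks through (an SOA lookup against the DC, then a GSS-TSIG update with nsupdate -g), as an added shell script that is not part of the thread, of Samba or of BIND. The zone, DC, client and address defaults are the values used in the thread; the function names, the DNS_DIAG_RUN switch and the two sample dig outputs are this example's own assumptions. Unlike the kinit -S form in the thread, the script obtains a plain TGT from the keytab and lets nsupdate -g request the DNS/ service ticket itself.

```shell
#!/bin/sh
# Added diagnostic script; it is not code from the thread or from Samba/BIND.
# It reproduces the two checks the thread turns on: does the DC answer the
# SOA query for the AD zone, and does a GSS-TSIG update via "nsupdate -g"
# go through. Zone, DC, client and address defaults are the thread's own
# values; every function name and the DNS_DIAG_RUN switch are assumptions.

ZONE="${ZONE:-mijlweg.visser.eu}"
DC="${DC:-adc.mijlweg.visser.eu}"
CLIENT="${CLIENT:-mater}"
ADDR="${ADDR:-172.16.1.222}"
KEYTAB="${KEYTAB:-dns.keytab}"
REALM="${REALM:-$(printf '%s' "$ZONE" | tr '[:lower:]' '[:upper:]')}"
PRINC="${PRINC:-${CLIENT}\$@${REALM}}"

# Constructed sample dig outputs (not captured from the thread's hosts):
# a healthy SOA answer and the SERVFAIL the thread saw from the DLZ module.
SAMPLE_SOA_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; QUESTION SECTION:
;mijlweg.visser.eu.        IN  SOA

;; ANSWER SECTION:
mijlweg.visser.eu.  3600  IN  SOA  adc.mijlweg.visser.eu. hostmaster.mijlweg.visser.eu. 1 900 600 86400 3600

;; Query time: 1 msec'
SAMPLE_SOA_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; QUESTION SECTION:
;mijlweg.visser.eu.        IN  SOA'

# Extract the RCODE ("NOERROR", "SERVFAIL", ...) from dig's header line on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Count SOA records in the ANSWER section of dig output on stdin.
dig_soa_answers() {
    awk '/^;; ANSWER SECTION:/ { inans = 1; next }
         /^;;/                 { inans = 0 }
         inans && $4 == "SOA"  { n++ }
         END                   { print n + 0 }'
}

# The nsupdate commands typed interactively in the thread, as one input stream.
nsupdate_script() {
    printf 'server %s\nzone %s.\nupdate add %s.%s. 86400 IN A %s\nsend\n' \
        "$DC" "$ZONE" "$CLIENT" "$ZONE" "$ADDR"
}

# Classify nsupdate's stderr (stdin): "could not find enclosing zone" is the
# DLZ symptom from the thread; "update failed: <RCODE>" is a server refusal.
nsupdate_verdict() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'could not find enclosing zone'; then
        echo no-zone
    elif printf '%s\n' "$out" | grep -qi 'update failed'; then
        echo refused
    else
        echo ok
    fi
}

# Live run against the DC; needs dig, kinit and nsupdate and network access.
# A plain TGT is obtained and nsupdate -g fetches the DNS/ service ticket itself.
run_live() {
    resp=$(dig @"$DC" SOA "$ZONE")
    st=$(printf '%s\n' "$resp" | dig_status)
    n=$(printf '%s\n' "$resp" | dig_soa_answers)
    echo "SOA query: status=$st soa_records=$n"
    if [ "$st" != NOERROR ] || [ "$n" -eq 0 ]; then
        echo "DC does not serve the SOA for $ZONE; stopping before the update" >&2
        return 1
    fi
    kinit -k -t "$KEYTAB" "$PRINC" || return 1
    err=$(nsupdate_script | nsupdate -g 2>&1 >/dev/null)
    v=$(printf '%s\n' "$err" | nsupdate_verdict)
    echo "nsupdate: $v"
    [ "$v" = ok ] || return 1
    dig @"$DC" +short A "$CLIENT.$ZONE"
}

# Offline: classify the constructed samples so the parsers can be exercised
# without a DC.
demo_offline() {
    printf 'sample ok: status=%s soa=%s\n' \
        "$(printf '%s\n' "$SAMPLE_SOA_OK" | dig_status)" \
        "$(printf '%s\n' "$SAMPLE_SOA_OK" | dig_soa_answers)"
    printf 'sample servfail: status=%s soa=%s\n' \
        "$(printf '%s\n' "$SAMPLE_SOA_SERVFAIL" | dig_status)" \
        "$(printf '%s\n' "$SAMPLE_SOA_SERVFAIL" | dig_soa_answers)"
}

if [ "${DNS_DIAG_RUN:-0}" = 1 ]; then
    run_live
else
    demo_offline
fi
```

Run it with DNS_DIAG_RUN=1 on a domain member that holds the exported keytab; without the switch it only classifies the embedded samples. A SERVFAIL on the SOA query is the stop condition the thread arrives at: the update is not attempted until the DC actually serves the zone's SOA, which is the record nsupdate and samba_dnsupdate look for before sending anything.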

