DNS update from s3 to s4, working with nsupdate, fails with net ads dns register

Michael Croes mycroes at gmail.com
Thu Nov 3 15:53:50 MDT 2011


Yes, I'm using the Samba 4 packages from Ubuntu Oneiric. I've actually been
using those from maverick and natty (in a version-mismatched
configuration), but now both my DCs are running Oneiric.

I was actually fiddling to build new .debs this evening, Samba 4 source
package seems easy, but I stopped at trying to get a talloc package. I do
want to continue the effort, many people will benefit from it.
Regards,

Michael
On 3 Nov 2011 20:39, "Gémes Géza" <geza at kzsdabas.hu> wrote:

> On 2011-11-03 17:39, Michael Croes wrote:
>
> Thanks for your response, will have to try a newer Samba release then...
> Regards,
>
> Michael
> On 3 Nov 2011 17:35, "Gémes Géza" <geza at kzsdabas.hu> wrote:
>
>> On 2011-11-03 16:30, Michael Croes wrote:
>> > Dear list,
>> >
>> > I hate to respond to myself again, but I think I might've found (part
>> > of) the reason for the failing DNS updates. It seems that the DLZ
>> > module doesn't respond to SOA requests. I've verified (using
>> > ldbsearch) that the SOA record is actually there, however a DNS
>> > request for the SOA record just results in a SERVFAIL, with no errors
>> > logged (neither bind nor samba). It seems that at least
>> > samba_dnsupdate needs this SOA record, this doesn't change anything
>> > about 'net ads dns register' failing when I use the provision
>> > generated named.conf though.
>> >
>> > Could anyone using the DLZ module verify existence of the SOA record
>> > (dig @dc.sam.dom SOA sam.dom)? I'm using the Samba alpha 17 shipped
>> > with Ubuntu Oneiric, so I can imagine different behaviour in a newer
>> > release.
>> > Regards,
>> >
>> > Michael
>> >
>> > 2011/11/3 Michael Croes <mycroes at gmail.com>:
>> >> Dear list,
>> >>
>> >> I've been struggling to get DNS updates working properly. Now there's
>> >> two situations I tested, with the DLZ module and with an old provision
>> >> generated named.conf. My test clients are net from Samba 3.5.11
>> >> (however this behaves the same as 3.5.8 for me) and nsupdate 9.7.3.
>> >> With net I can get no satisfying result at all (just 'DNS update
>> >> failed!'), but with nsupdate I can get further.
>> >>
>> >> I'm using the following to test with nsupdate (keytab exported with
>> >> samba-tool and copied to s3 host):
>> >> mycroes at mater:~$ kinit -k -t dns.keytab -S DNS/mijlweg.visser.eu mater\$@MIJLWEG.VISSER.EU
>> >> mycroes at mater:~$ nsupdate -g
>> >>> server adc.mijlweg.visser.eu
>> >>> zone mijlweg.visser.eu.
>> >>> update add mater.mijlweg.visser.eu.   86400   IN      A 172.16.1.222
>> >>> send
>> >> With the DLZ module loaded, this results in the following error:
>> >> could not find enclosing zone
>> >>
>> >> Without DLZ (using the generated named.conf inclusion), this will
>> >> properly update the DNS entry.
>> >>
>> >> I understand that this procedure might not be close enough to the 'net
>> >> ads dns register' command to warrant a bughunt, but I hope the
>> >> developer who wrote the dns register part might be able to point me to
>> >> a more precise test.
>> >>
>> >> Some more information that might prove useful: when bind is running
>> >> without the DLZ module I 'constantly' see XP clients updating their
>> >> DNS records successfully, with the DLZ module loaded I don't see any
>> >> update log messages at all. The bind version I'm using is 9.9.0 from
>> >> Hauke Lampe's PPA. As for the bind configuration I have the following:
>> >>
>> >> named.conf.options:
>> >>
>> >> options {
>> >>  ...
>> >>
>> >>  tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>> >> };
>> >>
>> >> (Just a single kerberos reference in the entire file)
>> >>
>> >> named.conf.local:
>> >>
>> >> dlz "AD DNS Zone" {
>> >>  database "dlopen /usr/lib/i386-linux-gnu/samba/libdlz_bind9.so";
>> >> };
>> >>
>> >> //include "/var/lib/samba/private/named.conf";
>> >>
>> >> logging {
>> >>        channel samba {
>> >>                file "/var/log/named/bind.log";
>> >>                severity debug 5;
>> >>                print-time yes;
>> >>                print-category yes;
>> >>        };
>> >>        category update {
>> >>                samba;
>> >>        };
>> >>        category update-security {
>> >>                samba;
>> >>        };
>> >> };
>> >>
>> >> (Commenting either dlz or the include statement for testing)
>> >>
>> >> Regards,
>> >>
>> >> Michael Croes
>> >>
>> Hi,
>>
>> My samba4 (4.0.0alpha18-GIT-6b06b0d) and bind9 (9.8.1) with dlz-dlopen
>> gives the expected response to that query returning the correct SOA
>>
>> Cheers
>>
>> Geza
>>
> Is your samba4 from a packaged source (I have never been successful in
> using Debian/Ubuntu packages for samba4 yet)?
> From when I abandoned trying to fix the debs and started using git versions
> everything is working as supposed (of course the unimplemented parts
> don't ;-) )
>
> Cheers
>
> Geza
>
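The SOA check and the nsupdate steps from the thread, wrapped into a small POSIX shell helper so the zone's answer can be verified before a GSS-TSIG update is attempted. This is an added example, not code from the thread or from Samba or BIND; the server and zone names are the ones in Michael's messages, the dig header lines are constructed sample output modelled on dig's real header format, and the helper function names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): verify that the DC answers an
# SOA query for the AD zone with NOERROR before running a Kerberos-authenticated
# (nsupdate -g) dynamic update. A SERVFAIL on the SOA, as described in the
# thread, is a sign the update will not find its enclosing zone.
# Assumed: dig and nsupdate from BIND are installed; kinit with the host
# keytab has already been run for the live case.

# dig_status: extract the rcode ("status: NOERROR") from dig output on stdin.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# check_soa_output: given captured dig output, return 0 if the query was
# answered with NOERROR and at least one answer record, 1 otherwise.
check_soa_output() {
    out="$1"
    status=$(printf '%s\n' "$out" | dig_status)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    [ "$status" = "NOERROR" ] && [ "${answers:-0}" -gt 0 ]
}

# build_nsupdate_script: emit the same nsupdate batch the thread typed
# interactively (server, zone, update add A record, send).
build_nsupdate_script() {
    server="$1"; zone="$2"; host="$3"; addr="$4"; ttl="${5:-86400}"
    printf 'server %s\nzone %s.\nupdate add %s.%s. %s IN A %s\nsend\n' \
        "$server" "$zone" "$host" "$zone" "$ttl" "$addr"
}

# Constructed sample dig output (header lines only), for offline checking.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12346
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Live use, names taken from the thread (uncomment to run against a real DC):
#   out=$(dig @adc.mijlweg.visser.eu SOA mijlweg.visser.eu)
#   if check_soa_output "$out"; then
#       build_nsupdate_script adc.mijlweg.visser.eu mijlweg.visser.eu mater 172.16.1.222 | nsupdate -g
#   else
#       echo "SOA query failed; fix the zone before attempting the update" >&2
#   fi
```

Running the SOA check first separates "the server cannot see the zone at all" from "the GSS-TSIG update was rejected", which is the distinction the thread was trying to make between the DLZ and the generated-named.conf setups.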

