DNS update from s3 to s4, working with nsupdate, fails with net ads dns register

Gémes Géza geza at kzsdabas.hu
Thu Nov 3 23:51:14 MDT 2011


On 2011-11-03 22:53, Michael Croes wrote:
>
> Yes, I'm using the Samba 4 packages from Ubuntu Oneiric. I've actually
> been using those from maverick and natty (in a version-mismatched
> configuration), but now both my DC's are running Oneiric.
>
> I was actually fiddling to build new .debs this evening, Samba 4
> source package seems easy, but I stopped at trying to get a talloc
> package. I do want to continue the effort, many people will benefit
> from it.
> Regards,
>
> Michael
>
> On 3 Nov 2011 20:39, "Gémes Géza" <geza at kzsdabas.hu> wrote the following:
>
>     On 2011-11-03 17:39, Michael Croes wrote:
>>
>>     Thanks for your response, will have to try a newer Samba release
>>     then...
>>     Regards,
>>
>>     Michael
>>
>>     On 3 Nov 2011 17:35, "Gémes Géza" <geza at kzsdabas.hu> wrote the following:
>>
>>         On 2011-11-03 16:30, Michael Croes wrote:
>>         > Dear list,
>>         >
>>         > I hate to respond to myself again, but I think I might've found (part
>>         > of) the reason for the failing DNS updates. It seems that the DLZ
>>         > module doesn't respond to SOA requests. I've verified (using
>>         > ldbsearch) that the SOA record is actually there, however a DNS
>>         > request for the SOA record just results in a SERVFAIL, with no errors
>>         > logged (neither bind nor samba). It seems that at least
>>         > samba_dnsupdate needs this SOA record; this doesn't change anything
>>         > about 'net ads dns register' failing when I use the provision
>>         > generated named.conf though.
>>         >
>>         > Could anyone using the DLZ module verify existence of the SOA record
>>         > (dig @dc.sam.dom SOA sam.dom)? I'm using the Samba alpha 17 shipped
>>         > with Ubuntu Oneiric, so I can imagine different behaviour in a newer
>>         > release.
>>         > Regards,
>>         >
>>         > Michael
>>         >
>>         > 2011/11/3 Michael Croes <mycroes at gmail.com>:
>>         >> Dear list,
>>         >>
>>         >> I've been struggling to get DNS updates working properly. Now there are
>>         >> two situations I tested, with the DLZ module and with an old provision
>>         >> generated named.conf. My test clients are net from Samba 3.5.11
>>         >> (however this behaves the same as 3.5.8 for me) and nsupdate 9.7.3.
>>         >> With net I can get no satisfying result at all (just 'DNS update
>>         >> failed!'), but with nsupdate I can get further.
>>         >>
>>         >> I'm using the following to test with nsupdate (keytab exported with
>>         >> samba-tool and copied to s3 host):
>>         >> mycroes at mater:~$ kinit -k -t dns.keytab -S DNS/mijlweg.visser.eu mater\$@MIJLWEG.VISSER.EU
>>         >> mycroes at mater:~$ nsupdate -g
>>         >>> server adc.mijlweg.visser.eu
>>         >>> zone mijlweg.visser.eu.
>>         >>> update add mater.mijlweg.visser.eu.   86400   IN      A       172.16.1.222
>>         >>> send
>>         >> With the DLZ module loaded, this results in the following error:
>>         >> could not find enclosing zone
>>         >>
>>         >> Without DLZ (using the generated named.conf inclusion), this will
>>         >> properly update the DNS entry.
>>         >>
>>         >> I understand that this procedure might not be close enough to the 'net
>>         >> ads dns register' command to warrant a bughunt, but I hope the
>>         >> developer who wrote the dns register part might be able to point me to
>>         >> a more precise test.
>>         >>
>>         >> Some more information that might prove useful: when bind is running
>>         >> without the DLZ module I 'constantly' see XP clients updating their
>>         >> DNS records successfully; with the DLZ module loaded I don't see any
>>         >> update log messages at all. The bind version I'm using is 9.9.0 from
>>         >> Hauke Lampe's PPA. As for the bind configuration I have the following:
>>         >>
>>         >> named.conf.options:
>>         >>
>>         >> options {
>>         >>  ...
>>         >>
>>         >>  tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>>         >> };
>>         >>
>>         >> (Just a single kerberos reference in the entire file)
>>         >>
>>         >> named.conf.local:
>>         >>
>>         >> dlz "AD DNS Zone" {
>>         >>  database "dlopen /usr/lib/i386-linux-gnu/samba/libdlz_bind9.so";
>>         >> };
>>         >>
>>         >> //include "/var/lib/samba/private/named.conf";
>>         >>
>>         >> logging {
>>         >>        channel samba {
>>         >>                file "/var/log/named/bind.log";
>>         >>                severity debug 5;
>>         >>                print-time yes;
>>         >>                print-category yes;
>>         >>        };
>>         >>        category update {
>>         >>                samba;
>>         >>        };
>>         >>        category update-security {
>>         >>                samba;
>>         >>        };
>>         >> };
>>         >>
>>         >> (Commenting out either the dlz or the include statement for testing)
>>         >>
>>         >> Regards,
>>         >>
>>         >> Michael Croes
>>         >>
>>         Hi,
>>
>>         My samba4 (4.0.0alpha18-GIT-6b06b0d) and bind9 (9.8.1) with dlz-dlopen
>>         gives the expected response to that query, returning the correct SOA.
>>
>>         Cheers
>>
>>         Geza
>>
>     Is your samba4 from a packaged source (I have never been
>     successful in using Debian/Ubuntu packages for samba4 yet)?
>     Since I abandoned trying to fix the debs and started using git
>     versions, everything is working as expected (of course the
>     unimplemented parts don't ;-) )
>
>     Cheers
>
>     Geza
>
Hi,

Regarding packaging you are right.
I just gave up (temporarily) on trying to build (the latest versions of) all
the build and runtime dependencies (which are included in a git-obtained
source).
I'm interested in having stable packages once samba4 stabilizes a bit
(~RC1 maybe).

Cheers

Geza
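The SOA check and the `nsupdate -g` batch from Michael's quoted post, as an added example that is not part of the thread or of Samba: a small Python pre-flight that parses `dig @dc SOA <zone>` output, classifies the outcome (the SERVFAIL case that preceded "could not find enclosing zone" in the thread versus a healthy apex), and renders the update batch. The dig output samples, host names and addresses below are constructed, not captured from a real server.

```python
"""Pre-flight for GSS-TSIG dynamic DNS updates against a Samba AD DC (added example)."""
import re
from typing import NamedTuple


class SoaCheck(NamedTuple):
    status: str     # dig header status, e.g. NOERROR or SERVFAIL
    has_soa: bool   # True if the zone apex SOA appeared in the answer


def parse_dig_soa(dig_output: str, zone: str) -> SoaCheck:
    """Parse the text of `dig @dc SOA <zone>` and report status and SOA presence."""
    hdr = re.search(r";; ->>HEADER<<- opcode: \w+, status: (\w+)", dig_output)
    status = hdr.group(1) if hdr else "UNKNOWN"
    apex = re.escape(zone.rstrip(".")) + r"\."
    has_soa = any(re.match(apex + r"\s+\d+\s+IN\s+SOA\s", ln) for ln in dig_output.splitlines())
    return SoaCheck(status, has_soa)


def diagnose(check: SoaCheck) -> str:
    """Map the SOA check onto the outcomes seen in the thread."""
    if check.status == "SERVFAIL":
        # The backend serving the zone did not answer the apex query; in the thread this
        # coincided with nsupdate reporting 'could not find enclosing zone'.
        return "soa-servfail"
    if check.status == "NOERROR" and check.has_soa:
        return "ok"
    return "soa-missing"   # server answered, but without the apex SOA


def build_nsupdate_batch(server: str, zone: str, fqdn: str, ip: str, ttl: int = 86400) -> str:
    """Render the batch fed to `nsupdate -g` (GSS-TSIG), mirroring the thread's session."""
    z = zone.rstrip(".") + "."
    h = fqdn.rstrip(".") + "."
    return "\n".join([f"server {server}", f"zone {z}", f"update add {h} {ttl} IN A {ip}", "send", ""])


# Constructed sample outputs (not captured from a real server).
DIG_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; ANSWER SECTION:
sam.dom.\t\t3600\tIN\tSOA\tdc.sam.dom. hostmaster.sam.dom. 1 900 600 86400 3600
"""
DIG_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
"""

if __name__ == "__main__":
    for sample in (DIG_OK, DIG_SERVFAIL):
        print(diagnose(parse_dig_soa(sample, "sam.dom")))
    print(build_nsupdate_batch("adc.sam.dom", "sam.dom", "host1.sam.dom", "172.16.1.222"))
```

Feed real output from `dig @dc SOA zone` into `parse_dig_soa` and only pipe the rendered batch into `nsupdate -g` when `diagnose` returns "ok".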
