nsupdate and internal DNS
Rowland Penny
repenny at f2s.com
Mon Dec 31 05:51:56 MST 2012
On 31/12/12 12:07, Andrew Bartlett wrote:
>> OK, for me, the internal DNS server will not update via a script that
>> DHCP runs. This script is based on the one at:
>> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/.
>> OK, it works again.
>>
>> The original DHCP update script was written to update a Windows server,
>> so as it will not update the internal DNS server, I think that we can
>> infer that the internal DNS server is not working the same as a Windows
>> server. Not a problem for me, as now I know the limitations of the
>> internal DNS server, I will stop using it and only use bind9.
>>
> Rowland,
>
> From here, what we need is for someone to look not at DHCP and that
> script, but simply why nsupdate -g fails against the internal server.
>
> This will hit more than DHCP anyway, as samba_dnsupdate is essentially
> doing the same thing.
>
> That BIND's nsupdate -g works against BIND itself is not surprising, but
> there may be some small details we are getting wrong in the internal
> server.
>
> So, what I'm suggesting is that someone needs to manually kinit, and
> then manually run nsupdate -g commands and show what bits fail, how they
> fail and perhaps work out why they fail.
>
> Thanks,
>
> Andrew Bartlett
>
OK, restart Samba 4 using internal DNS server, su to dhcpd user, kinit
as dhcpd and then manually run nsupdate with debug turned on:

service samba4 stop
service bind9 stop
mv /usr/local/samba /usr/local/samba-bind
mv /usr/local/samba-internal /usr/local/samba
service samba4 start
* Starting Samba 4 daemons samba
smbd [ OK ]
su - -s /bin/bash dhcpd
kinit -F -k -t /etc/dhcp/dhcpduser.keytab dhcpduser@HOME.LAN
klist
Ticket cache: FILE:/tmp/krb5cc_107
Default principal: dhcpduser@HOME.LAN
Valid starting Expires Service principal
31/12/12 12:24:27 31/12/12 22:24:27 krbtgt/HOME.LAN@HOME.LAN
renew until 01/01/13 12:24:27
dhcpd@adserver:~$ nsupdate -g -d
> server 192.168.0.10
> realm HOME.LAN
> update delete LinPad.home.lan 3600 A
> update add LinPad.home.lan 3600 A 192.168.0.173
> send
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58559
;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;LinPad.home.lan. IN SOA
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9390
;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;home.lan. IN SOA
;; ANSWER SECTION:
home.lan. 3600 IN SOA adserver.home.lan.
hostmaster.home.lan. 1 900 600 86400 0
Found zone name: home.lan
The master is: adserver.home.lan
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21882
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2488446920.sig-adserver.home.lan. ANY TKEY
;; ADDITIONAL SECTION:
2488446920.sig-adserver.home.lan. 0 ANY TKEY gss-tsig. 1356957453
1356957453 3 NOERROR 1276
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21882
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2488446920.sig-adserver.home.lan. ANY TKEY
;; ANSWER SECTION:
2488446920.sig-adserver.home.lan. 0 ANY TKEY gss-tsig. 1356957453
1356957453 3 NOERROR 182
;; TSIG PSEUDOSECTION:
2488446920.sig-adserver.home.lan. 0 ANY TSIG gss-tsig. 1356957453
300 28 BAQF//////8AAAAABZ8VZeui8ZjCdztkDnkWiA== 21882 NOERROR 0
Sending update to 192.168.0.10#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 49222
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; UPDATE SECTION:
LinPad.home.lan. 0 ANY A
LinPad.home.lan. 3600 IN A 192.168.0.173
;; TSIG PSEUDOSECTION:
2488446920.sig-adserver.home.lan. 0 ANY TSIG gss-tsig. 1356957453
300 28 BAQE//////8AAAAACaFb5Ursxrqu/FMMpvKsJg== 49222 NOERROR 0
; TSIG error with server: tsig verify failure
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 49222
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;home.lan. IN SOA
;; UPDATE SECTION:
LinPad.home.lan. 0 ANY A
LinPad.home.lan. 3600 IN A 192.168.0.173
;; TSIG PSEUDOSECTION:
2488446920.sig-adserver.home.lan. 0 ANY TSIG gss-tsig. 1356957453
300 28 BAQE//////8AAAAACaFb5Ursxrqu/FMMpvKsJg== 49222 NOERROR 0
nsupdate -g -d
> server 192.168.0.10
> realm HOME.LAN
> update delete 173.0.168.192.in-addr.arpa 3600 PTR
> update add 173.0.168.192.in-addr.arpa 3600 PTR LinPad.home.lan
> send
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24941
;; flags: qr; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;173.0.168.192.in-addr.arpa. IN SOA
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5879
;; flags: qr aa ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;0.168.192.in-addr.arpa. IN SOA
;; ANSWER SECTION:
0.168.192.in-addr.arpa. 3600 IN SOA adserver.home.lan.
hostmaster.home.lan. 2 900 600 86400 3600
Found zone name: 0.168.192.in-addr.arpa
The master is: adserver.home.lan
start_gssrequest
send_gssrequest
Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9536
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3079738857.sig-adserver.home.lan. ANY TKEY
;; ADDITIONAL SECTION:
3079738857.sig-adserver.home.lan. 0 ANY TKEY gss-tsig. 1356957727
1356957727 3 NOERROR 1276
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9536
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3079738857.sig-adserver.home.lan. ANY TKEY
;; ANSWER SECTION:
3079738857.sig-adserver.home.lan. 0 ANY TKEY gss-tsig. 1356957727
1356957727 3 NOERROR 182
;; TSIG PSEUDOSECTION:
3079738857.sig-adserver.home.lan. 0 ANY TSIG gss-tsig. 1356957727
300 28 BAQF//////8AAAAAHHTCBQzwY3WVCUNfBGd8Kw== 9536 NOERROR 0
Sending update to 192.168.0.10#53
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 48728
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; UPDATE SECTION:
173.0.168.192.in-addr.arpa. 0 ANY PTR
173.0.168.192.in-addr.arpa. 3600 IN PTR LinPad.home.lan.
;; TSIG PSEUDOSECTION:
3079738857.sig-adserver.home.lan. 0 ANY TSIG gss-tsig. 1356957727
300 28 BAQE//////8AAAAAPKw4E8zmJIeeotZxLYfxHA== 48728 NOERROR 0
; TSIG error with server: tsig verify failure
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 48728
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;0.168.192.in-addr.arpa. IN SOA
;; UPDATE SECTION:
173.0.168.192.in-addr.arpa. 0 ANY PTR
173.0.168.192.in-addr.arpa. 3600 IN PTR LinPad.home.lan.
;; TSIG PSEUDOSECTION:
3079738857.sig-adserver.home.lan. 0 ANY TSIG gss-tsig. 1356957727
300 28 BAQE//////8AAAAAPKw4E8zmJIeeotZxLYfxHA== 48728 NOERROR 0
Hope this helps
Rowland
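
Added example (not part of the original post, and not Samba or BIND code): a small Python triage of `nsupdate -g -d` output that reports which stage of the exchange failed, run on lines abridged from the first transcript above. The function names and stage labels are assumptions of this example.

```python
import re

# Abridged from the first nsupdate -g -d run in this post (TKEY payloads omitted).
SAMPLE = """\
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21882
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 49222
;; TSIG PSEUDOSECTION:
2488446920.sig-adserver.home.lan. 0 ANY TSIG gss-tsig. 1356957453
300 28 BAQE//////8AAAAACaFb5Ursxrqu/FMMpvKsJg== 49222 NOERROR 0
; TSIG error with server: tsig verify failure
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: SERVFAIL, id: 49222
;; TSIG PSEUDOSECTION:
2488446920.sig-adserver.home.lan. 0 ANY TSIG gss-tsig. 1356957453
300 28 BAQE//////8AAAAACaFb5Ursxrqu/FMMpvKsJg== 49222 NOERROR 0
"""

MARKER = re.compile(r"^(recvmsg reply from GSS-TSIG query|Outgoing update query:|"
                    r"Reply from update query:|Reply from SOA query:)$", re.M)
HEADER = re.compile(r"opcode: (\w+), status: (\w+), id: (\d+)")
# TSIG rdata: algorithm, time signed, fudge, MAC size, MAC (wrapped onto the next line)
TSIG = re.compile(r"ANY\s+TSIG\s+\S+\s+\d+\s+\d+\s+\d+\s+(\S+)")

def messages(text):
    """Split the debug transcript into (marker, opcode, status, id, mac) tuples."""
    parts = MARKER.split(text)[1:]  # [marker, body, marker, body, ...]
    out = []
    for marker, body in zip(parts[0::2], parts[1::2]):
        hdr, mac = HEADER.search(body), TSIG.search(body)
        if hdr:
            out.append((marker, hdr[1], hdr[2], int(hdr[3]), mac and mac[1]))
    return out

def triage(text):
    """Return (failed_stage, observations) for one nsupdate -g -d run."""
    msgs = messages(text)
    def pick(pfx, op):
        return next((m for m in msgs if m[0].startswith(pfx) and m[1] == op), None)
    tkey, sent = pick("recvmsg", "QUERY"), pick("Outgoing", "UPDATE")
    reply = pick("Reply from update", "UPDATE")
    if tkey is None or tkey[2] != "NOERROR":
        return "tkey-negotiation", []
    if sent is None or reply is None:
        return "update-not-sent", []
    checks = [("tsig verify failure" in text, "client rejected the TSIG on the reply"),
              (reply[4] is not None and reply[4] == sent[4], "reply MAC identical to request MAC"),
              (reply[2] != "NOERROR", "server rcode " + reply[2])]
    notes = [msg for hit, msg in checks if hit]
    return ("signed-update" if notes else "ok"), notes
```

On the abridged transcript, `triage(SAMPLE)` returns the stage `signed-update`: the TKEY negotiation answered NOERROR, the signed UPDATE came back SERVFAIL, and the TSIG MAC printed in the server's reply is the same string as the MAC in the request.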