[Samba] V4 - New Install - Missing Zone File

Jeremy Davis jdavis4102 at gmail.com
Wed Feb 22 22:54:20 MST 2012



On 02/22/2012 10:48 PM, Amitay Isaacs wrote:
> On Thu, Feb 23, 2012 at 4:33 PM, Jeremy Davis<jdavis4102 at gmail.com>  wrote:
>> Hello Amitay,
>>
>>
>> On 02/22/2012 10:07 PM, Amitay Isaacs wrote:
>>> Hi Jeremy,
>>>
>>> On Thu, Feb 23, 2012 at 3:29 PM, Jeremy Davis<jdavis4102 at gmail.com>
>>>   wrote:
>>>> Hello Amitay,
>>>>
>>>> On 02/22/2012 02:34 PM, Amitay Isaacs wrote:
>>>>> Hi Jeremy,
>>>>>
>>>>>
>>>>> That error message needs to be fixed. :)
>>>>>
>>>>> Looks like "nsupdate" command is not in the path. samba_dnsupdate
>>>>> script uses nsupdate to dynamically update DNS entries.
>>>>>
>>>>> Try adding "nsupdate command = /path/to/nsupdate" in smb.conf.
>>>>>
>>>>> Amitay.
>>>>>
>>>> Thank you SO MUCH for getting me this far!! :) That looks like it fixed
>>>> that issue but I have now run into a denied error message for bind.
>>>> Below you can find my logs for both samba_dnsupdate and bind. Seems like
>>>> the dns.keytab file is not correct or something. I have tried to put
>>>> allow-update { 192.168.30.1; } in my options section of my named.conf
>>>> with no luck.
>>>>
>>> I forgot to mention that nsupdate command should also include -g flag
>>> to force secure (kerberos) updates.
>>>
>>>     nsupdate command = /path/to/nsupdate -g
>>>
>>> dlz_bind9 module only allows secure dynamic updates.
>>>
>>> Amitay.
>>>
>> I added the -g to the smb.conf and restarted samba and named but it doesn't
>> seem to do anything. Could this be an issue with kerberos? I am able to
>> authenticate with my Windows machine and via the command line using the
>> tests on the samba4 wiki. Any ideas as to what this could be?
> What happens when you run samba_dnsupdate --verbose?
> What's the output from BIND?
>
> Amitay.
>

Well, the samba_dnsupdate logs are the same but bind is now showing a 
little different error.

samba-dnsupdate:

IPs: ['2002:4b46:c8ad:0:a00:27ff:fe14:5491', 
'fe80::a00:27ff:fe14:5491%eth0', 'fe80::a00:27ff:fee5:5840%eth1', 
'192.168.7.30', '192.168.30.1']
Looking for DNS entry A bob-dc.com 192.168.7.30 as bob-dc.com.
Looking for DNS entry A dc1.bob-dc.com 192.168.7.30 as dc1.bob-dc.com.
Looking for DNS entry AAAA bob-dc.com 
2002:4b46:c8ad:0:a00:27ff:fe14:5491 as bob-dc.com.
Failed to find matching DNS entry AAAA bob-dc.com 
2002:4b46:c8ad:0:a00:27ff:fe14:5491
Looking for DNS entry AAAA dc1.bob-dc.com 
2002:4b46:c8ad:0:a00:27ff:fe14:5491 as dc1.bob-dc.com.
Failed to find matching DNS entry AAAA dc1.bob-dc.com 
2002:4b46:c8ad:0:a00:27ff:fe14:5491
Looking for DNS entry A gc._msdcs.bob-dc.com 192.168.7.30 as 
gc._msdcs.bob-dc.com.
Looking for DNS entry AAAA gc._msdcs.bob-dc.com 
2002:4b46:c8ad:0:a00:27ff:fe14:5491 as gc._msdcs.bob-dc.com.
Failed to find matching DNS entry AAAA gc._msdcs.bob-dc.com 
2002:4b46:c8ad:0:a00:27ff:fe14:5491
Looking for DNS entry CNAME 
48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com dc1.bob-dc.com as 
48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com.
Looking for DNS entry SRV _kpasswd._tcp.bob-dc.com dc1.bob-dc.com 464 as 
_kpasswd._tcp.bob-dc.com.
Checking 0 100 464 dc1.bob-dc.com. against SRV _kpasswd._tcp.bob-dc.com 
dc1.bob-dc.com 464
Looking for DNS entry SRV _kpasswd._udp.bob-dc.com dc1.bob-dc.com 464 as 
_kpasswd._udp.bob-dc.com.
Checking 0 100 464 dc1.bob-dc.com. against SRV _kpasswd._udp.bob-dc.com 
dc1.bob-dc.com 464
Looking for DNS entry SRV _kerberos._tcp.bob-dc.com dc1.bob-dc.com 88 as 
_kerberos._tcp.bob-dc.com.
Checking 0 100 88 dc1.bob-dc.com. against SRV _kerberos._tcp.bob-dc.com 
dc1.bob-dc.com 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.bob-dc.com 
dc1.bob-dc.com 88 as _kerberos._tcp.dc._msdcs.bob-dc.com.
Checking 0 100 88 dc1.bob-dc.com. against SRV 
_kerberos._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 88
Looking for DNS entry SRV 
_kerberos._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 
88 as _kerberos._tcp.default-first-site-name._sites.bob-dc.com.
Checking 0 100 88 dc1.bob-dc.com. against SRV 
_kerberos._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 88
Looking for DNS entry SRV 
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com 
dc1.bob-dc.com 88 as 
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com.
Checking 0 100 88 dc1.bob-dc.com. against SRV 
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com 
dc1.bob-dc.com 88
Looking for DNS entry SRV _kerberos._udp.bob-dc.com dc1.bob-dc.com 88 as 
_kerberos._udp.bob-dc.com.
Checking 0 100 88 dc1.bob-dc.com. against SRV _kerberos._udp.bob-dc.com 
dc1.bob-dc.com 88
Looking for DNS entry SRV _ldap._tcp.bob-dc.com dc1.bob-dc.com 389 as 
_ldap._tcp.bob-dc.com.
Checking 0 100 389 dc1.bob-dc.com. against SRV _ldap._tcp.bob-dc.com 
dc1.bob-dc.com 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 
389 as _ldap._tcp.dc._msdcs.bob-dc.com.
Checking 0 100 389 dc1.bob-dc.com. against SRV 
_ldap._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 389
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.bob-dc.com dc1.bob-dc.com 
3268 as _ldap._tcp.gc._msdcs.bob-dc.com.
Checking 0 100 3268 dc1.bob-dc.com. against SRV 
_ldap._tcp.gc._msdcs.bob-dc.com dc1.bob-dc.com 3268
Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.bob-dc.com 
dc1.bob-dc.com 389 as _ldap._tcp.pdc._msdcs.bob-dc.com.
Checking 0 100 389 dc1.bob-dc.com. against SRV 
_ldap._tcp.pdc._msdcs.bob-dc.com dc1.bob-dc.com 389
Looking for DNS entry SRV 
_ldap._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 389 
as _ldap._tcp.default-first-site-name._sites.bob-dc.com.
Checking 0 100 389 dc1.bob-dc.com. against SRV 
_ldap._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 389
Looking for DNS entry SRV 
_ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com 
dc1.bob-dc.com 389 as 
_ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com.
Checking 0 100 389 dc1.bob-dc.com. against SRV 
_ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com 
dc1.bob-dc.com 389
Looking for DNS entry SRV 
_ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com 
dc1.bob-dc.com 3268 as 
_ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com.
Checking 0 100 3268 dc1.bob-dc.com. against SRV 
_ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com 
dc1.bob-dc.com 3268
Looking for DNS entry SRV 
_ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com dc1.bob-dc.com 
389 as 
_ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com.
Checking 0 100 389 dc1.bob-dc.com. against SRV 
_ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com dc1.bob-dc.com 
389
Looking for DNS entry SRV _gc._tcp.bob-dc.com dc1.bob-dc.com 3268 as 
_gc._tcp.bob-dc.com.
Checking 0 100 3268 dc1.bob-dc.com. against SRV _gc._tcp.bob-dc.com 
dc1.bob-dc.com 3268
Looking for DNS entry SRV 
_gc._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 3268 
as _gc._tcp.default-first-site-name._sites.bob-dc.com.
Checking 0 100 3268 dc1.bob-dc.com. against SRV 
_gc._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 3268
Looking for DNS entry A bob-dc.com 192.168.30.1 as bob-dc.com.
Failed to find matching DNS entry A bob-dc.com 192.168.30.1
Looking for DNS entry A dc1.bob-dc.com 192.168.30.1 as dc1.bob-dc.com.
Failed to find matching DNS entry A dc1.bob-dc.com 192.168.30.1
Looking for DNS entry A gc._msdcs.bob-dc.com 192.168.30.1 as 
gc._msdcs.bob-dc.com.
Failed to find matching DNS entry A gc._msdcs.bob-dc.com 192.168.30.1
Calling nsupdate for AAAA bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
bob-dc.com.        900    IN    AAAA    2002:4b46:c8ad:0:a00:27ff:fe14:5491

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for AAAA dc1.bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc1.bob-dc.com.    900    IN    AAAA    2002:4b46:c8ad:0:a00:27ff:fe14:5491

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for AAAA gc._msdcs.bob-dc.com 
2002:4b46:c8ad:0:a00:27ff:fe14:5491
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.bob-dc.com.    900    IN    AAAA    
2002:4b46:c8ad:0:a00:27ff:fe14:5491

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A bob-dc.com 192.168.30.1
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
bob-dc.com.        900    IN    A    192.168.30.1

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A dc1.bob-dc.com 192.168.30.1
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc1.bob-dc.com.    900    IN    A    192.168.30.1

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A gc._msdcs.bob-dc.com 192.168.30.1
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.bob-dc.com.    900    IN    A    192.168.30.1

update failed: REFUSED
Failed nsupdate: 2
Failed update of 6 entries


bind logs:

Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone 
bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#43717: updating 
zone 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on 
zone bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone 
bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#33042: updating 
zone 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on 
zone bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone 
_msdcs.bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#40855: updating 
zone '_msdcs.bob-dc.com/NONE': update failed: rejected by secure update 
(REFUSED)
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on 
zone _msdcs.bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone 
bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#38049: updating 
zone 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on 
zone bob-dc.com
Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on zone 
bob-dc.com
Feb 22 22:51:44 dc1 named[2498]: samba_dlz: spnego update failed
Feb 22 22:51:44 dc1 named[2498]: client 192.168.30.1#34189: updating 
zone 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
Feb 22 22:51:44 dc1 named[2498]: samba_dlz: cancelling transaction on 
zone bob-dc.com
Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on zone 
_msdcs.bob-dc.com
Feb 22 22:51:44 dc1 named[2498]: samba_dlz: spnego update failed
Feb 22 22:51:44 dc1 named[2498]: client 192.168.30.1#41075: updating 
zone '_msdcs.bob-dc.com/NONE': update failed: rejected by secure update 
(REFUSED)
Feb 22 22:51:44 dc1 named[2498]: samba_dlz: cancelling transaction on 
zone _msdcs.bob-dc.com
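
An added example, not part of the original post: a small Python triage script for named logs like the ones above. It rejoins mail-wrapped lines and counts, per zone, the updates refused by the secure-update policy and how many of them followed a samba_dlz SPNEGO failure. The function names are illustrative, and it assumes the records of one transaction are not interleaved with another's.

```python
import re
from collections import defaultdict

# Sample built from the named log lines quoted in the post, mail wrapping kept.
SAMPLE = """\
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone
bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#43717: updating
zone 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on zone
_msdcs.bob-dc.com
Feb 22 22:51:44 dc1 named[2498]: samba_dlz: spnego update failed
Feb 22 22:51:44 dc1 named[2498]: client 192.168.30.1#41075: updating
zone '_msdcs.bob-dc.com/NONE': update failed: rejected by secure update
(REFUSED)
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
REFUSED = re.compile(r"client ([^#\s]+)#\d+: updating zone '([^/']+)/[^']*': "
                     r"update failed: rejected by secure update \(REFUSED\)")

def unwrap(text):
    """Rejoin wrapped records: a line without a timestamp continues the previous one."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def refused_updates(text):
    """Per zone: refused updates, how many followed a failed SPNEGO step, and clients."""
    zones = defaultdict(lambda: {"refused": 0, "spnego_failed": 0, "clients": set()})
    spnego_failed = False
    for rec in unwrap(text):
        if "samba_dlz: starting transaction on zone" in rec:
            spnego_failed = False  # new transaction resets the state
        elif "samba_dlz: spnego update failed" in rec:
            spnego_failed = True
        elif m := REFUSED.search(rec):
            zones[m.group(2)]["refused"] += 1
            zones[m.group(2)]["spnego_failed"] += spnego_failed
            zones[m.group(2)]["clients"].add(m.group(1))
    return dict(zones)

if __name__ == "__main__":
    print(refused_updates(SAMPLE))
```

When every refusal in a zone is preceded by an SPNEGO failure, as in the sample, the refusals come from the authentication step rather than from an address-based rule.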



More information about the samba-technical mailing list