[Samba] V4 - New Install - Missing Zone File

JDFire jdfire at cox.net
Fri Feb 24 18:57:22 MST 2012


Hi Amitay

On Feb 23, 2012, at 10:28 PM, Amitay Isaacs <amitay at gmail.com> wrote:

> Hi Jeremy,
> 
> On Thu, Feb 23, 2012 at 4:54 PM, Jeremy Davis <jdavis4102 at gmail.com> wrote:
>> 
>> 
>> On 02/22/2012 10:48 PM, Amitay Isaacs wrote:
>>> 
>>> On Thu, Feb 23, 2012 at 4:33 PM, Jeremy Davis<jdavis4102 at gmail.com>
>>>  wrote:
>>>> 
>>>> Hello Amitay,
>>>> 
>>>> 
>>>> On 02/22/2012 10:07 PM, Amitay Isaacs wrote:
>>>>> 
>>>>> Hi Jeremy,
>>>>> 
>>>>> On Thu, Feb 23, 2012 at 3:29 PM, Jeremy Davis<jdavis4102 at gmail.com>
>>>>>  wrote:
>>>>>> 
>>>>>> Hello Amitay,
>>>>>> 
>>>>>> On 02/22/2012 02:34 PM, Amitay Isaacs wrote:
>>>>>>> 
>>>>>>> Hi Jeremy,
>>>>>>> 
>>>>>>> 
>>>>>>> That error message needs to be fixed. :)
>>>>>>> 
>>>>>>> Looks like "nsupdate" command is not in the path. samba_dnsupdate
>>>>>>> script uses nsupdate to dynamically update DNS entries.
>>>>>>> 
>>>>>>> Try adding "nsupdate command = /path/to/nsupdate" in smb.conf.
>>>>>>> 
>>>>>>> Amitay.
>>>>>>> 
>>>>>> Thank you SO MUCH for getting me this far!! :) That looks like it fixed
>>>>>> that issue but I have now run into a denied error message for bind. Below
>>>>>> you can find my logs for both samba_dnsupdate and bind. Seems like the
>>>>>> dns.keytab file is not correct or something. I have tried to put allow-update {
>>>>>> 192.168.30.1; } in my options section of my named.conf with no luck.
>>>>>> 
>>>>> I forgot to mention that nsupdate command should also include -g flag to
>>>>> force secure (kerberos) updates.
>>>>> 
>>>>>    nsupdate command = /path/to/nsupdate -g
>>>>> 
>>>>> dlz_bind9 module only allows secure dynamic updates.
>>>>> 
>>>>> Amitay.
>>>>> 
>>>> I added the -g to the smb.conf and restarted samba and named but it
>>>> doesn't seem to do anything. Could this be an issue with kerberos? I am able to
>>>> authenticate with my Windows machine and via the command line using the
>>>> tests on the samba4 wiki. Any ideas as to what this could be?
>>> 
>>> What happens when you run samba_dnsupdate --verbose?
>>> What's the output from BIND?
>>> 
>>> Amitay.
>>> 
>> 
>> Well, the samba_dnsupdate logs are the same but bind is now showing a little
>> different error.
>> 
>> 
>> samba-dnsupdate:
>> 
>> IPs: ['2002:4b46:c8ad:0:a00:27ff:fe14:5491',
>> 'fe80::a00:27ff:fe14:5491%eth0', 'fe80::a00:27ff:fee5:5840%eth1',
>> '192.168.7.30', '192.168.30.1']
>> Looking for DNS entry A bob-dc.com 192.168.7.30 as bob-dc.com.
>> Looking for DNS entry A dc1.bob-dc.com 192.168.7.30 as dc1.bob-dc.com.
>> Looking for DNS entry AAAA bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as
>> bob-dc.com.
>> Failed to find matching DNS entry AAAA bob-dc.com
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> Looking for DNS entry AAAA dc1.bob-dc.com
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as dc1.bob-dc.com.
>> Failed to find matching DNS entry AAAA dc1.bob-dc.com
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> Looking for DNS entry A gc._msdcs.bob-dc.com 192.168.7.30 as
>> gc._msdcs.bob-dc.com.
>> Looking for DNS entry AAAA gc._msdcs.bob-dc.com
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as gc._msdcs.bob-dc.com.
>> Failed to find matching DNS entry AAAA gc._msdcs.bob-dc.com
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> Looking for DNS entry CNAME
>> 48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com dc1.bob-dc.com as
>> 48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com.
>> Looking for DNS entry SRV _kpasswd._tcp.bob-dc.com dc1.bob-dc.com 464 as
>> _kpasswd._tcp.bob-dc.com.
>> Checking 0 100 464 dc1.bob-dc.com. against SRV _kpasswd._tcp.bob-dc.com
>> dc1.bob-dc.com 464
>> Looking for DNS entry SRV _kpasswd._udp.bob-dc.com dc1.bob-dc.com 464 as
>> _kpasswd._udp.bob-dc.com.
>> Checking 0 100 464 dc1.bob-dc.com. against SRV _kpasswd._udp.bob-dc.com
>> dc1.bob-dc.com 464
>> Looking for DNS entry SRV _kerberos._tcp.bob-dc.com dc1.bob-dc.com 88 as
>> _kerberos._tcp.bob-dc.com.
>> Checking 0 100 88 dc1.bob-dc.com. against SRV _kerberos._tcp.bob-dc.com
>> dc1.bob-dc.com 88
>> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com
>> 88 as _kerberos._tcp.dc._msdcs.bob-dc.com.
>> Checking 0 100 88 dc1.bob-dc.com. against SRV
>> _kerberos._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 88
>> Looking for DNS entry SRV
>> _kerberos._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 88
>> as _kerberos._tcp.default-first-site-name._sites.bob-dc.com.
>> Checking 0 100 88 dc1.bob-dc.com. against SRV
>> _kerberos._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 88
>> Looking for DNS entry SRV
>> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
>> dc1.bob-dc.com 88 as
>> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com.
>> Checking 0 100 88 dc1.bob-dc.com. against SRV
>> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
>> dc1.bob-dc.com 88
>> Looking for DNS entry SRV _kerberos._udp.bob-dc.com dc1.bob-dc.com 88 as
>> _kerberos._udp.bob-dc.com.
>> Checking 0 100 88 dc1.bob-dc.com. against SRV _kerberos._udp.bob-dc.com
>> dc1.bob-dc.com 88
>> Looking for DNS entry SRV _ldap._tcp.bob-dc.com dc1.bob-dc.com 389 as
>> _ldap._tcp.bob-dc.com.
>> Checking 0 100 389 dc1.bob-dc.com. against SRV _ldap._tcp.bob-dc.com
>> dc1.bob-dc.com 389
>> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 389
>> as _ldap._tcp.dc._msdcs.bob-dc.com.
>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>> _ldap._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 389
>> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.bob-dc.com dc1.bob-dc.com
>> 3268 as _ldap._tcp.gc._msdcs.bob-dc.com.
>> Checking 0 100 3268 dc1.bob-dc.com. against SRV
>> _ldap._tcp.gc._msdcs.bob-dc.com dc1.bob-dc.com 3268
>> Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.bob-dc.com dc1.bob-dc.com
>> 389 as _ldap._tcp.pdc._msdcs.bob-dc.com.
>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>> _ldap._tcp.pdc._msdcs.bob-dc.com dc1.bob-dc.com 389
>> Looking for DNS entry SRV
>> _ldap._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 389 as
>> _ldap._tcp.default-first-site-name._sites.bob-dc.com.
>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>> _ldap._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 389
>> Looking for DNS entry SRV
>> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
>> dc1.bob-dc.com 389 as
>> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com.
>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
>> dc1.bob-dc.com 389
>> Looking for DNS entry SRV
>> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com
>> dc1.bob-dc.com 3268 as
>> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com.
>> Checking 0 100 3268 dc1.bob-dc.com. against SRV
>> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com
>> dc1.bob-dc.com 3268
>> Looking for DNS entry SRV
>> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com
>> dc1.bob-dc.com 389 as
>> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com.
>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com
>> dc1.bob-dc.com 389
>> Looking for DNS entry SRV _gc._tcp.bob-dc.com dc1.bob-dc.com 3268 as
>> _gc._tcp.bob-dc.com.
>> Checking 0 100 3268 dc1.bob-dc.com. against SRV _gc._tcp.bob-dc.com
>> dc1.bob-dc.com 3268
>> Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.bob-dc.com
>> dc1.bob-dc.com 3268 as _gc._tcp.default-first-site-name._sites.bob-dc.com.
>> Checking 0 100 3268 dc1.bob-dc.com. against SRV
>> _gc._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 3268
>> Looking for DNS entry A bob-dc.com 192.168.30.1 as bob-dc.com.
>> Failed to find matching DNS entry A bob-dc.com 192.168.30.1
>> Looking for DNS entry A dc1.bob-dc.com 192.168.30.1 as dc1.bob-dc.com.
>> Failed to find matching DNS entry A dc1.bob-dc.com 192.168.30.1
>> Looking for DNS entry A gc._msdcs.bob-dc.com 192.168.30.1 as
>> gc._msdcs.bob-dc.com.
>> Failed to find matching DNS entry A gc._msdcs.bob-dc.com 192.168.30.1
>> Calling nsupdate for AAAA bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> bob-dc.com.        900    IN    AAAA    2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> 
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Calling nsupdate for AAAA dc1.bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> dc1.bob-dc.com.    900    IN    AAAA    2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> 
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Calling nsupdate for AAAA gc._msdcs.bob-dc.com
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> gc._msdcs.bob-dc.com.    900    IN    AAAA
>>  2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> 
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Calling nsupdate for A bob-dc.com 192.168.30.1
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> bob-dc.com.        900    IN    A    192.168.30.1
>> 
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Calling nsupdate for A dc1.bob-dc.com 192.168.30.1
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> dc1.bob-dc.com.    900    IN    A    192.168.30.1
>> 
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Calling nsupdate for A gc._msdcs.bob-dc.com 192.168.30.1
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> gc._msdcs.bob-dc.com.    900    IN    A    192.168.30.1
>> 
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Failed update of 6 entries
>> 
>> 
>> bind logs:
>> 
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone
>> bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#43717: updating zone
>> 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>> bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone
>> bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#33042: updating zone
>> 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>> bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone
>> _msdcs.bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#40855: updating zone
>> '_msdcs.bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>> _msdcs.bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone
>> bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#38049: updating zone
>> 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>> bob-dc.com
>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on zone
>> bob-dc.com
>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: spnego update failed
>> Feb 22 22:51:44 dc1 named[2498]: client 192.168.30.1#34189: updating zone
>> 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>> bob-dc.com
>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on zone
>> _msdcs.bob-dc.com
>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: spnego update failed
>> Feb 22 22:51:44 dc1 named[2498]: client 192.168.30.1#41075: updating zone
>> '_msdcs.bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>> _msdcs.bob-dc.com
>> 
> 
> The problem is "spnego update failed". This step actually verifies the kerberos
> ticket provided in dynamic update and that is failing for some reason.
> I'll do some testing and find out what's causing this.
> 
> 

I see, leave it up to me to find possible bugs. :) Please let me know if you need any further information/testing. Thanks again for your help so far. 

Regards,
Jeremy
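An added example, not part of this thread: a small parser for the BIND lines quoted above that counts refused updates per zone and pairs them with the "spnego update failed" lines dlz_bind9 emits when the GSS-TSIG (Kerberos) ticket on a dynamic update does not verify. The sample lines are copied from the thread; the regexes and the "kerberos"/"policy"/"ok" verdict labels are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample: BIND lines copied from the thread above.
SAMPLE_LOG = """\
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#43717: updating zone 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone _msdcs.bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#40855: updating zone '_msdcs.bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone _msdcs.bob-dc.com
"""

# Assumed line shapes, derived from the quoted log (not a BIND-documented format).
REFUSED_RE = re.compile(
    r"client (?P<client>[\d.:a-f]+)#(?P<port>\d+): updating zone "
    r"'(?P<zone>[^/']+)/[^']*': update failed: (?P<reason>.*)$"
)
SPNEGO_RE = re.compile(r"samba_dlz: spnego update failed")


def summarize_named_log(text):
    """Count refused updates per zone, the clients that sent them, and the
    number of 'spnego update failed' lines (Kerberos ticket verification
    failures inside dlz_bind9)."""
    refused = Counter()
    clients = set()
    spnego_failures = 0
    for line in text.splitlines():
        if SPNEGO_RE.search(line):
            spnego_failures += 1
            continue
        m = REFUSED_RE.search(line)
        if m:
            refused[m.group("zone")] += 1
            clients.add(m.group("client"))
    return {"refused_by_zone": dict(refused),
            "spnego_failures": spnego_failures,
            "clients": sorted(clients)}


def diagnose(summary):
    """Assumed triage: a REFUSED preceded by an spnego failure means the
    Kerberos ticket was not accepted (check the DNS keytab, realm and clock
    skew, and that nsupdate runs with -g); a REFUSED without one points at
    update policy rather than authentication."""
    total_refused = sum(summary["refused_by_zone"].values())
    if summary["spnego_failures"] and summary["spnego_failures"] >= total_refused:
        return "kerberos"
    return "policy" if total_refused else "ok"
```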

