[Samba] V4 - New Install - Missing Zone File

Amitay Isaacs amitay at gmail.com
Mon Feb 27 23:37:41 MST 2012


Hi Jeremy,

On Sat, Feb 25, 2012 at 12:57 PM, JDFire <jdfire at cox.net> wrote:
> Hi Amitay
>
> On Feb 23, 2012, at 10:28 PM, Amitay Isaacs <amitay at gmail.com> wrote:
>
>> Hi Jeremy,
>>
>> On Thu, Feb 23, 2012 at 4:54 PM, Jeremy Davis <jdavis4102 at gmail.com> wrote:
>>>
>>>
>>> On 02/22/2012 10:48 PM, Amitay Isaacs wrote:
>>>>
>>>> On Thu, Feb 23, 2012 at 4:33 PM, Jeremy Davis<jdavis4102 at gmail.com>
>>>>  wrote:
>>>>>
>>>>> Hello Amitay,
>>>>>
>>>>>
>>>>> On 02/22/2012 10:07 PM, Amitay Isaacs wrote:
>>>>>>
>>>>>> Hi Jeremy,
>>>>>>
>>>>>> On Thu, Feb 23, 2012 at 3:29 PM, Jeremy Davis<jdavis4102 at gmail.com>
>>>>>>  wrote:
>>>>>>>
>>>>>>> Hello Amitay,
>>>>>>>
>>>>>>> On 02/22/2012 02:34 PM, Amitay Isaacs wrote:
>>>>>>>>
>>>>>>>> Hi Jeremy,
>>>>>>>>
>>>>>>>>
>>>>>>>> That error message needs to be fixed. :)
>>>>>>>>
>>>>>>>> Looks like "nsupdate" command is not in the path. samba_dnsupdate
>>>>>>>> script uses nsupdate to dynamically update DNS entries.
>>>>>>>>
>>>>>>>> Try adding "nsupdate command = /path/to/nsupdate" in smb.conf.
>>>>>>>>
>>>>>>>> Amitay.
>>>>>>>>
>>>>>>> Thank you SO MUCH for getting me this far!! :) That looks like it fixed
>>>>>>> that issue but I have now run into a denied error message for bind.
>>>>>>> Below you can find my logs for both samba_dnsupdate and bind. Seems like
>>>>>>> the dns.keytab file is not correct or something. I have tried to put
>>>>>>> allow-update { 192.168.30.1; } in my options section of my named.conf
>>>>>>> with no luck.
>>>>>>>
>>>>>> I forgot to mention that nsupdate command should also include -g flag to
>>>>>> force secure (kerberos) updates.
>>>>>>
>>>>>>    nsupdate command = /path/to/nsupdate -g
>>>>>>
>>>>>> dlz_bind9 module only allows secure dynamic updates.
>>>>>>
>>>>>> Amitay.
>>>>>>
>>>>> I added the -g to the smb.conf and restarted samba and named but it
>>>>> doesn't seem to do anything. Could this be an issue with kerberos? I am
>>>>> able to authenticate with my Windows machine and via the command line
>>>>> using the tests on the samba4 wiki. Any ideas as to what this could be?
>>>>
>>>> What happens when you run samba_dnsupdate --verbose?
>>>> What's the output from BIND?
>>>>
>>>> Amitay.
>>>>
>>>
>>> Well, the samba_dnsupdate logs are the same but bind is now showing a little
>>> different error.
>>>
>>>
>>> samba-dnsupdate:
>>>
>>> IPs: ['2002:4b46:c8ad:0:a00:27ff:fe14:5491',
>>> 'fe80::a00:27ff:fe14:5491%eth0', 'fe80::a00:27ff:fee5:5840%eth1',
>>> '192.168.7.30', '192.168.30.1']
>>> Looking for DNS entry A bob-dc.com 192.168.7.30 as bob-dc.com.
>>> Looking for DNS entry A dc1.bob-dc.com 192.168.7.30 as dc1.bob-dc.com.
>>> Looking for DNS entry AAAA bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as
>>> bob-dc.com.
>>> Failed to find matching DNS entry AAAA bob-dc.com
>>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>> Looking for DNS entry AAAA dc1.bob-dc.com
>>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as dc1.bob-dc.com.
>>> Failed to find matching DNS entry AAAA dc1.bob-dc.com
>>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>> Looking for DNS entry A gc._msdcs.bob-dc.com 192.168.7.30 as
>>> gc._msdcs.bob-dc.com.
>>> Looking for DNS entry AAAA gc._msdcs.bob-dc.com
>>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as gc._msdcs.bob-dc.com.
>>> Failed to find matching DNS entry AAAA gc._msdcs.bob-dc.com
>>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>> Looking for DNS entry CNAME
>>> 48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com dc1.bob-dc.com as
>>> 48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com.
>>> Looking for DNS entry SRV _kpasswd._tcp.bob-dc.com dc1.bob-dc.com 464 as
>>> _kpasswd._tcp.bob-dc.com.
>>> Checking 0 100 464 dc1.bob-dc.com. against SRV _kpasswd._tcp.bob-dc.com
>>> dc1.bob-dc.com 464
>>> Looking for DNS entry SRV _kpasswd._udp.bob-dc.com dc1.bob-dc.com 464 as
>>> _kpasswd._udp.bob-dc.com.
>>> Checking 0 100 464 dc1.bob-dc.com. against SRV _kpasswd._udp.bob-dc.com
>>> dc1.bob-dc.com 464
>>> Looking for DNS entry SRV _kerberos._tcp.bob-dc.com dc1.bob-dc.com 88 as
>>> _kerberos._tcp.bob-dc.com.
>>> Checking 0 100 88 dc1.bob-dc.com. against SRV _kerberos._tcp.bob-dc.com
>>> dc1.bob-dc.com 88
>>> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com
>>> 88 as _kerberos._tcp.dc._msdcs.bob-dc.com.
>>> Checking 0 100 88 dc1.bob-dc.com. against SRV
>>> _kerberos._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 88
>>> Looking for DNS entry SRV
>>> _kerberos._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 88
>>> as _kerberos._tcp.default-first-site-name._sites.bob-dc.com.
>>> Checking 0 100 88 dc1.bob-dc.com. against SRV
>>> _kerberos._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 88
>>> Looking for DNS entry SRV
>>> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
>>> dc1.bob-dc.com 88 as
>>> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com.
>>> Checking 0 100 88 dc1.bob-dc.com. against SRV
>>> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
>>> dc1.bob-dc.com 88
>>> Looking for DNS entry SRV _kerberos._udp.bob-dc.com dc1.bob-dc.com 88 as
>>> _kerberos._udp.bob-dc.com.
>>> Checking 0 100 88 dc1.bob-dc.com. against SRV _kerberos._udp.bob-dc.com
>>> dc1.bob-dc.com 88
>>> Looking for DNS entry SRV _ldap._tcp.bob-dc.com dc1.bob-dc.com 389 as
>>> _ldap._tcp.bob-dc.com.
>>> Checking 0 100 389 dc1.bob-dc.com. against SRV _ldap._tcp.bob-dc.com
>>> dc1.bob-dc.com 389
>>> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 389
>>> as _ldap._tcp.dc._msdcs.bob-dc.com.
>>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>>> _ldap._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 389
>>> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.bob-dc.com dc1.bob-dc.com
>>> 3268 as _ldap._tcp.gc._msdcs.bob-dc.com.
>>> Checking 0 100 3268 dc1.bob-dc.com. against SRV
>>> _ldap._tcp.gc._msdcs.bob-dc.com dc1.bob-dc.com 3268
>>> Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.bob-dc.com dc1.bob-dc.com
>>> 389 as _ldap._tcp.pdc._msdcs.bob-dc.com.
>>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>>> _ldap._tcp.pdc._msdcs.bob-dc.com dc1.bob-dc.com 389
>>> Looking for DNS entry SRV
>>> _ldap._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 389 as
>>> _ldap._tcp.default-first-site-name._sites.bob-dc.com.
>>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>>> _ldap._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 389
>>> Looking for DNS entry SRV
>>> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
>>> dc1.bob-dc.com 389 as
>>> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com.
>>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>>> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
>>> dc1.bob-dc.com 389
>>> Looking for DNS entry SRV
>>> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com
>>> dc1.bob-dc.com 3268 as
>>> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com.
>>> Checking 0 100 3268 dc1.bob-dc.com. against SRV
>>> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com
>>> dc1.bob-dc.com 3268
>>> Looking for DNS entry SRV
>>> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com
>>> dc1.bob-dc.com 389 as
>>> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com.
>>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>>> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com
>>> dc1.bob-dc.com 389
>>> Looking for DNS entry SRV _gc._tcp.bob-dc.com dc1.bob-dc.com 3268 as
>>> _gc._tcp.bob-dc.com.
>>> Checking 0 100 3268 dc1.bob-dc.com. against SRV _gc._tcp.bob-dc.com
>>> dc1.bob-dc.com 3268
>>> Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.bob-dc.com
>>> dc1.bob-dc.com 3268 as _gc._tcp.default-first-site-name._sites.bob-dc.com.
>>> Checking 0 100 3268 dc1.bob-dc.com. against SRV
>>> _gc._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 3268
>>> Looking for DNS entry A bob-dc.com 192.168.30.1 as bob-dc.com.
>>> Failed to find matching DNS entry A bob-dc.com 192.168.30.1
>>> Looking for DNS entry A dc1.bob-dc.com 192.168.30.1 as dc1.bob-dc.com.
>>> Failed to find matching DNS entry A dc1.bob-dc.com 192.168.30.1
>>> Looking for DNS entry A gc._msdcs.bob-dc.com 192.168.30.1 as
>>> gc._msdcs.bob-dc.com.
>>> Failed to find matching DNS entry A gc._msdcs.bob-dc.com 192.168.30.1
>>> Calling nsupdate for AAAA bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> bob-dc.com.        900    IN    AAAA    2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>>
>>> update failed: REFUSED
>>> Failed nsupdate: 2
>>> Calling nsupdate for AAAA dc1.bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> dc1.bob-dc.com.    900    IN    AAAA    2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>>
>>> update failed: REFUSED
>>> Failed nsupdate: 2
>>> Calling nsupdate for AAAA gc._msdcs.bob-dc.com
>>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> gc._msdcs.bob-dc.com.    900    IN    AAAA
>>>  2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>>
>>> update failed: REFUSED
>>> Failed nsupdate: 2
>>> Calling nsupdate for A bob-dc.com 192.168.30.1
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> bob-dc.com.        900    IN    A    192.168.30.1
>>>
>>> update failed: REFUSED
>>> Failed nsupdate: 2
>>> Calling nsupdate for A dc1.bob-dc.com 192.168.30.1
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> dc1.bob-dc.com.    900    IN    A    192.168.30.1
>>>
>>> update failed: REFUSED
>>> Failed nsupdate: 2
>>> Calling nsupdate for A gc._msdcs.bob-dc.com 192.168.30.1
>>> Outgoing update query:
>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>> ;; UPDATE SECTION:
>>> gc._msdcs.bob-dc.com.    900    IN    A    192.168.30.1
>>>
>>> update failed: REFUSED
>>> Failed nsupdate: 2
>>> Failed update of 6 entries
>>>
>>>
>>> bind logs:
>>>
>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone
>>> bob-dc.com
>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#43717: updating zone
>>> 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>>> bob-dc.com
>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone
>>> bob-dc.com
>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#33042: updating zone
>>> 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>>> bob-dc.com
>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone
>>> _msdcs.bob-dc.com
>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#40855: updating zone
>>> '_msdcs.bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>>> _msdcs.bob-dc.com
>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone
>>> bob-dc.com
>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#38049: updating zone
>>> 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>>> bob-dc.com
>>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on zone
>>> bob-dc.com
>>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: spnego update failed
>>> Feb 22 22:51:44 dc1 named[2498]: client 192.168.30.1#34189: updating zone
>>> 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>>> bob-dc.com
>>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on zone
>>> _msdcs.bob-dc.com
>>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: spnego update failed
>>> Feb 22 22:51:44 dc1 named[2498]: client 192.168.30.1#41075: updating zone
>>> '_msdcs.bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>>> _msdcs.bob-dc.com
>>>
>>
>> The problem is "spnego update failed". This step actually verifies the kerberos
>> ticket provided in dynamic update and that is failing for some reason.
>> I'll do some testing and find out what's causing this.
>>
>>
>
> I see, leave it up to me to find possible bugs. :) Please let me know if you need any further information/testing. Thanks again for your help so far.
>
> Regards,
> Jeremy

How was this samba4 instance provisioned? Did you use the upgradedns
script to upgrade the DNS provision? Or was it provisioned using the
DLZ_BIND9 backend?

Can you try running dynamic update manually as follows and monitor named log?

$ kinit administrator at bob-dc.com
$ nsupdate -g
  > server dc1.bob-dc.com
  > update add foo.bob-dc.com 3600 A 1.2.3.4
  > show
  > send

Amitay.
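As an added example (not code from this thread, from Samba or from BIND), a small Python triage of named log lines in the format quoted above: it walks the log in order, attributes each zone-less "spnego update failed" line to the transaction that is open, and separates the REFUSED updates that were caused by that Kerberos verification step from any other refusal. The sample log text is constructed from the lines Jeremy posted.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the named log quoted in the thread.
NAMED_LOG = """\
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#43717: updating zone 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone _msdcs.bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#40855: updating zone '_msdcs.bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone _msdcs.bob-dc.com
"""
START_RE = re.compile(r"samba_dlz: starting transaction on zone (\S+)$")
SPNEGO_RE = re.compile(r"samba_dlz: spnego update failed$")
REFUSED_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: updating zone '(?P<zone>[^/']+)/[^']*': "
    r"update failed: rejected by secure update \(REFUSED\)$")

def summarize_secure_update_failures(log_text):
    """Per zone: transactions started, 'spnego update failed' hits, REFUSED updates."""
    summary = defaultdict(lambda: {"started": 0, "spnego_failed": 0, "refused": 0, "clients": set()})
    current_zone = None
    for line in log_text.splitlines():
        m = START_RE.search(line)
        if m:
            current_zone = m.group(1)
            summary[current_zone]["started"] += 1
        elif SPNEGO_RE.search(line) and current_zone is not None:
            # The SPNEGO line names no zone; it belongs to the transaction just opened.
            summary[current_zone]["spnego_failed"] += 1
        else:
            m = REFUSED_RE.search(line)
            if m:
                entry = summary[m.group("zone")]
                entry["refused"] += 1
                entry["clients"].add(m.group("client"))
    return dict(summary)

def diagnose(summary):
    """A REFUSED paired with 'spnego update failed' means BIND could not verify the
    Kerberos ticket; allow-update in named.conf does not govern that path."""
    findings = []
    for zone, s in sorted(summary.items()):
        if s["refused"] and s["refused"] == s["spnego_failed"]:
            findings.append((zone, "gss-tsig-verification-failed", sorted(s["clients"])))
        elif s["refused"]:
            findings.append((zone, "refused-other", sorted(s["clients"])))
    return findings
```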

