[Samba] V4 - New Install - Missing Zone File

Jeremy Davis JDFire at cox.net
Tue Feb 28 18:31:55 MST 2012


On 02/28/2012 06:27 PM, Amitay Isaacs wrote:
> On Wed, Feb 29, 2012 at 12:09 PM, Jeremy Davis<JDFire at cox.net>  wrote:
>> Hello Amitay,
>>
>>
>> On 02/27/2012 11:37 PM, Amitay Isaacs wrote:
>>> How was this samba4 instance provisioned? Did you use it upgradedns
>>> script to upgrade the DNS provision? Or was it provisioned using
>>> DLZ_BIND9 backend?
>>>
>>> Can you try running dynamic update manually as follows and monitor named
>>> log?
>>>
>>> $ kinit administrator at bob-dc.com
>>> $ nsupdate -g
>>>    >    server dc1.bob-dc.com
>>>    >    update add foo.bob-dc.com 3600 A 1.2.3.4
>>>    >    show
>>>    >    send
>> Sorry for the delay in my reply.
>>
>> I am not sure what you're asking with the provisioning questions. I provisioned
>> using DLZ_BIND9, I think. I don't think I ever ran an upgradedns script.
>>
>> Below you will find the output to all the commands requested.
>>
>> [root at dc1 ~]# kinit administrator at BOB-DC.COM
>> Password for administrator at BOB-DC.COM:
>> Warning: Your password will expire in 35 days on Wed Apr  4 00:14:53 2012
>> [root at dc1 ~]# nsupdate -g
>>
>>> server dc1.bob-dc.com
>>> update add foo.bob-dc.com 3600 A 1.2.3.4
>>> show
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> foo.bob-dc.com. 3600    IN      A       1.2.3.4
>>
>>> send
>> update failed: REFUSED
>>
>> Feb 28 18:03:34 dc1 named[1335]: samba_dlz: starting transaction on zone
>> bob-dc.com
>> Feb 28 18:03:34 dc1 named[1335]: samba_dlz: spnego update failed
>> Feb 28 18:03:34 dc1 named[1335]: client 192.168.30.1#41987: updating zone
>> 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>> Feb 28 18:03:34 dc1 named[1335]: samba_dlz: cancelling transaction on zone
>> bob-dc.com
> Have you set up the tkey-gssapi-keytab option in named.conf? And is it pointing
> to the correct keytab file?
>
> Amitay.
>
I think so. Below is my configuration for named.

[root at dc1 etc]# cat named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
     listen-on port 53 { 127.0.0.1; 192.168.30.1; };
     directory     "/var/named";
     dump-file     "/var/named/data/cache_dump.db";
     statistics-file "/var/named/data/named_stats.txt";
     memstatistics-file "/var/named/data/named_mem_stats.txt";
     allow-query     { localhost; ANY; };
     recursion yes;

     dnssec-enable yes;
     dnssec-validation yes;
     dnssec-lookaside auto;

     /* Path to ISC DLV key */
     bindkeys-file "/etc/named.iscdlv.key";
     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

logging {
         channel default_debug {
                 file "data/named.run";
                 severity dynamic;
         };
};

zone "." IN {
     type hint;
     file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/usr/local/samba/private/named.conf";
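An added example, not part of this thread or of the Samba or BIND projects: a small parser that pulls the refused secure dynamic updates out of the kind of named log lines Jeremy quoted above, records the client, zone and reason, and tags a refusal as happening in the GSS-TSIG/SPNEGO step when the Samba DLZ module logged "spnego update failed" in the same second just before it. The sample log is constructed from the four quoted lines (joined back onto single lines) plus one made-up refusal from a second client so the per-client summary has something to group; the message formats beyond those quoted lines are assumptions.

```python
import re
from collections import Counter

# Constructed sample log: the four named lines quoted in the thread, rejoined onto
# single lines, plus one constructed REFUSED from a second (made-up) client.
SAMPLE_LOG = """\
Feb 28 18:03:34 dc1 named[1335]: samba_dlz: starting transaction on zone bob-dc.com
Feb 28 18:03:34 dc1 named[1335]: samba_dlz: spnego update failed
Feb 28 18:03:34 dc1 named[1335]: client 192.168.30.1#41987: updating zone 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
Feb 28 18:03:34 dc1 named[1335]: samba_dlz: cancelling transaction on zone bob-dc.com
Feb 28 18:09:51 dc1 named[1335]: client 192.168.30.77#52210: updating zone 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
"""

# syslog-style prefix as it appears in the quoted lines: "Mon DD HH:MM:SS host named[pid]: "
SYSLOG_PREFIX = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: "
FAILED_RE = re.compile(
    SYSLOG_PREFIX
    + r"client (?P<ip>[\d.]+)#(?P<port>\d+): updating zone '(?P<zone>[^']+)': "
    + r"update failed: (?P<reason>.+)$"
)
SPNEGO_RE = re.compile(SYSLOG_PREFIX + r"samba_dlz: spnego update failed$")


def parse_failed_updates(log_text):
    """Return one dict per refused dynamic update found in log_text.

    auth_stage is 'spnego' when the Samba DLZ module logged 'spnego update failed'
    in the same second immediately before the refusal (the GSS-TSIG/keytab step),
    and 'unknown' otherwise.
    """
    events = []
    last_spnego_ts = None
    for line in log_text.splitlines():
        s = SPNEGO_RE.match(line)
        if s:
            last_spnego_ts = s.group("ts")
            continue
        m = FAILED_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["port"] = int(ev["port"])
        ev["auth_stage"] = "spnego" if last_spnego_ts == ev["ts"] else "unknown"
        last_spnego_ts = None
        events.append(ev)
    return events


def refusals_by_client(events):
    """Count refusals per (client IP, zone); handy for alerting on repeat offenders."""
    return Counter((e["ip"], e["zone"]) for e in events)


if __name__ == "__main__":
    evs = parse_failed_updates(SAMPLE_LOG)
    for e in evs:
        print(f'{e["ts"]} {e["ip"]}:{e["port"]} zone={e["zone"]} '
              f'stage={e["auth_stage"]} reason="{e["reason"]}"')
    for (ip, zone), n in refusals_by_client(evs).items():
        print(f"{ip} -> {zone}: {n} refused update(s)")
```

Run against a real named log (for this configuration, data/named.run under /var/named) the same way; a refusal tagged "spnego" from a host that should be able to update is a sign the keytab or Kerberos side of tkey-gssapi-keytab needs checking, while repeated refusals from an unexpected client are worth an alert in their own right.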

More information about the samba-technical mailing list