DLZ updates "denied"

Amitay Isaacs amitay at gmail.com
Mon Jan 9 15:02:20 MST 2012


Hi Charles,


On Tue, Jan 10, 2012 at 8:08 AM, Charles Tryon <charles.tryon at gmail.com> wrote:
> Well, I completely rebuilt my Samba4 server, this time based on Fedora 16 so
> that I would take advantage of the updated bind 9.8.  I believe I have
> successfully configured my DNS according to the Samba4 HOWTO, pointing to
> the config file generated by the S4 provision step.  I can look up the
> various A and SRV records generated by the provision step, and have
> successfully manually added definitions for other machines on my network
> using the samba-tool commands.
>
> My problem is that I STILL can't get DHCP leases to update DNS.  I've seen
> a lot of different references on the Internet for the DHCP settings, some
> of which contradict each other, so it's likely I have problems in that
> setup.
>
> This is what I get:
>
> Jan  9 15:47:10 samba dhcpd: DHCPACK on 192.168.2.181 to 08:00:27:6f:7e:c9 (mint) via eth0
> Jan  9 15:47:10 samba dhcpd[31106]: DHCPACK on 192.168.2.181 to 08:00:27:6f:7e:c9 (mint) via eth0
> Jan  9 15:47:10 samba dhcpd: Unable to add forward map from mint.bbaggins.net to 192.168.2.181: not found
> Jan  9 15:47:10 samba dhcpd[31106]: Unable to add forward map from mint.bbaggins.net to 192.168.2.181: not found
>
> DHCP config:
>
> authoritative;
> option      domain-name     "bbaggins.net";
> option      nis-domain      "bbaggins.net";
> option      subnet-mask     255.255.255.0;
> option      broadcast-address   192.168.2.255;
> option      domain-name-servers 192.168.2.6;
> option      ntp-servers     brenen.bbaggins.net;
> default-lease-time      9200;
> max-lease-time          14400;
> ddns-updates            on;
> ddns-update-style       interim;
> ddns-domainname         "bbaggins.net";
> ddns-rev-domainname     "in-addr.arpa";
> ignore     client-updates;
> update-optimization     false;
>
> subnet  192.168.2.0     netmask 255.255.255.0
> {
> allow client-updates;
> authoritative;
> option  routers 192.168.2.1;
> range   192.168.2.100  192.168.2.200;
> }
>
> ----------------------------------
> If I configure the ddns-style to "OFF", then I get a different failure mode:
>
> Jan  9 15:27:13 samba named[30891]: samba_dlz: starting transaction on zone bbaggins.net
> Jan  9 15:27:13 samba named[30891]: client 192.168.2.169#65186: update 'bbaggins.net/IN' denied
> Jan  9 15:27:13 samba named[30891]: samba_dlz: cancelling transaction on zone bbaggins.net
> Jan  9 15:27:13 samba named[30891]: samba_dlz: starting transaction on zone bbaggins.net
> Jan  9 15:27:13 samba named[30891]: samba_dlz: failed to create session info
> Jan  9 15:27:13 samba named[30891]: client 192.168.2.169#65098: updating zone 'bbaggins.net/NONE': update failed: rejected by secure update (REFUSED)
> Jan  9 15:27:13 samba named[30891]: samba_dlz: cancelling transaction on zone bbaggins.net
>
>
> ----------------------------------
> My /etc/named.conf is mostly from the default one provided by Fedora, aside
> from the tkey-gssapi-keytab line and the "include" pointing to the Samba
> named.conf at the bottom.  The generated conf just points to the DLZ
> database file in the samba modules dir:
>
> options {
>        listen-on port 53 { 127.0.0.1; 192.168.2.0/24; };
>        listen-on-v6 port 53 { ::1; };
>        directory "/var/named";
>        dump-file "/var/named/data/cache_dump.db";
>        statistics-file "/var/named/data/named_stats.txt";
>        memstatistics-file "/var/named/data/named_mem_stats.txt";
>        allow-query { localhost; 192.168.2.0/24; };
>        recursion yes;
>        dnssec-enable yes;
>        dnssec-validation yes;
>        dnssec-lookaside auto;
>        bindkeys-file "/etc/named.iscdlv.key";
>        managed-keys-directory "/var/named/dynamic";
>
>        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> };
> logging {
>        channel default_debug {
>                file "data/named.run";
>                severity dynamic;
>        };
> };
> zone "." IN {
>        type hint;
>        file "named.ca";
> };
>
> include "/usr/local/samba/private/named.conf";
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
>
> ----------------------------------
> So, what am I still doing wrong???
>

The Samba DLZ module supports only secure updates via Kerberos tickets.
From your DHCP configuration it appears that you have not configured
secure updates.

Amitay.
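To triage failures like the ones above from the named log, here is an added example (not from this thread, and not Samba's own code) that parses the named lines Charles quoted, re-joined onto single lines, and counts refused updates per client IP alongside the samba_dlz errors logged next to them; the reason labels are my own names, and the sample log is constructed from the thread.

```python
import re
from collections import defaultdict

# Constructed sample: the named lines quoted in the thread, one per line.
SAMPLE_LOG = """\
Jan  9 15:27:13 samba named[30891]: samba_dlz: starting transaction on zone bbaggins.net
Jan  9 15:27:13 samba named[30891]: client 192.168.2.169#65186: update 'bbaggins.net/IN' denied
Jan  9 15:27:13 samba named[30891]: samba_dlz: cancelling transaction on zone bbaggins.net
Jan  9 15:27:13 samba named[30891]: samba_dlz: starting transaction on zone bbaggins.net
Jan  9 15:27:13 samba named[30891]: samba_dlz: failed to create session info
Jan  9 15:27:13 samba named[30891]: client 192.168.2.169#65098: updating zone 'bbaggins.net/NONE': update failed: rejected by secure update (REFUSED)
Jan  9 15:27:13 samba named[30891]: samba_dlz: cancelling transaction on zone bbaggins.net
"""

# Matches named's "client <ip>#<port>: <message>" lines.
CLIENT_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#(?P<port>\d+): (?P<msg>.*)$"
)

def classify(msg):
    """Map a client message to a reason label, or None if it is not an update failure."""
    if msg.endswith("denied"):
        # named refused the update under the zone's update policy; with the
        # Samba DLZ backend only Kerberos-signed updates are accepted
        return "update-denied-by-policy"
    if "rejected by secure update" in msg:
        # the request reached the secure-update path but could not be authenticated
        return "rejected-by-secure-update"
    return None

def summarize_update_failures(log_text):
    """Return ({client_ip: {reason: count}}, [samba_dlz error messages])."""
    summary = defaultdict(lambda: defaultdict(int))
    dlz_errors = []
    for line in log_text.splitlines():
        if "samba_dlz:" in line and "failed" in line:
            dlz_errors.append(line.split("samba_dlz: ", 1)[1])
            continue
        m = CLIENT_RE.search(line)
        if not m:
            continue
        reason = classify(m.group("msg"))
        if reason:
            summary[m.group("ip")][reason] += 1
    return {ip: dict(reasons) for ip, reasons in summary.items()}, dlz_errors

if __name__ == "__main__":
    per_client, errors = summarize_update_failures(SAMPLE_LOG)
    for ip, reasons in per_client.items():
        print(ip, reasons)
    print("samba_dlz errors:", errors)
```

A client showing only "update-denied-by-policy" is sending unsigned updates, which is the DHCP-side misconfiguration Amitay points at; "rejected-by-secure-update" next to "failed to create session info" indicates the signed path was attempted but the Kerberos session could not be established.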

