DLZ updates "denied"

Charles Tryon charles.tryon at gmail.com
Mon Jan 9 15:23:28 MST 2012


On Mon, Jan 9, 2012 at 5:02 PM, Amitay Isaacs <amitay at gmail.com> wrote:

> Hi Charles,
>
>
> On Tue, Jan 10, 2012 at 8:08 AM, Charles Tryon <charles.tryon at gmail.com>
> wrote:
> > Well, I completely rebuilt my Samba4 server, this time based on Fedora16
> > so that I would take advantage of the updated bind 9.8.  I believe I have
> > successfully configured my DNS according to the Samba4 HOWTO, pointing to
> > the config file generated by the S4 provision step.  I can look up the
> > various A and SVR records generated by the provision step, and have
> > successfully manually added definitions for other machines on my network
> > using the samba-tool commands.
> >
> > My problem is that I STILL can't get DHCP leases to update DNS.  I've
> > seen a lot of different references on the Internet for the DHCP settings, some
> > of which contradict each other, so it's likely I have problems in that
> > setup.
> >
> > This is what I get:
> >
> > Jan  9 15:47:10 samba dhcpd: DHCPACK on 192.168.2.181 to 08:00:27:6f:7e:c9 (mint) via eth0
> > Jan  9 15:47:10 samba dhcpd[31106]: DHCPACK on 192.168.2.181 to 08:00:27:6f:7e:c9 (mint) via eth0
> > Jan  9 15:47:10 samba dhcpd: Unable to add forward map from mint.bbaggins.net to 192.168.2.181: not found
> > Jan  9 15:47:10 samba dhcpd[31106]: Unable to add forward map from mint.bbaggins.net to 192.168.2.181: not found
> >
> > DHCP config:
> >
> > authoritative;
> > option      domain-name     "bbaggins.net";
> > option      nis-domain      "bbaggins.net";
> > option      subnet-mask     255.255.255.0;
> > option      broadcast-address   192.168.2.255;
> > option      domain-name-servers 192.168.2.6;
> > option      ntp-servers     brenen.bbaggins.net;
> > default-lease-time      9200;
> > max-lease-time          14400;
> > ddns-updates            on;
> > ddns-update-style       interim;
> > ddns-domainname         "bbaggins.net";
> > ddns-rev-domainname     "in-addr.arpa";
> > ignore     client-updates;
> > update-optimization     false;
> >
> > subnet  192.168.2.0     netmask 255.255.255.0
> > {
> > allow client-updates;
> > authoritative;
> > option  routers 192.168.2.1;
> > range   192.168.2.100  192.168.2.200;
> > }
> >
> > ----------------------------------
> > If I configure the ddns-style to "OFF", then I get a different failure mode:
> >
> > Jan  9 15:27:13 samba named[30891]: samba_dlz: starting transaction on zone bbaggins.net
> > Jan  9 15:27:13 samba named[30891]: client 192.168.2.169#65186: update 'bbaggins.net/IN' denied
> > Jan  9 15:27:13 samba named[30891]: samba_dlz: cancelling transaction on zone bbaggins.net
> > Jan  9 15:27:13 samba named[30891]: samba_dlz: starting transaction on zone bbaggins.net
> > Jan  9 15:27:13 samba named[30891]: samba_dlz: failed to create session info
> > Jan  9 15:27:13 samba named[30891]: client 192.168.2.169#65098: updating zone 'bbaggins.net/NONE': update failed: rejected by secure update (REFUSED)
> > Jan  9 15:27:13 samba named[30891]: samba_dlz: cancelling transaction on zone bbaggins.net
> >
> >
> > ----------------------------------
> > My /etc/named.conf is mostly from the default one provided by Fedora,
> > aside from the tkey-gssapi-keytab line and the "include" pointing to the Samba
> > named.conf at the bottom.  The generated conf just points to the DLZ
> > database file in the samba modules dir:
> >
> > options {
> >        listen-on port 53 { 127.0.0.1; 192.168.2.0/24; };
> >        listen-on-v6 port 53 { ::1; };
> >        directory "/var/named";
> >        dump-file "/var/named/data/cache_dump.db";
> >        statistics-file "/var/named/data/named_stats.txt";
> >        memstatistics-file "/var/named/data/named_mem_stats.txt";
> >        allow-query { localhost; 192.168.2.0/24; };
> >        recursion yes;
> >        dnssec-enable yes;
> >        dnssec-validation yes;
> >        dnssec-lookaside auto;
> >        bindkeys-file "/etc/named.iscdlv.key";
> >        managed-keys-directory "/var/named/dynamic";
> >
> >        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> > };
> > logging {
> >        channel default_debug {
> >                file "data/named.run";
> >                severity dynamic;
> >        };
> > };
> > zone "." IN {
> > type hint;
> > file "named.ca";
> > };
> >
> > include "/usr/local/samba/private/named.conf";
> >
> > include "/etc/named.rfc1912.zones";
> > include "/etc/named.root.key";
> >
> > ----------------------------------
> > So, what am I still doing wrong???
> >
>
> Samba DLZ module supports only secure updates via Kerberos tickets.
> From your DHCP configuration it appears that you have not configured
> secure updates.
>

OK...  That much I could kind of guess.  I didn't see anywhere in the
Samba4 HOWTO saying how to configure the DHCP side to use secure updates.
It lists the changes for bind, but not DHCP.  Any pointers on where to
find that?



>
> Amitay.
>



-- 
    Charles Tryon
_________________________________________________________________________
      "It's the job that's never started that takes longest to finish."
                                 -- Samwise Gamgee
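As an added example that is not part of this thread, of the Samba HOWTO, or of Samba's own tooling: the "update denied" and "rejected by secure update (REFUSED)" lines above are named refusing an unauthenticated update, so a dhcpd that is to write into the DLZ zone has to present a Kerberos ticket, which ISC dhcpd's built-in interim/TSIG updater does not do. One way to do that is an `on commit` hook that runs `nsupdate -g` (GSS-TSIG) under a keytab. The nameserver address, zone and keytab path below are the ones quoted from the configs in the thread; the hook script, its path, the `dhcpd.conf` stanza, the `dhcpd/...` principal and the TTL are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: a dhcpd "on commit" hook that pushes a
# lease into Samba's DLZ zone with a Kerberos-authenticated (GSS-TSIG) update.
#
# Assumed dhcpd.conf stanza that calls this script (not from the thread):
#   on commit {
#     set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
#     set ClientName = pick-first-value(option host-name, "");
#     execute("/usr/local/sbin/dhcp-dns-update", "add", ClientIP, ClientName);
#   }

DNS_SERVER="192.168.2.6"                       # domain-name-servers in the thread's dhcpd.conf
ZONE="bbaggins.net"                            # ddns-domainname in the thread's dhcpd.conf
KEYTAB="/usr/local/samba/private/dns.keytab"   # tkey-gssapi-keytab in the thread's named.conf
PRINCIPAL="dhcpd/samba.bbaggins.net"           # assumed: a principal dedicated to the DHCP server
TTL=3600                                       # assumed

# reverse_name IP: 192.168.2.181 -> 181.2.168.192.in-addr.arpa
reverse_name() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# validate_hostname NAME: accept only letters, digits and hyphens, not starting
# with a hyphen, so a client-chosen host-name cannot smuggle extra nsupdate
# commands or dots that would land the record in another zone.
validate_hostname() {
    case "$1" in
        "" | -* | *[!A-Za-z0-9-]* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# build_update ACTION IP NAME: print the nsupdate script for the forward (A)
# and reverse (PTR) records. "add" replaces any stale record; "delete" just
# removes it. Each zone gets its own "send" because nsupdate works per zone.
build_update() {
    action="$1"; ip="$2"; name="$3"
    fqdn="$name.$ZONE"
    ptr="$(reverse_name "$ip")"
    echo "server $DNS_SERVER"
    echo "zone $ZONE"
    echo "update delete $fqdn A"
    if [ "$action" = "add" ]; then echo "update add $fqdn $TTL A $ip"; fi
    echo "send"
    echo "zone ${ptr#*.}"
    echo "update delete $ptr PTR"
    if [ "$action" = "add" ]; then echo "update add $ptr $TTL PTR $fqdn."; fi
    echo "send"
}

# push_update ACTION IP NAME: get a ticket from the keytab, then hand the
# script to nsupdate -g so the update carries a GSS-TSIG signature, which is
# what Samba's DLZ module requires before it will accept a change.
push_update() {
    validate_hostname "$3" || { echo "refusing hostname '$3'" >&2; return 1; }
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    build_update "$1" "$2" "$3" | nsupdate -g
}

# Run as a hook only when dhcpd passes the three arguments; sourcing the file
# without arguments just defines the functions.
if [ "$#" -eq 3 ]; then
    push_update "$1" "$2" "$3"
fi
```

The principal in `PRINCIPAL` needs write rights on the zone objects in the directory, and the keytab must be readable by the user dhcpd runs as; `build_update` can be run on its own to inspect exactly what would be sent before any keytab is in place.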


More information about the samba-technical mailing list