DLZ updates "denied"

Michael Wood esiotrot at gmail.com
Mon Jan 9 15:51:32 MST 2012


This might help. Otherwise just search for things like isc dhcpd,
dynamic dns updates and kerberos.
blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

On 10/01/2012, Charles Tryon <charles.tryon at gmail.com> wrote:
> On Mon, Jan 9, 2012 at 5:02 PM, Amitay Isaacs <amitay at gmail.com> wrote:
>
>> Hi Charles,
>>
>>
>> On Tue, Jan 10, 2012 at 8:08 AM, Charles Tryon <charles.tryon at gmail.com>
>> wrote:
>> > Well, I completely rebuilt my Samba4 server, this time based on Fedora16 so
>> > that I would take advantage of the updated bind 9.8.  I believe I have
>> > successfully configured my DNS according to the Samba4 HOWTO, pointing to
>> > the config file generated by the S4 provision step.  I can look up the
>> > various A and SRV records generated by the provision step, and have
>> > successfully manually added definitions for other machines on my network
>> > using the samba-tool commands.
>> >
>> > My problem is that I STILL can't get DHCP leases to update DNS.  I've seen
>> > a lot of different references on the Internet for the DHCP settings, some
>> > of which contradict each other, so it's likely I have problems in that
>> > setup.
>> >
>> > This is what I get:
>> >
>> > Jan  9 15:47:10 samba dhcpd: DHCPACK on 192.168.2.181 to 08:00:27:6f:7e:c9 (mint) via eth0
>> > Jan  9 15:47:10 samba dhcpd[31106]: DHCPACK on 192.168.2.181 to 08:00:27:6f:7e:c9 (mint) via eth0
>> > Jan  9 15:47:10 samba dhcpd: Unable to add forward map from mint.bbaggins.net to 192.168.2.181: not found
>> > Jan  9 15:47:10 samba dhcpd[31106]: Unable to add forward map from mint.bbaggins.net to 192.168.2.181: not found
>> >
>> > DHCP config:
>> >
>> > authoritative;
>> > option      domain-name     "bbaggins.net";
>> > option      nis-domain      "bbaggins.net";
>> > option      subnet-mask     255.255.255.0;
>> > option      broadcast-address   192.168.2.255;
>> > option      domain-name-servers 192.168.2.6;
>> > option      ntp-servers     brenen.bbaggins.net;
>> > default-lease-time      9200;
>> > max-lease-time          14400;
>> > ddns-updates            on;
>> > ddns-update-style       interim;
>> > ddns-domainname         "bbaggins.net";
>> > ddns-rev-domainname     "in-addr.arpa";
>> > ignore     client-updates;
>> > update-optimization     false;
>> >
>> > subnet  192.168.2.0     netmask 255.255.255.0
>> > {
>> > allow client-updates;
>> > authoritative;
>> > option  routers 192.168.2.1;
>> > range   192.168.2.100  192.168.2.200;
>> > }
>> >
>> > ----------------------------------
>> > If I configure the ddns-style to "OFF", then I get a different failure mode:
>> >
>> > Jan  9 15:27:13 samba named[30891]: samba_dlz: starting transaction on zone bbaggins.net
>> > Jan  9 15:27:13 samba named[30891]: client 192.168.2.169#65186: update 'bbaggins.net/IN' denied
>> > Jan  9 15:27:13 samba named[30891]: samba_dlz: cancelling transaction on zone bbaggins.net
>> > Jan  9 15:27:13 samba named[30891]: samba_dlz: starting transaction on zone bbaggins.net
>> > Jan  9 15:27:13 samba named[30891]: samba_dlz: failed to create session info
>> > Jan  9 15:27:13 samba named[30891]: client 192.168.2.169#65098: updating zone 'bbaggins.net/NONE': update failed: rejected by secure update (REFUSED)
>> > Jan  9 15:27:13 samba named[30891]: samba_dlz: cancelling transaction on zone bbaggins.net
>> >
>> >
>> > ----------------------------------
>> > My /etc/named.conf is mostly from the default one provided by Fedora, aside
>> > from the tkey-gssapi-keytab line and the "include" pointing to the Samba
>> > named.conf at the bottom.  The generated conf just points to the DLZ
>> > database file in the samba modules dir:
>> >
>> > options {
>> >        listen-on port 53 { 127.0.0.1; 192.168.2.0/24; };
>> >        listen-on-v6 port 53 { ::1; };
>> >        directory "/var/named";
>> >        dump-file "/var/named/data/cache_dump.db";
>> >        statistics-file "/var/named/data/named_stats.txt";
>> >        memstatistics-file "/var/named/data/named_mem_stats.txt";
>> >        allow-query { localhost; 192.168.2.0/24; };
>> >        recursion yes;
>> >        dnssec-enable yes;
>> >        dnssec-validation yes;
>> >        dnssec-lookaside auto;
>> >        bindkeys-file "/etc/named.iscdlv.key";
>> >        managed-keys-directory "/var/named/dynamic";
>> >
>> >        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>> > };
>> > logging {
>> >        channel default_debug {
>> >                file "data/named.run";
>> >                severity dynamic;
>> >        };
>> > };
>> > zone "." IN {
>> >        type hint;
>> >        file "named.ca";
>> > };
>> >
>> > include "/usr/local/samba/private/named.conf";
>> >
>> > include "/etc/named.rfc1912.zones";
>> > include "/etc/named.root.key";
>> >
>> > ----------------------------------
>> > So, what am I still doing wrong???
>> >
>>
>> The Samba DLZ module supports only secure updates via Kerberos tickets.
>> From your DHCP configuration it appears that you have not configured
>> secure updates.
>>
>
> OK...  That much I could kind of guess.  I didn't see anywhere in the
> Samba4 HOWTO saying how to configure the DHCP side to use secure updates.
> It lists the changes for bind, but not DHCP.  Any pointers on where to
> find that?
>
>>
>> Amitay.
>>
>
> --
>     Charles Tryon
> _________________________________________________________________________
>       "It's the job that's never started that takes longest to finish."
>                                  -- Samwise Gamgee
>


-- 
Michael Wood <esiotrot at gmail.com>
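The secure-update side Amitay refers to, as an added example that is not code from the thread or from the linked blog: a hook script dhcpd can run on lease commit that validates the client-supplied hostname, builds the A/PTR update for the lease, and sends it with a Kerberos ticket (nsupdate -g), which is what the Samba DLZ back end accepts. The keytab path, principal and the dhcpd execute() wiring are assumptions; the server address and domain are taken from the quoted configuration.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Assumed values:
KEYTAB=/usr/local/samba/private/dhcpd.keytab   # keytab for the updater account
PRINCIPAL=dhcpd@BBAGGINS.NET                    # service principal in that keytab
DNS_SERVER=192.168.2.6                          # DC from the quoted dhcpd.conf
DOMAIN=bbaggins.net

# The hostname in a DHCP request is client-controlled input that ends up in an
# nsupdate script, so accept only plain DNS names before using it.
valid_hostname() {
  case $1 in
    ''|-*|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  [ ${#1} -le 253 ]
}

# 192.168.2.181 -> 181.2.168.192.in-addr.arpa
reverse_name() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# Emit the nsupdate batch: replace the A record, then the PTR record.
# Usage: build_update_batch <ip> <fqdn> [ttl]
build_update_batch() {
  ip=$1; fqdn=$2; ttl=${3:-3600}
  valid_hostname "$fqdn" || return 1
  rev=$(reverse_name "$ip")
  printf 'server %s\n' "$DNS_SERVER"
  printf 'update delete %s A\n' "$fqdn"
  printf 'update add %s %s A %s\n' "$fqdn" "$ttl" "$ip"
  printf 'send\n'
  printf 'update delete %s PTR\n' "$rev"
  printf 'update add %s %s PTR %s.\n' "$rev" "$ttl" "$fqdn"
  printf 'send\n'
}

# Get a ticket from the keytab and send the batch with GSS-TSIG (-g).
# Assumed dhcpd.conf hook (not from the thread):
#   on commit { execute("/usr/local/sbin/ddns-update",
#                       binary-to-ascii(10, 8, ".", leased-address),
#                       option host-name); }
secure_update() {
  kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
  build_update_batch "$1" "$2.$DOMAIN" | nsupdate -g
}
```

Run the script with the lease address and client hostname as its two arguments; a name that fails validation is dropped before any ticket is requested.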


More information about the samba-technical mailing list