DLZ updates "denied"

Charles Tryon charles.tryon at gmail.com
Mon Jan 9 20:31:04 MST 2012


That's executing an entire external shell script to get a kerberos ticket
to do the update every time you get a DHCP request.  Are you saying that
the DHCP daemon doesn't have the capability of doing updates on a DLZ based
server by itself???

The HOWTO mentions the /usr/local/samba/sbin/samba_dnsupdate tool.  Is this
how attached Windows clients get updated?  If so, then is there any way to
update DNS for Linux or other clients which get leases?

(I thought that the DLZ was supposed to make this EASIER to get working.
:-P)


On Mon, Jan 9, 2012 at 5:51 PM, Michael Wood <esiotrot at gmail.com> wrote:

> This might help. Otherwise just search for things like isc dhcpd,
> dynamic dns updates and kerberos.
>
> blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
>
> On 10/01/2012, Charles Tryon <charles.tryon at gmail.com> wrote:
> > On Mon, Jan 9, 2012 at 5:02 PM, Amitay Isaacs <amitay at gmail.com> wrote:
> >
> >> Hi Charles,
> >>
> >>
> >> On Tue, Jan 10, 2012 at 8:08 AM, Charles Tryon <charles.tryon at gmail.com> wrote:
> >> > Well, I completely rebuilt my Samba4 server, this time based on Fedora16 so
> >> > that I would take advantage of the updated bind 9.8.  I believe I have
> >> > successfully configured my DNS according to the Samba4 HOWTO, pointing
> >> > to
> >> > the config file generated by the S4 provision step.  I can look up the
> >> > various A and SVR records generated by the provision step, and have
> >> > successfully manually added definitions for other machines on my network
> >> > using the samba-tool commands.
> >> >
> >> > My problem is that I STILL can't get DHCP leases to update DNS.  I've seen
> >> > a lot of different references on the Internet for the DHCP settings, some
> >> > of which contradict each other, so it's likely I have problems in that setup.
> >> >
> >> > This is what I get:
> >> >
> >> > Jan  9 15:47:10 samba dhcpd: DHCPACK on 192.168.2.181 to 08:00:27:6f:7e:c9 (mint) via eth0
> >> > Jan  9 15:47:10 samba dhcpd[31106]: DHCPACK on 192.168.2.181 to 08:00:27:6f:7e:c9 (mint) via eth0
> >> > Jan  9 15:47:10 samba dhcpd: Unable to add forward map from mint.bbaggins.net to 192.168.2.181: not found
> >> > Jan  9 15:47:10 samba dhcpd[31106]: Unable to add forward map from mint.bbaggins.net to 192.168.2.181: not found
> >> >
> >> > DHCP config:
> >> >
> >> > authoritative;
> >> > option      domain-name     "bbaggins.net";
> >> > option      nis-domain      "bbaggins.net";
> >> > option      subnet-mask     255.255.255.0;
> >> > option      broadcast-address   192.168.2.255;
> >> > option      domain-name-servers 192.168.2.6;
> >> > option      ntp-servers     brenen.bbaggins.net;
> >> > default-lease-time      9200;
> >> > max-lease-time          14400;
> >> > ddns-updates            on;
> >> > ddns-update-style       interim;
> >> > ddns-domainname         "bbaggins.net";
> >> > ddns-rev-domainname     "in-addr.arpa";
> >> > ignore     client-updates;
> >> > update-optimization     false;
> >> >
> >> > subnet  192.168.2.0     netmask 255.255.255.0
> >> > {
> >> > allow client-updates;
> >> > authoritative;
> >> > option  routers 192.168.2.1;
> >> > range   192.168.2.100  192.168.2.200;
> >> > }
> >> >
> >> > ----------------------------------
> >> > If I configure the ddns-style to "OFF", then I get a different failure mode:
> >> >
> >> > Jan  9 15:27:13 samba named[30891]: samba_dlz: starting transaction on zone bbaggins.net
> >> > Jan  9 15:27:13 samba named[30891]: client 192.168.2.169#65186: update 'bbaggins.net/IN' denied
> >> > Jan  9 15:27:13 samba named[30891]: samba_dlz: cancelling transaction on zone bbaggins.net
> >> > Jan  9 15:27:13 samba named[30891]: samba_dlz: starting transaction on zone bbaggins.net
> >> > Jan  9 15:27:13 samba named[30891]: samba_dlz: failed to create session info
> >> > Jan  9 15:27:13 samba named[30891]: client 192.168.2.169#65098: updating zone 'bbaggins.net/NONE': update failed: rejected by secure update (REFUSED)
> >> > Jan  9 15:27:13 samba named[30891]: samba_dlz: cancelling transaction on zone bbaggins.net
> >> >
> >> >
> >> > ----------------------------------
> >> > My /etc/named.conf is mostly from the default one provided by Fedora, aside
> >> > from the tkey-gssapi-keytab line and the "include" pointing to the Samba
> >> > named.conf at the bottom.  The generated conf just points to the DLZ
> >> > database file in the samba modules dir:
> >> >
> >> > options {
> >> >        listen-on port 53 { 127.0.0.1; 192.168.2.0/24; };
> >> >        listen-on-v6 port 53 { ::1; };
> >> >        directory "/var/named";
> >> >        dump-file "/var/named/data/cache_dump.db";
> >> >        statistics-file "/var/named/data/named_stats.txt";
> >> >        memstatistics-file "/var/named/data/named_mem_stats.txt";
> >> >        allow-query { localhost; 192.168.2.0/24; };
> >> >        recursion yes;
> >> >        dnssec-enable yes;
> >> >        dnssec-validation yes;
> >> >        dnssec-lookaside auto;
> >> >        bindkeys-file "/etc/named.iscdlv.key";
> >> >        managed-keys-directory "/var/named/dynamic";
> >> >
> >> >        tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> >> > };
> >> > logging {
> >> >        channel default_debug {
> >> >                file "data/named.run";
> >> >                severity dynamic;
> >> >        };
> >> > };
> >> > zone "." IN {
> >> >        type hint;
> >> >        file "named.ca";
> >> > };
> >> >
> >> > include "/usr/local/samba/private/named.conf";
> >> >
> >> > include "/etc/named.rfc1912.zones";
> >> > include "/etc/named.root.key";
> >> >
> >> > ----------------------------------
> >> > So, what am I still doing wrong???
> >> >
> >>
> >> Samba DLZ module supports only secure updates via kerberos tickets.
> >> From your DHCP
> >> configuration it appears that you have not configured secure updates.
> >>
> >
> > OK...  That much I could kind of guess.  I didn't see anywhere in the
> > Samba4 HOWTO saying how to configure the DHCP side to use secure updates.
> >  It lists the changes for bind, but not DHCP.  Any pointers on where to
> > find that?
> >
> >
> >
> >>
> >> Amitay.
> >>
> >
> >
> >
> > --
> >     Charles Tryon
> > _________________________________________________________________________
> >       "It's the job that's never started that takes longest to finish."
> >                                  -- Samwise Gamgee
> >
>
>
> --
> Michael Wood <esiotrot at gmail.com>
>



-- 
    Charles Tryon
_________________________________________________________________________
      "It's the job that's never started that takes longest to finish."
                                 -- Samwise Gamgee
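The thread establishes that samba_dlz accepts only Kerberos (GSS-TSIG) signed updates and that the workable fix is a per-lease script, so here is an added example of such a dhcpd "on commit" hook; this is editor-written code, not from the thread or the Samba project. The zone, keytab path and DNS server address are taken from the configs quoted above, while the principal name, the script path and the dhcpd.conf stanza in the header comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: dhcpd "on commit" hook that pushes the
# lease's A/PTR records with a GSS-TSIG (Kerberos) signed nsupdate, the only
# kind samba_dlz accepts. Assumed dhcpd.conf side:
#   on commit { set clip = binary-to-ascii(10, 8, ".", leased-address);
#               set clhost = pick-first-value(option host-name, "");
#               execute("/usr/local/sbin/dhcp-dns-update.sh", "add", clip, clhost); }
set -u
ZONE="bbaggins.net"                           # zone from the thread
TTL=3600
KEYTAB="/usr/local/samba/private/dns.keytab"  # keytab from the thread's named.conf
PRINCIPAL="dns-samba@BBAGGINS.NET"            # assumed: Samba's dns-<host> account
DNS_SERVER="192.168.2.6"                      # DNS server from the thread's dhcpd.conf

# 192.168.2.181 -> 181.2.168.192.in-addr.arpa.
reverse_name() {
    local IFS=.
    set -- $1
    printf '%s.%s.%s.%s.in-addr.arpa.\n' "$4" "$3" "$2" "$1"
}

# Emit the nsupdate batch for "add" or "delete" of one lease (A, then PTR).
# No "zone" statement: nsupdate finds the zone itself from the SOA record.
build_update() {
    action=$1; ip=$2; fqdn="$3.$ZONE."; ptr=$(reverse_name "$ip")
    printf 'server %s\n' "$DNS_SERVER"
    if [ "$action" = add ]; then
        printf 'update delete %s A\n' "$fqdn"           # drop any stale address first
        printf 'update add %s %d A %s\nsend\n' "$fqdn" "$TTL" "$ip"
        printf 'update delete %s PTR\n' "$ptr"
        printf 'update add %s %d PTR %s\n' "$ptr" "$TTL" "$fqdn"
    else
        printf 'update delete %s A %s\nsend\n' "$fqdn" "$ip"   # only this lease's records
        printf 'update delete %s PTR %s\n' "$ptr" "$fqdn"
    fi
    printf 'send\n'
}

main() {
    [ $# -eq 3 ] || { echo "usage: $0 add|delete IP HOSTNAME" >&2; return 2; }
    case $3 in ""|*[!A-Za-z0-9-]*) return 0;; esac  # no/odd host-name: register nothing
    # Private ticket cache: the hook runs as the dhcpd user and must not reuse or clobber others' credentials.
    KRB5CCNAME="/tmp/dhcp-dns-update.$$"; export KRB5CCNAME
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || return 1
    build_update "$@" | nsupdate -g              # -g: GSS-TSIG, the only mode samba_dlz accepts
    rc=$?; kdestroy
    return $rc
}
if [ $# -gt 0 ]; then main "$@"; fi
```

The dns-<host> account must hold write rights on the zone in AD for the signed update to pass the "rejected by secure update" check seen in the quoted named log.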


More information about the samba-technical mailing list