Samba4 DNS Updates - Linux Clients - Is it possible?

Michael Wood esiotrot at gmail.com
Wed Jan 18 06:05:43 MST 2012


Hi

On 18 January 2012 14:17, Mike Howard <mike at dewberryfields.co.uk> wrote:
> Hi All,
>
> I've asked on the lists about this before, I've searched the lists and
> trawled the net but all without any real answers. I have samba4 setup as the
> PDC and bind 9.8.1-P1 built and working. I have windows clients joining the
> domain and DNS is updated, an extract from the system log confirms this;
>
> Jan 15 06:30:04 ns1 named[15752]: samba_dlz: starting transaction on zone
> mydomain.co.uk
> Jan 15 06:30:04 ns1 named[15752]: samba_dlz: allowing update of
> signer=vpc1\$\@mydomain.CO.UK name=vpc1.mydomain.co.uk tcpaddr= type=A
> key=1080-ms-7.484-9db71388.b7bfb2e0-2731-11e1-b889-8ef61d81d4c1/160/0
> Jan 15 06:30:04 ns1 named[15752]: samba_dlz: allowing update of
> signer=vpc1\$\@mydomain.CO.UK name=vpc1.mydomain.co.uk tcpaddr= type=A
> key=1080-ms-7.484-9db71388.b7bfb2e0-2731-11e1-b889-8ef61d81d4c1/160/0
> Jan 15 06:30:04 ns1 named[15752]: client 192.168.3.50#55501: updating zone
> 'mydomain.co.uk/NONE': deleting rrset at 'vpc1.mydomain.co.uk' A
>
> Joining with a linux client DNS update fails (system log extract);
>
> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: starting transaction on zone
> mydomain.co.uk
> Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone
> 'mydomain.co.uk/NONE': update unsuccessful: wheezy.mydomain.co.uk/A: 'RRset
> exists (value dependent)' prerequisite not satisfied (NXRRSET)

As far as I remember, this means that there was already an entry for
wheezy.mydomain.co.uk and bind refused to update it because there's a
pre-requisite (somewhere) that says there must not be an entry for the
host when the host tries to update.

This could be a red herring, though.  i.e. this pre-requisite might
not apply if something else is done differently.  It might be worth
trying to delete the DNS entry before joining, though, to see if it
makes a difference.

> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: cancelling transaction on zone
> mydomain.co.uk
> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: starting transaction on zone
> mydomain.co.uk
> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: spnego update failed
> Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone
> 'mydomain.co.uk/NONE': update failed: rejected by secure update (REFUSED)

Not sure what would be the cause of this.

> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: cancelling transaction on zone
> mydomain.co.uk
>
> Samba log extract;
>
> [2012/01/18 10:48:55,  3]
> ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
> Kerberos: TGS-REQ WHEEZY$@mydomain.CO.UK from ipv4:192.168.3.152:46715 for
> dns/ns1.mydomain.co.uk@mydomain.CO.UK [canonicalize, renewable, forwardable]
> [2012/01/18 10:48:55,  3]
> ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
> Kerberos: TGS-REQ authtime: 2012-01-18T10:48:55 starttime:
> 2012-01-18T10:48:55 endtime: 2012-01-18T20:48:55 renew till:
> 2012-01-19T10:48:55
> [2012/01/18 10:48:55,  3]
> ../source4/smbd/service_stream.c:63(stream_terminate_connection) Terminating
> connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED'
> [2012/01/18 10:48:55,  3]
> ../source4/smbd/process_single.c:104(single_terminate) single_terminate:
> reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED]
> [2012/01/18 10:49:00,  4]
> ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
> dreplsrv_notify_schedule(5) scheduled for: Wed Jan 18 10:49:05 2012 GMT
> [2012/01/18 10:49:05,  4]
> ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
> dreplsrv_notify_schedule(5) scheduled for: Wed Jan 18 10:49:11 2012 GMT
>
>
> So, before I waste any more time on this, can anybody confirm that it is
> actually supposed to work, that it is possible and that they have it
> working? If it's not possible, anybody got any suggestions as to an
> alternative?

I don't need this, so I haven't tried.  Sorry :)

-- 
Michael Wood <esiotrot at gmail.com>
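
A log-triage sketch for the named extract quoted in this message, added here as an example and not part of the original post or of Samba or BIND: it groups dynamic-update results per client and flags a REFUSED result that follows a samba_dlz spnego failure from the same named process in the same second (a heuristic, since the samba_dlz line carries no client address). The sample lines are the post's own log lines rejoined from their wrapped form; the function and field names are assumptions of this example.

```python
import re
from collections import defaultdict

# Log lines taken from the extract quoted in the post, rejoined from their wrapped form.
SAMPLE_LOG = """\
Jan 15 06:30:04 ns1 named[15752]: client 192.168.3.50#55501: updating zone 'mydomain.co.uk/NONE': deleting rrset at 'vpc1.mydomain.co.uk' A
Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone 'mydomain.co.uk/NONE': update unsuccessful: wheezy.mydomain.co.uk/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Jan 18 10:23:34 ns1 named[30891]: samba_dlz: spnego update failed
Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone 'mydomain.co.uk/NONE': update failed: rejected by secure update (REFUSED)
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ named\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT = re.compile(
    r"^client (?P<ip>[\d.]+)#\d+: updating zone '(?P<zone>[^/']+)/[^']*': (?P<rest>.*)$")
RCODE = re.compile(r"\((?P<rcode>[A-Z]+)\)$")


def summarize(log_text):
    """Return {client_ip: [event, ...]} for dynamic-update lines in a named log."""
    results = defaultdict(list)
    spnego_failures = set()  # (pid, timestamp) pairs where samba_dlz reported a failure
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        key = (m["pid"], m["ts"])
        if m["msg"].startswith("samba_dlz: spnego update failed"):
            spnego_failures.add(key)
            continue
        c = CLIENT.match(m["msg"])
        if not c:
            continue
        rest = c["rest"]
        if rest.startswith("update unsuccessful"):
            outcome = "prerequisite-failed"
        elif rest.startswith("update failed"):
            outcome = "rejected"
        else:
            outcome = "change"  # e.g. "deleting rrset at ..." while applying an update
        rcode = RCODE.search(rest)
        results[c["ip"]].append({
            "time": m["ts"],
            "zone": c["zone"],
            "outcome": outcome,
            "rcode": rcode["rcode"] if rcode else None,
            # Heuristic: same named pid and same second as a samba_dlz spnego failure.
            "spnego_failed": outcome == "rejected" and key in spnego_failures,
        })
    return dict(results)
```
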

