Samba4 DNS Updates - Linux Clients - Is it possible?

Daniele Dario d.dario76 at gmail.com
Wed Jan 18 07:13:49 MST 2012


Hi,

On Wed, 2012-01-18 at 15:05 +0200, Michael Wood wrote:
> Hi
> 
> On 18 January 2012 14:17, Mike Howard <mike at dewberryfields.co.uk> wrote:
> > Hi All,
> >
> > I've asked on the lists about this before, I've searched the lists and
> > trawled the net but all without any real answers. I have samba4 setup as the
> > PDC and bind 9.8.1-P1 built and working. I have windows clients joining the
> > domain and DNS is updated, an extract from the system log confirms this;
> >
> > Jan 15 06:30:04 ns1 named[15752]: samba_dlz: starting transaction on zone
> > mydomain.co.uk
> > Jan 15 06:30:04 ns1 named[15752]: samba_dlz: allowing update of
> > signer=vpc1\$\@mydomain.CO.UK name=vpc1.mydomain.co.uk tcpaddr= type=A
> > key=1080-ms-7.484-9db71388.b7bfb2e0-2731-11e1-b889-8ef61d81d4c1/160/0
> > Jan 15 06:30:04 ns1 named[15752]: samba_dlz: allowing update of
> > signer=vpc1\$\@mydomain.CO.UK name=vpc1.mydomain.co.uk tcpaddr= type=A
> > key=1080-ms-7.484-9db71388.b7bfb2e0-2731-11e1-b889-8ef61d81d4c1/160/0
> > Jan 15 06:30:04 ns1 named[15752]: client 192.168.3.50#55501: updating zone
> > 'mydomain.co.uk/NONE': deleting rrset at 'vpc1.mydomain.co.uk' A
> >
> > Joining with a linux client DNS update fails (system log extract);
> >
> > Jan 18 10:23:34 ns1 named[30891]: samba_dlz: starting transaction on zone
> > mydomain.co.uk
> > Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone
> > 'mydomain.co.uk/NONE': update unsuccessful: wheezy.mydomain.co.uk/A: 'RRset
> > exists (value dependent)' prerequisite not satisfied (NXRRSET)
> 
> As far as I remember, this means that there was already an entry for
> wheezy.mydomain.co.uk and bind refused to update it because there's a
> pre-requisite (somewhere) that says there must not be an entry for the
> host when the host tries to update.
> 
> This could be a red herring, though.  i.e. this pre-requisite might
> not apply if something else is done differently.  It might be worth
> trying to delete the DNS entry before joining, though, to see if it
> makes a difference.
> 
> > Jan 18 10:23:34 ns1 named[30891]: samba_dlz: cancelling transaction on zone
> > mydomain.co.uk
> > Jan 18 10:23:34 ns1 named[30891]: samba_dlz: starting
> > transaction on zone mydomain.co.uk
> > Jan 18 10:23:34 ns1 named[30891]: samba_dlz: spnego update failed
> > Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone
> > 'mydomain.co.uk/NONE': update failed: rejected by secure update (REFUSED)
> 
> Not sure what would be the cause of this.
> 
> > Jan 18 10:23:34 ns1 named[30891]: samba_dlz: cancelling transaction on zone
> > mydomain.co.uk
> >
> > Samba log extract;
> >
> > [2012/01/18 10:48:55,  3]
> > ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
> > Kerberos: TGS-REQ WHEEZY$@mydomain.CO.UK from ipv4:192.168.3.152:46715 for
> > dns/ns1.mydomain.co.uk@mydomain.CO.UK [canonicalize, renewable, forwardable]
> > [2012/01/18 10:48:55,  3]
> > ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
> > Kerberos: TGS-REQ authtime: 2012-01-18T10:48:55 starttime:
> > 2012-01-18T10:48:55 endtime: 2012-01-18T20:48:55 renew till:
> > 2012-01-19T10:48:55
> > [2012/01/18 10:48:55,  3]
> > ../source4/smbd/service_stream.c:63(stream_terminate_connection) Terminating
> > connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
> > NT_STATUS_CONNECTION_DISCONNECTED'
> > [2012/01/18 10:48:55,  3]
> > ../source4/smbd/process_single.c:104(single_terminate) single_terminate:
> > reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
> > NT_STATUS_CONNECTION_DISCONNECTED]
> > [2012/01/18 10:49:00,  4]
> > ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
> > dreplsrv_notify_schedule(5) scheduled for: Wed Jan 18 10:49:05 2012 GMT
> > [2012/01/18 10:49:05,  4]
> > ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
> > dreplsrv_notify_schedule(5) scheduled for: Wed Jan 18 10:49:11 2012 GMT
> >
> >
> > So, before I waste any more time on this, can anybody confirm that it is
> > actually supposed to work, that it is possible and that they have it
> > working? If it's not possible, anybody got any suggestions as to an
> > alternative?
> 
> I don't need this, so I haven't tried.  Sorry :)
> 

I'm running samba Version 4.0.0alpha18-GIT-90f06d6 with bind 9.9.0b1
from PPA on an ubuntu server 11.04 x86 (on XenServer 5.6 fp1).

Looking at the named logs I found something similar:
18-Jan-2012 14:41:35.027 database: info: samba_dlz: starting transaction
on zone saitelitalia.local
18-Jan-2012 14:41:35.029 database: error: samba_dlz: failed to create
session info
18-Jan-2012 14:41:35.030 update: info: client 192.168.12.12#53508/key
activity\$\@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE':
update failed: rejected by secure update (REFUSED)
18-Jan-2012 14:41:35.030 database: info: samba_dlz: cancelling
transaction on zone saitelitalia.local

From /usr/local/samba/var/log.samba at the same time I have:
[2012/01/18 14:41:34,  3] ../lib/ldb-samba/ldb_wrap.c:316(ldb_wrap_connect)
  ldb_wrap open of secrets.ldb
[2012/01/18 14:41:34,  3] ../source4/smb_server/smb/negprot.c:390(reply_nt1)
  using SPNEGO
[2012/01/18 14:41:34,  3] ../source4/smb_server/smb/negprot.c:519(smbsrv_reply_negprot)
  Selected protocol [5][NT LM 0.12]
[2012/01/18 14:41:35,  3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
  Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2012/01/18 14:41:35,  3] ../source4/smbd/process_single.c:104(single_terminate)
  single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]

where activity is a WinXP SP3 x86 machine.

Running samba-tool dns query kdc01 saitelitalia.local @ A -U
administrator I read that activity has no records and no children
...
Name=activity, Records=0, Children=0
...

Could this be the cause of the failure to update?

BTW, if I try samba-tool dns delete kdc01 saitelitalia.local activity A
'' -U administrator I get ERROR: Record does not exist
but trying to add the record it fails saying
ERROR(runtime): uncaught exception - (9711,
'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 167, in _run
    return self.run(*args, **kwargs)
  File
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line
863, in run
    None)

nslookup seems to work correctly
[root@kdc01:~]# nslookup activity
Server:		192.168.12.5
Address:	192.168.12.5#53

Name:	activity.saitelitalia.local
Address: 192.168.12.12

[root@kdc01:~]# nslookup 192.168.12.12
Server:		192.168.12.5
Address:	192.168.12.5#53

12.12.168.192.in-addr.arpa	name = activity.saitelitalia.local.

The same happens for another host which is an ubuntu server 10.04
running samba 3.4.7 and joined to the domain.

How can I remove the dummy records?

Thanks, Daniele.
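
As an added example (not part of the original message, and not Samba or BIND code), a small Python parser that groups named log lines like those quoted above into samba_dlz transactions and labels each as allowed, failed on a prerequisite, or refused by secure update, keeping the samba_dlz error that preceded a refusal. The sample log is constructed from the lines in this thread, unwrapped to one record per line, with a placeholder key value; the function and field names are illustrative.

```python
import re

# Constructed sample modelled on the named log lines quoted in this thread,
# one record per line; "key=constructed-key/160/0" is a placeholder value.
SAMPLE = r"""Jan 18 10:23:34 ns1 named[30891]: samba_dlz: starting transaction on zone mydomain.co.uk
Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone 'mydomain.co.uk/NONE': update unsuccessful: wheezy.mydomain.co.uk/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Jan 18 10:23:34 ns1 named[30891]: samba_dlz: cancelling transaction on zone mydomain.co.uk
Jan 18 10:23:34 ns1 named[30891]: samba_dlz: starting transaction on zone mydomain.co.uk
Jan 18 10:23:34 ns1 named[30891]: samba_dlz: spnego update failed
Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone 'mydomain.co.uk/NONE': update failed: rejected by secure update (REFUSED)
Jan 15 06:30:04 ns1 named[15752]: samba_dlz: starting transaction on zone mydomain.co.uk
Jan 15 06:30:04 ns1 named[15752]: samba_dlz: allowing update of signer=vpc1\$\@mydomain.CO.UK name=vpc1.mydomain.co.uk tcpaddr= type=A key=constructed-key/160/0
Jan 15 06:30:04 ns1 named[15752]: client 192.168.3.50#55501: updating zone 'mydomain.co.uk/NONE': deleting rrset at 'vpc1.mydomain.co.uk' A
18-Jan-2012 14:41:35.027 database: info: samba_dlz: starting transaction on zone saitelitalia.local
18-Jan-2012 14:41:35.029 database: error: samba_dlz: failed to create session info
18-Jan-2012 14:41:35.030 update: info: client 192.168.12.12#53508/key activity\$\@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE': update failed: rejected by secure update (REFUSED)
"""

# Matches both the syslog and the named-logfile form; IPv4 clients only.
CLIENT = re.compile(
    r"client (?P<ip>[\d.]+)#\d+(?:/key (?P<key>\S+))?: "
    r"updating zone '(?P<zone>[^/']+)/\w+': (?P<msg>.*)")
DLZ = re.compile(r"samba_dlz: (?P<msg>.*)")

def classify(log_text):
    """Return one dict per samba_dlz transaction: client, outcome, cause."""
    results, txn = [], None
    for line in log_text.splitlines():
        if (m := DLZ.search(line)):
            msg = m["msg"]
            if msg.startswith("starting transaction"):
                txn = {"client": None, "outcome": "unknown", "cause": None}
                results.append(txn)
            elif txn and "failed" in msg:
                txn["cause"] = msg          # e.g. "spnego update failed"
            elif txn and msg.startswith("allowing update"):
                txn["outcome"] = "allowed"
        elif txn and (m := CLIENT.search(line)):
            txn["client"] = m["ip"]
            if "prerequisite not satisfied" in m["msg"]:
                txn["outcome"], txn["cause"] = "prereq-failed", m["msg"]
            elif "rejected by secure update" in m["msg"]:
                txn["outcome"] = "refused"
    return results

if __name__ == "__main__":
    for record in classify(SAMPLE):
        print(record)
```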


