Samba4 DNS Updates - Linux Clients - Is it possible?

Amitay Isaacs amitay at gmail.com
Wed Jan 18 17:29:16 MST 2012


Hi Mike,

On Wed, Jan 18, 2012 at 11:17 PM, Mike Howard <mike at dewberryfields.co.uk> wrote:
> Hi All,
>
> I've asked on the lists about this before, I've searched the lists and
> trawled the net but all without any real answers. I have Samba4 set up as the
> PDC and bind 9.8.1-P1 built and working. I have Windows clients joining the
> domain and DNS is updated; an extract from the system log confirms this:
>
> Jan 15 06:30:04 ns1 named[15752]: samba_dlz: starting transaction on zone
> mydomain.co.uk
> Jan 15 06:30:04 ns1 named[15752]: samba_dlz: allowing update of
> signer=vpc1\$\@mydomain.CO.UK name=vpc1.mydomain.co.uk tcpaddr= type=A
> key=1080-ms-7.484-9db71388.b7bfb2e0-2731-11e1-b889-8ef61d81d4c1/160/0
> Jan 15 06:30:04 ns1 named[15752]: samba_dlz: allowing update of
> signer=vpc1\$\@mydomain.CO.UK name=vpc1.mydomain.co.uk tcpaddr= type=A
> key=1080-ms-7.484-9db71388.b7bfb2e0-2731-11e1-b889-8ef61d81d4c1/160/0
> Jan 15 06:30:04 ns1 named[15752]: client 192.168.3.50#55501: updating zone
> 'mydomain.co.uk/NONE': deleting rrset at 'vpc1.mydomain.co.uk' A
>

This confirms that Windows used a secure (Kerberos) dynamic update to
update the record.

> Joining with a linux client DNS update fails (system log extract);
>
> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: starting transaction on zone
> mydomain.co.uk
> Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone
> 'mydomain.co.uk/NONE': update unsuccessful: wheezy.mydomain.co.uk/A: 'RRset
> exists (value dependent)' prerequisite not satisfied (NXRRSET)
> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: cancelling transaction on zone
> mydomain.co.uk
> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: starting
> transaction on zone mydomain.co.uk
> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: spnego update failed
> Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone
> 'mydomain.co.uk/NONE': update failed: rejected by secure update (REFUSED)
> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: cancelling transaction on zone
> mydomain.co.uk
>
> Samba log extract;
>
> [2012/01/18 10:48:55,  3]
> ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
> Kerberos: TGS-REQ WHEEZY$@mydomain.CO.UK from ipv4:192.168.3.152:46715 for
> dns/ns1.mydomain.co.uk@mydomain.CO.UK [canonicalize, renewable, forwardable]
> [2012/01/18 10:48:55,  3]
> ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
> Kerberos: TGS-REQ authtime: 2012-01-18T10:48:55 starttime:
> 2012-01-18T10:48:55 endtime: 2012-01-18T20:48:55 renew till:
> 2012-01-19T10:48:55
> [2012/01/18 10:48:55,  3]
> ../source4/smbd/service_stream.c:63(stream_terminate_connection) Terminating
> connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED'
> [2012/01/18 10:48:55,  3]
> ../source4/smbd/process_single.c:104(single_terminate) single_terminate:
> reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
> NT_STATUS_CONNECTION_DISCONNECTED]
> [2012/01/18 10:49:00,  4]
> ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
> dreplsrv_notify_schedule(5) scheduled for: Wed Jan 18 10:49:05 2012 GMT
> [2012/01/18 10:49:05,  4]
> ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
> dreplsrv_notify_schedule(5) scheduled for: Wed Jan 18 10:49:11 2012 GMT
>
>
> So, before I waste any more time on this, can anybody confirm that it is
> actually supposed to work, that it is possible and that they have it
> working? If it's not possible, anybody got any suggestions as to an
> alternative?

From the log for the Linux client doing an update, it does try to do a
secure update, but fails to create session info. This can happen if the
Linux client is unable to use the correct key to authenticate. Have you
configured your DHCP server on the Linux client to do dynamic update?

Amitay.
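
The two named log extracts quoted in this message can be triaged mechanically. The following is an added example, not part of the original message and not Samba or BIND code. The function name `triage` and the outcome labels are assumptions; the sample lines are copied from the thread and rejoined onto single lines.

```python
import re

# Constructed sample: lines copied from the two named extracts quoted in this
# thread, rejoined onto single lines.
SAMPLE_LOG = r"""
Jan 15 06:30:04 ns1 named[15752]: samba_dlz: allowing update of signer=vpc1\$\@mydomain.CO.UK name=vpc1.mydomain.co.uk tcpaddr= type=A key=1080-ms-7.484-9db71388.b7bfb2e0-2731-11e1-b889-8ef61d81d4c1/160/0
Jan 15 06:30:04 ns1 named[15752]: client 192.168.3.50#55501: updating zone 'mydomain.co.uk/NONE': deleting rrset at 'vpc1.mydomain.co.uk' A
Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone 'mydomain.co.uk/NONE': update unsuccessful: wheezy.mydomain.co.uk/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Jan 18 10:23:34 ns1 named[30891]: samba_dlz: spnego update failed
Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone 'mydomain.co.uk/NONE': update failed: rejected by secure update (REFUSED)
"""

ALLOW = re.compile(r"samba_dlz: allowing update of signer=(\S+) name=(\S+)")
SPNEGO_FAIL = re.compile(r"samba_dlz: spnego update failed")
REFUSED = re.compile(
    r"client ([\d.]+)#\d+: updating zone '[^']+': "
    r"update failed: rejected by secure update \(REFUSED\)")
PREREQ = re.compile(
    r"client ([\d.]+)#\d+: .*update unsuccessful: (\S+)/\w+: "
    r".*prerequisite not satisfied \((\w+)\)")


def triage(log_text):
    """Return (outcome, subject, detail) tuples in log order."""
    findings = []
    spnego_failed = False  # set by samba_dlz, consumed by the next REFUSED line
    for line in log_text.splitlines():
        if m := ALLOW.search(line):
            signer = m.group(1).replace("\\", "")  # drop the log's escaping of $ and @
            findings.append(("accepted", m.group(2), signer))
        elif SPNEGO_FAIL.search(line):
            spnego_failed = True
        elif m := REFUSED.search(line):
            cause = ("spnego/kerberos authentication failed" if spnego_failed
                     else "no samba_dlz reason logged")
            findings.append(("refused", m.group(1), cause))
            spnego_failed = False
        elif m := PREREQ.search(line):
            # RFC 2136 prerequisite check; not an authentication result
            findings.append(("prerequisite", m.group(1), f"{m.group(2)} {m.group(3)}"))
    return findings


if __name__ == "__main__":
    for outcome, subject, detail in triage(SAMPLE_LOG):
        print(f"{outcome:12} {subject:22} {detail}")
```

Keeping the prerequisite failure separate from the refusal avoids reading the NXRRSET line as an authentication problem; only the REFUSED line that follows `spnego update failed` reflects the failed secure update.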

