Samba4 DNS Updates - Linux Clients - Is it possible?

Mike Howard mike at dewberryfields.co.uk
Thu Jan 19 02:01:02 MST 2012


On 19/01/2012 00:29, Amitay Isaacs wrote:
> Hi Mike,
>
> On Wed, Jan 18, 2012 at 11:17 PM, Mike Howard <mike at dewberryfields.co.uk> wrote:
>> Hi All,
>>
>> I've asked on the lists about this before, I've searched the lists and
>> trawled the net but all without any real answers. I have samba4 setup as the
>> PDC and bind 9.8.1-P1 built and working. I have windows clients joining the
>> domain and DNS is updated, an extract from the system log confirms this;
>>
>> Jan 15 06:30:04 ns1 named[15752]: samba_dlz: starting transaction on zone
>> mydomain.co.uk
>> Jan 15 06:30:04 ns1 named[15752]: samba_dlz: allowing update of
>> signer=vpc1\$\@mydomain.CO.UK name=vpc1.mydomain.co.uk tcpaddr= type=A
>> key=1080-ms-7.484-9db71388.b7bfb2e0-2731-11e1-b889-8ef61d81d4c1/160/0
>> Jan 15 06:30:04 ns1 named[15752]: samba_dlz: allowing update of
>> signer=vpc1\$\@mydomain.CO.UK name=vpc1.mydomain.co.uk tcpaddr= type=A
>> key=1080-ms-7.484-9db71388.b7bfb2e0-2731-11e1-b889-8ef61d81d4c1/160/0
>> Jan 15 06:30:04 ns1 named[15752]: client 192.168.3.50#55501: updating zone
>> 'mydomain.co.uk/NONE': deleting rrset at 'vpc1.mydomain.co.uk' A
>>
> This confirms that windows used secure (kerberos) dynamic update to
> update the record.
>
>> Joining with a linux client DNS update fails (system log extract);
>>
>> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: starting transaction on zone
>> mydomain.co.uk
>> Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone
>> 'mydomain.co.uk/NONE': update unsuccessful: wheezy.mydomain.co.uk/A: 'RRset
>> exists (value dependent)' prerequisite not satisfied (NXRRSET)
>> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: cancelling transaction on zone
>> mydomain.co.uk
>> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: starting
>> transaction on zone mydomain.co.uk
>> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: spnego update failed
>> Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone
>> 'mydomain.co.uk/NONE': update failed: rejected by secure update (REFUSED)
>> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: cancelling transaction on zone
>> mydomain.co.uk
>>
>> Samba log extract;
>>
>> [2012/01/18 10:48:55,  3]
>> ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
>> Kerberos: TGS-REQ WHEEZY$@mydomain.CO.UK from ipv4:192.168.3.152:46715 for
>> dns/ns1.mydomain.co.uk at mydomain.CO.UK [canonicalize, renewable, forwardable]
>> [2012/01/18 10:48:55,  3]
>> ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
>> Kerberos: TGS-REQ authtime: 2012-01-18T10:48:55 starttime:
>> 2012-01-18T10:48:55 endtime: 2012-01-18T20:48:55 renew till:
>> 2012-01-19T10:48:55
>> [2012/01/18 10:48:55,  3]
>> ../source4/smbd/service_stream.c:63(stream_terminate_connection) Terminating
>> connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
>> NT_STATUS_CONNECTION_DISCONNECTED'
>> [2012/01/18 10:48:55,  3]
>> ../source4/smbd/process_single.c:104(single_terminate) single_terminate:
>> reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() -
>> NT_STATUS_CONNECTION_DISCONNECTED]
>> [2012/01/18 10:49:00,  4]
>> ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
>> dreplsrv_notify_schedule(5) scheduled for: Wed Jan 18 10:49:05 2012 GMT
>> [2012/01/18 10:49:05,  4]
>> ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
>> dreplsrv_notify_schedule(5) scheduled for: Wed Jan 18 10:49:11 2012 GMT
>>
>>
>> So, before I waste any more time on this, can anybody confirm that it is
>> actually supposed to work, that it is possible and that they have it
>> working? If it's not possible, anybody got any suggestions as to an
>> alternative?
> From the log for linux client doing an update, it does try to do
> secure update, but fails to create session info. This can happen if
> linux client is unable to use the correct key to authenticate. Have
> you configured your DHCP server on linux client to do dynamic update?
>
> Amitay.
Hi Amitay,

The DHCP server is on the same box as Samba4 and provides for all the 
clients on the network, including the windows clients which are working 
(updating) fine. Did you mean have I configured the linux clients? I 
originally didn't do anything special on the linux clients because I 
hadn't done anything special on the windows clients. I have since 
configured the linux clients, in their dhcpclient.conf, to send 
'fqdn.fqdn' (and associated parameters) but still no joy.

I'm leaning towards giving up on Samba4's DNS and returning to the more 
resilient, standard secure DDNS setup. As the wiki states that DDNS is 
optional, I must assume from that the AD aspects of Samba4 will work 
just fine alongside my secure DDNS setup.

Cheers,
Mike.

-- 
Any question is easy if you know the answer!
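
Added example (not part of the original thread, and not Samba or BIND code): a small Python triage script that groups named/samba_dlz records like the ones quoted above into transactions and labels each one, so a signed update, a failed prerequisite and a failed SPNEGO authentication can be told apart per client. The sample records are constructed from the excerpts in this thread, and the outcome labels are names chosen for this example.

```python
import re

# Constructed sample records modelled on the named excerpts in this thread,
# one syslog record per line; the key value is a placeholder.
SAMPLE = r"""
Jan 15 06:30:04 ns1 named[15752]: samba_dlz: starting transaction on zone mydomain.co.uk
Jan 15 06:30:04 ns1 named[15752]: samba_dlz: allowing update of signer=vpc1\$\@mydomain.CO.UK name=vpc1.mydomain.co.uk tcpaddr= type=A key=constructed-key/160/0
Jan 15 06:30:04 ns1 named[15752]: client 192.168.3.50#55501: updating zone 'mydomain.co.uk/NONE': deleting rrset at 'vpc1.mydomain.co.uk' A
Jan 18 10:23:34 ns1 named[30891]: samba_dlz: starting transaction on zone mydomain.co.uk
Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone 'mydomain.co.uk/NONE': update unsuccessful: wheezy.mydomain.co.uk/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Jan 18 10:23:34 ns1 named[30891]: samba_dlz: cancelling transaction on zone mydomain.co.uk
Jan 18 10:23:34 ns1 named[30891]: samba_dlz: starting transaction on zone mydomain.co.uk
Jan 18 10:23:34 ns1 named[30891]: samba_dlz: spnego update failed
Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone 'mydomain.co.uk/NONE': update failed: rejected by secure update (REFUSED)
Jan 18 10:23:34 ns1 named[30891]: samba_dlz: cancelling transaction on zone mydomain.co.uk
"""

RECORD = re.compile(r"named\[\d+\]: (.*)$")
SIGNER = re.compile(r"allowing update of signer=(\S+) name=(\S+)")
CLIENT = re.compile(r"client (\d+(?:\.\d+){3})#\d+: updating zone")

def summarize(text):
    """Return one dict per samba_dlz transaction with client, signer and outcome."""
    txns, cur = [], None
    for raw in text.splitlines():
        rec = RECORD.search(raw)
        if not rec:
            continue
        msg = rec.group(1)
        if "samba_dlz: starting transaction" in msg:
            cur = {"client": None, "signer": None, "name": None, "outcome": "unknown"}
            txns.append(cur)
        elif cur is None:
            continue  # record seen before any transaction start
        elif (s := SIGNER.search(msg)):
            # samba_dlz logs the Kerberos principal with escaped '$' and '@'
            cur["signer"], cur["name"] = s.group(1).replace("\\", ""), s.group(2)
            cur["outcome"] = "allowed"
        elif "spnego update failed" in msg:
            cur["outcome"] = "auth_failed"
        elif (c := CLIENT.search(msg)):
            cur["client"] = c.group(1)
            if "prerequisite not satisfied" in msg:
                cur["outcome"] = "prereq_failed"
            elif "(REFUSED)" in msg and cur["outcome"] != "auth_failed":
                cur["outcome"] = "refused"
    return txns

if __name__ == "__main__":
    for t in summarize(SAMPLE):
        print(t)
```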


More information about the samba-technical mailing list