Samba4 DNS Updates - Linux Clients - Is it possible?

Mike Howard mike at dewberryfields.co.uk
Thu Jan 19 03:37:04 MST 2012


On 19/01/2012 09:01, Mike Howard wrote:
> On 19/01/2012 00:29, Amitay Isaacs wrote:
>> Hi Mike,
>>
>> On Wed, Jan 18, 2012 at 11:17 PM, Mike Howard <mike at dewberryfields.co.uk> wrote:
>>> Hi All,
>>>
>>> I've asked on the lists about this before, I've searched the lists and
>>> trawled the net but all without any real answers. I have samba4 setup as the
>>> PDC and bind 9.8.1-P1 built and working. I have windows clients joining the
>>> domain and DNS is updated, an extract from the system log confirms this;
>>>
>>> Jan 15 06:30:04 ns1 named[15752]: samba_dlz: starting transaction on zone mydomain.co.uk
>>> Jan 15 06:30:04 ns1 named[15752]: samba_dlz: allowing update of signer=vpc1\$\@mydomain.CO.UK name=vpc1.mydomain.co.uk tcpaddr= type=A key=1080-ms-7.484-9db71388.b7bfb2e0-2731-11e1-b889-8ef61d81d4c1/160/0
>>> Jan 15 06:30:04 ns1 named[15752]: samba_dlz: allowing update of signer=vpc1\$\@mydomain.CO.UK name=vpc1.mydomain.co.uk tcpaddr= type=A key=1080-ms-7.484-9db71388.b7bfb2e0-2731-11e1-b889-8ef61d81d4c1/160/0
>>> Jan 15 06:30:04 ns1 named[15752]: client 192.168.3.50#55501: updating zone 'mydomain.co.uk/NONE': deleting rrset at 'vpc1.mydomain.co.uk' A
>>>
>> This confirms that windows used secure (kerberos) dynamic update to
>> update the record.
>>
>>> Joining with a linux client DNS update fails (system log extract);
>>>
>>> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: starting transaction on zone mydomain.co.uk
>>> Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone 'mydomain.co.uk/NONE': update unsuccessful: wheezy.mydomain.co.uk/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
>>> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: cancelling transaction on zone mydomain.co.uk
>>> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: starting transaction on zone mydomain.co.uk
>>> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: spnego update failed
>>> Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone 'mydomain.co.uk/NONE': update failed: rejected by secure update (REFUSED)
>>> Jan 18 10:23:34 ns1 named[30891]: samba_dlz: cancelling transaction on zone mydomain.co.uk
>>>
>>> Samba log extract;
>>>
>>> [2012/01/18 10:48:55,  3] ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
>>> Kerberos: TGS-REQ WHEEZY$@mydomain.CO.UK from ipv4:192.168.3.152:46715 for dns/ns1.mydomain.co.uk at mydomain.CO.UK [canonicalize, renewable, forwardable]
>>> [2012/01/18 10:48:55,  3] ../source4/auth/kerberos/krb5_init_context.c:69(smb_krb5_debug_wrapper)
>>> Kerberos: TGS-REQ authtime: 2012-01-18T10:48:55 starttime: 2012-01-18T10:48:55 endtime: 2012-01-18T20:48:55 renew till: 2012-01-19T10:48:55
>>> [2012/01/18 10:48:55,  3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
>>> Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>>> [2012/01/18 10:48:55,  3] ../source4/smbd/process_single.c:104(single_terminate)
>>> single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>>> [2012/01/18 10:49:00,  4] ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
>>> dreplsrv_notify_schedule(5) scheduled for: Wed Jan 18 10:49:05 2012 GMT
>>> [2012/01/18 10:49:05,  4] ../source4/dsdb/repl/drepl_notify.c:463(dreplsrv_notify_schedule)
>>> dreplsrv_notify_schedule(5) scheduled for: Wed Jan 18 10:49:11 2012 GMT
>>>
>>>
>>> So, before I waste any more time on this, can anybody confirm that it is
>>> actually supposed to work, that it is possible and that they have it
>>> working? If it's not possible, anybody got any suggestions as to an
>>> alternative?
>>
Hi All,

Ok, as the setup of secure DDNS is so straightforward, I'm gonna go back 
to that.

Apart from not including the Samba4 bits in my named configuration, is
there anything I can/need to do on the Samba4 side of things to tell it
"hey, don't worry about it, I got it covered"?

Cheers,
Mike.
-- 
Any question is easy if you know the answer!
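
As an added example (not part of the original message, and not Samba or BIND code), this Python sketch triages named log entries in the format quoted above, separating updates that samba_dlz allowed for a Kerberos signer from those rejected by secure update. The sample lines are constructed from the quoted log with the mail wrapping removed and the key replaced by a placeholder; the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: entries in the quoted format, unwrapped; key is a placeholder.
SAMPLE_LOG = r"""
Jan 15 06:30:04 ns1 named[15752]: samba_dlz: starting transaction on zone mydomain.co.uk
Jan 15 06:30:04 ns1 named[15752]: samba_dlz: allowing update of signer=vpc1\$\@mydomain.CO.UK name=vpc1.mydomain.co.uk tcpaddr= type=A key=placeholder-key/160/0
Jan 15 06:30:04 ns1 named[15752]: client 192.168.3.50#55501: updating zone 'mydomain.co.uk/NONE': deleting rrset at 'vpc1.mydomain.co.uk' A
Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone 'mydomain.co.uk/NONE': update unsuccessful: wheezy.mydomain.co.uk/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Jan 18 10:23:34 ns1 named[30891]: samba_dlz: spnego update failed
Jan 18 10:23:34 ns1 named[30891]: client 192.168.3.152#51434: updating zone 'mydomain.co.uk/NONE': update failed: rejected by secure update (REFUSED)
"""

ALLOW = re.compile(r"samba_dlz: allowing update of signer=(\S+) name=(\S+)")
CLIENT = re.compile(r"client ([0-9.]+)#\d+: updating zone '([^']+)': (.+)")

def classify(msg):
    """Map the text after the zone name in a named update line to an outcome."""
    if "rejected by secure update" in msg:
        return "refused"        # secure-update policy rejected the request
    if "prerequisite not satisfied" in msg:
        return "prereq_failed"  # update prerequisite did not match zone data
    if msg.startswith(("adding", "deleting")):
        return "applied"
    return "other"

def triage(log_text):
    """Return (accepted signers by record name, spnego failures, per-client outcomes)."""
    signers, spnego_failures = {}, 0
    clients = defaultdict(Counter)
    for line in log_text.splitlines():
        if (m := ALLOW.search(line)):
            # named logs the principal with '$' and '@' backslash-escaped
            signers[m.group(2)] = m.group(1).replace("\\", "")
        elif "samba_dlz: spnego update failed" in line:
            spnego_failures += 1
        elif (m := CLIENT.search(line)):
            clients[m.group(1)][classify(m.group(3))] += 1
    return signers, spnego_failures, {ip: dict(c) for ip, c in clients.items()}

def refused_only(clients):
    """Clients that were refused and never had an update applied."""
    return sorted(ip for ip, c in clients.items()
                  if c.get("refused") and not c.get("applied"))

if __name__ == "__main__":
    signers, failures, clients = triage(SAMPLE_LOG)
    print(signers, failures, clients, refused_only(clients))
```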

