Samba4 DNS Updates - Linux Clients - Is it possible?

Daniele Dario d.dario76 at gmail.com
Fri Jan 20 03:15:37 MST 2012


Hi Amitay,

On Thu, 2012-01-19 at 11:36 +1100, Amitay Isaacs wrote:
> Hi Daniele,
> 
> 
> On Thu, Jan 19, 2012 at 1:13 AM, Daniele Dario <d.dario76 at gmail.com> wrote:
> > Hi,
> >
> >
> > I'm running samba Version 4.0.0alpha18-GIT-90f06d6 with bind 9.9.0b1
> > from PPA on an ubuntu server 11.04 x86 (on XenServer 5.6 fp1).
> >
> > Looking on named logs I found something similar
> > 18-Jan-2012 14:41:35.027 database: info: samba_dlz: starting transaction
> > on zone saitelitalia.local
> > 18-Jan-2012 14:41:35.029 database: error: samba_dlz: failed to create
> > session info
> > 18-Jan-2012 14:41:35.030 update: info: client 192.168.12.12#53508/key
> > activity\$\@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE':
> > update failed: rejected by secure update (REFUSED)
> > 18-Jan-2012 14:41:35.030 database: info: samba_dlz: cancelling
> > transaction on zone saitelitalia.local
> >
> > from /usr/local/samba/var/log.samba at same time I have
> > [2012/01/18 14:41:34,
> > 3] ../lib/ldb-samba/ldb_wrap.c:316(ldb_wrap_connect)
> >  ldb_wrap open of secrets.ldb
> > [2012/01/18 14:41:34,
> > 3] ../source4/smb_server/smb/negprot.c:390(reply_nt1)
> >  using SPNEGO
> > [2012/01/18 14:41:34,
> > 3] ../source4/smb_server/smb/negprot.c:519(smbsrv_reply_negprot)
> >  Selected protocol [5][NT LM 0.12]
> > [2012/01/18 14:41:35,
> > 3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
> >  Terminating connection - 'ldapsrv_call_loop:
> > tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> > [2012/01/18 14:41:35,
> > 3] ../source4/smbd/process_single.c:104(single_terminate)
> >  single_terminate: reason[ldapsrv_call_loop:
> > tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> >
> > where activity is a WinXP SP3 x86 machine
> >
> > Running samba-tool dns query kdc01 saitelitalia.local @ A -U
> > administrator I read that activity has no records and no children
> > ...
> > Name=activity, Records=0, Children=0
> > ...
> >
> > could this be the cause of the failure to update?
> >
> > BTW, if I try samba-tool dns delete kdc01 saitelitalia.local activity A
> > '' -U administrator I get ERROR: Record does not exist
> > but trying to add the record it fails saying
> > ERROR(runtime): uncaught exception - (9711,
> > 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
> >  File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> > line 167, in _run
> >    return self.run(*args, **kwargs)
> >  File
> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line
> > 863, in run
> >    None)
> >
> > nslookup seems to work correctly
> > [root at kdc01:~]# nslookup activity
> > Server:         192.168.12.5
> > Address:        192.168.12.5#53
> >
> > Name:   activity.saitelitalia.local
> > Address: 192.168.12.12
> >
> > [root at kdc01:~]# nslookup 192.168.12.12
> > Server:         192.168.12.5
> > Address:        192.168.12.5#53
> >
> > 12.12.168.192.in-addr.arpa      name = activity.saitelitalia.local.
> >
> > The same happens for another host which is an ubuntu server 10.04
> > running samba 3.4.7 and joined to the domain.
> >
> > How can I remove the dummy records?
> >
> > Thanks, Daniele.
> >
> 
> Since version 4.0.0alpha18-GIT-90f06d6 there has been a patch
> (6a1201a67b36bc1bb3214ee911b130c4affb8dec) that
> fixes the problem in creating session info after changes in the
> authentication layer in samba.
> 
> Can you check if the problem persists with the latest git master?
> 
> Amitay.

With the latest git master it seems OK for some machines.

20-Jan-2012 11:05:59.456 database: info: samba_dlz: starting transaction
on zone saitelitalia.local
20-Jan-2012 11:05:59.457 update-security: error: client
192.168.12.209#64878: update 'saitelitalia.local/IN' denied
20-Jan-2012 11:05:59.457 database: info: samba_dlz: cancelling
transaction on zone saitelitalia.local
20-Jan-2012 11:05:59.495 database: info: samba_dlz: starting transaction
on zone saitelitalia.local
20-Jan-2012 11:05:59.500 database: info: samba_dlz: allowing update of
signer=antoniodm\$\@SAITELITALIA.LOCAL name=antoniodm.saitelitalia.local
tcpaddr= type=A
key=1244-ms-7.82-1f3024ac.ab22022c-401d-11e1-afb1-1c4bd67a8de5/160/0
20-Jan-2012 11:05:59.503 database: info: samba_dlz: allowing update of
signer=antoniodm\$\@SAITELITALIA.LOCAL name=antoniodm.saitelitalia.local
tcpaddr= type=A
key=1244-ms-7.82-1f3024ac.ab22022c-401d-11e1-afb1-1c4bd67a8de5/160/0
20-Jan-2012 11:05:59.504 update: info: client 192.168.12.209#60619/key
antoniodm\$\@SAITELITALIA.LOCAL: updating zone
'saitelitalia.local/NONE': deleting rrset at
'antoniodm.saitelitalia.local' A
20-Jan-2012 11:05:59.519 database: info: samba_dlz: subtracted rdataset
antoniodm.saitelitalia.local 'antoniodm.saitelitalia.local.	1200	IN	A
192.168.12.209'
20-Jan-2012 11:05:59.521 update: info: client 192.168.12.209#60619/key
antoniodm\$\@SAITELITALIA.LOCAL: updating zone
'saitelitalia.local/NONE': adding an RR at
'antoniodm.saitelitalia.local' A
20-Jan-2012 11:05:59.527 database: info: samba_dlz: cancelling
transaction on zone saitelitalia.local

antoniodm is an XP box.
For other XP boxes the update still fails:

20-Jan-2012 11:10:03.080 database: info: samba_dlz: starting transaction
on zone saitelitalia.local
20-Jan-2012 11:10:03.081 update-security: error: client
192.168.12.56#60235: update 'saitelitalia.local/IN' denied
20-Jan-2012 11:10:03.081 database: info: samba_dlz: cancelling
transaction on zone saitelitalia.local
20-Jan-2012 11:10:03.110 database: info: samba_dlz: starting transaction
on zone saitelitalia.local
20-Jan-2012 11:10:03.114 database: info: samba_dlz: disallowing update
of signer=ua01\$\@SAITELITALIA.LOCAL name=ua01.saitelitalia.local type=A
error=insufficient access rights
20-Jan-2012 11:10:03.114 update: info: client 192.168.12.56#60543/key
ua01\$\@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE':
update failed: rejected by secure update (REFUSED)
20-Jan-2012 11:10:03.115 database: info: samba_dlz: cancelling
transaction on zone saitelitalia.local

But it says that the signer has insufficient access rights: what rights
should I change or look for?

Daniele.
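
[Added example, not part of the original message or of Samba/BIND:] a small triage script for the named log format quoted above. It rejoins the mail-wrapped records and groups the samba_dlz allow/disallow decisions by signer; the function names `unwrap` and `summarize` are hypothetical, and the sample is an excerpt of the lines in this message.

```python
import re
from collections import defaultdict

# Excerpt of the named log lines quoted in the message above, still wrapped
# the way the mail client wrapped them.
SAMPLE = r"""20-Jan-2012 11:05:59.457 update-security: error: client
192.168.12.209#64878: update 'saitelitalia.local/IN' denied
20-Jan-2012 11:05:59.500 database: info: samba_dlz: allowing update of
signer=antoniodm\$\@SAITELITALIA.LOCAL name=antoniodm.saitelitalia.local
tcpaddr= type=A
key=1244-ms-7.82-1f3024ac.ab22022c-401d-11e1-afb1-1c4bd67a8de5/160/0
20-Jan-2012 11:10:03.114 database: info: samba_dlz: disallowing update
of signer=ua01\$\@SAITELITALIA.LOCAL name=ua01.saitelitalia.local type=A
error=insufficient access rights
20-Jan-2012 11:10:03.114 update: info: client 192.168.12.56#60543/key
ua01\$\@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE':
update failed: rejected by secure update (REFUSED)
"""

STAMP = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")
DECISION = re.compile(r"samba_dlz: (allowing|disallowing) update of (.*)$")
FIELD = re.compile(r"\b(signer|name|type|error)=(.*?)(?= \w+=|$)")

def unwrap(text):
    """Rejoin wrapped records: a line without a timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Map each signer to the (verdict, name, type, error) decisions logged for it."""
    out = defaultdict(list)
    for rec in unwrap(text):
        m = DECISION.search(rec)
        if not m:
            continue  # not a samba_dlz access decision
        f = dict(FIELD.findall(m.group(2)))
        # The log shows '$' and '@' in the principal backslash-escaped; undo that.
        signer = f.get("signer", "").replace("\\", "")
        out[signer].append((m.group(1), f.get("name"), f.get("type"), f.get("error")))
    return dict(out)

if __name__ == "__main__":
    for signer, decisions in summarize(SAMPLE).items():
        print(signer, decisions)
```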


