Samba4 DNS Updates - Linux Clients - Is it possible?

Amitay Isaacs amitay at gmail.com
Fri Jan 20 17:39:00 MST 2012


Hi Daniele,

On Fri, Jan 20, 2012 at 9:15 PM, Daniele Dario <d.dario76 at gmail.com> wrote:
> Hi Amitay,
>
> On Thu, 2012-01-19 at 11:36 +1100, Amitay Isaacs wrote:
>> Hi Daniele,
>>
>>
>> On Thu, Jan 19, 2012 at 1:13 AM, Daniele Dario <d.dario76 at gmail.com> wrote:
>> > Hi,
>> >
>> >
>> > I'm running samba Version 4.0.0alpha18-GIT-90f06d6 with bind 9.9.0b1
>> > from PPA on an ubuntu server 11.04 x86 (on XenServer 5.6 fp1).
>> >
>> > Looking at the named logs I found something like this:
>> > 18-Jan-2012 14:41:35.027 database: info: samba_dlz: starting transaction on zone saitelitalia.local
>> > 18-Jan-2012 14:41:35.029 database: error: samba_dlz: failed to create session info
>> > 18-Jan-2012 14:41:35.030 update: info: client 192.168.12.12#53508/key activity$@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE': update failed: rejected by secure update (REFUSED)
>> > 18-Jan-2012 14:41:35.030 database: info: samba_dlz: cancelling transaction on zone saitelitalia.local
>> >
>> > In /usr/local/samba/var/log.samba at the same time I have
>> > [2012/01/18 14:41:34,  3] ../lib/ldb-samba/ldb_wrap.c:316(ldb_wrap_connect)
>> >   ldb_wrap open of secrets.ldb
>> > [2012/01/18 14:41:34,  3] ../source4/smb_server/smb/negprot.c:390(reply_nt1)
>> >   using SPNEGO
>> > [2012/01/18 14:41:34,  3] ../source4/smb_server/smb/negprot.c:519(smbsrv_reply_negprot)
>> >   Selected protocol [5][NT LM 0.12]
>> > [2012/01/18 14:41:35,  3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
>> >   Terminating connection - 'ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>> > [2012/01/18 14:41:35,  3] ../source4/smbd/process_single.c:104(single_terminate)
>> >   single_terminate: reason[ldapsrv_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>> >
>> > where activity is a WinXP SP3 x86 machine
>> >
>> > Running samba-tool dns query kdc01 saitelitalia.local @ A -U
>> > administrator I read that activity has no records and no children
>> > ...
>> > Name=activity, Records=0, Children=0
>> > ...
>> >
>> > could this be the cause of the failure to update?
>> >
>> > BTW, if I try samba-tool dns delete kdc01 saitelitalia.local activity A
>> > '' -U administrator I get ERROR: Record does not exist
>> > but trying to add the record fails, saying
>> > ERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
>> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 167, in _run
>> >     return self.run(*args, **kwargs)
>> >   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line 863, in run
>> >     None)
>> >
>> > nslookup seems to work correctly
>> > [root at kdc01:~]# nslookup activity
>> > Server:         192.168.12.5
>> > Address:        192.168.12.5#53
>> >
>> > Name:   activity.saitelitalia.local
>> > Address: 192.168.12.12
>> >
>> > [root at kdc01:~]# nslookup 192.168.12.12
>> > Server:         192.168.12.5
>> > Address:        192.168.12.5#53
>> >
>> > 12.12.168.192.in-addr.arpa      name = activity.saitelitalia.local.
>> >
>> > The same happens for another host which is an ubuntu server 10.04
>> > running samba 3.4.7 and joined to the domain.
>> >
>> > How can I remove the dummy records?
>> >
>> > Thanks, Daniele.
>> >
>>
>> Since version 4.0.0alpha18-GIT-90f06d6 there has been a patch
>> (6a1201a67b36bc1bb3214ee911b130c4affb8dec) that
>> fixes the problem in creating session info after changes in the
>> authentication layer in samba.
>>
>> Can you check if the problem persists with the latest git master?
>>
>> Amitay.
>
> With the latest git master it seems OK for some machines.
>
> 20-Jan-2012 11:05:59.456 database: info: samba_dlz: starting transaction on zone saitelitalia.local
> 20-Jan-2012 11:05:59.457 update-security: error: client 192.168.12.209#64878: update 'saitelitalia.local/IN' denied
> 20-Jan-2012 11:05:59.457 database: info: samba_dlz: cancelling transaction on zone saitelitalia.local
> 20-Jan-2012 11:05:59.495 database: info: samba_dlz: starting transaction on zone saitelitalia.local
> 20-Jan-2012 11:05:59.500 database: info: samba_dlz: allowing update of signer=antoniodm$@SAITELITALIA.LOCAL name=antoniodm.saitelitalia.local tcpaddr= type=A key=1244-ms-7.82-1f3024ac.ab22022c-401d-11e1-afb1-1c4bd67a8de5/160/0
> 20-Jan-2012 11:05:59.503 database: info: samba_dlz: allowing update of signer=antoniodm$@SAITELITALIA.LOCAL name=antoniodm.saitelitalia.local tcpaddr= type=A key=1244-ms-7.82-1f3024ac.ab22022c-401d-11e1-afb1-1c4bd67a8de5/160/0
> 20-Jan-2012 11:05:59.504 update: info: client 192.168.12.209#60619/key antoniodm$@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE': deleting rrset at 'antoniodm.saitelitalia.local' A
> 20-Jan-2012 11:05:59.519 database: info: samba_dlz: subtracted rdataset antoniodm.saitelitalia.local 'antoniodm.saitelitalia.local.     1200    IN      A 192.168.12.209'
> 20-Jan-2012 11:05:59.521 update: info: client 192.168.12.209#60619/key antoniodm$@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE': adding an RR at 'antoniodm.saitelitalia.local' A
> 20-Jan-2012 11:05:59.527 database: info: samba_dlz: cancelling transaction on zone saitelitalia.local
>
> antoniodm is an XP box.
> For other XP boxes the update still fails:
>
> 20-Jan-2012 11:10:03.080 database: info: samba_dlz: starting transaction on zone saitelitalia.local
> 20-Jan-2012 11:10:03.081 update-security: error: client 192.168.12.56#60235: update 'saitelitalia.local/IN' denied
> 20-Jan-2012 11:10:03.081 database: info: samba_dlz: cancelling transaction on zone saitelitalia.local
> 20-Jan-2012 11:10:03.110 database: info: samba_dlz: starting transaction on zone saitelitalia.local
> 20-Jan-2012 11:10:03.114 database: info: samba_dlz: disallowing update of signer=ua01$@SAITELITALIA.LOCAL name=ua01.saitelitalia.local type=A error=insufficient access rights
> 20-Jan-2012 11:10:03.114 update: info: client 192.168.12.56#60543/key ua01$@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE': update failed: rejected by secure update (REFUSED)
> 20-Jan-2012 11:10:03.115 database: info: samba_dlz: cancelling transaction on zone saitelitalia.local
>
> but it says that signer has insufficient access rights: what rights
> should I change or look for?
>
> Daniele.
>

I am able to reproduce this on Windows XP joining a Samba domain. This
issue is related to the security descriptors on DNS records. They are
not exactly the same as Windows' and I'm working on them to get them as
close to Windows as possible.

Amitay.

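As an added example (not code from this thread, nor from Samba or BIND), a small Python triage script that parses named log lines in the shape quoted above and reports, per signing principal, whether samba_dlz allowed or disallowed the GSS-TSIG signed update and with which error text, plus which client addresses had an unsigned attempt denied. The sample log is constructed from the lines in the thread, with the mail's `\$\@` escaping undone.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the named log lines quoted in this thread (one message
# per line; the mail wrapped them and escaped `$@` as `\$\@`, real logs do not).
SAMPLE_LOG = """\
20-Jan-2012 11:05:59.457 update-security: error: client 192.168.12.209#64878: update 'saitelitalia.local/IN' denied
20-Jan-2012 11:05:59.500 database: info: samba_dlz: allowing update of signer=antoniodm$@SAITELITALIA.LOCAL name=antoniodm.saitelitalia.local tcpaddr= type=A key=1244-ms-7.82-1f3024ac.ab22022c-401d-11e1-afb1-1c4bd67a8de5/160/0
20-Jan-2012 11:10:03.081 update-security: error: client 192.168.12.56#60235: update 'saitelitalia.local/IN' denied
20-Jan-2012 11:10:03.114 database: info: samba_dlz: disallowing update of signer=ua01$@SAITELITALIA.LOCAL name=ua01.saitelitalia.local type=A error=insufficient access rights
20-Jan-2012 11:10:03.114 update: info: client 192.168.12.56#60543/key ua01$@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE': update failed: rejected by secure update (REFUSED)
"""

# samba_dlz's access-check verdict on a signed (GSS-TSIG) update, with its error text if denied
DLZ_RE = re.compile(r"samba_dlz: (allowing|disallowing) update of signer=(\S+) name=\S+"
                    r"(?: tcpaddr=\S*)? type=\S+(?: key=\S+)?(?: error=(.*))?$")
# bind refusing an unsigned update (the attempt that precedes each signed one in the thread's logs)
UNSIGNED_RE = re.compile(r"update-security: error: client ([\d.]+)#\d+: update '[^']+' denied")
# bind's final outcome for the signed update, keyed by the signer principal
FAILED_RE = re.compile(r"update: info: client [\d.]+#\d+/key (\S+): updating zone '[^']+': update failed: (.*)$")

def summarize(log_text):
    """Per signer principal: allowed/disallowed counts, samba_dlz error strings and final
    'update failed' count; plus, per client IP, how many unsigned attempts bind denied."""
    by_signer = defaultdict(lambda: {"allowed": 0, "disallowed": 0, "errors": set(), "failed": 0})
    unsigned = defaultdict(int)
    for line in log_text.splitlines():
        if m := DLZ_RE.search(line):
            verdict, signer, err = m.groups()
            entry = by_signer[signer]
            if verdict == "allowing":
                entry["allowed"] += 1
            else:
                entry["disallowed"] += 1
                if err:
                    entry["errors"].add(err)
        elif m := UNSIGNED_RE.search(line):
            unsigned[m.group(1)] += 1
        elif m := FAILED_RE.search(line):
            by_signer[m.group(1)]["failed"] += 1
    return dict(by_signer), dict(unsigned)

def signers_needing_attention(log_text):
    """Principals whose signed update samba_dlz disallowed or bind reported as failed: the
    ones whose DNS record security descriptor (as discussed in the thread) is worth inspecting."""
    by_signer, _ = summarize(log_text)
    return sorted(s for s, e in by_signer.items() if e["disallowed"] or e["failed"])
```

Run it over a real named log with `summarize(open("/path/to/named.log").read())`; the unsigned denials are expected noise from clients that retry signed, so the disallowed signers are the ones to chase.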
