Samba4 DNS Updates - Linux Clients - Is it possible?

Amitay Isaacs amitay at gmail.com
Tue Jan 24 19:45:54 MST 2012


Hi Daniele,

On Fri, Jan 20, 2012 at 9:15 PM, Daniele Dario <d.dario76 at gmail.com> wrote:
> Hi Amitay,
>
> On Thu, 2012-01-19 at 11:36 +1100, Amitay Isaacs wrote:
>> Hi Daniele,
>>
>>
>> On Thu, Jan 19, 2012 at 1:13 AM, Daniele Dario <d.dario76 at gmail.com> wrote:
>> > Hi,
>> >
>> >
>> > I'm running samba Version 4.0.0alpha18-GIT-90f06d6 with bind 9.9.0b1
>> > from PPA on an ubuntu server 11.04 x86 (on XenServer 5.6 fp1).
>> >
>> > Looking on named logs I found something similar
>> > 18-Jan-2012 14:41:35.027 database: info: samba_dlz: starting transaction
>> > on zone saitelitalia.local
>> > 18-Jan-2012 14:41:35.029 database: error: samba_dlz: failed to create
>> > session info
>> > 18-Jan-2012 14:41:35.030 update: info: client 192.168.12.12#53508/key
>> > activity\$\@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE':
>> > update failed: rejected by secure update (REFUSED)
>> > 18-Jan-2012 14:41:35.030 database: info: samba_dlz: cancelling
>> > transaction on zone saitelitalia.local
>> >
>> > from /usr/local/samba/var/log.samba at same time I have
>> > [2012/01/18 14:41:34,
>> > 3] ../lib/ldb-samba/ldb_wrap.c:316(ldb_wrap_connect)
>> >  ldb_wrap open of secrets.ldb
>> > [2012/01/18 14:41:34,
>> > 3] ../source4/smb_server/smb/negprot.c:390(reply_nt1)
>> >  using SPNEGO
>> > [2012/01/18 14:41:34,
>> > 3] ../source4/smb_server/smb/negprot.c:519(smbsrv_reply_negprot)
>> >  Selected protocol [5][NT LM 0.12]
>> > [2012/01/18 14:41:35,
>> > 3] ../source4/smbd/service_stream.c:63(stream_terminate_connection)
>> >  Terminating connection - 'ldapsrv_call_loop:
>> > tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>> > [2012/01/18 14:41:35,
>> > 3] ../source4/smbd/process_single.c:104(single_terminate)
>> >  single_terminate: reason[ldapsrv_call_loop:
>> > tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>> >
>> > where activity is a WinXP SP3 x86 machine
>> >
>> > Running samba-tool dns query kdc01 saitelitalia.local @ A -U
>> > administrator I read that activity has no records and no children
>> > ...
>> > Name=activity, Records=0, Children=0
>> > ...
>> >
>> > could this be the cause of the failure to update?
>> >
>> > BTW, if I try samba-tool dns delete kdc01 saitelitalia.local activity A
>> > '' -U administrator I get ERROR: Record does not exist
>> > but trying to add the record it fails saying
>> > ERROR(runtime): uncaught exception - (9711,
>> > 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
>> >  File
>> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> > line 167, in _run
>> >    return self.run(*args, **kwargs)
>> >  File
>> > "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/dns.py", line
>> > 863, in run
>> >    None)
>> >
>> > nslookup seems to work correctly
>> > [root at kdc01:~]# nslookup activity
>> > Server:         192.168.12.5
>> > Address:        192.168.12.5#53
>> >
>> > Name:   activity.saitelitalia.local
>> > Address: 192.168.12.12
>> >
>> > [root at kdc01:~]# nslookup 192.168.12.12
>> > Server:         192.168.12.5
>> > Address:        192.168.12.5#53
>> >
>> > 12.12.168.192.in-addr.arpa      name = activity.saitelitalia.local.
>> >
>> > The same happens for another host which is an ubuntu server 10.04
>> > running samba 3.4.7 and joined to the domain.
>> >
>> > How can I remove the dummy records?
>> >
>> > Thanks, Daniele.
>> >
>>
>> Since version 4.0.0alpha18-GIT-90f06d6 there has been a patch
>> (6a1201a67b36bc1bb3214ee911b130c4affb8dec) that
>> fixes the problem in creating session info after changes in the
>> authentication layer in samba.
>>
>> Can you check if the problem persists with the latest git master?
>>
>> Amitay.
>
> With latest git master it seems OK for some machines.
>
> 20-Jan-2012 11:05:59.456 database: info: samba_dlz: starting transaction
> on zone saitelitalia.local
> 20-Jan-2012 11:05:59.457 update-security: error: client
> 192.168.12.209#64878: update 'saitelitalia.local/IN' denied
> 20-Jan-2012 11:05:59.457 database: info: samba_dlz: cancelling
> transaction on zone saitelitalia.local
> 20-Jan-2012 11:05:59.495 database: info: samba_dlz: starting transaction
> on zone saitelitalia.local
> 20-Jan-2012 11:05:59.500 database: info: samba_dlz: allowing update of
> signer=antoniodm\$\@SAITELITALIA.LOCAL name=antoniodm.saitelitalia.local
> tcpaddr= type=A
> key=1244-ms-7.82-1f3024ac.ab22022c-401d-11e1-afb1-1c4bd67a8de5/160/0
> 20-Jan-2012 11:05:59.503 database: info: samba_dlz: allowing update of
> signer=antoniodm\$\@SAITELITALIA.LOCAL name=antoniodm.saitelitalia.local
> tcpaddr= type=A
> key=1244-ms-7.82-1f3024ac.ab22022c-401d-11e1-afb1-1c4bd67a8de5/160/0
> 20-Jan-2012 11:05:59.504 update: info: client 192.168.12.209#60619/key
> antoniodm\$\@SAITELITALIA.LOCAL: updating zone
> 'saitelitalia.local/NONE': deleting rrset at
> 'antoniodm.saitelitalia.local' A
> 20-Jan-2012 11:05:59.519 database: info: samba_dlz: subtracted rdataset
> antoniodm.saitelitalia.local 'antoniodm.saitelitalia.local.     1200    IN      A
> 192.168.12.209'
> 20-Jan-2012 11:05:59.521 update: info: client 192.168.12.209#60619/key
> antoniodm\$\@SAITELITALIA.LOCAL: updating zone
> 'saitelitalia.local/NONE': adding an RR at
> 'antoniodm.saitelitalia.local' A
> 20-Jan-2012 11:05:59.527 database: info: samba_dlz: cancelling
> transaction on zone saitelitalia.local
>
> antoniodm is an XP box.
> For other XP boxes the update still fails
>
> 20-Jan-2012 11:10:03.080 database: info: samba_dlz: starting transaction
> on zone saitelitalia.local
> 20-Jan-2012 11:10:03.081 update-security: error: client
> 192.168.12.56#60235: update 'saitelitalia.local/IN' denied
> 20-Jan-2012 11:10:03.081 database: info: samba_dlz: cancelling
> transaction on zone saitelitalia.local
> 20-Jan-2012 11:10:03.110 database: info: samba_dlz: starting transaction
> on zone saitelitalia.local
> 20-Jan-2012 11:10:03.114 database: info: samba_dlz: disallowing update
> of signer=ua01\$\@SAITELITALIA.LOCAL name=ua01.saitelitalia.local type=A
> error=insufficient access rights
> 20-Jan-2012 11:10:03.114 update: info: client 192.168.12.56#60543/key
> ua01\$\@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE':
> update failed: rejected by secure update (REFUSED)
> 20-Jan-2012 11:10:03.115 database: info: samba_dlz: cancelling
> transaction on zone saitelitalia.local
>
> but it says that signer has insufficient access rights: what rights
> should I change or look for?
>
> Daniele.
>

The fix for DNS updates failing is in the master.

Amitay.
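
Added example (not part of the original thread and not Samba or BIND project code): a small triage script that reads named log lines in the format quoted above and groups the samba_dlz allow/disallow decisions by signer, so refusals such as "insufficient access rights" can be listed per machine account. It assumes each log entry is on one line (the mail above wraps them); the sample lines, host names and addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's log format, one entry per line (placeholder names).
SAMPLE = r"""
20-Jan-2012 11:05:59.457 update-security: error: client 192.0.2.9#64878: update 'example.local/IN' denied
20-Jan-2012 11:05:59.500 database: info: samba_dlz: allowing update of signer=host1\$\@EXAMPLE.LOCAL name=host1.example.local tcpaddr= type=A key=placeholder/160/0
20-Jan-2012 11:10:03.114 database: info: samba_dlz: disallowing update of signer=host2\$\@EXAMPLE.LOCAL name=host2.example.local type=A error=insufficient access rights
20-Jan-2012 11:10:03.114 update: info: client 192.0.2.56#60543/key host2\$\@EXAMPLE.LOCAL: updating zone 'example.local/NONE': update failed: rejected by secure update (REFUSED)
18-Jan-2012 14:41:35.029 database: error: samba_dlz: failed to create session info
"""

DECISION = re.compile(r"samba_dlz: (allowing|disallowing) update of signer=(\S+) name=(\S+)")
RTYPE = re.compile(r" type=(\S+)")
ERROR = re.compile(r" error=(.+)$")
# Denials logged without a "/key <principal>" part, i.e. no signer named on the line.
UNSIGNED = re.compile(r"update-security: error: client ([\d.]+)#\d+: update '\S+' denied")

def summarize(log_text):
    """Group samba_dlz update decisions by signer; count unsigned denials and session failures."""
    report = {"signers": defaultdict(lambda: {"allowed": 0, "denied": []}),
              "unsigned_denied": [], "session_failures": 0}
    for line in log_text.splitlines():
        m = DECISION.search(line)
        if m:
            verdict, signer, name = m.groups()
            signer = signer.replace("\\", "")  # the log escapes $ and @ in the principal
            rtype = RTYPE.search(line)
            rtype = rtype.group(1) if rtype else "?"
            if verdict == "allowing":
                report["signers"][signer]["allowed"] += 1
            else:
                err = ERROR.search(line)
                reason = err.group(1) if err else "unknown"
                report["signers"][signer]["denied"].append((name, rtype, reason))
            continue
        m = UNSIGNED.search(line)
        if m:
            report["unsigned_denied"].append(m.group(1))
        elif "samba_dlz: failed to create session info" in line:
            report["session_failures"] += 1
    return report

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for signer, stats in sorted(result["signers"].items()):
        print(signer, "allowed:", stats["allowed"], "denied:", stats["denied"])
    print("unsigned denied from:", result["unsigned_denied"])
    print("session info failures:", result["session_failures"])
```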

