DNS updates denied?
Charles Tryon
charles.tryon at gmail.com
Thu Jan 26 11:28:58 MST 2012
On Thu, Jan 26, 2012 at 12:22 PM, Charles Tryon <charles.tryon at gmail.com> wrote:
>
>
> On Wed, Jan 25, 2012 at 5:10 PM, Amitay Isaacs <amitay at gmail.com> wrote:
>
>> Hi Charles,
>>
>> On Thu, Jan 26, 2012 at 6:35 AM, Charles Tryon <charles.tryon at gmail.com> wrote:
>> > DNS Policy question: I've finally found a way for DHCP on my Samba system
>> > to securely update the DNS records (bind9.8/DLZ) using a script to get a
>> > proper Kerberos ticket. The odd part is that the Windows boxes themselves
>> > are trying to update their own records every time they renew the DHCP
>> > lease... and they are getting denied. Is that because of the fact that
>> > they didn't originally *create* the A, AAAA and PTR records?
>>
>> Windows does update the forward and reverse (if the zone is available)
>> DNS names when it joins the domain. The issue with DHCP updating the names
>> is which user is updating the names. If the names are created as dns-admin
>> or administrator, then Windows machines will not be able to update the
>> names, as they will not have the permissions to update the names created
>> by dns-admins or administrator.
>>
>> So it might be easier to leave the updates to be handled by Windows, as
>> they are created using the machine account and can be updated by Windows.
>> The issue then would be that if you have any Samba servers joining the
>> domain, they will not be updating the domain as there is no code in Samba
>> to update its own DNS entry.
>>
>
> Amitay,
> Good point, as long as we can get the clients to update DNS correctly,
> which I have not yet been able to get to work. I believe there is a fix in
> place for this, though I haven't been able to test it yet.
>
> The problem is when you are in a mixed environment along with Linux
> and/or Mac DHCP clients. I'm not sure if the Mac clients try to
> automatically update the DNS when they get an address from DHCP, and I'm
> sure Linux clients don't do this by default. Is there a way around this?
>
Curious point... I went in to the server and (a) removed the update
script, and (b) removed the existing DNS record for the client (samba-tool
dns delete ...). My expectation was that, with the DNS record gone, the
client would recreate its own A record. However, what I am seeing in the
logs is a denied update request for the AAAA record, and no indication that
it is trying to update its A record. My dhcpd.conf file is:
# Global scope
authoritative;
option domain-name "bbaggins.net";
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.2.255;
option domain-name-servers samba.bbaggins.net;
option ntp-servers brenen.bbaggins.net;
default-lease-time 9200;
max-lease-time 14400;
# The DHCP server itself performs no dynamic DNS updates
ddns-updates off;
ddns-domainname "bbaggins.net";
ddns-rev-domainname "in-addr.arpa";
subnet 192.168.2.0 netmask 255.255.255.0
{
  option routers 192.168.2.1;
  # Honour a client's request (FQDN option) to update its own A record
  allow client-updates;
  authoritative;
  range 192.168.2.100 192.168.2.200;
  option ip-forwarding off;
}
What am I missing here???
> Amitay.
>>
>
>
--
Charles Tryon
_________________________________________________________________________
“Risks are not to be evaluated in terms of the probability of success,
but in terms of the value of the goal.”
- Ralph D. Winter
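The thread turns on two things that are easy to get wrong in a dhcpd.conf: a misspelt directive that dhcpd will reject, and the interaction between `ddns-updates off` (the server does no DNS updates at all) and `allow client-updates` (the server merely lets a client do its own forward update). The linter below is an added example, not code from the thread or from ISC DHCP; it parses a small constructed dhcpd.conf modelled on the one above (with the misspelling kept on purpose so there is something to find), tracks settings inherited from the global scope into each subnet, and reports the misconfigurations as findings. The directive list `KNOWN_DIRECTIVES` is a deliberately small subset chosen for this example, and the finding codes are my own naming.

```python
"""Lint a dhcpd.conf for DDNS-related mistakes (added example, not from the thread)."""
import difflib
from typing import Dict, List, Tuple

# Constructed sample modelled on the config in the message above; the
# misspelt "authoratative" is kept deliberately so the linter has a defect to find.
SAMPLE_CONF = """\
authoratative;
option domain-name "bbaggins.net";
option domain-name-servers samba.bbaggins.net;
default-lease-time 9200;
max-lease-time 14400;
ddns-updates off;
ddns-domainname "bbaggins.net";
ddns-rev-domainname "in-addr.arpa";
subnet 192.168.2.0 netmask 255.255.255.0
{
  option routers 192.168.2.1;   # default gateway
  allow client-updates;
  authoritative;
  range 192.168.2.100 192.168.2.200;
  option ip-forwarding off;
}
"""

# Small subset of real dhcpd.conf directives, enough for this example (assumption: extend as needed).
KNOWN_DIRECTIVES = {
    "authoritative", "option", "default-lease-time", "max-lease-time",
    "ddns-updates", "ddns-update-style", "ddns-domainname", "ddns-rev-domainname",
    "allow", "deny", "ignore", "range", "subnet", "host", "group", "key", "zone",
    "update-static-leases", "log-facility",
}

Finding = Tuple[str, str, str]  # (code, scope path, message)


def tokenize(text: str) -> List[str]:
    """Split dhcpd.conf text into words, quoted strings and the punctuation { } ; (comments dropped)."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c == "#":                                   # comment runs to end of line
            while i < n and text[i] != "\n":
                i += 1
        elif c.isspace():
            i += 1
        elif c in "{};":
            tokens.append(c)
            i += 1
        elif c == '"':                                 # quoted string, kept with its quotes
            j = text.index('"', i + 1)
            tokens.append(text[i:j + 1])
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in '{};"#':
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens


def parse(tokens: List[str], pos: int = 0) -> Tuple[dict, int]:
    """Build a scope tree: {"stmts": [[tok, ...]], "blocks": [(header tokens, child scope)]}."""
    scope: dict = {"stmts": [], "blocks": []}
    cur: List[str] = []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == ";":
            if cur:
                scope["stmts"].append(cur)
            cur = []
        elif tok == "{":                               # the pending words are the block header
            inner, pos = parse(tokens, pos)
            scope["blocks"].append((cur, inner))
            cur = []
        elif tok == "}":
            return scope, pos
        else:
            cur.append(tok)
    if cur:
        raise ValueError(f"statement without terminating ';': {' '.join(cur)}")
    return scope, pos


def _walk(scope: dict, path: str, inherited: Dict[str, str], findings: List[Finding]) -> None:
    settings = dict(inherited)                          # child scopes inherit parent settings
    for stmt in scope["stmts"]:
        name = stmt[0]
        if name not in KNOWN_DIRECTIVES:
            guess = difflib.get_close_matches(name, KNOWN_DIRECTIVES, n=1, cutoff=0.8)
            hint = f"; did you mean '{guess[0]}'?" if guess else ""
            findings.append(("UNKNOWN_DIRECTIVE", path, f"'{name}' is not a known directive{hint}"))
        elif name in ("allow", "deny", "ignore"):      # e.g. settings["client-updates"] = "allow"
            settings[" ".join(stmt[1:])] = name
        elif name == "option":
            settings["option " + stmt[1]] = " ".join(stmt[2:])
        else:
            settings[name] = " ".join(stmt[1:])
    if path == "global" and "ddns-update-style" not in settings:
        findings.append(("NO_UPDATE_STYLE", path,
                         "ddns-update-style is not set; set it explicitly if dhcpd is meant to update DNS"))
    if settings.get("ddns-updates") == "off" and settings.get("client-updates") == "allow":
        findings.append(("DDNS_OFF_WITH_CLIENT_UPDATES", path,
                         "ddns-updates is off here, so dhcpd adds or removes no A/PTR records itself; "
                         "allow client-updates only permits the client to do its own forward update"))
    for header, inner in scope["blocks"]:
        _walk(inner, " ".join(header), settings, findings)


def audit(conf_text: str) -> List[Finding]:
    """Return the list of (code, scope, message) findings for a dhcpd.conf text."""
    scope, _ = parse(tokenize(conf_text))
    findings: List[Finding] = []
    _walk(scope, "global", {}, findings)
    return findings


if __name__ == "__main__":
    for code, where, msg in audit(SAMPLE_CONF):
        print(f"{code:30} [{where}] {msg}")
```

Running the module prints one line per finding; on the sample it reports the misspelt directive at global scope (with the suggested spelling), the missing `ddns-update-style`, and the off-updates/client-updates combination inside the subnet block. The inheritance model matters for the last finding: `ddns-updates off` is set globally, so a subnet that only says `allow client-updates` still ends up with the server doing nothing.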