DNS updates denied?

Charles Tryon charles.tryon at gmail.com
Thu Jan 26 11:28:58 MST 2012

On Thu, Jan 26, 2012 at 12:22 PM, Charles Tryon <charles.tryon at gmail.com> wrote:

> On Wed, Jan 25, 2012 at 5:10 PM, Amitay Isaacs <amitay at gmail.com> wrote:
>> Hi Charles,
>> On Thu, Jan 26, 2012 at 6:35 AM, Charles Tryon <charles.tryon at gmail.com>
>> wrote:
>> > DNS Policy question:  I've finally found a way for DHCP on my Samba
>> > system to securely update the DNS records (bind9.8/DLZ) using a script
>> > to get a proper Kerberos ticket.  The odd part is that the Windows boxes
>> > themselves are trying to update their own records every time they renew
>> > the DHCP lease... and they are getting denied.  Is that because of the
>> > fact that they didn't originally *create* the A, AAAA and PTR records?
>> Windows does update the forward and reverse (if the zone is available)
>> DNS names when it joins the domain. The issue with DHCP updating the names
>> is which user is updating the names. If the names are created as dns-admin
>> or administrator, then windows machines will not be able to update the
>> names, as they will not have the permissions to update the names created
>> by dns-admins or administrator.
>> So it might be easier to leave the updates to be handled by windows, as
>> they are created using the machine account and can be updated by windows.
>> The issue then would be that if you have any samba servers joining domain,
>> they will not be updating the domain as there is no code in samba to
>> update its own dns entry.
> Amitay,
>   Good point, as long as we can get the clients to update DNS correctly,
> which I have not yet been able to get to work.  I believe there is a fix in
> place for this, though I haven't been able to test it yet.
>   The problem is when you are in a mixed environment along with Linux
> and/or Mac DHCP clients.  I'm not sure if the Mac clients try to
> automatically update the DNS when they get an address from DHCP, and I'm
> sure Linux clients don't do this by default.  Is there a way around this?

Curious point...  I went in to the server and (a) removed the update
script, and (b) removed the existing DNS record for the client (samba-tool
dns delete ...).  My expectation was that, with the DNS record gone, the
client would recreate its own A record.  However, what I am seeing in the
logs is a denied update request for the AAAA record, and no indication that
it is trying to update its A record.  My dhcpd.conf file is:

option      domain-name         "bbaggins.net";
option      subnet-mask;
option      broadcast-address;
option      domain-name-servers samba.bbaggins.net;
option      ntp-servers         brenen.bbaggins.net;
default-lease-time              9200;
max-lease-time                  14400;
ddns-updates            off;
ddns-domainname         "bbaggins.net";
ddns-rev-domainname     "in-addr.arpa";

subnet     netmask
        option  routers;
        allow client-updates;
        option ip-forwarding off;

What am I missing here???

> Amitay.

    Charles Tryon
  “Risks are not to be evaluated in terms of the probability of success,
but in terms of the value of the goal.”
                - Ralph D. Winter
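An added illustration, not part of the thread or of Samba: when chasing denied dynamic updates like the ones above, it helps to see each denied client next to the lease dhcpd actually handed it, so a refusal can be tied to a hostname and MAC rather than just an address. The script below correlates ISC dhcpd "DHCPACK" lines with BIND "update '<zone>' denied" lines from one syslog stream. The log lines are constructed (RFC 5737 addresses, the thread's own bbaggins.net zone), and the line formats are assumed to be the standard ISC dhcpd and named syslog formats; a Samba DLZ backend may word its denials differently, in which case DENIED_RE needs adjusting.

```python
#!/usr/bin/env python3
"""Correlate DHCP leases with denied dynamic DNS updates in syslog output.

Added example, not from the mailing-list thread: reads ISC dhcpd DHCPACK
lines and BIND "update '<zone>' denied" lines and reports, per client IP,
the lease (MAC and client-supplied hostname) alongside the zones whose
updates were refused. The sample log is constructed; the regexes assume the
standard ISC dhcpd and named syslog formats (assumption: a Samba DLZ backend
may log denials in another form).
"""
import re
import sys

# dhcpd: "DHCPACK on <ip> to <mac> (<hostname>) via <iface>"; the hostname
# in parentheses is the client-supplied option 12 name and may be absent.
DHCPACK_RE = re.compile(
    r"dhcpd(?:\[\d+\])?: DHCPACK on (?P<ip>\S+) to (?P<mac>[0-9a-fA-F:]+)"
    r"(?: \((?P<host>[^)]*)\))?"
)
# named: "client <ip>#<port>: update '<zone>/IN' denied"
DENIED_RE = re.compile(
    r"named(?:\[\d+\])?: client (?P<ip>[^#\s]+)#\d+: update '(?P<zone>[^']+)' denied"
)

# Constructed sample log (RFC 5737 documentation addresses, made-up hosts).
SAMPLE_LOG = """\
Jan 26 11:20:01 samba dhcpd: DHCPACK on 192.0.2.50 to 00:11:22:33:44:55 (frodo) via eth0
Jan 26 11:20:02 samba named[1234]: client 192.0.2.50#54321: update 'bbaggins.net/IN' denied
Jan 26 11:20:02 samba named[1234]: client 192.0.2.50#54321: update '2.0.192.in-addr.arpa/IN' denied
Jan 26 11:21:10 samba dhcpd: DHCPACK on 192.0.2.51 to 66:77:88:99:aa:bb (gandalf) via eth0
Jan 26 11:25:00 samba named[1234]: client 192.0.2.77#40000: update 'bbaggins.net/IN' denied
"""


def parse_leases(lines):
    """Map client IP -> (mac, hostname) from DHCPACK lines; the last ACK wins."""
    leases = {}
    for line in lines:
        m = DHCPACK_RE.search(line)
        if m:
            leases[m.group("ip")] = (m.group("mac"), m.group("host"))
    return leases


def parse_denials(lines):
    """Yield (client_ip, zone) for every refused dynamic update."""
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("zone")


def correlate(text):
    """Return {client_ip: {"mac", "host", "denied": {zone: count}}} for every
    client that had at least one update refused. A client with no lease on
    record keeps mac/host as None: the update came from a static host or from
    an address this dhcpd did not hand out, which is worth a second look."""
    lines = text.splitlines()
    leases = parse_leases(lines)
    report = {}
    for ip, zone in parse_denials(lines):
        entry = report.setdefault(ip, {"mac": None, "host": None, "denied": {}})
        if ip in leases:
            entry["mac"], entry["host"] = leases[ip]
        entry["denied"][zone] = entry["denied"].get(zone, 0) + 1
    return report


def format_report(report):
    """Render one line per denied client, sorted by address."""
    out = []
    for ip in sorted(report):
        e = report[ip]
        who = f"{e['host'] or '?'} ({e['mac'] or 'no lease seen'})"
        zones = ", ".join(f"{z} x{n}" for z, n in sorted(e["denied"].items()))
        out.append(f"{ip:15} {who:40} denied: {zones}")
    return "\n".join(out)


if __name__ == "__main__":
    # Pass a syslog file as the first argument, or run on the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(format_report(correlate(text)))
```

On the sample, 192.0.2.50 (frodo) shows one refusal for the forward zone and one for the reverse zone, matching the pattern in the thread where a client renews and then fails to update both records, while 192.0.2.77 shows a refusal with no lease behind it. Run it against a real combined syslog (`python3 dns_denials.py /var/log/syslog`, filename assumed) to get the same view for live clients.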
