DNS updates denied?

Charles Tryon charles.tryon at gmail.com
Thu Jan 26 11:41:17 MST 2012


What do you use for credentials?  I tried running it as both my user and as
root, and it gave me an error:
  tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor
code may provide more information, Minor = Credentials cache file
'/tmp/krb5cc_0' not found.

That Linux box is NOT joined to the Windows domain, so it doesn't have its
own account.  I don't see any reason to join it to the domain, since all
I'm trying to do is keep DNS up to date.



On Thu, Jan 26, 2012 at 12:58 PM, Michael Croes <mycroes at gmail.com> wrote:

> It's possible to manually invoke nsupdate -g on Linux clients to update
> the dns records. I did this for a couple of servers and also for all
> records for my second DC. It's doable with just a couple of clients...
> Regards,
>
> Michael
> On 26 Jan. 2012 18:22, "Charles Tryon" <charles.tryon at gmail.com>
> wrote:
>
> On Wed, Jan 25, 2012 at 5:10 PM, Amitay Isaacs <amitay at gmail.com> wrote:
>>
>> > Hi Charles,
>> >
>> > On Thu, Jan 26, 2012 at 6:35 AM, Charles Tryon <charles.tryon at gmail.com>
>> > wrote:
>> > > DNS Policy question:  I've finally found a way for DHCP on my Samba
>> > > system to securely update the DNS records (bind9.8/DLZ) using a script
>> > > to get a proper Kerberos ticket.  The odd part is that the Windows
>> > > boxes themselves are trying to update their own records every time
>> > > they renew the DHCP lease... and they are getting denied.  Is that
>> > > because of the fact that they didn't originally *create* the A, AAAA
>> > > and PTR records?
>> >
>> > Windows does update the forward and reverse (if the zone is available)
>> > DNS names when it joins the domain. The issue with DHCP updating the
>> > names is which user is updating the names. If the names are created as
>> > dns-admin or administrator, then windows machines will not be able to
>> > update the names, as they will not have the permissions to update the
>> > names created by dns-admins or administrator.
>> >
>> > So it might be easier to leave the updates to be handled by windows, as
>> > they are created using the machine account and can be updated by
>> > windows. The issue then would be that if you have any samba servers
>> > joining domain, they will not be updating the domain as there is no
>> > code in samba to update its own dns entry.
>> >
>>
>> Amitay,
>>  Good point, as long as we can get the clients to update DNS correctly,
>> which I have not yet been able to get to work.  I believe there is a fix
>> in place for this, though I haven't been able to test it yet.
>>
>>  The problem is when you are in a mixed environment along with Linux
>> and/or Mac DHCP clients.  I'm not sure if the Mac clients try to
>> automatically update the DNS when they get an address from DHCP, and I'm
>> sure Linux clients don't do this by default.  Is there a way around this?
>>
>> > Amitay.
>>
>> --
>>    Charles Tryon
>> _________________________________________________________________________
>>  “Risks are not to be evaluated in terms of the probability of success,
>> but in terms of the value of the goal.”
>>                - Ralph D. Winter
>>
>


-- 
    Charles Tryon
_________________________________________________________________________
  “Risks are not to be evaluated in terms of the probability of success,
but in terms of the value of the goal.”
                - Ralph D. Winter
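As an added example (not Charles's script, and not code from the Samba project), this is the shape of a DHCP-side update hook that sidesteps the missing "/tmp/krb5cc_0" failure above: it obtains its own ticket from a keytab into a private KRB5CCNAME and then pipes a batch to nsupdate -g. Records added this way end up owned by that principal, which is the same ownership issue Amitay describes for the Windows clients' own updates, so the principal should be the one you intend to keep maintaining them. The keytab path, principal, DNS server, zone names and the sample host/address are assumptions.

```shell
#!/bin/sh
# Added example: obtain a Kerberos ticket from a keytab into a private
# credentials cache, then send a GSS-TSIG (nsupdate -g) update for one host.
# All paths, names and addresses below are assumptions, not from the thread.

KEYTAB=/etc/dhcp/dns-update.keytab          # assumption
PRINCIPAL=dhcp-dns-update@EXAMPLE.COM       # assumption
DNS_SERVER=dc1.example.com                  # assumption

# 192.0.2.10 -> 10.2.0.192.in-addr.arpa (owner name of the PTR record)
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ print $4"."$3"."$2"."$1".in-addr.arpa" }'
}

# Emit the nsupdate batch for one forward + reverse pair. Deleting the old
# record first keeps the host at a single A/PTR after a lease change.
build_nsupdate_input() {
    fqdn=$1; ip=$2; fwd_zone=$3; rev_zone=$4; ttl=${5:-3600}
    printf 'server %s\n' "$DNS_SERVER"
    printf 'zone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$fwd_zone" "$fqdn" "$fqdn" "$ttl" "$ip"
    printf 'zone %s\nupdate delete %s PTR\nupdate add %s %s PTR %s\nsend\n' \
        "$rev_zone" "$(ptr_name "$ip")" "$(ptr_name "$ip")" "$ttl" "$fqdn"
}

# Get a ticket into a cache that belongs to this run only (not the invoking
# user's /tmp/krb5cc_<uid>), run the update, then throw the ticket away.
run_update() {
    KRB5CCNAME=$(mktemp /tmp/krb5cc_dns_XXXXXX) || return 1
    export KRB5CCNAME
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || { rm -f "$KRB5CCNAME"; return 1; }
    build_nsupdate_input "$@" | nsupdate -g
    rc=$?
    kdestroy
    rm -f "$KRB5CCNAME"
    return $rc
}

# Print the batch for constructed sample values (no KDC or DNS server needed):
build_nsupdate_input host42.example.com 192.0.2.10 example.com 2.0.192.in-addr.arpa
```

In a DHCP "on commit" hook you would call `run_update "$fqdn" "$ip" "$fwd_zone" "$rev_zone"` instead of the final print line.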

