S4 and BIND

Andrew Bartlett abartlet at samba.org
Fri Jun 8 04:54:38 MDT 2012

On Fri, 2012-06-08 at 20:48 +1000, Andrew Bartlett wrote:
> On Fri, 2012-06-08 at 16:04 +0800, titantoppler at gmail.com wrote:
> > Hi list,
> > 
> > I've been trying to set up another S4 DC on my network.
> > 
> > My old setup was a single S4 DC (alpha 12) running DNS as well. I
> > subsequently hived off the DNS service to a dedicated box by copying the
> > zone files and the dns.keytab file from the original S4 DC to the new box.
> > 
> > It seemed to work fine, though as no DNS updates from the original S4 DC
> > were needed I am just guessing here.
> > 
> > I successfully installed S4 (alpha 21) last night on another box. I joined
> > it to the domain using the instructions from here (
> > https://wiki.samba.org/index.php/Samba4/HOWTO/Join_a_domain_as_a_DC)
> > 
> > On starting S4, however, I get an error message that says:
> > [2012/06/05 09:39:52,  0]
> > ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
> >   /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
> > 
> > What is the problem here?
> > 
> > I have exported the new dns.keytab and restarted BIND, but to no avail. My
> > BIND version is 9.8.1
> Have you included all the options (the gss options in particular, but
> also the configuration for the DLZ plugin) in your named.conf as
> directed by provision?

(ignore this, I re-read your message just a moment too late). 

So, the issue here is in part due to the way you split off the DNS, and
partly due to how old alpha12 is.

A second DC in the domain needs to update a number of extra records,
beyond what the options in alpha12 permitted.  For the flatfile, we
generate a list of extra principals who are allowed to update the DNS
records for the DC.

But we handle this better in the bind9_dlz case, as there we can process
the ACL internally. 

So, at this point your best option for a migration would be to copy the
zone files to your new DC, run samba_upgradedns to place that zone into
the DNS partition, and then start bind9_dlz on that new DC.   It should
continue to accept DNS updates from your original DC. 

Also note that alpha12 is quite old, and while you certainly should run
a dbcheck, you might be caught in the nasty spot where we need an
upgradeprovision, but an upgradeprovision isn't recommended any
more :-(. 

I hope this is of more help,

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
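As an added illustration (not part of the original thread or of Samba's own generated files), this is the shape of the two named.conf pieces that provision directs you to include for the bind9_dlz backend on BIND 9.8: the GSS-TSIG keytab option and the DLZ plugin stanza. The install prefix /usr/local/samba and the module filename dlz_bind9.so are assumptions taken from the log line above and from a 2012-era build; check them against what provision wrote on your DC.

```conf
// Assumed prefix: /usr/local/samba (matches the samba_dnsupdate path in the log).

// 1) GSS-TSIG: lets named validate the DC's Kerberos-signed dynamic updates.
//    Goes inside the global "options" block. BIND 9.8 syntax; BIND 9.7 used
//    tkey-gssapi-credential / tkey-domain instead. Without this, signed
//    updates from samba_dnsupdate are refused (NOTAUTH).
options {
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};

// 2) DLZ plugin: named serves the AD DNS partition directly, and the
//    per-DC update ACL is evaluated inside Samba rather than in a
//    hand-maintained update-policy on a flat zone file.
dlz "AD DNS Zone" {
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
};
```

After reloading named, confirm that the user named runs as can read dns.keytab and the DLZ module, since a permissions failure on either shows up as the same update refusal.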
