[Samba] V4 - New Install - Missing Zone File

Amitay Isaacs amitay at gmail.com
Sat Mar 3 08:03:06 MST 2012


On Sat, Mar 3, 2012 at 2:13 PM, JDFire <jdfire at cox.net> wrote:
> Hi Amitay,
>
> On Feb 27, 2012, at 11:37 PM, Amitay Isaacs <amitay at gmail.com> wrote:
>
>> Hi Jeremy,
>>
>> On Sat, Feb 25, 2012 at 12:57 PM, JDFire <jdfire at cox.net> wrote:
>>> Hi Amitay
>>>
>>> On Feb 23, 2012, at 10:28 PM, Amitay Isaacs <amitay at gmail.com> wrote:
>>>
>>>> Hi Jeremy,
>>>>
>>>> On Thu, Feb 23, 2012 at 4:54 PM, Jeremy Davis <jdavis4102 at gmail.com> wrote:
>>>>>
>>>>>
>>>>> On 02/22/2012 10:48 PM, Amitay Isaacs wrote:
>>>>>>
>>>>>> On Thu, Feb 23, 2012 at 4:33 PM, Jeremy Davis<jdavis4102 at gmail.com>
>>>>>>  wrote:
>>>>>>>
>>>>>>> Hello Amitay,
>>>>>>>
>>>>>>>
>>>>>>> On 02/22/2012 10:07 PM, Amitay Isaacs wrote:
>>>>>>>>
>>>>>>>> Hi Jeremy,
>>>>>>>>
>>>>>>>> On Thu, Feb 23, 2012 at 3:29 PM, Jeremy Davis<jdavis4102 at gmail.com>
>>>>>>>>  wrote:
>>>>>>>>>
>>>>>>>>> Hello Amitay,
>>>>>>>>>
>>>>>>>>> On 02/22/2012 02:34 PM, Amitay Isaacs wrote:
>>>>>>>>>>
>>>>>>>>>> Hi Jeremy,
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> That error message needs to be fixed. :)
>>>>>>>>>>
>>>>>>>>>> Looks like "nsupdate" command is not in the path. samba_dnsupdate
>>>>>>>>>> script uses nsupdate to dynamically update DNS entries.
>>>>>>>>>>
>>>>>>>>>> Try adding "nsupdate command = /path/to/nsupdate" in smb.conf.
>>>>>>>>>>
>>>>>>>>>> Amitay.
>>>>>>>>>>
>>>>>>>>> Thank you SO MUCH for getting me this far!! :) That looks like it fixed
>>>>>>>>> that
>>>>>>>>> issue but I have now run into a denied error message for bind. Below
>>>>>>>>> you
>>>>>>>>> can
>>>>>>>>> find my logs for both samba_dnsupdate and bind. Seems like the
>>>>>>>>> dns.keytab
>>>>>>>>> file is not correct or something. I have tried to put allow-update {
>>>>>>>>> 192.168.30.1; } in my options section of my named.conf with no luck.
>>>>>>>>>
>>>>>>>> I forgot to mention that nsupdate command should also include -g flag to
>>>>>>>> force
>>>>>>>> secure (kerberos) updates.
>>>>>>>>
>>>>>>>>    nsupdate command = /path/to/nsupdate -g
>>>>>>>>
>>>>>>>> dlz_bind9 module only allows secure dynamic updates.
>>>>>>>>
>>>>>>>> Amitay.
>>>>>>>>
>>>>>>> I added the -g to the smb.conf and restarted samba and named but it
>>>>>>> doesn't
>>>>>>> seem to do anything. Could this be an issue with kerberos? I am able to
>>>>>>> authenticate with my Windows machine and via the command line using the
>>>>>>> tests on the samba4 wiki. Any ideas as to what this could be?
>>>>>>
>>>>>> What happens when you run samba_dnsupdate --verbose?
>>>>>> What's the output from BIND?
>>>>>>
>>>>>> Amitay.
>>>>>>
>>>>>
>>>>> Well, the samba_dnsupdate logs are the same but bind is now showing a little
>>>>> different error.
>>>>>
>>>>>
>>>>> samba-dnsupdate:
>>>>>
>>>>> IPs: ['2002:4b46:c8ad:0:a00:27ff:fe14:5491',
>>>>> 'fe80::a00:27ff:fe14:5491%eth0', 'fe80::a00:27ff:fee5:5840%eth1',
>>>>> '192.168.7.30', '192.168.30.1']
>>>>> Looking for DNS entry A bob-dc.com 192.168.7.30 as bob-dc.com.
>>>>> Looking for DNS entry A dc1.bob-dc.com 192.168.7.30 as dc1.bob-dc.com.
>>>>> Looking for DNS entry AAAA bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as
>>>>> bob-dc.com.
>>>>> Failed to find matching DNS entry AAAA bob-dc.com
>>>>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>>>> Looking for DNS entry AAAA dc1.bob-dc.com
>>>>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as dc1.bob-dc.com.
>>>>> Failed to find matching DNS entry AAAA dc1.bob-dc.com
>>>>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>>>> Looking for DNS entry A gc._msdcs.bob-dc.com 192.168.7.30 as
>>>>> gc._msdcs.bob-dc.com.
>>>>> Looking for DNS entry AAAA gc._msdcs.bob-dc.com
>>>>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as gc._msdcs.bob-dc.com.
>>>>> Failed to find matching DNS entry AAAA gc._msdcs.bob-dc.com
>>>>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>>>> Looking for DNS entry CNAME
>>>>> 48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com dc1.bob-dc.com as
>>>>> 48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com.
>>>>> Looking for DNS entry SRV _kpasswd._tcp.bob-dc.com dc1.bob-dc.com 464 as
>>>>> _kpasswd._tcp.bob-dc.com.
>>>>> Checking 0 100 464 dc1.bob-dc.com. against SRV _kpasswd._tcp.bob-dc.com
>>>>> dc1.bob-dc.com 464
>>>>> Looking for DNS entry SRV _kpasswd._udp.bob-dc.com dc1.bob-dc.com 464 as
>>>>> _kpasswd._udp.bob-dc.com.
>>>>> Checking 0 100 464 dc1.bob-dc.com. against SRV _kpasswd._udp.bob-dc.com
>>>>> dc1.bob-dc.com 464
>>>>> Looking for DNS entry SRV _kerberos._tcp.bob-dc.com dc1.bob-dc.com 88 as
>>>>> _kerberos._tcp.bob-dc.com.
>>>>> Checking 0 100 88 dc1.bob-dc.com. against SRV _kerberos._tcp.bob-dc.com
>>>>> dc1.bob-dc.com 88
>>>>> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com
>>>>> 88 as _kerberos._tcp.dc._msdcs.bob-dc.com.
>>>>> Checking 0 100 88 dc1.bob-dc.com. against SRV
>>>>> _kerberos._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 88
>>>>> Looking for DNS entry SRV
>>>>> _kerberos._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 88
>>>>> as _kerberos._tcp.default-first-site-name._sites.bob-dc.com.
>>>>> Checking 0 100 88 dc1.bob-dc.com. against SRV
>>>>> _kerberos._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 88
>>>>> Looking for DNS entry SRV
>>>>> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
>>>>> dc1.bob-dc.com 88 as
>>>>> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com.
>>>>> Checking 0 100 88 dc1.bob-dc.com. against SRV
>>>>> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
>>>>> dc1.bob-dc.com 88
>>>>> Looking for DNS entry SRV _kerberos._udp.bob-dc.com dc1.bob-dc.com 88 as
>>>>> _kerberos._udp.bob-dc.com.
>>>>> Checking 0 100 88 dc1.bob-dc.com. against SRV _kerberos._udp.bob-dc.com
>>>>> dc1.bob-dc.com 88
>>>>> Looking for DNS entry SRV _ldap._tcp.bob-dc.com dc1.bob-dc.com 389 as
>>>>> _ldap._tcp.bob-dc.com.
>>>>> Checking 0 100 389 dc1.bob-dc.com. against SRV _ldap._tcp.bob-dc.com
>>>>> dc1.bob-dc.com 389
>>>>> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 389
>>>>> as _ldap._tcp.dc._msdcs.bob-dc.com.
>>>>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>>>>> _ldap._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 389
>>>>> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.bob-dc.com dc1.bob-dc.com
>>>>> 3268 as _ldap._tcp.gc._msdcs.bob-dc.com.
>>>>> Checking 0 100 3268 dc1.bob-dc.com. against SRV
>>>>> _ldap._tcp.gc._msdcs.bob-dc.com dc1.bob-dc.com 3268
>>>>> Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.bob-dc.com dc1.bob-dc.com
>>>>> 389 as _ldap._tcp.pdc._msdcs.bob-dc.com.
>>>>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>>>>> _ldap._tcp.pdc._msdcs.bob-dc.com dc1.bob-dc.com 389
>>>>> Looking for DNS entry SRV
>>>>> _ldap._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 389 as
>>>>> _ldap._tcp.default-first-site-name._sites.bob-dc.com.
>>>>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>>>>> _ldap._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 389
>>>>> Looking for DNS entry SRV
>>>>> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
>>>>> dc1.bob-dc.com 389 as
>>>>> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com.
>>>>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>>>>> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
>>>>> dc1.bob-dc.com 389
>>>>> Looking for DNS entry SRV
>>>>> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com
>>>>> dc1.bob-dc.com 3268 as
>>>>> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com.
>>>>> Checking 0 100 3268 dc1.bob-dc.com. against SRV
>>>>> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com
>>>>> dc1.bob-dc.com 3268
>>>>> Looking for DNS entry SRV
>>>>> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com
>>>>> dc1.bob-dc.com 389 as
>>>>> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com.
>>>>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>>>>> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com
>>>>> dc1.bob-dc.com 389
>>>>> Looking for DNS entry SRV _gc._tcp.bob-dc.com dc1.bob-dc.com 3268 as
>>>>> _gc._tcp.bob-dc.com.
>>>>> Checking 0 100 3268 dc1.bob-dc.com. against SRV _gc._tcp.bob-dc.com
>>>>> dc1.bob-dc.com 3268
>>>>> Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.bob-dc.com
>>>>> dc1.bob-dc.com 3268 as _gc._tcp.default-first-site-name._sites.bob-dc.com.
>>>>> Checking 0 100 3268 dc1.bob-dc.com. against SRV
>>>>> _gc._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 3268
>>>>> Looking for DNS entry A bob-dc.com 192.168.30.1 as bob-dc.com.
>>>>> Failed to find matching DNS entry A bob-dc.com 192.168.30.1
>>>>> Looking for DNS entry A dc1.bob-dc.com 192.168.30.1 as dc1.bob-dc.com.
>>>>> Failed to find matching DNS entry A dc1.bob-dc.com 192.168.30.1
>>>>> Looking for DNS entry A gc._msdcs.bob-dc.com 192.168.30.1 as
>>>>> gc._msdcs.bob-dc.com.
>>>>> Failed to find matching DNS entry A gc._msdcs.bob-dc.com 192.168.30.1
>>>>> Calling nsupdate for AAAA bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>>>> Outgoing update query:
>>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>>>> ;; UPDATE SECTION:
>>>>> bob-dc.com.        900    IN    AAAA    2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>>>>
>>>>> update failed: REFUSED
>>>>> Failed nsupdate: 2
>>>>> Calling nsupdate for AAAA dc1.bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>>>> Outgoing update query:
>>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>>>> ;; UPDATE SECTION:
>>>>> dc1.bob-dc.com.    900    IN    AAAA    2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>>>>
>>>>> update failed: REFUSED
>>>>> Failed nsupdate: 2
>>>>> Calling nsupdate for AAAA gc._msdcs.bob-dc.com
>>>>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>>>> Outgoing update query:
>>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>>>> ;; UPDATE SECTION:
>>>>> gc._msdcs.bob-dc.com.    900    IN    AAAA
>>>>>  2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>>>>
>>>>> update failed: REFUSED
>>>>> Failed nsupdate: 2
>>>>> Calling nsupdate for A bob-dc.com 192.168.30.1
>>>>> Outgoing update query:
>>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>>>> ;; UPDATE SECTION:
>>>>> bob-dc.com.        900    IN    A    192.168.30.1
>>>>>
>>>>> update failed: REFUSED
>>>>> Failed nsupdate: 2
>>>>> Calling nsupdate for A dc1.bob-dc.com 192.168.30.1
>>>>> Outgoing update query:
>>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>>>> ;; UPDATE SECTION:
>>>>> dc1.bob-dc.com.    900    IN    A    192.168.30.1
>>>>>
>>>>> update failed: REFUSED
>>>>> Failed nsupdate: 2
>>>>> Calling nsupdate for A gc._msdcs.bob-dc.com 192.168.30.1
>>>>> Outgoing update query:
>>>>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>>>>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>>>>> ;; UPDATE SECTION:
>>>>> gc._msdcs.bob-dc.com.    900    IN    A    192.168.30.1
>>>>>
>>>>> update failed: REFUSED
>>>>> Failed nsupdate: 2
>>>>> Failed update of 6 entries
>>>>>
>>>>>
>>>>> bind logs:
>>>>>
>>>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone
>>>>> bob-dc.com
>>>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>>>>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#43717: updating zone
>>>>> 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>>>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>>>>> bob-dc.com
>>>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone
>>>>> bob-dc.com
>>>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>>>>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#33042: updating zone
>>>>> 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>>>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>>>>> bob-dc.com
>>>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone
>>>>> _msdcs.bob-dc.com
>>>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>>>>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#40855: updating zone
>>>>> '_msdcs.bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>>>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>>>>> _msdcs.bob-dc.com
>>>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone
>>>>> bob-dc.com
>>>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>>>>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#38049: updating zone
>>>>> 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>>>>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>>>>> bob-dc.com
>>>>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on zone
>>>>> bob-dc.com
>>>>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: spnego update failed
>>>>> Feb 22 22:51:44 dc1 named[2498]: client 192.168.30.1#34189: updating zone
>>>>> 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>>>>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>>>>> bob-dc.com
>>>>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on zone
>>>>> _msdcs.bob-dc.com
>>>>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: spnego update failed
>>>>> Feb 22 22:51:44 dc1 named[2498]: client 192.168.30.1#41075: updating zone
>>>>> '_msdcs.bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>>>>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>>>>> _msdcs.bob-dc.com
>>>>>
>>>>
>>>> The problem is "spnego update failed". This step actually verifies the Kerberos
>>>> ticket provided in the dynamic update, and that is failing for some reason.
>>>> I'll do some testing and find out what's causing this.
>>>>
>>>>
>>>
>>> I see, leave it up to me to find possible bugs. :) Please let me know if you need any further information/testing. Thanks again for your help so far.
>>>
>>> Regards,
>>> Jeremy
>>
>> How was this samba4 instance provisioned? Did you use the upgradedns
>> script to upgrade the DNS provision? Or was it provisioned using the
>> DLZ_BIND9 backend?
>>
>> Can you try running dynamic update manually as follows and monitor named log?
>>
>> $ kinit administrator at bob-dc.com
>> $ nsupdate -g
>>> server dc1.bob-dc.com
>>> update add foo.bob-dc.com 3600 A 1.2.3.4
>>> show
>>> send
>
> I am just checking in to see if you need anything else from me or if you may have found the problem. Thanks again for your help so far and look forward to getting this issue resolved.
>

The only reason I can think of why dynamic DNS updates are not working is
related to having the wrong keytab for DNS. Can you try a fresh provision
with the latest git tree and check if it works?

Amitay.
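The thread quotes two artefacts worth reading together: the `samba_dnsupdate --verbose` output (one `Calling nsupdate for ...` block per record, each ending in `update failed: REFUSED` / `Failed nsupdate: 2`) and named's log, where dlz_bind9 prints `samba_dlz: spnego update failed` immediately before named's `rejected by secure update (REFUSED)` line. That ordering is the useful signal: a refusal preceded by a SPNEGO failure means the GSS-TSIG (Kerberos) signature on the update could not be verified by the DLZ module, which no `allow-update` ACL can fix. The triage helper below is an added example, not code from this thread or from the Samba project. It parses both logs, pairs each refused update with the corresponding named refusal, and classifies the cause. The sample lines are constructed from the logs quoted above; pairing by order assumes both logs cover the same `samba_dnsupdate` run.

```python
import re
from collections import Counter

# samba_dnsupdate --verbose: a "Calling nsupdate for ..." header per record,
# then nsupdate's output and, on failure, "update failed: <RCODE>" / "Failed nsupdate: <rc>".
CALL_RE = re.compile(r"^Calling nsupdate for (?P<type>\S+) (?P<name>\S+) (?P<value>\S+)")
RCODE_RE = re.compile(r"^update failed: (?P<rcode>[A-Z]+)")
EXIT_RE = re.compile(r"^Failed nsupdate: (?P<rc>\d+)")
# named: dlz_bind9 logs the SPNEGO failure, then named logs the client refusal.
SPNEGO_RE = re.compile(r"samba_dlz: spnego update failed")
REFUSE_RE = re.compile(r"client (?P<client>[\d.]+)#(?P<port>\d+): updating zone "
                       r"'(?P<zone>[^/']+)/[^']*': update failed: (?P<reason>.+?) \((?P<rcode>[A-Z]+)\)$")


def parse_samba_dnsupdate(text):
    """One dict per nsupdate call: type, name, value, rcode (None on success), rc."""
    calls, cur = [], None
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            cur = dict(m.groupdict(), rcode=None, rc=0)
            calls.append(cur)
        elif cur is not None:
            r, e = RCODE_RE.match(line), EXIT_RE.match(line)
            if r:
                cur["rcode"] = r.group("rcode")
            elif e:
                cur["rc"] = int(e.group("rc"))
    return calls


def parse_named_log(text):
    """One dict per refused update; spnego_failed means dlz_bind9 logged
    'spnego update failed' right before named's refusal line."""
    refusals, spnego_pending = [], False
    for line in text.splitlines():
        if SPNEGO_RE.search(line):
            spnego_pending = True
            continue
        m = REFUSE_RE.search(line)
        if m:
            refusals.append(dict(m.groupdict(), spnego_failed=spnego_pending))
            spnego_pending = False
    return refusals


def diagnose(calls, refusals):
    """Pair refused calls with named refusals in order and classify each.
    Assumption: both logs cover the same samba_dnsupdate run, so order lines up."""
    failed = [c for c in calls if c["rcode"] is not None]
    findings = []
    for call, ref in zip(failed, refusals):
        in_zone = call["name"] == ref["zone"] or call["name"].endswith("." + ref["zone"])
        if ref["spnego_failed"]:
            # dlz_bind9 could not verify the Kerberos (GSS-TSIG) signature on the update.
            # An allow-update ACL cannot fix this; the DNS keytab / Kerberos path can.
            cause = "gss-tsig-verify-failed"
        elif ref["rcode"] == "REFUSED":
            cause = "refused-without-spnego-failure"   # look at zone update policy instead
        else:
            cause = "other:" + ref["rcode"]
        findings.append({"type": call["type"], "name": call["name"], "zone": ref["zone"],
                         "client": ref["client"], "zone_match": in_zone, "cause": cause})
    return findings


def summarize(findings):
    """Count findings per cause, e.g. Counter({'gss-tsig-verify-failed': 2})."""
    return Counter(f["cause"] for f in findings)


# Constructed sample input, abridged from the logs quoted in this thread.
SAMBA_DNSUPDATE_VERBOSE = """\
Failed to find matching DNS entry AAAA bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
Calling nsupdate for AAAA bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
Outgoing update query:
bob-dc.com.        900    IN    AAAA    2002:4b46:c8ad:0:a00:27ff:fe14:5491
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A gc._msdcs.bob-dc.com 192.168.30.1
Outgoing update query:
gc._msdcs.bob-dc.com.    900    IN    A    192.168.30.1
update failed: REFUSED
Failed nsupdate: 2
Failed update of 2 entries
"""

NAMED_LOG = """\
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#43717: updating zone 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#40855: updating zone '_msdcs.bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
"""

if __name__ == "__main__":
    found = diagnose(parse_samba_dnsupdate(SAMBA_DNSUPDATE_VERBOSE), parse_named_log(NAMED_LOG))
    for f in found:
        print(f"{f['type']:5} {f['name']:25} zone={f['zone']:20} {f['cause']}")
    print(dict(summarize(found)))
```

When every finding comes back as `gss-tsig-verify-failed`, the manual `kinit` + `nsupdate -g` test from earlier in the thread is the right next step: `-g` makes nsupdate sign the update with GSS-TSIG using the ticket from `kinit`, so if that also produces `spnego update failed` in named's log, the problem is on the server side of the Kerberos exchange (named must be able to read the DNS keytab Samba provisioned; in BIND that is the `tkey-gssapi-keytab` option, and the keytab path on any given install is an assumption to check, not something this thread states). Only a refusal without a preceding SPNEGO line would point at zone update policy instead.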


More information about the samba-technical mailing list