Sites and DNS
Kev Latimer
klatimer at tolent.co.uk
Tue Mar 27 04:17:27 MDT 2012
On 27/03/2012 10:42, Kai Blin wrote:
> On 2012-03-27 11:04, Kev Latimer wrote:
>
> Hi Kev,
>
>> Okay, reprovisioned, debug level set to 2 in smb.conf, made sure it's
>> all working okay, renamed default site, stopped Samba, cleared log.samba
>> to remove any guff (mainly my XP test machine trying so desperately to
>> find it's AV update source!), started up again and manually ran
>> samba_dnsupdate. Resulting log file for the few seconds it took to give
>> the FORMERR again is nearly 800k, which is over the pastbin max so I've
>> gzipped and uploaded it to my personal webspace here:
>> http://www.kevnet.org.uk/samba4/log.samba.gz (probably not strictly good
>> netiquette but hope that's okay).
> Great, got it. So what's happening is this:
>
> samba_dnsupdate tries to negotiate a TKEY exchange for a
> cryptographically signed update, but the internal server doesn't
> understand that record type yet (in master, working on this stuff right
> now). Because the server thinks the record type is invalid, it returns
> FORMERR. This should hopefully be fixed soon, but in the meantime, try
> the following workaround:
>
> In smb.conf, set
>
> nsupdate command = nsupdate
> allow dns updates = True
>
> That will allow unsigned dns updates to your zone, so it's not the most
> secure option, but it should work.
Makes sense. I was aware it didn't support signed updates yet but I
think I assumed that DNS records that exposed elements of the directory
(ie. sites, dc, gc etc.) were handled through directly manipulating the
directory (RPC?) with DNS just exposing the result. I think I'd
discounted signing as an issue in this case as I was seeing the same result
with BIND9_DLZ.
I've applied your workaround and samba_dnsupdate completes cleanly and
sites are showing in DNS. Renamed Default-First-Site-Name is showing,
as well as Default-First-Site-Name itself, which was a surprise but I
assume this will clear over time through whatever built-in scavenging is
present.
I'd like to try using the internal DNS server as my first choice but
while I've some experience with BIND and its config, I can't seem to
find any docs on how to do basic config for the internal server, such as
record scavenging, forwarders etc.? I've cheekily tried to perform
changes in the properties box of the DNS MMC (!) without success so I
assume this is set via smb.conf - can you clarify any settings that can be
made or if this is documented somewhere and I've not been looking
properly? I'd be more than happy to compile any info I can find on the
samba4 wiki if it's of any help?
> Cheers,
> Kai
Thanks again for looking into this for me. While insecure updates
aren't perfect, it's a step in the right direction for getting
out-of-the-box functionality. Good luck for getting signed updates
working, look forward to seeing the results :-) I'll keep on with my
testing and with any luck, I'll be able to share some replicated DNS
results, with sites, very soon.
Cheers,
Kev
--
Kev
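An added check, not part of this thread or of Samba, for the situation Kev describes above (the renamed site and the old Default-First-Site-Name both showing up in DNS): it takes the site-specific SRV record names listed from the zone and the sites actually defined in the directory, both assumed to have been collected separately and replaced here by constructed sample data, and reports records whose site no longer exists.

```python
import re
from collections import defaultdict

# Site-specific SRV names registered by samba_dnsupdate look like
#   _<service>._tcp.<SiteName>._sites[.<subtree>].<domain>
# e.g. _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com
SITE_SRV_RE = re.compile(
    r"^_(?P<svc>[a-z]+)\._tcp\.(?P<site>[^.]+)\._sites\.(?P<rest>.+?)\.?$",
    re.IGNORECASE,
)


def site_from_srv_name(name, domain):
    """Return the site name embedded in a _sites SRV record name, or None
    if the name is not a site-specific record under the given domain."""
    m = SITE_SRV_RE.match(name.strip())
    if not m:
        return None
    rest = m.group("rest").lower()
    dom = domain.lower().rstrip(".")
    if not (rest == dom or rest.endswith("." + dom)):
        return None
    return m.group("site")


def stale_site_records(record_names, known_sites, domain):
    """Map each site that appears in DNS but is not a known site to the
    list of record names still pointing at it (site names compared
    case-insensitively, as DNS labels are)."""
    known = {s.lower() for s in known_sites}
    stale = defaultdict(list)
    for name in record_names:
        site = site_from_srv_name(name, domain)
        if site is not None and site.lower() not in known:
            stale[site].append(name.strip().rstrip("."))
    return dict(stale)


# Constructed sample data: record names as they might be listed from the
# zone after renaming Default-First-Site-Name to HeadOffice (a hypothetical
# site name), plus the sites currently defined in the directory.
SAMPLE_RECORDS = [
    "_ldap._tcp.HeadOffice._sites.dc._msdcs.example.com.",
    "_kerberos._tcp.HeadOffice._sites.dc._msdcs.example.com.",
    "_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.example.com.",
    "_gc._tcp.Default-First-Site-Name._sites.example.com.",
    "_ldap._tcp.dc._msdcs.example.com.",   # not site-specific: ignored
]
SAMPLE_SITES = ["HeadOffice"]

if __name__ == "__main__":
    for site, names in stale_site_records(SAMPLE_RECORDS, SAMPLE_SITES, "example.com").items():
        print(f"stale site {site}: {', '.join(names)}")
```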