Sites and DNS
amitay at gmail.com
Tue Mar 27 05:02:20 MDT 2012
On Tue, Mar 27, 2012 at 9:17 PM, Kev Latimer <klatimer at tolent.co.uk> wrote:
> On 27/03/2012 10:42, Kai Blin wrote:
> On 2012-03-27 11:04, Kev Latimer wrote:
> Hi Kev,
> Okay, reprovisioned, debug level set to 2 in smb.conf, made sure it's
> all working okay, renamed default site, stopped Samba, cleared log.samba
> to remove any guff (mainly my XP test machine trying so desperately to
> find it's AV update source!), started up again and manually ran
> samba_dnsupdate. Resulting log file for the few seconds it took to give
> the FORMERR again is nearly 800k, which is over the pastbin max so I've
> gzipped and uploaded it to my personal webspace here:
> http://www.kevnet.org.uk/samba4/log.samba.gz (probably not strictly good
> netiquette but hope that's okay).
> Great, got it. So what's happening is this:
> samba_dnsupdate tries to negotiate a TKEY exchange for a
> cryptographically signed update, but the internal server doesn't
> understand that record type yet (in master, working on this stuff right
> now). Because the server thinks the record type is invalid, it returns
> FORMERR. This should hopefully be fixed soon, but in the meantime, try
> the following workaround:
> In smb.conf, set
> nsupdate command = nsupdate
> allow dns updates = True
> That will allow unsigned dns updates to you zone, so it's not the most
> secure option, but it should work.
> Makes sense. I was aware it didn't support signed updates yet but I think I
> assumed that DNS records that exposed elements of the directory (ie. sites,
> dc, gc etc.) were handled through directly manipulating the directory (RPC?)
> with DNS just exposing the result. I think I'd discounted signing as an
> issue in this case I was seeing the same result with BIND9_DLZ.
Do you have the named log where dynamic updates did not work?
You can start named manually and redirect the logs to a file.
/usr/sbin/named -u named -f -g | tee log.named
And try running samba_dnsupdate. The log should tell us why it's not working.
> I've applied your workaround and samba_dnsupdate completes cleanly and sites
> are showing in DNS. Renamed Default-First-Site-Name is showing, as well as
> Default-First-Site-Name itself, which was a surprise but I assume this will
> clear over time through whatever built-in scavenging is present.
samba_dnsupdate script only adds missing entries or corrects wrong
entries. It does not at this stage remove any entries. So as you have
observed, the old names with Default-First-Site-Name would remain.
Currently there is no way to remove them.
> I'd like to try using the internal DNS server as my first choice but while
> I've some experience with BIND and it's config, I can't seem to find any
> docs on how to do basic config for the internal server, such as record
> scavenging, forwarders etc.? I've cheekily tried to perform changes in the
> properties box of the DNS MMC (!) without success so I assume this set
> via.smb.conf - can you clarify any settings that can be made or if this is
> documented somewhere and I've not been looking properly? I'd be more than
> happy to compile any info I can find on the samba4 wiki if it's of any help?
Some of the DNS properties (e.g. forwarders) are not stored in the AD
and have no RPC mechanism to set it. They are stored in the registry.
We still need to add mechanism to store non-AD information and make
use of it.
More information about the samba-technical