Sites and DNS
Kev Latimer
klatimer at tolent.co.uk
Tue Mar 27 08:43:02 MDT 2012
On 27/03/2012 12:02, Amitay Isaacs wrote:
> On Tue, Mar 27, 2012 at 9:17 PM, Kev Latimer<klatimer at tolent.co.uk> wrote:
>> On 27/03/2012 10:42, Kai Blin wrote:
>>
>> On 2012-03-27 11:04, Kev Latimer wrote:
>>
>> Hi Kev,
>>
>> Okay, reprovisioned, debug level set to 2 in smb.conf, made sure it's
>> all working okay, renamed default site, stopped Samba, cleared log.samba
>> to remove any guff (mainly my XP test machine trying so desperately to
>> find it's AV update source!), started up again and manually ran
>> samba_dnsupdate. Resulting log file for the few seconds it took to give
>> the FORMERR again is nearly 800k, which is over the pastbin max so I've
>> gzipped and uploaded it to my personal webspace here:
>> http://www.kevnet.org.uk/samba4/log.samba.gz (probably not strictly good
>> netiquette but hope that's okay).
>>
>> Great, got it. So what's happening is this:
>>
>> samba_dnsupdate tries to negotiate a TKEY exchange for a
>> cryptographically signed update, but the internal server doesn't
>> understand that record type yet (in master, working on this stuff right
>> now). Because the server thinks the record type is invalid, it returns
>> FORMERR. This should hopefully be fixed soon, but in the meantime, try
>> the following workaround:
>>
>> In smb.conf, set
>>
>> nsupdate command = nsupdate
>> allow dns updates = True
>>
>> That will allow unsigned dns updates to you zone, so it's not the most
>> secure option, but it should work.
>>
>> Makes sense. I was aware it didn't support signed updates yet but I think I
>> assumed that DNS records that exposed elements of the directory (ie. sites,
>> dc, gc etc.) were handled through directly manipulating the directory (RPC?)
>> with DNS just exposing the result. I think I'd discounted signing as an
>> issue in this case I was seeing the same result with BIND9_DLZ.
> Do you have the named log where dynamic updates did not work?
> You can start named manually and redirect the logs to a file.
>
> /usr/sbin/named -u named -f -g | tee log.named
>
> And try running samba_dnsupdate. The log should tell us why it's not working.
Well isn't that odd... it's running exactly as it should. I've just
done my rename and samba_dnsupdate adds the site names perfectly in
DNS. I wonder if I've inadvertently broken my earlier one, I had been
doing a lot of messing trying to get ISC DHCP playing nicely with secure
updates (which I eventually succeeded with, with a slightly modified
version of Sergey's script from http://pastebin.com/cNeVQdh3) for my
non-AD clients.
All I can do is backtrack here then, apologies to Amitay :-/
>
>> I've applied your workaround and samba_dnsupdate completes cleanly and sites
>> are showing in DNS. Renamed Default-First-Site-Name is showing, as well as
>> Default-First-Site-Name itself, which was a surprise but I assume this will
>> clear over time through whatever built-in scavenging is present.
> samba_dnsupdate script only adds missing entries or corrects wrong
> entries. It does not at this stage remove any entries. So as you have
> observed, the old names with Default-First-Site-Name would remain.
> Currently there is no way to remove them.
Okay, makes sense. Nothing wrong with a little housekeeping anyway!
How often does samba_dnsupdate run and what's the criteria? Should I be
cron'ing it or do the samba binaries invoke it when needed?
> Amitay.
Cheers,
Kev
--
Kev
More information about the samba-technical
mailing list