Sites and DNS

Kev Latimer klatimer at
Tue Mar 27 09:15:12 MDT 2012

On 27/03/2012 12:02, Amitay Isaacs wrote:
> On Tue, Mar 27, 2012 at 9:17 PM, Kev Latimer<klatimer at>  wrote:
>> On 27/03/2012 10:42, Kai Blin wrote:
>> On 2012-03-27 11:04, Kev Latimer wrote:
>> Hi Kev,
>> Okay, reprovisioned, debug level set to 2 in smb.conf, made sure it's
>> all working okay, renamed default site, stopped Samba, cleared log.samba
>> to remove any guff (mainly my XP test machine trying so desperately to
>> find it's AV update source!), started up again and manually ran
>> samba_dnsupdate.  Resulting log file for the few seconds it took to give
>> the FORMERR again is nearly 800k, which is over the pastbin max so I've
>> gzipped and uploaded it to my personal webspace here:
>> (probably not strictly good
>> netiquette but hope that's okay).
>> Great, got it. So what's happening is this:
>> samba_dnsupdate tries to negotiate a TKEY exchange for a
>> cryptographically signed update, but the internal server doesn't
>> understand that record type yet (in master, working on this stuff right
>> now). Because the server thinks the record type is invalid, it returns
>> FORMERR. This should hopefully be fixed soon, but in the meantime, try
>> the following workaround:
>> In smb.conf, set
>> nsupdate command = nsupdate
>> allow dns updates = True
>> That will allow unsigned dns updates to you zone, so it's not the most
>> secure option, but it should work.
>> Makes sense.  I was aware it didn't support signed updates yet but I think I
>> assumed that DNS records that exposed elements of the directory (ie. sites,
>> dc, gc etc.) were handled through directly manipulating the directory (RPC?)
>> with DNS just exposing the result.  I think I'd discounted signing as an
>> issue in this case I was seeing the same result with BIND9_DLZ.
> Do you have the named log where dynamic updates did not work?
> You can start named manually and redirect the logs to a file.
> /usr/sbin/named -u named -f -g | tee log.named
> And try running samba_dnsupdate. The log should tell us why it's not working.
Need to backtrack on myself now, as I've just spotted the error while I 
added my second DC and subsequently, site.  Only Default-First-Site-Name 
and the renamed site are showing in DNS, my new and any subsequent sites 
are not although they show in MMC Sites and Services.  samba_dnsupdate 
returns no errors and the the log redirect above yields no clues.  Seems 
to start up just fine and I can resolve SRV records against  It's BIND 9.8.1-P1 taken from Debian testing 
and built against stable if that makes any difference.

Nothing in log.samba either.  Anywhere else I can look?  Does 
samba_dnsupdate have an interactive/foreground mode?

This is BIND9 DLZ, _not_ the internal DNS server.  Haven't tried adding 
another site with internal yet...




More information about the samba-technical mailing list