samba_dnsupdate: update failed: NOTAUTH

Carlos Miguel Bustillo Rodriguez cbustillo at uclv.edu.cu
Mon Aug 10 01:44:12 UTC 2015


Hello list:

I tested on a VirtualBox virtual machine and I get the same error message when I start Samba on the second DC.

I also noted that during provisioning or joining as an additional DC, the permissions in /var/lib/samba/private must be fixed to 755 because bind9 is not able to load /var/lib/samba/private/named.conf.

Regards, Carlos
________________________________________
From: Carlos Miguel Bustillo  Rodriguez [cbustillo at uclv.edu.cu]
Sent: Thursday, August 06, 2015 23:08
To: Samba Technical
Subject: samba_dnsupdate: update failed: NOTAUTH

Hello list:

I noted a strange behaviour of Samba 4.2.3 (Sernet Package) on Proxmox, with OpenVZ CT (Debian 8.1 amd64), when Samba updates the initial records.

The problem is in the second DC. The join process is successful, but when I start Samba, the following message is shown:

/usr/sbin/samba_dnsupdate: update failed: NOTAUTH

In detail:

/usr/sbin/smbd: smbd version 4.2.3-SerNet-Debian-7.jessie started.
/usr/sbin/smbd: Copyright Andrew Tridgell and the Samba Team 1992-2014
/usr/sbin/winbindd: initialize_winbindd_cache: clearing cache and re-creating with version number 2
TLS self-signed keys generated OK
/usr/sbin/winbindd: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
/usr/sbin/smbd: STATUS=daemon 'smbd' finished starting up and ready to serve connections
/usr/sbin/smbd: Unable to connect to CUPS server localhost:631 - Bad file descriptor
/usr/sbin/smbd: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
Replicated 2 objects (0 linked attributes) for DC=ForestDnsZones,DC=my,DC=domain,DC=com
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
Replicated 2 objects (0 linked attributes) for DC=DomainDnsZones,DC=my,DC=domain,DC=com
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
Replicated 0 objects (0 linked attributes) for DC=my,DC=domain,DC=com
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
Replicated 0 objects (0 linked attributes) for CN=Schema,CN=Configuration,DC=my,DC=domain,DC=com
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
/usr/sbin/samba_dnsupdate: update failed: NOTAUTH
Replicated 1 objects (0 linked attributes) for CN=Configuration,DC=my,DC=domain,DC=com
../source4/dsdb/repl/drepl_ridalloc.c:239: Requesting more RIDs from RID Manager
Replicated 0 objects (0 linked attributes) for DC=ForestDnsZones,DC=my,DC=domain,DC=com
Replicated 0 objects (0 linked attributes) for DC=DomainDnsZones,DC=my,DC=domain,DC=com
added nTDSConnection object 'CN=1a1bfd5f-ce62-48a8-8875-c27aba24acee,CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=com'
Replicated 0 objects (0 linked attributes) for CN=Configuration,DC=my,DC=domain,DC=com
Replicated 0 objects (0 linked attributes) for DC=my,DC=domain,DC=com
Replicated 0 objects (0 linked attributes) for CN=Schema,CN=Configuration,DC=my,DC=domain,DC=com
Replicated 3 objects (0 linked attributes) for CN=RID Manager$,CN=System,DC=my,DC=domain,DC=com
Replicated 3 objects (0 linked attributes) for DC=my,DC=domain,DC=com

When I run:

samba_dnsupdate --verbose --all-names

A lot of records are shown that can't be updated:

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc2.my.domain.com.      900     IN      A       192.168.0.10

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
my.domain.com.          900     IN      A       192.168.0.10

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.my.domain.com.       900     IN      SRV     0 100 389 dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.my.domain.com. 900 IN SRV  0 100 389 dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.38a5d6e2-12bf-4ef5-99e9-18ef375b3d97.domains._msdcs.my.domain.com. 900       IN SRV 0 100 389 dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.my.domain.com. 900       IN      SRV     0 100 88 dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.my.domain.com. 900       IN      SRV     0 100 88 dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.my.domain.com. 900 IN SRV 0 100 88 dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.my.domain.com. 900        IN      SRV     0 100 464 dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.my.domain.com. 900        IN      SRV     0 100 464 dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
4558f91b-6730-4046-947d-8d00686167bf._msdcs.my.domain.com. 900 IN       CNAME dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.my.domain.com. 900 IN SRV 0 100 389 dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.com. 900 IN       SRV 0 100 389 dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.my.domain.com. 900 IN SRV 0 100 88 dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.com. 900 IN SRV       0 100 88 dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.my.domain.com.        900     IN      A       192.168.0.10

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.my.domain.com. 900     IN      SRV     0 100 3268 dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.my.domain.com. 900 IN SRV  0 100 3268 dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.Default-First-Site-Name._sites.my.domain.com. 900 IN SRV       0 100 3268 dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.com. 900 IN       SRV 0 100 3268 dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
DomainDnsZones.my.domain.com. 900       IN      A       192.168.0.10

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.DomainDnsZones.my.domain.com. 900 IN SRV 0 100 389 dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.com. 900 IN SRV 0 100 389 dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ForestDnsZones.my.domain.com. 900       IN      A       192.168.0.10

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.my.domain.com. 900 IN SRV 0 100 389 dc2.my.domain.com.

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.com. 900 IN SRV 0 100 389 dc2.my.domain.com.

IPs: ['192.168.0.10']
Calling nsupdate for A dc2.my.domain.com 192.168.0.10 (add)
Failed nsupdate: 2
Calling nsupdate for A my.domain.com 192.168.0.10 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.my.domain.com dc2.my.domain.com 389 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.my.domain.com dc2.my.domain.com 389 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.38a5d6e2-12bf-4ef5-99e9-18ef375b3d97.domains._msdcs.my.domain.com dc2.my.domain.com 389 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.my.domain.com dc2.my.domain.com 88 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._udp.my.domain.com dc2.my.domain.com 88 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.my.domain.com dc2.my.domain.com 88 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._tcp.my.domain.com dc2.my.domain.com 464 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._udp.my.domain.com dc2.my.domain.com 464 (add)
Failed nsupdate: 2
Calling nsupdate for CNAME 4558f91b-6730-4046-947d-8d00686167bf._msdcs.my.domain.com dc2.my.domain.com (add)
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.my.domain.com dc2.my.domain.com 389 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.com dc2.my.domain.com 389 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.my.domain.com dc2.my.domain.com 88 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.com dc2.my.domain.com 88 (add)
Failed nsupdate: 2
Calling nsupdate for A gc._msdcs.my.domain.com 192.168.0.10 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.my.domain.com dc2.my.domain.com 3268 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.my.domain.com dc2.my.domain.com 3268 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.Default-First-Site-Name._sites.my.domain.com dc2.my.domain.com 3268 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.com dc2.my.domain.com 3268 (add)
Failed nsupdate: 2
Calling nsupdate for A DomainDnsZones.my.domain.com 192.168.0.10 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.my.domain.com dc2.my.domain.com 389 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.com dc2.my.domain.com 389 (add)
Failed nsupdate: 2
Calling nsupdate for A ForestDnsZones.my.domain.com 192.168.0.10 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.my.domain.com dc2.my.domain.com 389 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.com dc2.my.domain.com 389 (add)
Failed nsupdate: 2
Failed update of 26 entries

My /etc/resolv.conf looks like this:

domain my.domain.com
nameserver 192.168.0.9

Where 192.168.0.9 is my first DC. If I change the nameserver line to:

nameserver 192.168.0.10

Where 192.168.0.10 is my second DC (recently joined), the errors are not shown when I run:

samba_dnsupdate --verbose

At this point everything works at 100%!!

Regards, Carlos

Universidad Central "Marta Abreu" de Las Villas.
Founded on 30 November 1952. Visit us at:  http://www.uclv.edu.cu
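
Added example (not part of the original post and not Samba code): a small triage script for the situation described above. It pairs each "Calling nsupdate" line with the failure line that follows it and reports whether the first nameserver in resolv.conf is one of the DC's own addresses. The sample input is constructed in the format shown in the post, and treating a call with no following "Failed nsupdate" line as successful is an assumption.

```python
import re

# Constructed sample in the format shown in the post (not a full capture).
# Assumption: a call with no "Failed nsupdate" line after it succeeded.
SAMPLE_OUTPUT = """\
IPs: ['192.168.0.10']
Calling nsupdate for A dc2.my.domain.com 192.168.0.10 (add)
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.my.domain.com dc2.my.domain.com 389 (add)
Failed nsupdate: 2
Calling nsupdate for A gc._msdcs.my.domain.com 192.168.0.10 (add)
"""
SAMPLE_RESOLV = "domain my.domain.com\nnameserver 192.168.0.9\n"

CALL_RE = re.compile(r"^Calling nsupdate for (\S+) (\S+) (.*) \((\w+)\)$")
FAIL_RE = re.compile(r"^Failed nsupdate: (\d+)$")

def parse_dnsupdate(text):
    """Return (local_ips, calls); each call carries the rc of a following failure line."""
    local_ips, calls = [], []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("IPs:"):
            local_ips = re.findall(r"'([^']+)'", line)
        elif m := CALL_RE.match(line):
            calls.append({"type": m.group(1), "name": m.group(2), "rc": 0})
        elif (m := FAIL_RE.match(line)) and calls:
            calls[-1]["rc"] = int(m.group(1))
    return local_ips, calls

def nameservers(resolv_conf):
    """List nameserver addresses in file order, ignoring comments and other keywords."""
    fields = (l.split("#")[0].split() for l in resolv_conf.splitlines())
    return [f[1] for f in fields if len(f) >= 2 and f[0] == "nameserver"]

def triage(output, resolv_conf):
    """Summarise failures and say whether the first resolver is this DC itself."""
    local_ips, calls = parse_dnsupdate(output)
    ns = nameservers(resolv_conf)
    by_type = {}
    for c in calls:
        if c["rc"] != 0:
            by_type[c["type"]] = by_type.get(c["type"], 0) + 1
    return {"total": len(calls), "failed": sum(by_type.values()),
            "failed_by_type": by_type,
            "first_nameserver": ns[0] if ns else None,
            "resolver_is_local": bool(ns) and ns[0] in local_ips}

if __name__ == "__main__":
    print(triage(SAMPLE_OUTPUT, SAMPLE_RESOLV))
```
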


