samba_dnsupdate: update failed: NOTAUTH

Rowland Penny repenny241155 at gmail.com
Mon Aug 10 12:14:03 UTC 2015


On 10/08/15 02:44, Carlos Miguel Bustillo Rodriguez wrote:
> Hello list:
>
> I tested on a VirtualBox virtual machine and I get the same error message when I start Samba on the second DC.
>
> I noted also that during provision or joining as additional DC the permissions in /var/lib/samba/private must be fixed to 755 because bind9 is not able to load /var/lib/samba/private/named.conf
>
> Regards, Carlos
> ________________________________________
> From: Carlos Miguel Bustillo  Rodriguez [cbustillo at uclv.edu.cu]
> Sent: Thursday, August 06, 2015 23:08
> To: Samba Technical
> Subject: samba_dnsupdate: update failed: NOTAUTH
>
> Hello list:
>
> I noted a strange behaviour of Samba 4.2.3 (Sernet Package) on Proxmox, with OpenVZ CT (Debian 8.1 amd64), when Samba updates the initial records.
>
> The problem is in the second DC. The join process is successful, but when I start Samba, the following messages are shown:
>
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
>
> In detail:
>
> /usr/sbin/smbd: smbd version 4.2.3-SerNet-Debian-7.jessie started.
> /usr/sbin/smbd: Copyright Andrew Tridgell and the Samba Team 1992-2014
> /usr/sbin/winbindd: initialize_winbindd_cache: clearing cache and re-creating with version number 2
> TLS self-signed keys generated OK
> /usr/sbin/winbindd: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
> /usr/sbin/smbd: STATUS=daemon 'smbd' finished starting up and ready to serve connections
> /usr/sbin/smbd: Unable to connect to CUPS server localhost:631 - Bad file descriptor
> /usr/sbin/smbd: failed to retrieve printer list: NT_STATUS_UNSUCCESSFUL
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> Replicated 2 objects (0 linked attributes) for DC=ForestDnsZones,DC=my,DC=domain,DC=com
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> Replicated 2 objects (0 linked attributes) for DC=DomainDnsZones,DC=my,DC=domain,DC=com
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> Replicated 0 objects (0 linked attributes) for DC=my,DC=domain,DC=com
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> Replicated 0 objects (0 linked attributes) for CN=Schema,CN=Configuration,DC=my,DC=domain,DC=com
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> /usr/sbin/samba_dnsupdate: update failed: NOTAUTH
> Replicated 1 objects (0 linked attributes) for CN=Configuration,DC=my,DC=domain,DC=com
> ../source4/dsdb/repl/drepl_ridalloc.c:239: Requesting more RIDs from RID Manager
> Replicated 0 objects (0 linked attributes) for DC=ForestDnsZones,DC=my,DC=domain,DC=com
> Replicated 0 objects (0 linked attributes) for DC=DomainDnsZones,DC=my,DC=domain,DC=com
> added nTDSConnection object 'CN=1a1bfd5f-ce62-48a8-8875-c27aba24acee,CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=my,DC=domain,DC=com'
> Replicated 0 objects (0 linked attributes) for CN=Configuration,DC=my,DC=domain,DC=com
> Replicated 0 objects (0 linked attributes) for DC=my,DC=domain,DC=com
> Replicated 0 objects (0 linked attributes) for CN=Schema,CN=Configuration,DC=my,DC=domain,DC=com
> Replicated 3 objects (0 linked attributes) for CN=RID Manager$,CN=System,DC=my,DC=domain,DC=com
> Replicated 3 objects (0 linked attributes) for DC=my,DC=domain,DC=com
>
> When I run:
>
> samba_dnsupdate --verbose --all-names
>
> A lot of records that can't be updated are shown:
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> dc2.my.domain.com.      900     IN      A       192.168.0.10
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> my.domain.com.          900     IN      A       192.168.0.10
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.my.domain.com.       900     IN      SRV     0 100 389 dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.dc._msdcs.my.domain.com. 900 IN SRV  0 100 389 dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.38a5d6e2-12bf-4ef5-99e9-18ef375b3d97.domains._msdcs.my.domain.com. 900       IN SRV 0 100 389 dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _kerberos._tcp.my.domain.com. 900       IN      SRV     0 100 88 dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _kerberos._udp.my.domain.com. 900       IN      SRV     0 100 88 dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _kerberos._tcp.dc._msdcs.my.domain.com. 900 IN SRV 0 100 88 dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _kpasswd._tcp.my.domain.com. 900        IN      SRV     0 100 464 dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _kpasswd._udp.my.domain.com. 900        IN      SRV     0 100 464 dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> 4558f91b-6730-4046-947d-8d00686167bf._msdcs.my.domain.com. 900 IN       CNAME dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.my.domain.com. 900 IN SRV 0 100 389 dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.com. 900 IN       SRV 0 100 389 dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _kerberos._tcp.Default-First-Site-Name._sites.my.domain.com. 900 IN SRV 0 100 88 dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.com. 900 IN SRV       0 100 88 dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> gc._msdcs.my.domain.com.        900     IN      A       192.168.0.10
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _gc._tcp.my.domain.com. 900     IN      SRV     0 100 3268 dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.gc._msdcs.my.domain.com. 900 IN SRV  0 100 3268 dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _gc._tcp.Default-First-Site-Name._sites.my.domain.com. 900 IN SRV       0 100 3268 dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.com. 900 IN       SRV 0 100 3268 dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> DomainDnsZones.my.domain.com. 900       IN      A       192.168.0.10
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.DomainDnsZones.my.domain.com. 900 IN SRV 0 100 389 dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.com. 900 IN SRV 0 100 389 dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> ForestDnsZones.my.domain.com. 900       IN      A       192.168.0.10
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.ForestDnsZones.my.domain.com. 900 IN SRV 0 100 389 dc2.my.domain.com.
>
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.com. 900 IN SRV 0 100 389 dc2.my.domain.com.
>
> IPs: ['192.168.0.10']
> Calling nsupdate for A dc2.my.domain.com 192.168.0.10 (add)
> Failed nsupdate: 2
> Calling nsupdate for A my.domain.com 192.168.0.10 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.my.domain.com dc2.my.domain.com 389 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.dc._msdcs.my.domain.com dc2.my.domain.com 389 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.38a5d6e2-12bf-4ef5-99e9-18ef375b3d97.domains._msdcs.my.domain.com dc2.my.domain.com 389 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _kerberos._tcp.my.domain.com dc2.my.domain.com 88 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _kerberos._udp.my.domain.com dc2.my.domain.com 88 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.my.domain.com dc2.my.domain.com 88 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _kpasswd._tcp.my.domain.com dc2.my.domain.com 464 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _kpasswd._udp.my.domain.com dc2.my.domain.com 464 (add)
> Failed nsupdate: 2
> Calling nsupdate for CNAME 4558f91b-6730-4046-947d-8d00686167bf._msdcs.my.domain.com dc2.my.domain.com (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.my.domain.com dc2.my.domain.com 389 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.com dc2.my.domain.com 389 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.my.domain.com dc2.my.domain.com 88 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.my.domain.com dc2.my.domain.com 88 (add)
> Failed nsupdate: 2
> Calling nsupdate for A gc._msdcs.my.domain.com 192.168.0.10 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _gc._tcp.my.domain.com dc2.my.domain.com 3268 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.gc._msdcs.my.domain.com dc2.my.domain.com 3268 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _gc._tcp.Default-First-Site-Name._sites.my.domain.com dc2.my.domain.com 3268 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.my.domain.com dc2.my.domain.com 3268 (add)
> Failed nsupdate: 2
> Calling nsupdate for A DomainDnsZones.my.domain.com 192.168.0.10 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.my.domain.com dc2.my.domain.com 389 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.my.domain.com dc2.my.domain.com 389 (add)
> Failed nsupdate: 2
> Calling nsupdate for A ForestDnsZones.my.domain.com 192.168.0.10 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.my.domain.com dc2.my.domain.com 389 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.my.domain.com dc2.my.domain.com 389 (add)
> Failed nsupdate: 2
> Failed update of 26 entries
>
> My /etc/resolv.conf looks like this:
>
> domain my.domain.com
> nameserver 192.168.0.9
>
> Where 192.168.0.9 is my first DC. If I change the nameserver line to:
>
> nameserver 192.168.0.10
>
> Where 192.168.0.10 is my second DC (recently joined), the errors are not shown when I run:
>
> samba_dnsupdate --verbose
>
> At this point everything works at 100%!!
>
> Regards, Carlos
>
> Universidad Central "Marta Abreu" de Las Villas.
> Founded on November 30, 1952. Visit us at:  http://www.uclv.edu.cu
>

How are you starting samba? Is this on a DC or a member server?

I ask this because when I start samba on a DC, I get this:

Aug 10 13:07:10 dc03 samba[23933]:   samba version 4.2.3-SerNet-Debian-7.wheezy started.
Aug 10 13:07:10 dc03 samba[23933]:   Copyright Andrew Tridgell and the Samba Team 1992-2014
Aug 10 13:07:11 dc03 samba[23934]: [2015/08/10 13:07:11.269691,  0] ../source4/smbd/server.c:488(binary_smbd_main)
Aug 10 13:07:11 dc03 samba[23934]:   samba: using 'standard' process model
Aug 10 13:07:11 dc03 samba[23934]: [2015/08/10 13:07:11.380259,  0] ../lib/util/become_daemon.c:124(daemon_ready)
Aug 10 13:07:11 dc03 samba[23934]:   STATUS=daemon 'samba' finished starting up and ready to serve connections
Aug 10 13:07:11 dc03 winbindd[23963]: [2015/08/10 13:07:11.515363, 0] ../source3/winbindd/winbindd_cache.c:3235(initialize_winbindd_cache)
Aug 10 13:07:11 dc03 winbindd[23963]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
Aug 10 13:07:13 dc03 smbd[23954]: [2015/08/10 13:07:13.016492,  0] ../lib/util/become_daemon.c:124(daemon_ready)
Aug 10 13:07:13 dc03 winbindd[23963]: [2015/08/10 13:07:13.026568, 0] ../lib/util/become_daemon.c:124(daemon_ready)
Aug 10 13:07:13 dc03 winbindd[23963]:   STATUS=daemon 'winbindd' finished starting up and ready to serve connections
Aug 10 13:07:13 dc03 smbd[23954]:   STATUS=daemon 'smbd' finished starting up and ready to serve connections

This is noticeably different from your log fragment.

Rowland
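
Added example, not part of either poster's message and not Samba project code: a small triage helper that turns the `samba_dnsupdate --verbose` output quoted above, together with the contents of /etc/resolv.conf, into one summary of which records failed and which nameserver was configured at the time. The function names and the sample text are constructed for illustration; the line formats are the ones shown in the quoted post.

```python
import re
from collections import Counter

# Constructed sample shaped like the verbose output quoted in the thread;
# the third call has no "Failed nsupdate" line, so it counts as successful.
SAMPLE_OUTPUT = """\
> IPs: ['192.168.0.10']
> Calling nsupdate for A dc2.my.domain.com 192.168.0.10 (add)
> Failed nsupdate: 2
> Calling nsupdate for SRV _ldap._tcp.my.domain.com dc2.my.domain.com 389 (add)
> Failed nsupdate: 2
> Calling nsupdate for CNAME 4558f91b-6730-4046-947d-8d00686167bf._msdcs.my.domain.com dc2.my.domain.com (add)
> Failed update of 2 entries
"""
SAMPLE_RESOLV = "domain my.domain.com\nnameserver 192.168.0.9\n"

CALL_RE = re.compile(r"^Calling nsupdate for (\S+) (\S+) (.*) \((\w+)\)$")
FAIL_RE = re.compile(r"^Failed nsupdate: (\d+)$")

def parse_updates(text):
    """One dict per nsupdate call; rc stays None when no failure line follows."""
    calls = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()  # tolerate mail-quoted paste
        m = CALL_RE.match(line)
        if m:
            calls.append({"type": m[1], "name": m[2], "data": m[3],
                          "op": m[4], "rc": None})
            continue
        m = FAIL_RE.match(line)
        if m and calls and calls[-1]["rc"] is None:
            calls[-1]["rc"] = int(m[1])  # attach the code to the preceding call
    return calls

def nameservers(resolv_text):
    """Addresses from 'nameserver' lines, in file order."""
    fields = (l.split() for l in resolv_text.splitlines())
    return [f[1] for f in fields if len(f) >= 2 and f[0] == "nameserver"]

def summarize(output, resolv_text):
    calls = parse_updates(output)
    failed = [c for c in calls if c["rc"] is not None]
    return {"nameservers": nameservers(resolv_text),
            "attempted": len(calls),
            "failed": len(failed),
            "failed_by_type": dict(Counter(c["type"] for c in failed)),
            "failed_names": [c["name"] for c in failed]}

if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT, SAMPLE_RESOLV))
```

Running it once with each `nameserver` setting and comparing the two summaries gives a compact record of the difference described in the quoted post.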



