Secure Dynamic DNS updates using machine account.
hemanth.thummala at nutanix.com
Fri Jun 10 08:21:55 UTC 2016
Thanks Uri and Andrew for your responses.
On 6/10/16, 1:06 AM, "Andrew Bartlett" <abartlet at samba.org> wrote:
>Is the join DNS update happening as administrator? That would then own
>the record, and prevent the machine from updating its own record.
Yes. We have figured that out today. That's exactly the issue. We were using administrator credentials to register the initial set of IPs. Later secure updates using machine credentials were failing due to not having permissions to update the record.
The issue got fixed as soon as we started using the machine account for the initial records and making it the owner. We are not actually depending on the DNS update in the net ads join process. We are running specific commands to set our own combination for the cluster. So we have modified those commands to use -P to fix the issue.
>DNS update should be done as the machine. If that is the issue, we may
>need to patch Samba in that regard.
Agree. This needs to be changed. We should use the machine account instead of administrator credentials.
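The procedure the thread converges on, as an added example (not code from the samba-technical thread or from the Samba project): register the host's initial A records with the machine account via `net ads dns register -P`, so the computer object becomes the record owner and later secure updates from the same host are permitted, then read the record back to confirm it was published. It assumes Samba's `net` is installed, the host is already joined to the domain, and the caller supplies the hostname, addresses and the DNS server to query; `NET` is a hypothetical override variable used only so the script can be exercised without a domain.

```shell
#!/bin/sh
# Added example: register DNS records as the machine account, not as administrator.
# NET is an assumed override (defaults to Samba's `net`) so the functions can be
# dry-run by pointing it at `echo`.
NET="${NET:-net}"

# Problem case described in the thread (shown for contrast, not used):
#   net ads dns register -U administrator host 10.0.0.5
# The record is then owned by the administrator account, and a later secure
# update authenticated with the machine account is denied.

# Register <hostname> with one or more IPs using the machine account (-P,
# i.e. --machine-pass). The computer object then owns the resulting dnsNode,
# so subsequent secure updates from this host succeed.
register_as_machine() {
    hostname="$1"; shift
    "$NET" ads dns register -P "$hostname" "$@"
}

# Verification step: resolve the name back from the DNS server over the
# same authenticated channel to confirm the records were published.
#   usage: verify_record <dns-server> <hostname>
verify_record() {
    "$NET" ads dns gethostbyname -P "$1" "$2"
}

# Usage (values are constructed placeholders):
#   register_as_machine node1.example.internal 10.0.0.5 10.0.0.6
#   verify_record dc1.example.internal node1.example.internal
```

Run the registration once per node as part of cluster setup, before any per-node secure update runs; if records were already created as administrator, delete them first so the machine account can create and own fresh ones.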