Samba 4.12 rc3: bind DNS say "named: client update denied"
Alexander Bokovoy
ab at samba.org
Sun Mar 15 06:40:50 UTC 2020
On Sat, 14 Mar 2020, Rowland penny via samba-technical wrote:
> On 14/03/2020 15:23, Dario Lesca via samba-technical wrote:
> > On Sat, 14/03/2020 at 14.15 +0000, Rowland penny via samba-
> > technical wrote:
> >
> > Thanks Rowland, forgive me if I can't understand, but...
> >
> > > the Computers A record should be added the first time Samba is
> > > run.
> > Is the A record added to the DNS zone only the "first time Samba is run",
> > or also whenever I join a Computer to the domain?
> Both ;-), the record should be added when you join a Samba DC, but if it
> isn't, then samba_dnsupdate should add it the first time Samba is run on a
> DC.
samba_dnsupdate calls either nsupdate or samba-tool internally.
Alternatively, it supports using an existing text file for DNS entries.
nsupdate relies on the DNS server's ability to dynamically update zones. Since
Samba's bind_dlz implementation does not provide ACL support for the
zones it manages, dynamically updating those zones does not work, as I
said in the beginning. It is Samba's problem.
We do not test real dnsupdate use in autotest because we unconditionally
specify --use-dns-faking in selftest/wscript:cmd_testonly(). It results
in passing --use-dns-faking to selftest/selftest.pl, and that leads to
setting SAMBA_DNS_FAKING=1 when provisioning AD DC environments. As a
result, selftest/target/Samba4.pm will pass '--use-file' to
samba_dnsupdate instead of forcing it to use nsupdate or samba-tool.
    if ($ENV{SAMBA_DNS_FAKING}) {
        $ctx->{dns_host_file} = "$ENV{SELFTEST_PREFIX}/dns_host_file";
        $ctx->{samba_dnsupdate} = "$ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate -s $ctx->{smb_conf} --all-interfaces --use-file=$ctx->{dns_host_file}";
        $ctx->{samba_dnsupdate} = $python_cmd . $ctx->{samba_dnsupdate};
    } else {
        $ctx->{samba_dnsupdate} = "$ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate -s $ctx->{smb_conf} --all-interfaces";
        $ctx->{samba_dnsupdate} = $python_cmd . $ctx->{samba_dnsupdate};
        $ctx->{use_resolv_wrapper} = 1;
    }
When samba_dnsupdate is called with --use-file, it will then skip
calling the actual nsupdate:
    def call_nsupdate(d, op="add"):
        """call nsupdate for an entry."""
        global ccachename, nsupdate_cmd, krb5conf
        assert(op in ["add", "delete"])
        if opts.use_file is not None:
            if opts.verbose:
                print("Use File instead of nsupdate for %s (%s)" % (d, op))
            ......
> > I have restarted Samba many times, but none of the missing Computer names
> > present in the Samba Computer list have been added to the DNS zone.
> >
> > And then, how does it translate the Computer list into DNS, if the IP of a
> > computer in the Computer list does not exist?
> >
> > This is my situation:
> >
> > [root at addc1 ~]# samba-tool computer list
> > WIN10B$
> > ADDC1$
> > centos8$
> > WIN10A$
> >
> > [root at addc1 ~]# samba-tool dns query \
> > > addc1.fedora.loc fedora.loc @ ALL -Uadministrator
> > Name=, Records=3, Children=0
> > SOA: serial=7, refresh=900, retry=600, expire=86400, minttl=3600,
> > ns=addc1.fedora.loc., email=hostmaster.fedora.loc. (flags=600000f0,
> > serial=7, ttl=3600)
> > NS: addc1.fedora.loc. (flags=600000f0, serial=4, ttl=900)
> > A: 192.168.122.100 (flags=600000f0, serial=4, ttl=900)
> > Name=_msdcs, Records=0, Children=0
> > Name=_sites, Records=0, Children=1
> > Name=_tcp, Records=0, Children=4
> > Name=_udp, Records=0, Children=2
> > Name=addc1, Records=1, Children=0
> > A: 192.168.122.100 (flags=f0, serial=1, ttl=900)
> > Name=centos8, Records=1, Children=0
> > A: 192.168.122.11 (flags=f0, serial=2, ttl=900)
> > Name=DomainDnsZones, Records=0, Children=2
> > Name=ForestDnsZones, Records=0, Children=2
> > Name=test, Records=1, Children=0
> > A: 192.168.122.33 (flags=f0, serial=5, ttl=3600)
> >
> > Like you say, win10a and win10b are not present in the DNS zone
>
> Ahh, a Windows DC will not have samba_dnsupdate, you will probably have to
> create the records manually with samba-tool or ADUC
>
> > What am I doing wrong
> You are using the Fedora packages to provision a DC, it looks like you might
> just have found another reason not to use them for a DC ;-)
This is completely unrelated. As I said before, it is an issue with the
bind_dlz module. Authentication works fine, as witnessed by Dario's
logs. Authorization doesn't work because bind_dlz doesn't provide any,
and there is no way to set it up otherwise.
--
/ Alexander Bokovoy
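As an added example (not code from this thread or from Samba), here is a small read-only check that parses the two samba-tool outputs Dario posted, in the format shown above, and lists the computer accounts that have no A record in the zone; the sample input is a copy of the output from the thread, trimmed, and the function names are my own.

```python
# Added example: compare `samba-tool computer list` with `samba-tool dns query
# <server> <zone> @ ALL` output and report computer accounts lacking an A record.
import re

# Sample input copied (trimmed) from the thread above.
COMPUTER_LIST = """WIN10B$
ADDC1$
centos8$
WIN10A$
"""

DNS_QUERY = """Name=, Records=3, Children=0
  SOA: serial=7, refresh=900, retry=600, expire=86400, minttl=3600, ns=addc1.fedora.loc., email=hostmaster.fedora.loc. (flags=600000f0, serial=7, ttl=3600)
  NS: addc1.fedora.loc. (flags=600000f0, serial=4, ttl=900)
  A: 192.168.122.100 (flags=600000f0, serial=4, ttl=900)
Name=_msdcs, Records=0, Children=0
Name=addc1, Records=1, Children=0
  A: 192.168.122.100 (flags=f0, serial=1, ttl=900)
Name=centos8, Records=1, Children=0
  A: 192.168.122.11 (flags=f0, serial=2, ttl=900)
Name=test, Records=1, Children=0
  A: 192.168.122.33 (flags=f0, serial=5, ttl=3600)
"""


def parse_computer_list(text):
    """Lowercase hostnames from `samba-tool computer list` (trailing '$' stripped)."""
    return {line.strip().rstrip("$").lower() for line in text.splitlines() if line.strip()}


def parse_dns_query(text):
    """Map each zone node name (lowercase; '' is the zone apex) to its A-record addresses.
    Works whether or not the record lines are indented under their Name= line."""
    records, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Name=([^,]*),", line)
        if m:
            current = m.group(1).lower()
            records.setdefault(current, [])
            continue
        m = re.match(r"\s*A:\s+(\d+\.\d+\.\d+\.\d+)", line)
        if m and current is not None:
            records[current].append(m.group(1))
    return records


def computers_without_a_record(computer_text, dns_text):
    """Sorted hostnames that exist as computer accounts but have no A record in the zone."""
    zone = parse_dns_query(dns_text)
    return sorted(h for h in parse_computer_list(computer_text) if not zone.get(h))


if __name__ == "__main__":
    for host in computers_without_a_record(COMPUTER_LIST, DNS_QUERY):
        print("no A record for computer account:", host)
```

With the thread's data this reports win10a and win10b, matching Rowland's observation; the same parser can be fed live output from the two commands to monitor a DC whose dynamic updates are being denied.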