Samba 4.12 rc3: bind DNS say "named: client update denied"

Alexander Bokovoy ab at samba.org
Sun Mar 15 06:40:50 UTC 2020


On Sat, 14 Mar 2020, Rowland penny via samba-technical wrote:
> On 14/03/2020 15:23, Dario Lesca via samba-technical wrote:
> > On Sat, 14/03/2020 at 14.15 +0000, Rowland penny via samba-technical wrote:
> > 
> > Thanks Rowland, forgive me if I can't understand, but...
> > 
> > > the Computer's A record should be added the first time Samba is
> > > run.
> > Is the A record added into the DNS zone only the "first time Samba is run",
> > or also whenever I join a Computer to the domain?
> Both ;-), the record should be added when you join a Samba DC, but if it
> isn't, then samba_dnsupdate should add it the first time Samba is run on a
> DC.

samba_dnsupdate calls either nsupdate or samba-tool internally.
Alternatively, it supports using an existing text file for DNS entries.
nsupdate relies on the DNS server's ability to dynamically update zones. Since
the Samba bind_dlz implementation does not provide ACL support for the
zones it manages, dynamically updating those zones does not work, as I
said in the beginning. It is a Samba problem.

We do not test real dnsupdate use in autotest because we unconditionally
specify --use-dns-faking in selftest/wscript:cmd_testonly(). This results
in passing --use-dns-faking to selftest/selftest.pl, which leads to
setting SAMBA_DNS_FAKING=1 when provisioning AD DC environments. As a
result, selftest/target/Samba4.pm will pass '--use-file' to
samba_dnsupdate instead of forcing it to use nsupdate or samba-tool.

        if ($ENV{SAMBA_DNS_FAKING}) {
                $ctx->{dns_host_file} = "$ENV{SELFTEST_PREFIX}/dns_host_file";
                $ctx->{samba_dnsupdate} = "$ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate -s $ctx->{smb_conf} --all-interfaces --use-file=$ctx->{dns_host_file}";
                $ctx->{samba_dnsupdate} = $python_cmd .  $ctx->{samba_dnsupdate};
        } else {
                $ctx->{samba_dnsupdate} = "$ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate -s $ctx->{smb_conf} --all-interfaces";
                $ctx->{samba_dnsupdate} = $python_cmd .  $ctx->{samba_dnsupdate};
                $ctx->{use_resolv_wrapper} = 1;
        }

When samba_dnsupdate is called with --use-file, it will then skip
calling the actual nsupdate:

def call_nsupdate(d, op="add"):
    """call nsupdate for an entry."""
    global ccachename, nsupdate_cmd, krb5conf

    assert(op in ["add", "delete"])

    if opts.use_file is not None:
        if opts.verbose:
            print("Use File instead of nsupdate for %s (%s)" % (d, op))

    ......



> > I have restarted Samba many times but none of the missing Computer names
> > present in the Samba Computer list have been added into the DNS zone
> > 
> > and then, how does it translate the Computer list into DNS, if the IP of
> > the computer in the Computer list does not exist?
> > 
> > This is my situation:
> > 
> > [root at addc1 ~]# samba-tool computer list
> > WIN10B$
> > ADDC1$
> > centos8$
> > WIN10A$
> > 
> > [root at addc1 ~]# samba-tool dns query \
> > > addc1.fedora.loc fedora.loc @ ALL -Uadministrator
> >   Name=, Records=3, Children=0
> >      SOA: serial=7, refresh=900, retry=600, expire=86400, minttl=3600,
> > ns=addc1.fedora.loc., email=hostmaster.fedora.loc. (flags=600000f0,
> > serial=7, ttl=3600)
> >      NS: addc1.fedora.loc. (flags=600000f0, serial=4, ttl=900)
> >      A: 192.168.122.100 (flags=600000f0, serial=4, ttl=900)
> >    Name=_msdcs, Records=0, Children=0
> >    Name=_sites, Records=0, Children=1
> >    Name=_tcp, Records=0, Children=4
> >    Name=_udp, Records=0, Children=2
> >    Name=addc1, Records=1, Children=0
> >      A: 192.168.122.100 (flags=f0, serial=1, ttl=900)
> >    Name=centos8, Records=1, Children=0
> >      A: 192.168.122.11 (flags=f0, serial=2, ttl=900)
> >    Name=DomainDnsZones, Records=0, Children=2
> >    Name=ForestDnsZones, Records=0, Children=2
> >    Name=test, Records=1, Children=0
> >      A: 192.168.122.33 (flags=f0, serial=5, ttl=3600)
> > 
> > Like you say, win10a and win10b are not present in the DNS zone
> 
> Ahh, a Windows DC will not have samba_dnsupdate, you will probably have to
> create the records manually with samba-tool or ADUC
> 
> > What am I doing wrong?
> You are using the Fedora packages to provision a DC, it looks like you might
> just have found another reason not to use them for a DC ;-)

This is completely unrelated. As I said before, it is an issue with the
bind_dlz module. Authentication works fine, as witnessed by Dario's
logs. Authorization doesn't work because bind_dlz doesn't provide any,
and there is no way to set it up otherwise.




-- 
/ Alexander Bokovoy
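The check a practitioner wants after reading this thread is the one Dario did by eye: which computer accounts in `samba-tool computer list` have no A record in the zone, and what samba_dnsupdate would have submitted for them in each of its two modes (an nsupdate script, or a host-file line under --use-file). The script below is an added example, not code from Samba or from anyone on this thread; it is in Python because samba_dnsupdate and samba-tool are. The sample inputs are the outputs quoted in the thread, embedded as constants; the IP given to win10a is made up for illustration; the "TYPE NAME VALUE" host-file layout is my assumption about the --use-file format, and the nsupdate stanza shows only the standard `server` / `update add` / `send` commands (samba_dnsupdate's exact output is not reproduced).

```python
"""Reconcile AD computer accounts against zone A records, and show the two
shapes of update samba_dnsupdate can emit.  Added example, not Samba code."""
import re

# Constructed sample input: the `samba-tool computer list` output from the thread.
COMPUTER_LIST = """WIN10B$
ADDC1$
centos8$
WIN10A$
"""

# Constructed sample input: trimmed `samba-tool dns query addc1.fedora.loc
# fedora.loc @ ALL` output from the thread (zone apex first, then children).
DNS_QUERY = """  Name=, Records=3, Children=0
     SOA: serial=7, refresh=900, retry=600, expire=86400, minttl=3600
     NS: addc1.fedora.loc. (flags=600000f0, serial=4, ttl=900)
     A: 192.168.122.100 (flags=600000f0, serial=4, ttl=900)
   Name=_msdcs, Records=0, Children=0
   Name=_tcp, Records=0, Children=4
   Name=addc1, Records=1, Children=0
     A: 192.168.122.100 (flags=f0, serial=1, ttl=900)
   Name=centos8, Records=1, Children=0
     A: 192.168.122.11 (flags=f0, serial=2, ttl=900)
   Name=DomainDnsZones, Records=0, Children=2
   Name=test, Records=1, Children=0
     A: 192.168.122.33 (flags=f0, serial=5, ttl=3600)
"""

NAME_RE = re.compile(r"^\s*Name=([^,]*),")
A_RE = re.compile(r"^\s*A:\s+(\d+\.\d+\.\d+\.\d+)\b")


def parse_computers(text):
    """One sAMAccountName per line; machine accounts carry a trailing '$'.
    DNS names are case-insensitive, so normalise to lower case."""
    return {ln.strip().rstrip("$").lower() for ln in text.splitlines() if ln.strip()}


def parse_a_records(text):
    """Map each child name in the zone dump to its A record addresses.
    Records under the apex ('Name=') are not host records and are skipped."""
    records = {}
    current = None
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group(1).lower() or None
            continue
        m = A_RE.match(line)
        if m and current is not None:
            records.setdefault(current, []).append(m.group(1))
    return records


def missing_a_records(computers_text, dns_text):
    """Computer accounts with no A record in the zone, sorted."""
    return sorted(parse_computers(computers_text) - set(parse_a_records(dns_text)))


def nsupdate_script(server, zone, host, ip, ttl=900):
    """Dynamic-update input in the form nsupdate reads from stdin.  Against a
    DC, nsupdate must be run with -g (GSS-TSIG); the thread's point is that
    bind_dlz then authenticates the client but still denies the update."""
    fqdn = "%s.%s" % (host, zone)
    return "\n".join([
        "server %s" % server,
        "update add %s %d A %s" % (fqdn, ttl, ip),
        "send",
        "",
    ])


def host_file_line(zone, host, ip):
    """Assumed 'TYPE NAME VALUE' layout of the --use-file host file."""
    return "A %s.%s %s" % (host, zone, ip)


if __name__ == "__main__":
    for name in missing_a_records(COMPUTER_LIST, DNS_QUERY):
        print("no A record for computer account %s$" % name.upper())
    # 192.168.122.20 is a made-up address for the demonstration.
    print(nsupdate_script("addc1.fedora.loc", "fedora.loc", "win10a", "192.168.122.20"))
    print(host_file_line("fedora.loc", "win10a", "192.168.122.20"))
```

Run against a live DC by piping the real `samba-tool computer list` and `samba-tool dns query ... @ ALL` output into the two parsers; a name reported missing is one the client never registered (or was denied, as in the "client update denied" case discussed above), and the nsupdate stanza is what to hand to `nsupdate -g` to confirm whether the server accepts a dynamic update at all.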


