[Samba] V4 - New Install - Missing Zone File

Jeremy Davis jdavis4102 at gmail.com
Thu Feb 23 09:31:59 MST 2012


On Thu, Feb 23, 2012 at 4:33 PM, Jeremy Davis<jdavis4102 at gmail.com>  wrote:
>>>
>>>
>>>> I forgot to mention that nsupdate command should also include -g flag
>>>> to force secure (kerberos) updates.
>>>>
>>>>     nsupdate command = /path/to/nsupdate -g
>>>>
>>>> dlz_bind9 module only allows secure dynamic updates.
>>>>
>>>> Amitay.
>>>>
>>> I added the -g to the smb.conf and restarted samba and named but it
>>> doesn't seem to do anything. Could this be an issue with kerberos? I am
>>> able to authenticate with my Windows machine and via the command line
>>> using the tests on the samba4 wiki. Any ideas as to what this could be?
>> What happens when you run samba_dnsupdate --verbose?
>> What's the output from BIND?
>>
>> Amitay.
>>
Well, the samba_dnsupdate logs are the same but bind is now showing a 
little different error.
> samba-dnsupdate:
>
> IPs: ['2002:4b46:c8ad:0:a00:27ff:fe14:5491', 
> 'fe80::a00:27ff:fe14:5491%eth0', 'fe80::a00:27ff:fee5:5840%eth1', 
> '192.168.7.30', '192.168.30.1']
> Looking for DNS entry A bob-dc.com 192.168.7.30 as bob-dc.com.
> Looking for DNS entry A dc1.bob-dc.com 192.168.7.30 as dc1.bob-dc.com.
> Looking for DNS entry AAAA bob-dc.com 
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as bob-dc.com.
> Failed to find matching DNS entry AAAA bob-dc.com 
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
> Looking for DNS entry AAAA dc1.bob-dc.com 
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as dc1.bob-dc.com.
> Failed to find matching DNS entry AAAA dc1.bob-dc.com 
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
> Looking for DNS entry A gc._msdcs.bob-dc.com 192.168.7.30 as 
> gc._msdcs.bob-dc.com.
> Looking for DNS entry AAAA gc._msdcs.bob-dc.com 
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as gc._msdcs.bob-dc.com.
> Failed to find matching DNS entry AAAA gc._msdcs.bob-dc.com 
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
> Looking for DNS entry CNAME 
> 48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com dc1.bob-dc.com 
> as 48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com.
> Looking for DNS entry SRV _kpasswd._tcp.bob-dc.com dc1.bob-dc.com 464 
> as _kpasswd._tcp.bob-dc.com.
> Checking 0 100 464 dc1.bob-dc.com. against SRV 
> _kpasswd._tcp.bob-dc.com dc1.bob-dc.com 464
> Looking for DNS entry SRV _kpasswd._udp.bob-dc.com dc1.bob-dc.com 464 
> as _kpasswd._udp.bob-dc.com.
> Checking 0 100 464 dc1.bob-dc.com. against SRV 
> _kpasswd._udp.bob-dc.com dc1.bob-dc.com 464
> Looking for DNS entry SRV _kerberos._tcp.bob-dc.com dc1.bob-dc.com 88 
> as _kerberos._tcp.bob-dc.com.
> Checking 0 100 88 dc1.bob-dc.com. against SRV 
> _kerberos._tcp.bob-dc.com dc1.bob-dc.com 88
> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.bob-dc.com 
> dc1.bob-dc.com 88 as _kerberos._tcp.dc._msdcs.bob-dc.com.
> Checking 0 100 88 dc1.bob-dc.com. against SRV 
> _kerberos._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 88
> Looking for DNS entry SRV 
> _kerberos._tcp.default-first-site-name._sites.bob-dc.com 
> dc1.bob-dc.com 88 as 
> _kerberos._tcp.default-first-site-name._sites.bob-dc.com.
> Checking 0 100 88 dc1.bob-dc.com. against SRV 
> _kerberos._tcp.default-first-site-name._sites.bob-dc.com 
> dc1.bob-dc.com 88
> Looking for DNS entry SRV 
> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com 
> dc1.bob-dc.com 88 as 
> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com.
> Checking 0 100 88 dc1.bob-dc.com. against SRV 
> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com 
> dc1.bob-dc.com 88
> Looking for DNS entry SRV _kerberos._udp.bob-dc.com dc1.bob-dc.com 88 
> as _kerberos._udp.bob-dc.com.
> Checking 0 100 88 dc1.bob-dc.com. against SRV 
> _kerberos._udp.bob-dc.com dc1.bob-dc.com 88
> Looking for DNS entry SRV _ldap._tcp.bob-dc.com dc1.bob-dc.com 389 as 
> _ldap._tcp.bob-dc.com.
> Checking 0 100 389 dc1.bob-dc.com. against SRV _ldap._tcp.bob-dc.com 
> dc1.bob-dc.com 389
> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.bob-dc.com 
> dc1.bob-dc.com 389 as _ldap._tcp.dc._msdcs.bob-dc.com.
> Checking 0 100 389 dc1.bob-dc.com. against SRV 
> _ldap._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 389
> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.bob-dc.com 
> dc1.bob-dc.com 3268 as _ldap._tcp.gc._msdcs.bob-dc.com.
> Checking 0 100 3268 dc1.bob-dc.com. against SRV 
> _ldap._tcp.gc._msdcs.bob-dc.com dc1.bob-dc.com 3268
> Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.bob-dc.com 
> dc1.bob-dc.com 389 as _ldap._tcp.pdc._msdcs.bob-dc.com.
> Checking 0 100 389 dc1.bob-dc.com. against SRV 
> _ldap._tcp.pdc._msdcs.bob-dc.com dc1.bob-dc.com 389
> Looking for DNS entry SRV 
> _ldap._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 
> 389 as _ldap._tcp.default-first-site-name._sites.bob-dc.com.
> Checking 0 100 389 dc1.bob-dc.com. against SRV 
> _ldap._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 389
> Looking for DNS entry SRV 
> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com 
> dc1.bob-dc.com 389 as 
> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com.
> Checking 0 100 389 dc1.bob-dc.com. against SRV 
> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com 
> dc1.bob-dc.com 389
> Looking for DNS entry SRV 
> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com 
> dc1.bob-dc.com 3268 as 
> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com.
> Checking 0 100 3268 dc1.bob-dc.com. against SRV 
> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com 
> dc1.bob-dc.com 3268
> Looking for DNS entry SRV 
> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com 
> dc1.bob-dc.com 389 as 
> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com.
> Checking 0 100 389 dc1.bob-dc.com. against SRV 
> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com 
> dc1.bob-dc.com 389
> Looking for DNS entry SRV _gc._tcp.bob-dc.com dc1.bob-dc.com 3268 as 
> _gc._tcp.bob-dc.com.
> Checking 0 100 3268 dc1.bob-dc.com. against SRV _gc._tcp.bob-dc.com 
> dc1.bob-dc.com 3268
> Looking for DNS entry SRV 
> _gc._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 3268 
> as _gc._tcp.default-first-site-name._sites.bob-dc.com.
> Checking 0 100 3268 dc1.bob-dc.com. against SRV 
> _gc._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 3268
> Looking for DNS entry A bob-dc.com 192.168.30.1 as bob-dc.com.
> Failed to find matching DNS entry A bob-dc.com 192.168.30.1
> Looking for DNS entry A dc1.bob-dc.com 192.168.30.1 as dc1.bob-dc.com.
> Failed to find matching DNS entry A dc1.bob-dc.com 192.168.30.1
> Looking for DNS entry A gc._msdcs.bob-dc.com 192.168.30.1 as 
> gc._msdcs.bob-dc.com.
> Failed to find matching DNS entry A gc._msdcs.bob-dc.com 192.168.30.1
> Calling nsupdate for AAAA bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> bob-dc.com.        900    IN    AAAA    
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>
> update failed: REFUSED
> Failed nsupdate: 2
> Calling nsupdate for AAAA dc1.bob-dc.com 
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> dc1.bob-dc.com.    900    IN    AAAA    
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>
> update failed: REFUSED
> Failed nsupdate: 2
> Calling nsupdate for AAAA gc._msdcs.bob-dc.com 
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> gc._msdcs.bob-dc.com.    900    IN    AAAA    
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>
> update failed: REFUSED
> Failed nsupdate: 2
> Calling nsupdate for A bob-dc.com 192.168.30.1
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> bob-dc.com.        900    IN    A    192.168.30.1
>
> update failed: REFUSED
> Failed nsupdate: 2
> Calling nsupdate for A dc1.bob-dc.com 192.168.30.1
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> dc1.bob-dc.com.    900    IN    A    192.168.30.1
>
> update failed: REFUSED
> Failed nsupdate: 2
> Calling nsupdate for A gc._msdcs.bob-dc.com 192.168.30.1
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> gc._msdcs.bob-dc.com.    900    IN    A    192.168.30.1
>
> update failed: REFUSED
> Failed nsupdate: 2
> Failed update of 6 entries
>
>
> bind logs:
>
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on 
> zone bob-dc.com
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#43717: updating 
> zone 'bob-dc.com/NONE': update failed: rejected by secure update 
> (REFUSED)
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on 
> zone bob-dc.com
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on 
> zone bob-dc.com
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#33042: updating 
> zone 'bob-dc.com/NONE': update failed: rejected by secure update 
> (REFUSED)
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on 
> zone bob-dc.com
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on 
> zone _msdcs.bob-dc.com
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#40855: updating 
> zone '_msdcs.bob-dc.com/NONE': update failed: rejected by secure 
> update (REFUSED)
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on 
> zone _msdcs.bob-dc.com
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on 
> zone bob-dc.com
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#38049: updating 
> zone 'bob-dc.com/NONE': update failed: rejected by secure update 
> (REFUSED)
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on 
> zone bob-dc.com
> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on 
> zone bob-dc.com
> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: spnego update failed
> Feb 22 22:51:44 dc1 named[2498]: client 192.168.30.1#34189: updating 
> zone 'bob-dc.com/NONE': update failed: rejected by secure update 
> (REFUSED)
> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: cancelling transaction on 
> zone bob-dc.com
> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on 
> zone _msdcs.bob-dc.com
> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: spnego update failed
> Feb 22 22:51:44 dc1 named[2498]: client 192.168.30.1#41075: updating 
> zone '_msdcs.bob-dc.com/NONE': update failed: rejected by secure 
> update (REFUSED)
> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: cancelling transaction on 
> zone _msdcs.bob-dc.com
>

Forgot to copy the samba list on the latest logs. Also I just saw 
Steve's email. I can say that samba is in the path as I used samba to 
start the samba service. I also double checked that everything is in the 
path. The above logs are the current logs that I am getting after adding 
the -g option as requested by Amitay.
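
An added example, not part of the original post or of Samba: a small Python parser for the named log format quoted above that groups "rejected by secure update (REFUSED)" entries by zone and client and counts how many followed a "samba_dlz: spnego update failed" line. The first two transactions are copied from the log above with wrapped lines rejoined; the third (client 192.0.2.10) is constructed, and the code assumes the lines of one transaction are logged consecutively.

```python
import re
from collections import defaultdict

# First two transactions: from the named log quoted above (wrapped lines rejoined).
# Last two lines: constructed, a refusal with no SPNEGO failure logged before it.
SAMPLE_LOG = """\
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#43717: updating zone 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone bob-dc.com
Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on zone _msdcs.bob-dc.com
Feb 22 22:51:44 dc1 named[2498]: samba_dlz: spnego update failed
Feb 22 22:51:44 dc1 named[2498]: client 192.168.30.1#41075: updating zone '_msdcs.bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
Feb 22 22:51:44 dc1 named[2498]: samba_dlz: cancelling transaction on zone _msdcs.bob-dc.com
Feb 22 22:51:45 dc1 named[2498]: samba_dlz: starting transaction on zone bob-dc.com
Feb 22 22:51:45 dc1 named[2498]: client 192.0.2.10#40000: updating zone 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
"""

START = re.compile(r"samba_dlz: starting transaction on zone \S+")
SPNEGO = re.compile(r"samba_dlz: spnego update failed")
REFUSED = re.compile(r"client (\S+?)#\d+: updating zone '([^'/]+)/[^']*': "
                     r"update failed: rejected by secure update \(REFUSED\)")

def summarize(log_text):
    """Map (zone, client_ip) -> refusal count and how many followed a SPNEGO failure."""
    stats = defaultdict(lambda: {"refused": 0, "spnego_failed": 0})
    spnego_failed = False  # set by a spnego failure, cleared at each transaction start
    for line in log_text.splitlines():
        if START.search(line):
            spnego_failed = False
        elif SPNEGO.search(line):
            spnego_failed = True
        elif (m := REFUSED.search(line)):
            entry = stats[(m.group(2), m.group(1))]
            entry["refused"] += 1
            entry["spnego_failed"] += spnego_failed  # bool counts as 0 or 1
    return dict(stats)

def auth_failures(stats):
    """(zone, client) pairs whose every refusal followed a failed SPNEGO exchange."""
    return sorted(k for k, v in stats.items() if v["refused"] == v["spnego_failed"])
```

Pairs returned by `auth_failures` point at the GSS-TSIG (Kerberos) exchange itself; refusals outside that set were rejected without a logged SPNEGO failure and need a different line of investigation.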

