[Samba] V4 - New Install - Missing Zone File

Jeremy Davis JDFire at cox.net
Thu Feb 23 16:09:07 MST 2012


Hello All,

On 02/23/2012 09:31 AM, Jeremy Davis wrote:
> On Thu, Feb 23, 2012 at 4:33 PM, Jeremy Davis<jdavis4102 at gmail.com>  
> wrote:
>>>>
>>>>
>>>>> I forgot to mention that nsupdate command should also include -g 
>>>>> flag to
>>>>> force
>>>>> secure (kerberos) updates.
>>>>>
>>>>>     nsupdate command = /path/to/nsupdate -g
>>>>>
>>>>> dlz_bind9 module only allows secure dynamic updates.
>>>>>
>>>>> Amitay.
>>>>>
>>>> I added the -g to the smb.conf and restarted samba and named but it 
>>>> doesn't
>>>> seem to do anything. Could this be an issue with kerberos? I am 
>>>> able to
>>>> authenticate with my Windows machine and via the command line using 
>>>> the
>>>> tests on the samba4 wiki. Any ideas as to what this could be?
>>> What happens when you run samba_dnsupdate --verbose?
>>> What's the output from BIND?
>>>
>>> Amitay.
>>>
> Well, the samba_dnsupdate logs are the same but bind is now showing a 
> little different error.
>> samba-dnsupdate:
>>
>> IPs: ['2002:4b46:c8ad:0:a00:27ff:fe14:5491', 
>> 'fe80::a00:27ff:fe14:5491%eth0', 'fe80::a00:27ff:fee5:5840%eth1', 
>> '192.168.7.30', '192.168.30.1']
>> Looking for DNS entry A bob-dc.com 192.168.7.30 as bob-dc.com.
>> Looking for DNS entry A dc1.bob-dc.com 192.168.7.30 as dc1.bob-dc.com.
>> Looking for DNS entry AAAA bob-dc.com 
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as bob-dc.com.
>> Failed to find matching DNS entry AAAA bob-dc.com 
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> Looking for DNS entry AAAA dc1.bob-dc.com 
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as dc1.bob-dc.com.
>> Failed to find matching DNS entry AAAA dc1.bob-dc.com 
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> Looking for DNS entry A gc._msdcs.bob-dc.com 192.168.7.30 as 
>> gc._msdcs.bob-dc.com.
>> Looking for DNS entry AAAA gc._msdcs.bob-dc.com 
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as gc._msdcs.bob-dc.com.
>> Failed to find matching DNS entry AAAA gc._msdcs.bob-dc.com 
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> Looking for DNS entry CNAME 
>> 48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com dc1.bob-dc.com 
>> as 48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com.
>> Looking for DNS entry SRV _kpasswd._tcp.bob-dc.com dc1.bob-dc.com 464 
>> as _kpasswd._tcp.bob-dc.com.
>> Checking 0 100 464 dc1.bob-dc.com. against SRV 
>> _kpasswd._tcp.bob-dc.com dc1.bob-dc.com 464
>> Looking for DNS entry SRV _kpasswd._udp.bob-dc.com dc1.bob-dc.com 464 
>> as _kpasswd._udp.bob-dc.com.
>> Checking 0 100 464 dc1.bob-dc.com. against SRV 
>> _kpasswd._udp.bob-dc.com dc1.bob-dc.com 464
>> Looking for DNS entry SRV _kerberos._tcp.bob-dc.com dc1.bob-dc.com 88 
>> as _kerberos._tcp.bob-dc.com.
>> Checking 0 100 88 dc1.bob-dc.com. against SRV 
>> _kerberos._tcp.bob-dc.com dc1.bob-dc.com 88
>> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.bob-dc.com 
>> dc1.bob-dc.com 88 as _kerberos._tcp.dc._msdcs.bob-dc.com.
>> Checking 0 100 88 dc1.bob-dc.com. against SRV 
>> _kerberos._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 88
>> Looking for DNS entry SRV 
>> _kerberos._tcp.default-first-site-name._sites.bob-dc.com 
>> dc1.bob-dc.com 88 as 
>> _kerberos._tcp.default-first-site-name._sites.bob-dc.com.
>> Checking 0 100 88 dc1.bob-dc.com. against SRV 
>> _kerberos._tcp.default-first-site-name._sites.bob-dc.com 
>> dc1.bob-dc.com 88
>> Looking for DNS entry SRV 
>> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com 
>> dc1.bob-dc.com 88 as 
>> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com.
>> Checking 0 100 88 dc1.bob-dc.com. against SRV 
>> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com 
>> dc1.bob-dc.com 88
>> Looking for DNS entry SRV _kerberos._udp.bob-dc.com dc1.bob-dc.com 88 
>> as _kerberos._udp.bob-dc.com.
>> Checking 0 100 88 dc1.bob-dc.com. against SRV 
>> _kerberos._udp.bob-dc.com dc1.bob-dc.com 88
>> Looking for DNS entry SRV _ldap._tcp.bob-dc.com dc1.bob-dc.com 389 as 
>> _ldap._tcp.bob-dc.com.
>> Checking 0 100 389 dc1.bob-dc.com. against SRV _ldap._tcp.bob-dc.com 
>> dc1.bob-dc.com 389
>> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.bob-dc.com 
>> dc1.bob-dc.com 389 as _ldap._tcp.dc._msdcs.bob-dc.com.
>> Checking 0 100 389 dc1.bob-dc.com. against SRV 
>> _ldap._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 389
>> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.bob-dc.com 
>> dc1.bob-dc.com 3268 as _ldap._tcp.gc._msdcs.bob-dc.com.
>> Checking 0 100 3268 dc1.bob-dc.com. against SRV 
>> _ldap._tcp.gc._msdcs.bob-dc.com dc1.bob-dc.com 3268
>> Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.bob-dc.com 
>> dc1.bob-dc.com 389 as _ldap._tcp.pdc._msdcs.bob-dc.com.
>> Checking 0 100 389 dc1.bob-dc.com. against SRV 
>> _ldap._tcp.pdc._msdcs.bob-dc.com dc1.bob-dc.com 389
>> Looking for DNS entry SRV 
>> _ldap._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 
>> 389 as _ldap._tcp.default-first-site-name._sites.bob-dc.com.
>> Checking 0 100 389 dc1.bob-dc.com. against SRV 
>> _ldap._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 389
>> Looking for DNS entry SRV 
>> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com 
>> dc1.bob-dc.com 389 as 
>> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com.
>> Checking 0 100 389 dc1.bob-dc.com. against SRV 
>> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com 
>> dc1.bob-dc.com 389
>> Looking for DNS entry SRV 
>> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com 
>> dc1.bob-dc.com 3268 as 
>> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com.
>> Checking 0 100 3268 dc1.bob-dc.com. against SRV 
>> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com 
>> dc1.bob-dc.com 3268
>> Looking for DNS entry SRV 
>> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com 
>> dc1.bob-dc.com 389 as 
>> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com.
>> Checking 0 100 389 dc1.bob-dc.com. against SRV 
>> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com 
>> dc1.bob-dc.com 389
>> Looking for DNS entry SRV _gc._tcp.bob-dc.com dc1.bob-dc.com 3268 as 
>> _gc._tcp.bob-dc.com.
>> Checking 0 100 3268 dc1.bob-dc.com. against SRV _gc._tcp.bob-dc.com 
>> dc1.bob-dc.com 3268
>> Looking for DNS entry SRV 
>> _gc._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 
>> 3268 as _gc._tcp.default-first-site-name._sites.bob-dc.com.
>> Checking 0 100 3268 dc1.bob-dc.com. against SRV 
>> _gc._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 3268
>> Looking for DNS entry A bob-dc.com 192.168.30.1 as bob-dc.com.
>> Failed to find matching DNS entry A bob-dc.com 192.168.30.1
>> Looking for DNS entry A dc1.bob-dc.com 192.168.30.1 as dc1.bob-dc.com.
>> Failed to find matching DNS entry A dc1.bob-dc.com 192.168.30.1
>> Looking for DNS entry A gc._msdcs.bob-dc.com 192.168.30.1 as 
>> gc._msdcs.bob-dc.com.
>> Failed to find matching DNS entry A gc._msdcs.bob-dc.com 192.168.30.1
>> Calling nsupdate for AAAA bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> bob-dc.com.        900    IN    AAAA    
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Calling nsupdate for AAAA dc1.bob-dc.com 
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> dc1.bob-dc.com.    900    IN    AAAA    
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Calling nsupdate for AAAA gc._msdcs.bob-dc.com 
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> gc._msdcs.bob-dc.com.    900    IN    AAAA    
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Calling nsupdate for A bob-dc.com 192.168.30.1
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> bob-dc.com.        900    IN    A    192.168.30.1
>>
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Calling nsupdate for A dc1.bob-dc.com 192.168.30.1
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> dc1.bob-dc.com.    900    IN    A    192.168.30.1
>>
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Calling nsupdate for A gc._msdcs.bob-dc.com 192.168.30.1
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> gc._msdcs.bob-dc.com.    900    IN    A    192.168.30.1
>>
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Failed update of 6 entries
>>
>>
>> bind logs:
>>
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on 
>> zone bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#43717: updating 
>> zone 'bob-dc.com/NONE': update failed: rejected by secure update 
>> (REFUSED)
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on 
>> zone bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on 
>> zone bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#33042: updating 
>> zone 'bob-dc.com/NONE': update failed: rejected by secure update 
>> (REFUSED)
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on 
>> zone bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on 
>> zone _msdcs.bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#40855: updating 
>> zone '_msdcs.bob-dc.com/NONE': update failed: rejected by secure 
>> update (REFUSED)
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on 
>> zone _msdcs.bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on 
>> zone bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#38049: updating 
>> zone 'bob-dc.com/NONE': update failed: rejected by secure update 
>> (REFUSED)
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on 
>> zone bob-dc.com
>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on 
>> zone bob-dc.com
>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: spnego update failed
>> Feb 22 22:51:44 dc1 named[2498]: client 192.168.30.1#34189: updating 
>> zone 'bob-dc.com/NONE': update failed: rejected by secure update 
>> (REFUSED)
>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: cancelling transaction on 
>> zone bob-dc.com
>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on 
>> zone _msdcs.bob-dc.com
>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: spnego update failed
>> Feb 22 22:51:44 dc1 named[2498]: client 192.168.30.1#41075: updating 
>> zone '_msdcs.bob-dc.com/NONE': update failed: rejected by secure 
>> update (REFUSED)
>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: cancelling transaction on 
>> zone _msdcs.bob-dc.com
>>
>
> Forgot to copy the samba list on the latest logs. Also I just saw 
> Steve's email. I can say that samba is in the path as I used samba to 
> start the samba service. I also double checked that everything is in 
> the path. The above logs are the current logs that I am getting after 
> adding the -g option as requested by Amitay.

One note I would like to add to this. When I add new machines to the 
domain I am able to log in and do everything, like creating users. But I 
can't resolve the newly added server on any system that is joined to the 
domain.

If anyone has any more ideas please feel free to let me know. Thank you 
so much for your help so far and hope we can get this resolved.

Regards,
Jeremy
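
Added example (not part of the original post and not Samba project code): in the BIND log quoted above, every REFUSED is preceded by "samba_dlz: spnego update failed" in the same transaction. This Python script rejoins the mail-wrapped named log lines and counts, per zone and client, how many refused secure updates followed such a failure. The second sample transaction and its client address 192.168.7.31 are constructed for contrast.

```python
import re
from collections import defaultdict

# Quoted, wrapped form as in the message above; the 192.168.7.31 transaction is constructed.
SAMPLE = """\
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on
>> zone _msdcs.bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#40855: updating
>> zone '_msdcs.bob-dc.com/NONE': update failed: rejected by secure
>> update (REFUSED)
>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on
>> zone bob-dc.com
>> Feb 22 22:51:44 dc1 named[2498]: client 192.168.7.31#50000: updating
>> zone 'bob-dc.com/NONE': update failed: rejected by secure update
>> (REFUSED)
"""

TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
START = re.compile(r"samba_dlz: starting transaction on zone (\S+)")
SPNEGO = re.compile(r"samba_dlz: spnego update failed")
REFUSED = re.compile(r"client ([0-9A-Fa-f.:]+)#\d+: updating zone '([^'/]+)/[^']*': "
                     r"update failed: rejected by secure update \(REFUSED\)")

def unwrap(text):
    """Strip mail quote markers and rejoin wrapped syslog records."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", raw).strip()
        if TIMESTAMP.match(line):
            records.append(line)        # a timestamp starts a new record
        elif line and records:
            records[-1] += " " + line   # continuation of a wrapped record
    return records

def summarize_refusals(text):
    """Map (zone, client_ip) -> [refused, refused_after_spnego_failure]."""
    summary = defaultdict(lambda: [0, 0])
    spnego_failed = False
    for line in unwrap(text):
        if START.search(line):
            spnego_failed = False       # state is tracked per transaction
        elif SPNEGO.search(line):
            spnego_failed = True
        elif (m := REFUSED.search(line)):
            key = (m.group(2), m.group(1))
            summary[key][0] += 1
            summary[key][1] += int(spnego_failed)
    return dict(summary)
```

Calling summarize_refusals() on the full quoted log separates refusals where the SPNEGO exchange itself failed from refusals logged without that line, which narrows the search to the Kerberos side or to the update policy.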

