[Samba] BIND-DLZ refuses to update

Andrew Bartlett abartlet at samba.org
Sat Sep 29 04:26:01 MDT 2012

On Sat, 2012-09-29 at 14:06 +0400, Dmitry Khromov wrote:
> On Sat, 29 Sep 2012 13:21:21 +1000
> Andrew Bartlett <abartlet at samba.org> wrote:
> > The only suggestion I have here is to try turning up the debug level in
> > the smb.conf
> > named[12365]: client view realdns: update 'klin.kifato-mk.com/IN' denied
> Excuse me, should had it done in the first place.
> # sbin/samba -d 10 -i -M single 2> /tmp/smb_err.log | tee /tmp/smb_stdout.log
> ...
> Kerberos: TGS-REQ authtime: 2012-09-29T13:39:44 starttime: 2012-09-29T13:39:47 endtime: 2012-09-29T23:39:44 renew till: unset
> Received krb5 UDP packet of length 160 from ipv4:
> Received KDC packet of length 156 from ipv4:
> Kerberos: AS-REQ named at KLIN.KIFATO-MK.COM from ipv4: for krbtgt/KLIN.KIFATO-MK.COM at KLIN.KIFATO-MK.COM

> Kerberos: UNKNOWN -- named at KLIN.KIFATO-MK.COM: no such entry found in hdb
> /usr/local/samba/sbin/samba_dnsupdate: dns_tkey_negotiategss: TKEY is unacceptable 

For some unknown reason nsupdate is attempting to get a ticket as user
'named'.  This is why it fails.

Now, of course you want to know why it does this, but as far as I can
see it's internal to BIND's nsupdate utility.  For a number of reasons
we expect to replace this with a Samba-internal command/library soon,
but not before Samba 4.0. 

Andrew Bartlett

Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

More information about the samba mailing list