[Samba] Dynamic DNS updates not working with BIND DLZ

Stephen Jones lloydsystems at fastmail.com.au
Wed Apr 10 20:22:55 MDT 2013


A while ago I set up Samba4 on CentOS 6.  Samba version was 4.0.0 using
the RPM from SOGo.  I used the DLZ BIND backend with BIND 9.8.

I tested with a Windows 7 VM client.  When I joined the client to the
domain it was automatically added to the AD DNS and appeared in the
Windows DNS Manager.  The VM had a static IP, but if I changed the IP
address that change was automatically reflected in the DNS entry.

I am now adding new real clients to the domain and find that they are
not added to the AD domain DNS.  The client has a dynamic IP, but I have
tried changing to a fixed IP address and it makes no difference.

The only changes I can recall between the initial setup and now are:

1. Samba upgrade to 4.0.1.  After upgrading I followed the procedure and
    samba-tool dbcheck --cross-ncs --fix
    samba-tool ntacl sysvolreset
The upgrade changed the permissions of /var/lib/samba4/private back to
root:root 700, which is no good, so I changed back to root:named 750.
I also added "server services = -dns" to smb.conf as per the
instructions because internal DNS is now default.

2. Tested OpenChange.  But, prior to doing anything I backed up the entire
/var/lib/samba4 directory.  When I removed OpenChange (as it is just not
stable yet) I removed /var/lib/samba4 and replaced it with the backup. 
So this should not have any effect.

I have checked everything against my notes made when installing Samba4
and can't find anything wrong.  In terms of DNS, /etc/named.conf
    include "/var/lib/samba4/private/named.conf";
which loads the DLZ module for BIND 9.8.
The /etc/named.conf also has in the options
    tkey-gssapi-keytab "/var/lib/samba4/private/dns.keytab";
Permissions of files:
    /var/lib/samba4/private/named.conf  root:named 640
    /var/lib/samba4/private/dns.keytab  root:named 640
    /var/lib/samba4/private/dns/  root:named 770

It all seems OK (I think), but no dynamic DNS updates.  There is nothing
in the samba.log file to suggest a problem.  The system log has messages 
    client <IP address>: update 'example.local/IN' denied
    samba_dlz: cancelling transaction on zone example.local

Is there something I need to set in smb.conf?  I see there are new
options like "allow dns updates" and "dns update command", which I do
not have specifically set, but I don't know if these only apply to Samba
internal DNS.  There is still really no documentation about smb.conf for

Can someone please explain what might be wrong or what I should look


Stephen Jones
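
Added example, not part of the original post or of Samba: a small audit that compares the ownership and modes listed in the message against what is on disk, and pulls the DLZ include and keytab path out of named.conf so the two can be cross-checked. The paths, owners and modes are the ones quoted above; the function names and the `root` parameter are assumptions made for this illustration.

```python
import grp, os, pwd, re, stat

# Paths, owner:group and modes exactly as listed in the post.
EXPECTED = [
    ("/var/lib/samba4/private", "root", "named", 0o750),
    ("/var/lib/samba4/private/named.conf", "root", "named", 0o640),
    ("/var/lib/samba4/private/dns.keytab", "root", "named", 0o640),
    ("/var/lib/samba4/private/dns", "root", "named", 0o770),
]

def user_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)  # no passwd entry: report the numeric id

def group_name(gid):
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)

def audit(expected=EXPECTED, root="/"):
    """Return (path, problem) tuples; an empty list means everything matches."""
    findings = []
    for path, owner, group, mode in expected:
        try:
            st = os.stat(os.path.join(root, path.lstrip("/")))
        except OSError as exc:  # missing file or untraversable parent
            findings.append((path, exc.strerror))
            continue
        actual = (user_name(st.st_uid), group_name(st.st_gid))
        if actual != (owner, group):
            findings.append((path, "owner %s:%s, expected %s:%s" % (actual + (owner, group))))
        perms = stat.S_IMODE(st.st_mode)
        if perms != mode:
            findings.append((path, "mode %o, expected %o" % (perms, mode)))
    return findings

def conf_refs(text):
    """Pull the keytab path and include targets out of named.conf text."""
    keytab = re.search(r'tkey-gssapi-keytab\s+"([^"]+)"\s*;', text)
    includes = re.findall(r'^\s*include\s+"([^"]+)"\s*;', text, re.M)
    return {"keytab": keytab.group(1) if keytab else None, "includes": includes}

if __name__ == "__main__":
    for path, problem in audit():
        print("%s: %s" % (path, problem))
    with open("/etc/named.conf") as fh:
        print(conf_refs(fh.read()))
```

Run it as root on the server; re-running it after each package upgrade shows whether the private directory has been reset to root:root 700 again.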