[Samba] Samba4.08 & DDNS update-security error
Oleg Ruso
soy_siberiano at yahoo.com
Mon Dec 2 04:45:40 MST 2013
Hi List!
I want to ask the community for help....
Got a FreeBSD 9.2-RELEASE system with Samba 4.0.8 DC + AD, and BIND 9.9.4 as the DNS service.
I am trying to set up dynamic DNS updating, but now I am at a dead end.
------------------------------------------------------------------------
BIND starts correctly:
Dec 2 05:12:11 Dn named[33323]: samba_dlz: GENSEC backend 'gssapi_spnego' registered
Dec 2 05:12:11 Dn named[33323]: samba_dlz: GENSEC backend 'gssapi_krb5' registered
Dec 2 05:12:11 Dn named[33323]: samba_dlz: GENSEC backend 'gssapi_krb5_sasl' registered
Dec 2 05:12:11 Dn named[33323]: samba_dlz: GENSEC backend 'sasl-DIGEST-MD5' registered
Dec 2 05:12:11 Dn named[33323]: samba_dlz: GENSEC backend 'schannel' registered
Dec 2 05:12:11 Dn named[33323]: samba_dlz: GENSEC backend 'spnego' registered
Dec 2 05:12:11 Dn named[33323]: samba_dlz: GENSEC backend 'ntlmssp' registered
Dec 2 05:12:11 Dn named[33323]: samba_dlz: GENSEC backend 'krb5' registered
Dec 2 05:12:11 Dn named[33323]: samba_dlz: GENSEC backend 'fake_gssapi_krb5' registered
Dec 2 05:12:11 Dn named[33323]: command channel listening on 0.0.0.0#953
------------------------------------------------------------------------
But
samba_dnsupdate --verbose --all-names
gives errors:
02-Dec-2013 01:41:39.287 database: info: samba_dlz: starting transaction on zone smbdomain.local
02-Dec-2013 01:41:39.288 update-security: error: client 192.168.0.4#49344: update 'smbdomain.local/IN' denied
02-Dec-2013 01:41:39.289 database: info: samba_dlz: cancelling transaction on zone smbdomain.local
02-Dec-2013 01:41:39.309 database: info: samba_dlz: starting transaction on zone smbdomain.local
02-Dec-2013 01:41:39.309 update-security: error: client 192.168.0.4#37771: update 'smbdomain.local/IN' denied
-------------------------------------------------------------------------------------------------------------
Probably the authentication protocols are not available.......
After that I checked the contents of the zone:
# dig axfr smbdomain.local
; <<>> DiG 9.8.6-P1 <<>> axfr smbdomain.local
;; global options: +cmd
smbdomain.local. 3600 IN SOA dn.smbdomain.local. hostmaster.smbdomain.local. 1 900 600 86400 0
smbdomain.local. 900 IN NS dn.smbdomain.local.
smbdomain.local. 900 IN A 192.168.0.4
dn.smbdomain.local. 900 IN A 192.168.0.4
_msdcs.smbdomain.local. 900 IN NS dn.smbdomain.local.
_gc._tcp.smbdomain.local. 900 IN SRV 0 100 3268 dn.smbdomain.local.
_ldap._tcp.smbdomain.local. 900 IN SRV 0 100 389 dn.smbdomain.local.
_kpasswd._udp.smbdomain.local. 900 IN SRV 0 100 464 dn.smbdomain.local.
_kpasswd._tcp.smbdomain.local. 900 IN SRV 0 100 464 dn.smbdomain.local.
_kerberos._udp.smbdomain.local. 900 IN SRV 0 100 88 dn.smbdomain.local.
_kerberos._tcp.smbdomain.local. 900 IN SRV 0 100 88 dn.smbdomain.local.
ForestDnsZones.smbdomain.local. 900 IN A 192.168.0.4
DomainDnsZones.smbdomain.local. 900 IN A 192.168.0.4
_ldap._tcp.ForestDnsZones.smbdomain.local. 900 IN SRV 0 100 389 dn.smbdomain.local.
_ldap._tcp.DomainDnsZones.smbdomain.local. 900 IN SRV 0 100 389 dn.smbdomain.local.
_gc._tcp.Default-First-Site-Name._sites.smbdomain.local. 900 IN SRV 0 100 3268 dn.smbdomain.local.
_ldap._tcp.Default-First-Site-Name._sites.smbdomain.local. 900 IN SRV 0 100 389 dn.smbdomain.local.
_kerberos._tcp.Default-First-Site-Name._sites.smbdomain.local. 900 IN SRV 0 100 88 dn.smbdomain.local.
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.smbdomain.local. 900 IN SRV 0 100 389 dn.smbdomain.local.
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.smbdomain.local. 900 IN SRV 0 100 389 dn.smbdomain.local.
smbdomain.local. 3600 IN SOA dn.smbdomain.local. hostmaster.smbdomain.local. 1 900 600 86400 0
;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 26 23:16:03 OMST 2013
;; XFR size: 21 records (messages 1, bytes 962)
------------------------------------------------------------------------
I tried to check zone updating manually for a local zone:
nsupdate -k Ksmbdomain.local.+157+31840.key upd_file
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;smbdomain.local. IN SOA
;; UPDATE SECTION:
smbdomain.local. 0 ANY A
smbdomain.local. 86400 IN A 192.168.0.4
update failed: REFUSED
------------------------------------------------------------------------
.... REFUSED.....
The relevant part of my named.conf:
.......................
key "rndc-key" {
    algorithm hmac-md5;
    secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
};
key "smbdomain.local" {
    algorithm hmac-md5;
    secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
};
controls {
    inet * allow { 192.168.0.0/28; 127.0.0.1; } keys { "smbdomain.local"; "rndc-key"; };
};
options {
    .......
    allow-update { key rndc-key; key smbdomain.local; };
    ......
    tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
    tkey-gssapi-credential "DNS/dn.smbdomain.local@SMBDOMAIN.LOCAL";
    tkey-domain "SMBDOMAIN.LOCAL";
};
......zones......
dlz "AD DNS Zone" {
    database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_9.so -d 3";
};
-------------------------------------------------------------------------------
It is written that allow-update must be specified in zone sections, but in this case
named-checkconf complains about an unknown option. Obviously, this BIND version requires
allow-update to be specified in the options section.
Maybe you could point me to some information source about FreeBSD.
Thanks
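An added example, not part of the original post or of Samba/BIND: a small parser for the BIND `update-security` log lines quoted above, which extracts each denied dynamic update (client, source port, zone) and counts repeats per client and zone so that denials like the ones in this thread can be spotted in a log feed. The sample log is constructed after the format shown in the post; the threshold in `noisy_clients` is an arbitrary assumption.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the named excerpt quoted in the post.
SAMPLE_LOG = """\
02-Dec-2013 01:41:39.287 database: info: samba_dlz: starting transaction on zone smbdomain.local
02-Dec-2013 01:41:39.288 update-security: error: client 192.168.0.4#49344: update 'smbdomain.local/IN' denied
02-Dec-2013 01:41:39.289 database: info: samba_dlz: cancelling transaction on zone smbdomain.local
02-Dec-2013 01:41:39.309 database: info: samba_dlz: starting transaction on zone smbdomain.local
02-Dec-2013 01:41:39.309 update-security: error: client 192.168.0.4#37771: update 'smbdomain.local/IN' denied
"""

# Matches the "update '<zone>/<class>' denied" line. The optional "/key <name>"
# part is present when the request carried a TSIG or GSS-TSIG key name.
DENIED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) update-security: error: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)(?:/key (?P<key>\S+))?: "
    r"update '(?P<zone>[^/']+)/(?P<cls>\w+)' denied$"
)


def parse_denials(log_text):
    """Return one dict per denied dynamic update found in log_text."""
    denials = []
    for line in log_text.splitlines():
        m = DENIED_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            denials.append(rec)
    return denials


def denials_per_client_zone(denials):
    """Count denials keyed by (client IP, zone) to find repeat sources."""
    return Counter((d["ip"], d["zone"]) for d in denials)


def noisy_clients(denials, threshold=2):
    """Return (ip, zone) pairs with at least `threshold` denials (assumed value)."""
    counts = denials_per_client_zone(denials)
    return sorted(k for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for d in found:
        print(f"{d['ts']} {d['ip']}:{d['port']} -> {d['zone']} denied")
    print("repeat sources:", noisy_clients(found))
```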