[Samba] Active Directory dynamic DNS update

Richard Connon richard at connon.me.uk
Tue Dec 17 09:31:36 MST 2013 

On 17/12/13 12:57, steve wrote:
> On Tue, 2013-12-17 at 10:02 +0000, Richard Connon wrote:
>> Hi,
>>
>> I'm trying to work out an issue with dynamic DNS update when I join my
>> samba 3.6 client to my samba 4 AD domain.
>>
>> The issue seems to be the client machine attempting to assert its
>> "local" domain name in its DNS update rather than using its hostname
>> combined with the AD domain name as, for example, windows would.
>>
>> Is there a way to tell samba to send dynamic DNS updates for
>> <hostname>.<AD domain name> rather than <hostname>.<local domain name>
>>
>> Regards,
>> Richard
>
> Hi
> The only time a DNS update will register is when you first join the
> domain. Otherwise, Samba sends no dns update requests. If you want the
> clients to update their dns entries as windows clients do, use sssd. It
> will update the client as and when it is needed. I think from your
> question that it is the join itself which gives a dns error.
>
> The best way to overcome this is to unjoin the client and then simply
> put:
> 127.0.0.1 hostname.ad-domain-name hostname
> I.P.OF.DC dc.ad-domain-name dc
> into /etc/hosts
>
> Then fiddle with the other files I mentioned and make sure that:
> hostname
> returns:
> hostname
> and that:
> hostname -f
> returns:
> hostname.ad-domain-name
>
> Now join the domain and the dns will register.
> HTH
> Steve
>

Hi, thanks for the advice, I was going to be looking at sssd for auth 
anyway so I'll look into having it do the DNS updates too.

I've now changed as you said so that hostname -f returns the AD domain 
name and the DNS fails with a new error:

DNS Update for hostname.ad-domain-name failed: ERROR_DNS_INVALID_MESSAGE

The samba4 log shows the following:

Dec 17 14:53:20 dc named[20868]: samba_dlz: starting transaction on zone 
ad-domain-name
Dec 17 14:53:20 dc named[20868]: samba_dlz: spnego update failed
Dec 17 14:53:20 dc named[20868]: client 192.0.2.1#60404: updating zone 
'ad-domain-name/NONE': update failed: rejected by secure update (REFUSED)
Dec 17 14:53:20 dc named[20868]: samba_dlz: cancelling transaction on 
zone ad-domain-name

Any idea what might be happening now?

More information about the samba mailing list