[Samba] Active Directory dynamic DNS update

steve steve at steve-ss.com
Tue Dec 17 16:02:15 MST 2013


On Tue, 2013-12-17 at 16:31 +0000, Richard Connon wrote:
> On 17/12/13 12:57, steve wrote:
> > On Tue, 2013-12-17 at 10:02 +0000, Richard Connon wrote:
> >> Hi,
> >>
> >> I'm trying to work out an issue with dynamic DNS update when I join my
> >> samba 3.6 client to my samba 4 AD domain.
> >>
> >> The issue seems to be the client machine attempting to assert its
> >> "local" domain name in its DNS update rather than using its hostname
> >> combined with the AD domain name as, for example, windows would.
> >>
> >> Is there a way to tell samba to send dynamic DNS updates for
> >> <hostname>.<AD domain name> rather than <hostname>.<local domain name>
> >>
> >> Regards,
> >> Richard
> >
> > Hi
> > The only time a DNS update will register is when you first join the
> > domain. Otherwise, Samba sends no dns update requests. If you want the
> > clients to update their dns entries as windows clients do, use sssd. It
> > will update the client as and when it is needed. I think from your
> > question that it is the join itself which gives a dns error.
> >
> > The best way to overcome this is to unjoin the client and then simply
> > put:
> > 127.0.0.1 hostname.ad-domain-name hostname
> > I.P.OF.DC dc.ad-domain-name dc
> > into /etc/hosts
> >
> > Then fiddle with the other files I mentioned and make sure that:
> > hostname
> > returns:
> > hostname
> > and that:
> > hostname -f
> > returns:
> > hostname.ad-domain-name
> >
> > Now join the domain and the dns will register.
> > HTH
> > Steve
> >
> 
> Hi, thanks for the advice, I was going to be looking at sssd for auth 
> anyway so I'll look into having it do the DNS updates too.
> 
> I've now changed as you said so that hostname -f returns the AD domain 
> name and the DNS fails with a new error:
hostname -f _must_ return hostname.AD-domain-name, _not_ just the domain.
So still wrong.
> 
> DNS Update for hostname.ad-domain-name failed: ERROR_DNS_INVALID_MESSAGE

Hi again
Nope. Still not right. This error tells us that the DC still does not
know the hostname of the machine which is trying to join.



> 
> The samba4 log shows the following:
> 
> Dec 17 14:53:20 dc named[20868]: samba_dlz: starting transaction on zone 
> ad-domain-name
> Dec 17 14:53:20 dc named[20868]: samba_dlz: spnego update failed
> Dec 17 14:53:20 dc named[20868]: client 192.0.2.1#60404: updating zone 
> 'ad-domain-name/NONE': update failed: rejected by secure update (REFUSED)
> Dec 17 14:53:20 dc named[20868]: samba_dlz: cancelling transaction on 
> zone ad-domain-name
> 
> Any idea what might be happening now?
> 

Yes. A previous join has failed. There are stale DNS records which have
to be removed manually. We proceeded as follows:

http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html

HTH
Steve
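The pre-join conditions Steve lists above (`hostname` returns the short name, `hostname -f` returns hostname.AD-domain-name rather than the bare domain, and /etc/hosts maps the FQDN) can be checked before attempting the join. The script below is an added example written for this archive page, not code from the thread or from the Samba project; the domain `ad.example.lan`, the host names and the /etc/hosts lines it tests against are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): pre-join name sanity check that
# encodes the conditions Steve lists before joining a Samba client to the
# AD domain. `hostname` must return the short name, `hostname -f` must
# return short.AD-domain (not just the domain, which is the failure seen
# in the thread), and /etc/hosts must map the FQDN.
# All domain and host names used here are constructed placeholders.

# check_fqdn SHORT FQDN DOMAIN
# Prints a diagnosis; returns 0 only when FQDN is exactly SHORT.DOMAIN.
check_fqdn() {
    short=$1
    fqdn=$2
    domain=$3
    case "$short" in
        *.*)
            echo "FAIL: 'hostname' returned '$short'; it should return only the short name"
            return 1 ;;
    esac
    if [ "$fqdn" = "$domain" ]; then
        # The case from the thread: the FQDN collapsed to the bare domain.
        echo "FAIL: 'hostname -f' returned just the domain '$domain'; expected '$short.$domain'"
        return 1
    fi
    if [ "$fqdn" != "$short.$domain" ]; then
        echo "FAIL: 'hostname -f' returned '$fqdn'; expected '$short.$domain'"
        return 1
    fi
    echo "OK: $fqdn"
    return 0
}

# hosts_has_fqdn FQDN HOSTSFILE
# Returns 0 when some non-comment line in HOSTSFILE lists FQDN as a name
# (any field after the address), 1 otherwise.
hosts_has_fqdn() {
    fqdn=$1
    file=$2
    sed 's/#.*//' "$file" | awk -v f="$fqdn" '
        { for (i = 2; i <= NF; i++) if ($i == f) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Run the live check only when an AD domain is given on the command line:
#   sh check_names.sh ad.example.lan
if [ -n "$1" ]; then
    ad_domain=$1
    short=$(hostname)
    fqdn=$(hostname -f 2>/dev/null || echo "")
    check_fqdn "$short" "$fqdn" "$ad_domain" || exit 1
    if hosts_has_fqdn "$short.$ad_domain" /etc/hosts; then
        echo "OK: /etc/hosts maps $short.$ad_domain"
    else
        echo "FAIL: add '127.0.0.1 $short.$ad_domain $short' to /etc/hosts"
        exit 1
    fi
fi
```

Run it on the client as `sh check_names.sh ad.example.lan` (substituting the real AD domain) before `net ads join`; a FAIL on the `hostname -f` line is the exact condition that produced the DNS update error discussed in the thread, and the fix is the /etc/hosts entry and hostname configuration Steve describes.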



