[Samba] Active Directory dynamic DNS update
richard at connon.me.uk
Tue Dec 17 16:27:02 MST 2013
On 17/12/13 23:02, steve wrote:
> On Tue, 2013-12-17 at 16:31 +0000, Richard Connon wrote:
>> On 17/12/13 12:57, steve wrote:
>>> On Tue, 2013-12-17 at 10:02 +0000, Richard Connon wrote:
>>>> I'm trying to work out an issue with dynamic DNS update when I join my
>>>> samba 3.6 client to my samba 4 AD domain.
>>>> The issue seems to be the client machine attempting to assert its
>>>> "local" domain name in its DNS update rather than using its hostname
>>>> combined with the AD domain name as, for example, windows would.
>>>> Is there a way to tell samba to send dynamic DNS updates for
>>>> <hostname>.<AD domain name> rather than <hostname>.<local domain name>
>>> The only time a DNS update will register is when you first join the
>>> domain. Otherwise, Samba sends no dns update requests. If you want the
>>> clients to update their dns entries as windows clients do, use sssd. It
>>> will update the client as and when it is needed. I think from your
>>> question that it is the join itself which gives a dns error.
>>> The best way to overcome this is to unjoin the client and then simply
>>> 127.0.0.1 hostname.ad-domain-name hostname
>>> I.P.OF.DC dc.ad-domain-name dc
>>> into /etc/hosts
>>> Then fiddle with the other files I mentioned and make sure that:
>>> and that:
>>> hostname -f
>>> Now join the domain and the dns will register.
>> Hi, thanks for the advice, I was going to be looking at sssd for auth
>> anyway so I'll look into having it do the DNS updates too.
>> I've now changed as you said so that hostname -f returns the AD domain
>> name and the DNS fails with a new error:
> hostname -f _must_ return hostname.AD-domain-name _not_ just the domain.
> so still wrong.
>> DNS Update for hostname.ad-domain-name failed: ERROR_DNS_INVALID_MESSAGE
> Hi again
> Nope. Still not right. This error tells us that the DC still does not
> know the hostname of the machine which is trying to join.
>> The samba4 log shows the following:
>> Dec 17 14:53:20 dc named: samba_dlz: starting transaction on zone
>> Dec 17 14:53:20 dc named: samba_dlz: spnego update failed
>> Dec 17 14:53:20 dc named: client 192.0.2.1#60404: updating zone
>> 'ad-domain-name/NONE': update failed: rejected by secure update (REFUSED)
>> Dec 17 14:53:20 dc named: samba_dlz: cancelling transaction on
>> zone ad-domain-name
>> Any idea what might be happening now?
> Yes. A previous join has failed. There are stale DNS records which have
> to be removed manually. We proceeded as follows:
Hi, thanks for your further input. I have looked into your hypothesis
but it doesn't appear to be true.
There are no DNs in the LDB database relating to "hostname"
Issuing "ldbsearch --url=/var/lib/samba/private/sam.ldb | grep hostname"
shows only CN=hostname,CN=Computers,DC=ad,DC=domain,DC=name
Hopefully someone can shed some further light on what's going wrong here.
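The thread turns on two pre-join conditions: `hostname -f` must print `hostname.ad-domain-name` (not the bare domain, and not the machine's "local" domain), and /etc/hosts must map the FQDN ahead of the short name. The script below is an added example, not code from the thread or from the Samba project; it packages those two checks as shell functions that take their inputs as arguments, so they can be run against constructed data here and against the real `hostname` and `/etc/hosts` on a client before joining. The names `check_fqdn`, `check_hosts`, `run_checks`, the domain `ad.example.test` and the sample hosts content are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): pre-join sanity checks for the
# hostname/FQDN requirements discussed above.

# check_fqdn SHORT DOMAIN FQDN
# Returns 0 when FQDN is exactly SHORT.DOMAIN (what "hostname -f" must
# print before the join), 1 when FQDN is only the domain, and 2 when it
# carries some other suffix (e.g. the client's "local" domain name).
check_fqdn() {
    short=$1; domain=$2; fqdn=$3
    case "$fqdn" in
        "$short.$domain") return 0 ;;
        "$domain")        return 1 ;;   # hostname -f printed just the domain
        *)                return 2 ;;   # wrong or missing domain suffix
    esac
}

# check_hosts HOSTS_CONTENT FQDN
# Returns 0 when some non-comment line in the /etc/hosts content has FQDN as
# the first name after the address (the "ADDR fqdn short" layout from the
# thread), 1 otherwise. Exact string comparison, so dots are not wildcards.
check_hosts() {
    content=$1; want=$2
    printf '%s\n' "$content" | awk -v want="$want" '
        /^[[:space:]]*#/ || NF < 2 { next }   # skip comments and blank lines
        $2 == want { found = 1 }
        END { exit found ? 0 : 1 }'
}

# run_checks SHORT DOMAIN FQDN HOSTS_CONTENT
# Prints one line per check and returns the number of failed checks.
run_checks() {
    fails=0
    if check_fqdn "$1" "$2" "$3"; then
        echo "ok   hostname -f -> $3"
    else
        echo "FAIL hostname -f -> '$3', expected '$1.$2'"; fails=$((fails + 1))
    fi
    if check_hosts "$4" "$1.$2"; then
        echo "ok   /etc/hosts maps $1.$2"
    else
        echo "FAIL /etc/hosts has no line with $1.$2 as the first name"; fails=$((fails + 1))
    fi
    return $fails
}

# Constructed sample data standing in for a client's /etc/hosts: one file
# laid out as the thread recommends, one still using a local domain name.
SAMPLE_HOSTS='127.0.0.1   localhost
127.0.1.1   client01.ad.example.test client01
192.0.2.10  dc.ad.example.test dc'
BAD_HOSTS='127.0.0.1   localhost
127.0.1.1   client01.localdomain client01'

# Demo on the constructed data (on a real client, substitute
#   run_checks "$(hostname -s)" "$AD_DOMAIN" "$(hostname -f)" "$(cat /etc/hosts)"
# with AD_DOMAIN set to the AD domain name).
run_checks client01 ad.example.test client01.ad.example.test "$SAMPLE_HOSTS" \
    || echo "$? check(s) failed"
run_checks client01 ad.example.test client01.localdomain "$BAD_HOSTS" \
    || echo "$? check(s) failed"
```

The second demo call reproduces the situation in the original question (FQDN in the local domain, hosts file not updated) and reports two failures; the first passes both checks. The checks are deliberately string-exact so that a hosts line listing the short name before the FQDN is also flagged, since `hostname -f` then resolves to the short name.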