[Samba] Active Directory dynamic DNS update

Richard Connon richard at connon.me.uk
Tue Dec 17 16:27:02 MST 2013

On 17/12/13 23:02, steve wrote:
> On Tue, 2013-12-17 at 16:31 +0000, Richard Connon wrote:
>> On 17/12/13 12:57, steve wrote:
>>> On Tue, 2013-12-17 at 10:02 +0000, Richard Connon wrote:
>>>> Hi,
>>>> I'm trying to work out an issue with dynamic DNS update when I join my
>>>> samba 3.6 client to my samba 4 AD domain.
>>>> The issue seems to be the client machine attempting to assert its
>>>> "local" domain name in its DNS update rather than using its hostname
>>>> combined with the AD domain name as, for example, windows would.
>>>> Is there a way to tell samba to send dynamic DNS updates for
>>>> <hostname>.<AD domain name> rather than <hostname>.<local domain name>
>>>> Regards,
>>>> Richard
>>> Hi
>>> The only time a DNS update will register is when you first join the
>>> domain. Otherwise, Samba sends no dns update requests. If you want the
>>> clients to update their dns entries as windows clients do, use sssd. It
>>> will update the client as and when it is needed. I think from your
>>> question that it is the join itself which gives a dns error.
>>> The best way to overcome this is to unjoin the client and then simply
>>> put:
>>> hostname.ad-domain-name hostname
>>> I.P.OF.DC dc.ad-domain-name dc
>>> into /etc/hosts
>>> Then fiddle with the other files I mentioned and make sure that:
>>> hostname
>>> returns:
>>> hostname
>>> and that:
>>> hostname -f
>>> returns:
>>> hostname.ad-domain-name
>>> Now join the domain and the dns will register.
>>> HTH
>>> Steve
>> Hi, thanks for the advice, I was going to be looking at sssd for auth 
>> anyway so I'll look into having it do the DNS updates too.
>> I've now changed as you said so that hostname -f returns the AD domain 
>> name and the DNS fails with a new error:
> hostname -f _must_ return hostname.AD-domain-name _not_ just the domain.
> so still wrong. 
>> DNS Update for hostname.ad-domain-name failed: ERROR_DNS_INVALID_MESSAGE
> Hi again
> Nope. Still not right. This error tells us that the DC still does not
> know the hostname of the machine which is trying to join.
>> The samba4 log shows the following:
>> Dec 17 14:53:20 dc named[20868]: samba_dlz: starting transaction on zone 
>> ad-domain-name
>> Dec 17 14:53:20 dc named[20868]: samba_dlz: spnego update failed
>> Dec 17 14:53:20 dc named[20868]: client updating zone 
>> 'ad-domain-name/NONE': update failed: rejected by secure update (REFUSED)
>> Dec 17 14:53:20 dc named[20868]: samba_dlz: cancelling transaction on 
>> zone ad-domain-name
>> Any idea what might be happening now?
> Yes. A previous join has failed. There are stale DNS records which have
> to be removed manually. We proceeded as follows:
> http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html
> Steve

Hi, thanks for your further input. I have looked into your hypothesis
but it doesn't appear to be true.
There are no DNs in the LDB database relating to "hostname"
Issuing "ldbsearch --url=/var/lib/samba/private/sam.ldb | grep hostname"
shows only CN=hostname,CN=Computers,DC=ad,DC=domain,DC=name

Hopefully someone can shed some further light on what's going wrong here.
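A pre-join sanity check scripted from the advice in the quoted thread, added here as an example rather than code from the thread or from Samba: it verifies that `hostname` returns the short name, that `hostname -f` returns `hostname.ad-domain-name` (not just the domain), and that the `/etc/hosts` file maps both names on one line. The domain `ad.example.com`, the host names and the 192.0.2.x addresses used in the checks are constructed for illustration.

```shell
#!/bin/sh
# check_names SHORT FQDN DOMAIN
# Passes only when SHORT has no dots and FQDN is exactly SHORT.DOMAIN,
# which is what the thread says the join needs before DNS registers.
check_names() {
  short="$1"; fqdn="$2"; domain="$3"
  case "$short" in
    *.*) echo "hostname must be the short name, got '$short'" >&2; return 1 ;;
  esac
  if [ "$fqdn" != "$short.$domain" ]; then
    echo "hostname -f returned '$fqdn', expected '$short.$domain'" >&2
    return 1
  fi
  return 0
}

# check_hosts FILE SHORT DOMAIN
# Passes when some non-comment line in FILE (an /etc/hosts-style file)
# lists both SHORT.DOMAIN and SHORT after the same address, e.g.
#   192.0.2.10 client.ad.example.com client
check_hosts() {
  file="$1"; short="$2"; domain="$3"
  awk -v f="$short.$domain" -v s="$short" '
    $1 !~ /^#/ {
      hasf = 0; hass = 0
      for (i = 2; i <= NF; i++) { if ($i == f) hasf = 1; if ($i == s) hass = 1 }
      if (hasf && hass) found = 1
    }
    END { exit found ? 0 : 1 }' "$file"
}

# Live mode: run the checks against this machine before attempting the join.
# Usage: sh prejoin-check.sh --live ad.example.com   (domain is an assumption)
if [ "${1:-}" = "--live" ]; then
  dom="${2:?usage: $0 --live AD-DOMAIN}"
  check_names "$(hostname)" "$(hostname -f)" "$dom" \
    && check_hosts /etc/hosts "$(hostname)" "$dom" \
    && echo "ok: names and /etc/hosts look consistent for $dom"
fi
```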
