[Samba] Active Directory dynamic DNS update

steve steve at steve-ss.com
Wed Dec 18 00:52:27 MST 2013


On Tue, 2013-12-17 at 23:27 +0000, Richard Connon wrote:
> 
> On 17/12/13 23:02, steve wrote:
> > On Tue, 2013-12-17 at 16:31 +0000, Richard Connon wrote:
> >> On 17/12/13 12:57, steve wrote:
> >>> On Tue, 2013-12-17 at 10:02 +0000, Richard Connon wrote:
> >>>> Hi,
> >>>>
> >>>> I'm trying to work out an issue with dynamic DNS update when I join my
> >>>> samba 3.6 client to my samba 4 AD domain.
> >>>>
> >>>> The issue seems to be the client machine attempting to assert its
> >>>> "local" domain name in its DNS update rather than using its hostname
> >>>> combined with the AD domain name as, for example, windows would.
> >>>>
> >>>> Is there a way to tell samba to send dynamic DNS updates for
> >>>> <hostname>.<AD domain name> rather than <hostname>.<local domain name>
> >>>>
> >>>> Regards,
> >>>> Richard
> >>>
> >>> Hi
> >>> The only time a DNS update will register is when you first join the
> >>> domain. Otherwise, Samba sends no dns update requests. If you want the
> >>> clients to update their dns entries as windows clients do, use sssd. It
> >>> will update the client as and when it is needed. I think from your
> >>> question that it is the join itself which gives a dns error.
> >>>
> >>> The best way to overcome this is to unjoin the client and then simply
> >>> put:
> >>> 127.0.0.1 hostname.ad-domain-name hostname
> >>> I.P.OF.DC dc.ad-domain-name dc
> >>> into /etc/hosts
> >>>
> >>> Then fiddle with the other files I mentioned and make sure that:
> >>> hostname
> >>> returns:
> >>> hostname
> >>> and that:
> >>> hostname -f
> >>> returns:
> >>> hostname.ad-domain-name
> >>>
> >>> Now join the domain and the dns will register.
> >>> HTH
> >>> Steve
> >>>
> >>
> >> Hi, thanks for the advice, I was going to be looking at sssd for auth 
> >> anyway so I'll look into having it do the DNS updates too.
> >>
> >> I've now changed as you said so that hostname -f returns the AD domain 
> >> name and the DNS fails with a new error:
> > hostname -f _must_ return hostname.AD-domain-name _not_ just the domain.
> > So still wrong.
> >>
> >> DNS Update for hostname.ad-domain-name failed: ERROR_DNS_INVALID_MESSAGE
> > 
> > Hi again
> > Nope. Still not right. This error tells us that the DC still does not
> > know the hostname of the machine which is trying to join.
> > 
> > 
> > 
> >>
> >> The samba4 log shows the following:
> >>
> >> Dec 17 14:53:20 dc named[20868]: samba_dlz: starting transaction on zone 
> >> ad-domain-name
> >> Dec 17 14:53:20 dc named[20868]: samba_dlz: spnego update failed
> >> Dec 17 14:53:20 dc named[20868]: client 192.0.2.1#60404: updating zone 
> >> 'ad-domain-name/NONE': update failed: rejected by secure update (REFUSED)
> >> Dec 17 14:53:20 dc named[20868]: samba_dlz: cancelling transaction on 
> >> zone ad-domain-name
> >>
> >> Any idea what might be happening now?
> >>
> > 
> > Yes. A previous join has failed. There are stale DNS records which have
> > to be removed manually. We proceeded as follows:
> > 
> > http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html
> > 
> > HTH
> > Steve
> > 
> 
> Hi, thanks for your further input. I have looked into your hypothesis
> but it doesn't appear to be true.
> There are no DNs in the LDB database relating to "hostname"
> Issuing "ldbsearch --url=/var/lib/samba/private/sam.ldb | grep hostname"
> shows only CN=hostname,CN=Computers,DC=ad,DC=domain,DC=name

Exactly! hostname has not registered in DNS. That's exactly your
problem. We now also know that all previous join attempts have failed to
register in DNS. The client is not sending the correct hostname during
the join. The only way we have found to combat that is the solution
which we have already posted. Forget dhcp for now. Further, from what
you have written, your hostname and hostname -f commands are not
returning correctly which in turn leads us to believe that you have not
added the entries to /etc/hosts.
> 
> Hopefully someone can shed some further light on what's going wrong here.

It will still work as you have it. Until dhcp decides otherwise;)

Steve
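As an added example (not from the thread), a small pre-join check that encodes the conditions Steve asks for above: `hostname` returns a single label, `hostname -f` returns hostname.ad-domain-name and not the bare domain, and /etc/hosts carries the matching line. The names client1, ad.example, dc and 192.0.2.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the three things Steve
# asks for before `net ads join`: a single-label short name, an FQDN of
# exactly SHORT.AD_DOMAIN, and a matching /etc/hosts line.

# Return 0 when FQDN is exactly SHORT.DOMAIN and SHORT has no dots.
check_fqdn() {
    short=$1 fqdn=$2 domain=$3
    case $short in
        ''|*.*) return 1 ;;     # e.g. "ad.example" alone is wrong
    esac
    [ "$fqdn" = "$short.$domain" ]
}

# Return 0 when FILE has a line mapping an address to FQDN with SHORT as an
# alias, i.e. "127.0.0.1 hostname.ad-domain-name hostname".
hosts_has_entry() {
    file=$1 fqdn=$2 short=$3
    awk -v f="$fqdn" -v s="$short" '
        /^[[:space:]]*#/ || NF < 2 { next }
        { hf = 0; hs = 0
          for (i = 2; i <= NF; i++) { if ($i == f) hf = 1; if ($i == s) hs = 1 }
          if (hf && hs) { found = 1; exit } }
        END { exit found ? 0 : 1 }' "$file"
}

# Combine both checks; returns 1 for a bad FQDN, 2 for a missing hosts line.
check_join_names() {
    if ! check_fqdn "$1" "$2" "$3"; then
        echo "hostname -f gave '$2', expected '$1.$3'" >&2
        return 1
    fi
    if ! hosts_has_entry "$4" "$2" "$1"; then
        echo "no '$2 $1' line in $4" >&2
        return 2
    fi
    echo "names look right; the join should register $2 in DNS"
}

# Constructed sample hosts file; client1, ad.example and 192.0.2.10 are
# placeholders standing in for the thread's hostname, ad-domain-name and DC.
SAMPLE_HOSTS=$(mktemp)
trap 'rm -f "$SAMPLE_HOSTS"' EXIT
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1 client1.ad.example client1
192.0.2.10 dc.ad.example dc
EOF
check_join_names client1 client1.ad.example ad.example "$SAMPLE_HOSTS"
# On a real client: check_join_names "$(hostname)" "$(hostname -f)" ad.example /etc/hosts
```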



