[Samba] Active Directory dynamic DNS update

Richard Connon richard at connon.me.uk
Wed Dec 18 02:05:53 MST 2013

On 18/12/13 07:52, steve wrote:
> On Tue, 2013-12-17 at 23:27 +0000, Richard Connon wrote:
>> On 17/12/13 23:02, steve wrote:
>>> On Tue, 2013-12-17 at 16:31 +0000, Richard Connon wrote:
>>>> On 17/12/13 12:57, steve wrote:
>>>>> On Tue, 2013-12-17 at 10:02 +0000, Richard Connon wrote:
>>>>>> Hi,
>>>>>> I'm trying to work out an issue with dynamic DNS update when I join my
>>>>>> samba 3.6 client to my samba 4 AD domain.
>>>>>> The issue seems to be the client machine attempting to assert its
>>>>>> "local" domain name in its DNS update rather than using its hostname
>>>>>> combined with the AD domain name as, for example, windows would.
>>>>>> Is there a way to tell samba to send dynamic DNS updates for
>>>>>> <hostname>.<AD domain name> rather than <hostname>.<local domain name>
>>>>>> Regards,
>>>>>> Richard
>>>>> Hi
>>>>> The only time a DNS update will register is when you first join the
>>>>> domain. Otherwise, Samba sends no dns update requests. If you want the
>>>>> clients to update their dns entries as windows clients do, use sssd. It
>>>>> will update the client as and when it is needed. I think from your
>>>>> question that it is the join itself which gives a dns error.
>>>>> The best way to overcome this is to unjoin the client and then simply
>>>>> put:
>>>>> hostname.ad-domain-name hostname
>>>>> I.P.OF.DC dc.ad-domain-name dc
>>>>> into /etc/hosts
>>>>> Then fiddle with the other files I mentioned and make sure that:
>>>>> hostname
>>>>> returns:
>>>>> hostname
>>>>> and that:
>>>>> hostname -f
>>>>> returns:
>>>>> hostname.ad-domain-name
>>>>> Now join the domain and the dns will register.
>>>>> HTH
>>>>> Steve
>>>> Hi, thanks for the advice, I was going to be looking at sssd for auth 
>>>> anyway so I'll look into having it do the DNS updates too.
>>>> I've now changed as you said so that hostname -f returns the AD domain 
>>>> name and the DNS fails with a new error:
>>> hostname -f _must_ return hostname.AD-domain-name _not_ just the domain.
>>> so still wrong. 
>>>> DNS Update for hostname.ad-domain-name failed: ERROR_DNS_INVALID_MESSAGE
>>> Hi again
>>> Nope. Still not right. This error tells us that the DC still does not
>>> know the hostname of the machine which is trying to join.
>>>> The samba4 log shows the following:
>>>> Dec 17 14:53:20 dc named[20868]: samba_dlz: starting transaction on zone ad-domain-name
>>>> Dec 17 14:53:20 dc named[20868]: samba_dlz: spnego update failed
>>>> Dec 17 14:53:20 dc named[20868]: client updating zone 'ad-domain-name/NONE': update failed: rejected by secure update (REFUSED)
>>>> Dec 17 14:53:20 dc named[20868]: samba_dlz: cancelling transaction on zone ad-domain-name
>>>> Any idea what might be happening now?
>>> Yes. A previous join has failed. There are stale DNS records which have
>>> to be removed manually. We proceeded as follows:
>>> http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html
>>> HTH
>>> Steve
>> Hi, thanks for your further input. I have looked into your hypothesis
>> but it doesn't appear to be true.
>> There are no DNs in the LDB database relating to "hostname"
>> Issuing "ldbsearch --url=/var/lib/samba/private/sam.ldb | grep hostname"
>> shows only CN=hostname,CN=Computers,DC=ad,DC=domain,DC=name
> Exactly! hostname has not registered in DNS. That's exactly your
> problem. We now also know that all previous join attempts have failed to
> register in DNS. The client is not sending the correct hostname during
> the join. The only way we have found to combat that is the solution
> which we have already posted. Forget dhcp for now. Further, from what
> you have written, your hostname and hostname -f commands are not
> returning correctly which in turn leads us to believe that you have not
> added the entries to /etc/hosts.

hostname and hostname -f do return correctly.
hostname returns "hostname" and hostname -f returns
"hostname -A" still returns "hostname.local-domain-name" because the
current IP address of the non-loopback interface was not in /etc/hosts.
Adding that causes "hostname -A" to also return
"hostname.ad-domain-name" but does not fix the DNS update issue.

Since the client-side error I'm receiving now does say:
DNS update for hostname.ad-domain-name failed: ERROR_DNS_INVALID_MESSAGE
This suggests to me that it is trying to update the correct name.

Is there any other reason this error could occur?

>> Hopefully someone can shed some further light on what's going wrong here.
> It will still work as you have it. Until dhcp decides otherwise;)
> Steve
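A small pre-join check for the naming conditions Steve describes (plain `hostname` returning the short name, `hostname -f` returning short.AD-domain, and /etc/hosts mapping the client's non-loopback address to that FQDN). This is an added example, not code from the thread; the function names, the domain `ad.example.com` and the address `192.0.2.10` are constructed.

```sh
#!/bin/sh
# Added example: verify the hostname/FQDN/hosts-file state that a Samba
# domain join needs before the DNS update can register the right name.

# check_names SHORT FQDN AD_DOMAIN -> 0 when FQDN is exactly SHORT.AD_DOMAIN
check_names() {
  short=$1; fqdn=$2; ad_domain=$3
  case "$short" in
    *.*) echo "hostname should be the short name, got '$short'" >&2; return 1 ;;
  esac
  if [ "$fqdn" != "$short.$ad_domain" ]; then
    echo "hostname -f returns '$fqdn', expected '$short.$ad_domain'" >&2
    return 1
  fi
  return 0
}

# hosts_has_fqdn HOSTS_FILE IP FQDN -> 0 when a non-comment line maps IP to FQDN
hosts_has_fqdn() {
  hosts_file=$1; ip=$2; fqdn=$3
  awk -v ip="$ip" -v fqdn="$fqdn" '
    /^[[:space:]]*#/ { next }
    $1 == ip { for (i = 2; i <= NF; i++) if ($i == fqdn) found = 1 }
    END { exit (found ? 0 : 1) }' "$hosts_file"
}

# hosts_line IP FQDN -> the "IP FQDN short" line recommended in the thread
hosts_line() {
  ip=$1; fqdn=$2
  printf '%s %s %s\n' "$ip" "$fqdn" "${fqdn%%.*}"
}

# run_checks AD_DOMAIN CLIENT_IP -> run both checks against the live system
# (assumes the caller passes the client's non-loopback address)
run_checks() {
  ad_domain=$1; ip=$2
  short=$(hostname); fqdn=$(hostname -f)
  check_names "$short" "$fqdn" "$ad_domain" || return 1
  if ! hosts_has_fqdn /etc/hosts "$ip" "$fqdn"; then
    echo "missing /etc/hosts entry: $(hosts_line "$ip" "$fqdn")" >&2
    return 1
  fi
  echo "names look consistent for a join to $ad_domain"
}
```

Run `run_checks ad.example.com 192.0.2.10` (with your own domain and address) on the client before `net ads join`; any failure prints the line to add or the name to fix.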
