[Samba] Active Directory dynamic DNS update

Rowland Penny rowlandpenny at googlemail.com
Wed Dec 18 04:28:30 MST 2013

On 18/12/13 09:05, Richard Connon wrote:
> On 18/12/13 07:52, steve wrote:
>> On Tue, 2013-12-17 at 23:27 +0000, Richard Connon wrote:
>>> On 17/12/13 23:02, steve wrote:
>>>> On Tue, 2013-12-17 at 16:31 +0000, Richard Connon wrote:
>>>>> On 17/12/13 12:57, steve wrote:
>>>>>> On Tue, 2013-12-17 at 10:02 +0000, Richard Connon wrote:
>>>>>>> Hi,
>>>>>>> I'm trying to work out an issue with dynamic DNS update when I join my
>>>>>>> samba 3.6 client to my samba 4 AD domain.
>>>>>>> The issue seems to be the client machine attempting to assert its
>>>>>>> "local" domain name in its DNS update rather than using its hostname
>>>>>>> combined with the AD domain name as, for example, windows would.
>>>>>>> Is there a way to tell samba to send dynamic DNS updates for
>>>>>>> <hostname>.<AD domain name> rather than <hostname>.<local domain name>
>>>>>>> Regards,
>>>>>>> Richard
>>>>>> Hi
>>>>>> The only time a DNS update will register is when you first join the
>>>>>> domain. Otherwise, Samba sends no dns update requests. If you want the
>>>>>> clients to update their dns entries as windows clients do, use sssd. It
>>>>>> will update the client as and when it is needed. I think from your
>>>>>> question that it is the join itself which gives a dns error.
>>>>>> The best way to overcome this is to unjoin the client and then simply
>>>>>> put:
>>>>>> hostname.ad-domain-name hostname
>>>>>> I.P.OF.DC dc.ad-domain-name dc
>>>>>> into /etc/hosts
>>>>>> Then fiddle with the other files I mentioned and make sure that:
>>>>>> hostname
>>>>>> returns:
>>>>>> hostname
>>>>>> and that:
>>>>>> hostname -f
>>>>>> returns:
>>>>>> hostname.ad-domain-name
>>>>>> Now join the domain and the dns will register.
>>>>>> HTH
>>>>>> Steve
>>>>> Hi, thanks for the advice, I was going to be looking at sssd for auth
>>>>> anyway so I'll look into having it do the DNS updates too.
>>>>> I've now changed as you said so that hostname -f returns the AD domain
>>>>> name and the DNS fails with a new error:
>>>> hostname -f _must_ return hostname.AD-domain-name _not_ just the domain.
>>>> so still wrong.
>>>>> DNS Update for hostname.ad-domain-name failed: ERROR_DNS_INVALID_MESSAGE
>>>> Hi again
>>>> Nope. Still not right. This error tells us that the DC still does not
>>>> know the hostname of the machine which is trying to join.
>>>>> The samba4 log shows the following:
>>>>> Dec 17 14:53:20 dc named[20868]: samba_dlz: starting transaction on zone
>>>>> ad-domain-name
>>>>> Dec 17 14:53:20 dc named[20868]: samba_dlz: spnego update failed
>>>>> Dec 17 14:53:20 dc named[20868]: client updating zone
>>>>> 'ad-domain-name/NONE': update failed: rejected by secure update (REFUSED)
>>>>> Dec 17 14:53:20 dc named[20868]: samba_dlz: cancelling transaction on
>>>>> zone ad-domain-name
>>>>> Any idea what might be happening now?
>>>> Yes. A previous join has failed. There are stale DNS records which have
>>>> to be removed manually. We proceeded as follows:
>>>> http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html
>>>> HTH
>>>> Steve
>>> Hi, thanks for your further input. I have looked into your hypothesis
>>> but it doesn't appear to be true.
>>> There are no DNs in the LDB database relating to "hostname"
>>> Issuing "ldbsearch --url=/var/lib/samna/private/sam.ldb | grep hostname"
>>> shows only CN=hostname,CN=Computers,DC=ad,DC=domain,DC=name
>> Exactly! hostname has not registered in DNS. That's exactly your
>> problem. We now also know that all previous join attempts have failed to
>> register in DNS. The client is not sending the correct hostname during
>> the join. The only way we have found to combat that is the solution
>> which we have already posted. Forget dhcp for now. Further, from what
>> you have written, your hostname and hostname -f commands are not
>> returning correctly which in turn leads us to believe that you have not
>> added the entries to /etc/hosts.
> hostname and hostname -f do return correctly.
> hostname returns "hostname" and hostname -f returns
> "hostname.ad-domain-name"
> "hostname -A" still returns "hostname.local-domain-name" because the
> current IP address of the non-loopback interface was not in /etc/hosts
> Adding that causes "hostname -A" to also return
> "hostname.ad-domain-name" but does not fix the DNS update issue.
> Since the client-side error I'm receiving now does say:
> DNS update for hostname.ad-domain-name failed: ERROR_DNS_INVALID_MESSAGE
> This suggests to me that it is trying to update the correct name.
> Is there any other reason this error could occur?
>>> Hopefully someone can shed some further light on what's going wrong here.
>> It will still work as you have it. Until dhcp decides otherwise;)
>> Steve
Hi, what does 'ldbsearch --url=/path/to/sam.ldb -b 
"DC=DomainDnsZones,DC=your,DC=realm" "(name=linuxclient)" return?


More information about the samba mailing list