[Samba] dynamic DNS Updates still failing, re-installed 9 more times, tried everything I could think of, now bald.

Giedrius giedrius+samba at su.lt
Sun Jun 2 14:50:02 MDT 2013

2013.06.02 16:16, Andrew Bartlett wrote:
> On Sun, 2013-06-02 at 11:52 +0200, steve wrote:
>> On Sun, 2013-06-02 at 01:46 -0700, Gary Maurizi wrote:
>>> This is a follow up to my previous...
>>> Thomas, I have tried everything else I can think of, I WAS able to get
>>> further debugging information out of samba, winbind, bind9_dlz, and what's
>>> going wrong in this process for us, but I am not a developer I have no way
>>> of knowing if this will be useful to you or anyone but I figure I should
>>> put it out so someday this can get fixed, Thanks:
>> Hi Gary
>> I'm no expert but I have dyndns working on openSUSE with 9.9 both from
>> win7 and Linux clients. Maybe strip your config down to just this, then
>> add the other stuff afterwards if you get it going?
>> 1. Make sure that named is not running chrooted. That was a real gotcha
>> for me: it's default on openSUSE.
> This certainly could be the major issue here.  I can imagine this
> causing no end of drama if folks don't check for it. 
>> 2. for now, chown -R named.named /var/lib/named
> I certainly agree, for now (try and restore a more secure set of
> permissions later, but it is very worthwhile to test and rule out). 
>> 3. Use minimum options /etc/named.conf
>> options {
>> 	directory "/var/lib/named";
>> 	managed-keys-directory "/var/lib/named/dyn";
>> 	notify no;
>> 	tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>> };
>> include  "/usr/local/samba/private/named.conf";
Also add:
         tkey-domain "<KRB5 REALM>";
         tkey-gssapi-credential "<DNS principal>";

BIND9 in openSUSE seems to require this to enable GSSAPI.

Also try hard-linking /usr/local/samba/private/dns.keytab to
Somewhere in the mailing lists there was a report that bind9 is
always using the system default keytab.
If you get errors loading the krb5 principal after specifying
tkey-gssapi-credential, you might need to regenerate the dns.keytab
(changed password?)

>> Good luck.
>> Steve
> Indeed.  We know BIND9 can be a real pain to get right, and that's why
> the internal DNS server effort started.  That also has challenges (due
> to available developer attention), but is an indication of how seriously
> we take this challenge. 
> Andrew Bartlett
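
The checks suggested in this thread, collected into one script as an added example (not code from any poster or from the Samba project). The function names are hypothetical, and the NAMED_RUN_CHROOTED variable is an assumption about openSUSE's sysconfig file that the thread does not state; the keytab check covers the "more secure set of permissions" point by flagging a keytab that other users can access.

```shell
#!/bin/sh
# Added example: audit the BIND9 GSSAPI settings discussed in this thread.
# Function names are hypothetical; option names and paths are from the thread.

# Print the quoted value of option $2 from config file $1, skipping comment lines.
conf_value() {
    grep -Ev '^[[:space:]]*(#|//)' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Report GSSAPI options missing from named.conf ($1); returns 1 on any finding.
check_gssapi_options() {
    rc=0
    keytab=$(conf_value "$1" tkey-gssapi-keytab)
    cred=$(conf_value "$1" tkey-gssapi-credential)
    domain=$(conf_value "$1" tkey-domain)
    if [ -z "$keytab" ] && [ -z "$cred" ]; then
        echo "FAIL: neither tkey-gssapi-keytab nor tkey-gssapi-credential is set"; rc=1
    fi
    if [ -n "$cred" ] && [ -z "$domain" ]; then
        echo "FAIL: tkey-gssapi-credential is set without tkey-domain"; rc=1
    fi
    [ -n "$keytab" ] && echo "INFO: keytab path is $keytab"
    return $rc
}

# Return 0 when keytab $1 exists and grants no access to "other" users.
keytab_not_world_accessible() {
    [ -f "$1" ] || { echo "FAIL: $1 not found"; return 1; }
    other=$(ls -ld "$1" | cut -c8-10)   # characters 8-10 are the "other" bits
    [ "$other" = "---" ] && return 0
    echo "FAIL: $1 is accessible to other users ($other)"; return 1
}

# Return 0 when sysconfig file $1 does not enable the chroot (assumed variable name).
named_not_chrooted() {
    grep -Eq '^[[:space:]]*NAMED_RUN_CHROOTED="?yes"?' "$1" 2>/dev/null || return 0
    echo "FAIL: named runs chrooted"; return 1
}

# Constructed sample: part of the minimal options block from the thread.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
options {
	tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
EOF
check_gssapi_options "$demo_conf" || true
rm -f "$demo_conf"
```

On a real host the functions would be pointed at /etc/named.conf, the keytab path it names, and (assumed) /etc/sysconfig/named.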
