[Samba] dynamic DNS Updates still failing, re-installed 9 more times, tried everything I could think of, now bald.

steve steve at steve-ss.com
Sun Jun 2 16:05:40 MDT 2013

On Sun, 2013-06-02 at 23:50 +0300, Giedrius wrote:
> 2013.06.02 16:16, Andrew Bartlett wrote:
> > On Sun, 2013-06-02 at 11:52 +0200, steve wrote:
> >> On Sun, 2013-06-02 at 01:46 -0700, Gary Maurizi wrote:
> >>> This is a follow up to my previous...
> >>>
> >>> Thomas, I have tried everything else I can think of, I WAS able to get
> >>> further debugging information out of samba, winbind, bind9_dlz, and what's
> >>> going wrong in this process for us, but I am not a developer I have no way
> >>> of knowing if this will be useful to you or anyone but I figure I should
> >>> put it out so someday this can get fixed, Thanks:
> >>
> >> Hi Gary
> >> I'm no expert but I have dyndns working on openSUSE with 9.9 both from
> >> win7 and Linux clients. Maybe strip your config down to just this, then
> >> add the other stuff afterwards if you get it going?
> >>
> >> 1. Make sure that named is not running chrooted. That was a real gotcha
> >> for me: it's default on openSUSE.
> > This certainly could be the major issue here.  I can imagine this
> > causing no end of drama if folks don't check for it. 
> >
> >> 2. for now, chown -R named.named /var/lib/named
> > I certainly agree, for now (try and restore a more secure set of
> > permissions later, but it is very worthwhile to test and rule out). 
> >
> >> 3. Use minimum options /etc/named.conf
> >>
> >> options {
> >> 	directory "/var/lib/named";
> >> 	managed-keys-directory "/var/lib/named/dyn";
> >> 	notify no;
> >> 	tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> >> };
> >> include  "/usr/local/samba/private/named.conf";
> Also add:
>          tkey-domain "<KRB5 REALM>";
>          tkey-gssapi-credential "<DNS principal>";
> BIND9 in openSUSE seems to require this to enable GSSAPI.
> Also try hard-linking /usr/local/samba/private/dns.keytab to
> /etc/krb5.keytab....
> Somewhere in the mailing lists there was a report bind9 is
> always using system default keytab.
> If you get errors loading krb5 principal after specifying
> tkey-gssapi-credential, you might need to regenerate the dns.keytab
> (changed password?)

openSUSE 12.3
This is the first time in many years where the SUSE/openSUSE bind has
_almost_ worked out of the box. They will not entertain non chrooted

I've tested it. It's OK without tkey-domain or tkey-gssapi-credential.

I am trying to present as minimal a setup for the OP. I think in
situations such as these, it is important to get bind working choose
what. For that we must cut it down to an absolute minimal install with
security settings wide open. Once it's working, then we can. . .

I think that DNS is still our weakest link and I'm really pleased to see
the devs looking through the end user list occasionally. Until the
internal DNS is ready, we're stuck with bind. Let's try and make it as
painless as possible for ourselves.
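
The checks discussed in this thread (chrooted named, the keytab named in `tkey-gssapi-keytab`, and tightening permissions again once updates work) can be scripted. The following is an added example, not part of the original post or of Samba or BIND; the function names are hypothetical, it assumes GNU `stat`, and it relies on `-t` being named's chroot option.

```shell
#!/bin/sh
# Added example: pre-flight checks for a BIND9 + Samba dynamic DNS setup.
# Run it as the user named runs as, so the readability test is meaningful.

# is_chrooted "<named command line>": succeeds if named was started with -t.
is_chrooted() {
    case " $1 " in
        *" -t "*) return 0 ;;
    esac
    return 1
}

# keytab_path <named.conf>: print the first uncommented tkey-gssapi-keytab path.
keytab_path() {
    sed -n 's/^[[:space:]]*tkey-gssapi-keytab[[:space:]]*"\([^"]*\)"[[:space:]]*;.*$/\1/p' "$1" | head -n 1
}

# keytab_status <path>: print missing, unreadable, world-readable or ok.
keytab_status() {
    [ -e "$1" ] || { echo missing; return; }
    [ -r "$1" ] || { echo unreadable; return; }
    mode=$(stat -c '%a' "$1")            # octal permission bits, e.g. 600
    if [ $((0$mode & 4)) -ne 0 ]; then   # "other" read bit set
        echo world-readable              # fine while testing, tighten later
    else
        echo ok
    fi
}

# check_named "<named command line>" <named.conf>: print a short report.
check_named() {
    if is_chrooted "$1"; then
        echo "named is running chrooted (-t)"
    fi
    kt=$(keytab_path "$2")
    [ -n "$kt" ] || { echo "no tkey-gssapi-keytab in $2"; return 1; }
    echo "keytab $kt: $(keytab_status "$kt")"
}

# Typical call on a live system (procps ps):
#   check_named "$(ps -o args= -C named)" /etc/named.conf
```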

