[Samba] dynamic DNS Updates still failing, re-installed 9 more times, tried everything I could think of, now bald.
Andrew Bartlett
abartlet at samba.org
Sun Jun 2 16:14:00 MDT 2013
On Sun, 2013-06-02 at 23:50 +0300, Giedrius wrote:
> 2013.06.02 16:16, Andrew Bartlett wrote:
> > On Sun, 2013-06-02 at 11:52 +0200, steve wrote:
> >> On Sun, 2013-06-02 at 01:46 -0700, Gary Maurizi wrote:
> >>> This is a follow up to my previous...
> >>>
> >>> Thomas, I have tried everything else I can think of, I WAS able to get
> >>> further debugging information out of samba, winbind, bind9_dlz, and what's
> >>> going wrong in this process for us, but I am not a developer I have no way
> >>> of knowing if this will be useful to you or anyone but I figure I should
> >>> put it out so someday this can get fixed, Thanks:
> >>
> >> Hi Gary
> >> I'm no expert but I have dyndns working on openSUSE with 9.9 both from
> >> win7 and Linux clients. Maybe strip your config down to just this, then
> >> add the other stuff afterwards if you get it going?
> >>
> >> 1. Make sure that named is not running chrooted. That was a real gotcha
> >> for me: it's default on openSUSE.
> > This certainly could be the major issue here. I can imagine this
> > causing no end of drama if folks don't check for it.
> >
> >> 2. for now, chown -R named.named /var/lib/named
> > I certainly agree, for now (try and restore a more secure set of
> > permissions later, but it is very worthwhile to test and rule out).
> >
> >> 3. Use minimum options /etc/named.conf
> >>
> >> options {
> >>     directory "/var/lib/named";
> >>     managed-keys-directory "/var/lib/named/dyn";
> >>     notify no;
> >>     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> >> };
> >> include "/usr/local/samba/private/named.conf";
> Also add:
> tkey-domain "<KRB5 REALM>";
> tkey-gssapi-credential "<DNS principal>";
>
> BIND9 in openSUSE seems to require this to enable GSSAPI

If that's required, then I think you have an older version of bind that
is known to be incredibly painful to configure for GSS-TSIG.

> Also try hard-linking /usr/local/samba/private/dns.keytab to
> /etc/krb5.keytab....

I really wouldn't do that.

> Somewhere in the mailing lists there was a report bind9 is
> always using system default keytab
> If you get errors loading krb5 principal after specifying
> tkey-gssapi-credential, you might need to regenerate the dns.keytab
> (changed password ?)

Which version is this?

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
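
A shell audit of the points raised in this thread (named started chrooted, the keytab named by tkey-gssapi-keytab, and that keytab being the same file as /etc/krb5.keytab), added here as an example and not part of the original message or of Samba. The function names are hypothetical, and the `ps -o args= -C named` hint assumes Linux procps.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print the first quoted value of a named.conf option.
conf_value() {  # $1 = option name, $2 = path to named.conf
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" |
        head -n 1
}

# True when the named command line carries -t (chroot directory).
is_chrooted() {  # $1 = command line, e.g. "$(ps -o args= -C named)"
    case " $1 " in *" -t "*) return 0 ;; *) return 1 ;; esac
}

# Print findings; return 0 when there are no warnings, 1 otherwise.
audit_named() {  # $1 = named.conf, $2 = system keytab, $3 = named command line
    conf=$1; syskt=${2:-/etc/krb5.keytab}; args=$3; warnings=0
    kt=$(conf_value tkey-gssapi-keytab "$conf")
    if [ -z "$kt" ]; then
        echo "WARN: no tkey-gssapi-keytab in $conf"; warnings=1
    elif [ ! -r "$kt" ]; then
        # Run as the account named uses, otherwise this result is misleading.
        echo "WARN: $kt is not readable by $(id -un)"; warnings=1
    elif [ "$kt" -ef "$syskt" ]; then
        # -ef is true for a hard link (same device and inode) or a symlink.
        echo "WARN: $kt is the same file as $syskt"; warnings=1
    fi
    if [ -n "$(conf_value tkey-gssapi-credential "$conf")" ]; then
        echo "NOTE: tkey-gssapi-credential is set explicitly"
    fi
    if is_chrooted "$args"; then
        echo "WARN: named is started with -t (chroot)"; warnings=1
    fi
    [ "$warnings" -eq 0 ]
}
```

Call it as `audit_named /etc/named.conf /etc/krb5.keytab "$(ps -o args= -C named)"` from the account named runs under, so the readability check reflects what named itself can open.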