[Samba] dynamic DNS Updates still failing, re-installed 9 more times, tried everything I could think of, now bald.

Andrew Bartlett abartlet at samba.org
Sun Jun 2 16:16:58 MDT 2013


On Mon, 2013-06-03 at 00:05 +0200, steve wrote:
> On Sun, 2013-06-02 at 23:50 +0300, Giedrius wrote:
> > 2013.06.02 16:16, Andrew Bartlett rašė:
> > > On Sun, 2013-06-02 at 11:52 +0200, steve wrote:
> > >> On Sun, 2013-06-02 at 01:46 -0700, Gary Maurizi wrote:
> > >>> This is a follow up to my previous...
> > >>>
> > >>> Thomas, I have tried everything else I can think of. I WAS able to get
> > >>> further debugging information out of samba, winbind, bind9_dlz, and what's
> > >>> going wrong in this process for us, but I am not a developer, so I have no way
> > >>> of knowing if this will be useful to you or anyone, but I figure I should
> > >>> put it out so someday this can get fixed. Thanks:
> > >>
> > >> Hi Gary
> > >> I'm no expert but I have dyndns working on openSUSE with 9.9 both from
> > >> win7 and Linux clients. Maybe strip your config down to just this, then
> > >> add the other stuff afterwards if you get it going?
> > >>
> > >> 1. Make sure that named is not running chrooted. That was a real gotcha
> > >> for me: it's default on openSUSE.
> > > This certainly could be the major issue here.  I can imagine this
> > > causing no end of drama if folks don't check for it. 
> > >
> > >> 2. for now, chown -R named.named /var/lib/named
> > > I certainly agree, for now (try and restore a more secure set of
> > > permissions later, but it is very worthwhile to test and rule out). 
> > >
> > >> 3. Use minimum options /etc/named.conf
> > >>
> > >> options {
> > >> 	directory "/var/lib/named";
> > >> 	managed-keys-directory "/var/lib/named/dyn";
> > >> 	notify no;
> > >> 	tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> > >> };
> > >> include  "/usr/local/samba/private/named.conf";
> > Also add:
> >          tkey-domain "<KRB5 REALM>";
> >          tkey-gssapi-credential "<DNS principal>";
> > 
> > BIND9 in openSUSE seems to require this to enable GSSAPI.
> > 
> > Also try hard-linking /usr/local/samba/private/dns.keytab to
> > /etc/krb5.keytab...
> > Somewhere in the mailing lists there was a report that bind9
> > always uses the system default keytab.
> > If you get errors loading the krb5 principal after specifying
> > tkey-gssapi-credential, you might need to regenerate the dns.keytab
> > (changed password?)
> 
> Hi
> openSUSE 12.3
> This is the first time in many years where the SUSE/openSUSE bind has
> _almost_ worked out of the box. They will not entertain non-chrooted
> installs.

This is somehow totally disabled?

> I've tested it. It's OK without tkey-domain nor tkey-gssapi-credential

Good.

> I am trying to present as minimal a setup as possible for the OP. I think in
> situations such as these, it is important to get bind working, choose what.
> For that we must cut it down to an absolute minimal install with
> security settings wide open. Once it's working, then we can...
> 
> I think that DNS is still our weakest link and I'm really pleased to see
> the devs looking through the end user list occasionally. Until the
> internal DNS is ready, we're stuck with bind. Let's try and make it as
> painless as possible for ourselves.

The only way we can really improve it (as far as I'm currently aware) is
to take the bind binary, and launch it with a custom config file inside
'samba' like we do smbd, pointing only at our DNS zone, and with chroot
etc. disabled.

That should, in theory, get us most of the control we get with the
internal server.  Someone needs to write the patches however, and it
would mean we gain yet another DNS mode (which may be more trouble than
it's worth - I don't know). 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
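The checks the thread converges on (named must not be chrooted, the keytab must be readable by the named user, named.conf must declare tkey-gssapi-keytab and include samba's generated fragment, then prove the update path with a real GSS-TSIG update) can be scripted. The following is an added example for this thread, not code from Samba, BIND or any of the posters; it assumes the paths used in the thread (/usr/local/samba/private/dns.keytab, /etc/named.conf, named running as user "named"), all of which can be overridden through the environment. Run it on the DC as `sh check_dyndns.sh check`; `live_update` needs a Kerberos ticket first (`kinit` as a domain user) and the nsupdate and dig tools on PATH.

```shell
#!/bin/sh
# Pre-flight checks for GSS-TSIG dynamic DNS updates against BIND9 + Samba DLZ,
# following the thread's checklist. Added example, not Samba or BIND code.
# Defaults below are the paths used in the thread; override via environment.
KEYTAB="${KEYTAB:-/usr/local/samba/private/dns.keytab}"
NAMED_CONF="${NAMED_CONF:-/etc/named.conf}"
SAMBA_NAMED_CONF="${SAMBA_NAMED_CONF:-/usr/local/samba/private/named.conf}"
NAMED_USER="${NAMED_USER:-named}"

# 1. Chroot check. BIND runs chrooted when started with "-t <dir>"; inside the
#    chroot the keytab and the DLZ module are not at the absolute paths samba
#    wrote into its named.conf. Argument: named's command line as shown by ps.
#    Returns 0 (true) if a chroot is in effect.
named_is_chrooted() {
    case " $1 " in
        *" -t "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# 2. named.conf check: tkey-gssapi-keytab must be declared and samba's generated
#    fragment ($2) included. Prints the missing items, or nothing if complete.
named_conf_missing() {
    missing=""
    grep -q 'tkey-gssapi-keytab' "$1" 2>/dev/null || missing="$missing tkey-gssapi-keytab"
    grep -qF "$2" "$1" 2>/dev/null || missing="$missing include:$2"
    printf '%s' "${missing# }"
}

# 3. Keytab check: the file must exist, be owned by the user named runs as
#    (the thread's chown step), and not be readable by everyone, since it holds
#    the DNS service principal's long-term keys. Prints one status word.
keytab_status() {
    kt="$1"; want_owner="$2"
    [ -f "$kt" ] || { printf 'missing'; return 0; }
    listing=$(ls -ld "$kt")
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    other_read=$(printf '%s\n' "$listing" | cut -c8)   # 8th char = "other" read bit
    if [ "$owner" != "$want_owner" ]; then
        printf 'wrong-owner:%s' "$owner"
    elif [ "$other_read" = "r" ]; then
        printf 'world-readable'
    else
        printf 'ok'
    fi
}

# 4. End-to-end test: with a Kerberos ticket already obtained via kinit, send
#    one GSS-TSIG update with nsupdate -g (the same mechanism a Windows client
#    uses) and read the record back. Arguments: DC hostname, zone, record
#    name, address. Needs nsupdate and dig on PATH.
live_update() {
    dc="$1"; zone="$2"; name="$3"; addr="$4"
    printf 'server %s\nzone %s\nupdate add %s.%s 3600 A %s\nsend\n' \
        "$dc" "$zone" "$name" "$zone" "$addr" | nsupdate -g -d
    dig @"$dc" "$name.$zone" A +short
}

main() {
    cmdline=$(ps -o args= -C named 2>/dev/null | head -n 1)
    if [ -z "$cmdline" ]; then
        echo "named: not running"
    elif named_is_chrooted "$cmdline"; then
        echo "named: FAIL, chrooted: $cmdline"
    else
        echo "named: ok, not chrooted"
    fi
    missing=$(named_conf_missing "$NAMED_CONF" "$SAMBA_NAMED_CONF")
    if [ -z "$missing" ]; then
        echo "$NAMED_CONF: ok"
    else
        echo "$NAMED_CONF: FAIL, missing $missing"
    fi
    echo "$KEYTAB: $(keytab_status "$KEYTAB" "$NAMED_USER")"
}

# Run the checks only when invoked as "sh check_dyndns.sh check", so the file
# can also be sourced to call the functions (e.g. live_update) individually.
if [ "${1:-}" = "check" ]; then
    main
fi
```

The keytab check deliberately treats world-readable as a failure even though the thread's "chown -R named.named" step is about getting it working first: once updates succeed, tighten the file back to owner-only read, because anyone who can read dns.keytab holds the DNS service principal's keys. The `-t` test in `named_is_chrooted` only looks at the command line; on distributions that enable the chroot through an init script variable rather than a visible flag, check the service's configuration as well.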
