[Samba] dynamic DNS Updates still failing, re-installed 9 more times, tried everything I could think of, now bald.

Giedrius giedrius+samba at su.lt
Sun Jun 2 23:21:55 MDT 2013


2013.06.03 01:14, Andrew Bartlett wrote:
> On Sun, 2013-06-02 at 23:50 +0300, Giedrius wrote:
>> 2013.06.02 16:16, Andrew Bartlett wrote:
>>> On Sun, 2013-06-02 at 11:52 +0200, steve wrote:
>>>> On Sun, 2013-06-02 at 01:46 -0700, Gary Maurizi wrote:
>>>>> This is a follow up to my previous...
>>>>>
>>>>> Thomas, I have tried everything else I can think of. I WAS able to get
>>>>> further debugging information out of samba, winbind, bind9_dlz, and what's
>>>>> going wrong in this process for us, but I am not a developer; I have no way
>>>>> of knowing if this will be useful to you or anyone, but I figure I should
>>>>> put it out so someday this can get fixed. Thanks:
>>>> Hi Gary
>>>> I'm no expert but I have dyndns working on openSUSE with 9.9 both from
>>>> win7 and Linux clients. Maybe strip your config down to just this, then
>>>> add the other stuff afterwards if you get it going?
>>>>
>>>> 1. Make sure that named is not running chrooted. That was a real gotcha
>>>> for me: it's default on openSUSE.
>>> This certainly could be the major issue here.  I can imagine this
>>> causing no end of drama if folks don't check for it. 
>>>
>>>> 2. for now, chown -R named.named /var/lib/named
>>> I certainly agree, for now (try and restore a more secure set of
>>> permissions later, but it is very worthwhile to test and rule out). 
>>>
>>>> 3. Use minimum options /etc/named.conf
>>>>
>>>> options {
>>>> 	directory "/var/lib/named";
>>>> 	managed-keys-directory "/var/lib/named/dyn";
>>>> 	notify no;
>>>> 	tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>>>> };
>>>> include  "/usr/local/samba/private/named.conf";
>> Also add:
>>          tkey-domain "<KRB5 REALM>";
>>          tkey-gssapi-credential "<DNS principal>";
>>
>> BIND9 in openSUSE seems to require this to enable GSSAPI.
> If that's required, then I think you have an older version of bind that
> is known to be incredibly painful to configure for GSS-TSIG. 
>
>> Also try hard-linking /usr/local/samba/private/dns.keytab to
>> /etc/krb5.keytab...
> I really wouldn't do that. 
>
>> Somewhere in the mailing lists there was a report that bind9 is
>> always using the system default keytab.
>> If you get errors loading the krb5 principal after specifying
>> tkey-gssapi-credential, you might need to regenerate the dns.keytab
>> (changed password?)
> Which version is this?
BIND 9.9.2-P2
Without /etc/krb5.keytab the following error is seen in the syslog:
    named[27908]: configuring TKEY: failure
    named[27908]: reloading configuration failed: failure
Did not check if this is due to some limitation or if there are any
implicit environment variables.

Without a principal specifying DNS/<domain realm>, DNS updates are
rejected... this might be the leftovers from earlier:
    DNS conversion INTERNAL->DLZ->FLATFILE or transfer to other DC:
    dns-<old_dc_name> user in DB and principal with old FQDN.
    Had to regenerate dns.keytab for it to even work.

[OT] is it even possible to change the SOA in samba???
    FSMO was transferred to the other DC with the seize success-error bug,
but the SOA as of /samba-tool dns query/ still points to <old>.<realm>
>
> Andrew Bartlett
>
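The thread narrows the failure down to a handful of pre-conditions: named not running chrooted, the keytab readable by the named service user, the tkey options present in named.conf, the Samba-generated zone config included, and (on the reporter's BIND 9.9.2-P2) tkey-domain / tkey-gssapi-credential set. The script below is an added example, not code from the thread or from Samba or BIND: it checks those conditions against a named.conf and then, optionally, performs a throwaway GSS-TSIG update with nsupdate -g. The function names, the `_dyndns-probe` record name and the "named" service user default are my own choices; the paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight checks for BIND9 + Samba
# GSS-TSIG dynamic updates. Helper names and the probe record are my own.

# Print the value of a named.conf option (first match), stripped of quotes and ';'.
# Usage: named_opt <named.conf> <option>
named_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\{0,1\}\([^\";]*\)\"\{0,1\}[[:space:]]*;.*/\1/p" "$1" | head -n 1
}

# Verify the options the thread's minimal config relies on are present.
check_named_conf() {
    conf="$1"; rc=0
    for opt in directory tkey-gssapi-keytab; do
        val=$(named_opt "$conf" "$opt")
        if [ -z "$val" ]; then
            echo "MISSING: $opt"; rc=1
        else
            echo "OK: $opt = $val"
        fi
    done
    # Older BIND9 (per the thread, 9.9.2-P2) also wants these two to enable GSSAPI.
    for opt in tkey-domain tkey-gssapi-credential; do
        [ -n "$(named_opt "$conf" "$opt")" ] || echo "NOTE: $opt not set (older BIND9 needs it for GSS-TSIG)"
    done
    # The Samba-generated zone configuration must be included.
    if ! grep -q '^[[:space:]]*include[[:space:]]*".*samba/private/named\.conf"' "$conf"; then
        echo "MISSING: include of samba's named.conf"; rc=1
    fi
    return $rc
}

# The keytab must be a regular file the named service user can read.
# Usage: check_keytab <keytab> [service-user]   (service user defaults to "named")
check_keytab() {
    kt="$1"; svc="${2:-named}"
    [ -f "$kt" ] || { echo "MISSING: keytab $kt"; return 1; }
    owner=$(ls -ld "$kt" | awk '{print $3}')
    mode=$(ls -ld "$kt" | cut -c1-10)
    echo "keytab $kt: owner=$owner mode=$mode"
    # Readable if owned by the service user or world-readable (8th mode char is 'r').
    if [ "$owner" = "$svc" ] || [ "$(echo "$mode" | cut -c8)" = "r" ]; then
        return 0
    fi
    echo "WARNING: $kt is not readable by $svc"; return 1
}

# Linux-only: a chrooted named cannot see /usr/local/samba/private (gotcha 1 in the thread).
check_chroot() {
    pid=$(pgrep -x named 2>/dev/null | head -n 1)
    [ -n "$pid" ] || { echo "named is not running"; return 0; }
    root=$(readlink "/proc/$pid/root")
    if [ "$root" != "/" ]; then
        echo "WARNING: named is chrooted at $root; keytab and include paths must exist inside it"; return 1
    fi
    echo "OK: named is not chrooted"
}

# End-to-end probe: add and then delete a throwaway TXT record over GSS-TSIG.
# Requires a Kerberos ticket (kinit) for an account allowed to update the zone.
probe_gss_update() {
    zone="$1"; server="$2"; rr="_dyndns-probe.$zone"   # record name is a constructed choice
    command -v nsupdate >/dev/null 2>&1 || { echo "nsupdate not installed"; return 2; }
    printf 'server %s\nzone %s\nupdate add %s 60 TXT "probe"\nsend\nupdate delete %s TXT\nsend\n' \
        "$server" "$zone" "$rr" "$rr" | nsupdate -g
}

# Run everything when invoked with a config path:
#   sh check_dyndns.sh /etc/named.conf [zone dc-hostname]
if [ "$#" -ge 1 ]; then
    check_named_conf "$1"
    kt=$(named_opt "$1" tkey-gssapi-keytab)
    [ -n "$kt" ] && check_keytab "$kt"
    check_chroot
    [ "$#" -ge 3 ] && probe_gss_update "$2" "$3"
fi
```

The keytab check accepts either ownership by the service user or a world-readable mode, which is what the `chown -R named.named` step from the thread produces; as Andrew notes, that is a diagnostic state to restore from later, since a world-readable or named-owned keytab lets anyone who can read it impersonate the DNS principal. Run `probe_gss_update` only after the static checks pass, so a failure there points at Kerberos (missing ticket, stale principal, regenerated dns.keytab) rather than at file layout.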
