[Samba] Samba 4.1 acting as RODC, how to fix TSIG and configure DNS?

Michael Brown michael at netdirect.ca
Mon Nov 18 11:57:31 MST 2013


I've set up a lab for testing Samba 4.1 as an RODC emulating a satellite 
office setup, using the sernet packages on SLES11SP2.

## Problem 1
samba_dnsupdate is failing:
==> /var/log/samba/log.samba <==
[2013/11/18 13:22:37.416193, 0] 
../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
[2013/11/18 13:22:37.416396, 0] 
../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
/usr/sbin/samba_dnsupdate: update failed: REFUSED

Complete output from samba_dnsupdate --verbose --all-names is here:
http://paste.ubuntu.com/6438840/

...
Calling nsupdate for A sles-bree.main.adlab.netdirect.ca 10.0.2.11
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
sles-bree.main.adlab.netdirect.ca. 900 IN A 10.0.2.11

Calling nsupdate for A gc._msdcs.main.adlab.netdirect.ca 10.0.2.11
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.main.adlab.netdirect.ca. 900 IN A 10.0.2.11

; TSIG error with server: tsig verify failure
update failed: REFUSED
Failed nsupdate: 2

I have no idea what to do to fix this. No apparmor complaints, the time 
is correct, not sure where to go next.

What should I do?

## Problem 2
The Samba server will also need to provide DHCP and DNS service for the 
local network.

It looks like the internal DNS server doesn't do any caching or 
recursion so I'm pondering about how to best (read: simplest that works) 
configure the environment.

(I saw this note: "# If recursive queries = yes is set, the following is 
also needed" but that option doesn't yet exist in samba: 'Unknown 
parameter encountered: "recursive queries"')

What I'm thinking is:
* configure samba4 to use the usual internal DNS server
* set up bind:
  * have it listen on a secondary IP
  * forward requests for anything under my root AD dns domain to samba
  * forward requests for reverse zones in AD to samba
  * recurse normally for other domains
* advantage: caching

or:

* configure samba4 to use the usual internal DNS server
* set up bind:
  * have it listen on a secondary IP
* set in smb.conf: dns forwarder = <bind ip address>

Does one of these make more sense than the other? What are people doing?

M.

-- 
Michael Brown               | `One of the main causes of the fall of
Systems Consultant          | the Roman Empire was that, lacking zero,
Net Direct Inc.             | they had no way to indicate successful
☎: +1 519 883 1172 x5106    | termination of their C programs.' - Firth
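The first layout described in the post, as an added example that is not part of the original message or of the Samba project: a minimal BIND 9 named.conf that listens on a secondary address, forwards the AD forward and reverse zones to the Samba internal DNS and recurses (with caching) for everything else. The secondary address 10.0.2.12, the working directory and the 10.0.2.0/24 reverse zone are assumptions; 10.0.2.11 is the RODC address visible in the update log above.

```conf
// Added example, not from the original post. Assumptions: BIND listens on
// the secondary address 10.0.2.12, the Samba internal DNS on the RODC
// (sles-bree) answers on 10.0.2.11, and the AD subnet is 10.0.2.0/24.
options {
    directory "/var/lib/named";              // assumption: SLES default
    listen-on { 10.0.2.12; };                // secondary IP only, leave 53 on
    listen-on-v6 { none; };                  // 10.0.2.11 to Samba
    recursion yes;                           // normal recursion + cache for
    allow-query     { 10.0.2.0/24; localhost; };   // everything not forwarded
    allow-recursion { 10.0.2.0/24; localhost; };   // LAN clients only, never
};                                                 // an open resolver

// Anything under the AD domain is answered by Samba; "forward only"
// stops BIND from trying the public root servers if Samba is down,
// which would otherwise leak internal names outside.
zone "main.adlab.netdirect.ca" {
    type forward;
    forward only;
    forwarders { 10.0.2.11; };
};

// AD reverse zone (assumes 10.0.2.0/24 and that Samba hosts this zone).
zone "2.0.10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.0.2.11; };
};
```

With clients pointed at 10.0.2.12, `dig @10.0.2.12 sles-bree.main.adlab.netdirect.ca` should return the 10.0.2.11 record from Samba, while a query for an external name is resolved and cached by BIND itself.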
