[Samba] Samba 4.1 acting as RODC, how to fix TSIG and configure DNS?

Rowland Penny rowlandpenny at googlemail.com
Mon Nov 18 12:05:25 MST 2013


On 18/11/13 18:57, Michael Brown wrote:
> I've set up a lab for testing Samba 4.1 as an RODC emulating a 
> satellite office setup, using the sernet packages on SLES11SP2.
>
> ## Problem 1
> samba_dnsupdate is failing:
> ==> /var/log/samba/log.samba <==
> [2013/11/18 13:22:37.416193, 0] 
> ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
> /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
> [2013/11/18 13:22:37.416396, 0] 
> ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
> /usr/sbin/samba_dnsupdate: update failed: REFUSED
>
> Complete output from samba_dnsupdate --verbose --all-names is here:
> http://paste.ubuntu.com/6438840/
>
> ...
> Calling nsupdate for A sles-bree.main.adlab.netdirect.ca 10.0.2.11
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> sles-bree.main.adlab.netdirect.ca. 900 IN A 10.0.2.11
>
> Calling nsupdate for A gc._msdcs.main.adlab.netdirect.ca 10.0.2.11
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> gc._msdcs.main.adlab.netdirect.ca. 900 IN A 10.0.2.11
>
> ; TSIG error with server: tsig verify failure
> update failed: REFUSED
> Failed nsupdate: 2
>
> I have no idea what to do to fix this. No apparmor complaints, the 
> time is correct, not sure where to go next.
>
> What should I do?
>
> ## Problem 2
> The Samba server will also need to provide DHCP and DNS service for 
> the local network.
>
> It looks like the internal DNS server doesn't do any caching or 
> recursion so I'm pondering about how to best (read: simplest that 
> works) configure the environment.
>
> (I saw this note: "# If recursive queries = yes is set, the following 
> is also needed" but that option doesn't yet exist in samba: 'Unknown 
> parameter encountered: "recursive queries"')
>
> What I'm thinking is:
> * configure samba4 to use the usual internal DNS server
> * set up bind:
>   * have it listen on a secondary IP
>   * forward requests for anything under my root AD dns domain to samba
>   * forward requests for reverse zones in AD to samba
>   * recurse normally for other domains
>   * advantage: caching
>
> or:
>
> * configure samba4 to use the usual internal DNS server
> * set up bind:
>   * have it listen on a secondary IP
> * set in smb.conf: dns forwarder = <bind ip address>
>
> Does one of these make more sense than the other? What are people doing?
>
> M.
>
Hi, if you are going to set up bind, you might as well use it instead of 
the internal dns and you can then set up dhcp to work with it.

Rowland
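For readers weighing Michael's first option (BIND as a caching resolver on a secondary IP, forwarding only the AD zones to Samba's internal DNS), here is a named.conf fragment for that layout. It is an added illustration, not configuration posted by either participant; it assumes BIND on the secondary address 10.0.2.12, Samba's internal DNS on 10.0.2.11 (the RODC address seen in the nsupdate output above), and 2.0.10.in-addr.arpa as the AD reverse zone for the 10.0.2.0/24 lab network, none of which the thread states.

```conf
// named.conf fragment (added example, not from the thread).
// Assumed addresses: BIND on 10.0.2.12, Samba internal DNS on 10.0.2.11.
options {
    // Listen only on the secondary IP so BIND and Samba's DNS do not
    // fight over port 53 on the same host.
    listen-on { 10.0.2.12; };
    listen-on-v6 { none; };

    // Cache and recurse for the local network only; an AD-side resolver
    // that recurses for the whole world is an open resolver.
    recursion yes;
    allow-query { localnets; };
    allow-recursion { localnets; };
};

// Everything under the AD DNS domain is Samba's. "forward only" means
// BIND never tries to resolve these names itself via the root servers.
// The _msdcs records (gc._msdcs.main.adlab.netdirect.ca in the log) sit
// under this name, so one forward zone covers them too.
zone "main.adlab.netdirect.ca" {
    type forward;
    forward only;
    forwarders { 10.0.2.11; };
};

// The AD reverse zone (assumed name for 10.0.2.0/24) goes to Samba as well,
// so PTR lookups for domain members come from the AD-managed zone.
zone "2.0.10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.0.2.11; };
};

// Anything else falls through to normal recursion and gets cached.
```

For this to work, Samba's internal DNS must be pinned to the primary address with `interfaces = 10.0.2.11` and `bind interfaces only = yes` in smb.conf, and DHCP should hand out 10.0.2.12 (the BIND address) as the clients' resolver.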

