[Samba] DNS frustration

Scott Goodwin scott at mimicsimulation.com
Wed Oct 9 14:44:18 MDT 2013


Ah, by golly, I think that may do it! I hadn't found that url yet, so mega
thanks for the link.
Because nsupdate will be run from the server (as opposed to the clients,
which is where the failed kerberos dns updates are coming from), I think
this will work.  I mean, I can update dns records just fine if I do it from
the command line on the server -- it's only when remote clients attempt
updates that it fails.

I'll give this a whirl and post my results.
There is hope!


*Scott Goodwin*
IT Lead
Mimic Technologies, Inc
811 First Avenue, Suite 408  |  Seattle, WA 98104
phone: 1.800.918.1670  |  direct: 206.456.9180
fax: 206.623.3491  |  cell: 206.355.7767



On Wed, Oct 9, 2013 at 1:36 PM, Rowland Penny
<rowlandpenny at googlemail.com> wrote:

> On 09/10/13 20:15, Scott Goodwin wrote:
>
>> Thanks for the advice Steve. I had actually tried this before, and it did
>> work temporarily, but after a few hours, the updates started failing
>> again.
>> This is so weird! Why is this happening?  I have nothing but respect for
>> the samba team and all their hard work, but egads, I just can't figure out
>> why such a critical issue is still running rampant.  (Ok, so it's not
>> critical in the sense that all your clients are down, and they can't work.
>> But heck, every time a pc gets a new dhcp lease, I have to change it by
>> hand, and that becomes a maintenance nightmare).
>> I'm being completely serious when I say this: how do larger companies that
>> have rolled out samba4 cope with this issue? Is there some workaround I'm
>> not aware of?
>>
>>
>> On Tue, Oct 8, 2013 at 11:56 PM, steve <steve at steve-ss.com> wrote:
>>
>>> On Tue, 2013-10-08 at 22:59 -0700, Scott Goodwin wrote:
>>>
>>>> * Samba4 with BIND_DLZ (with windows clients updating AD via kerberos)
>>>> Dammit this is so close! But Windows client dns updates do not work.
>>>> Actually, they worked at first, then they stopped working. Errors like
>>>> this:
>>>> Oct  8 21:38:16 earl named[7695]: samba_dlz: starting transaction on zone mydomain.com
>>>> Oct  8 21:38:16 earl named[7695]: client 10.2.2.227#52980: update 'mydomain.com/IN' denied
>>>> Oct  8 21:38:16 earl named[7695]: samba_dlz: cancelling transaction on zone mydomain.com
>>>> This is a decidedly ubiquitous problem out there, and one can google on
>>>> this for hours, with no solid fixes or answers.  Per this guy's
>>>> advice <http://article.gmane.org/gmane.network.samba.general/131081/match=> I
>>>> downloaded and compiled bind 9.8, and also 9.9 (just for good measure)
>>>> using the proper flags ( --with-dlopen=yes,
>>>> --with-gssapi=/usr/include/gssapi, and WITHOUT the flag
>>>> --disable-isc-spnego). After I did this, it actually worked for a few
>>>> hours!  Then all of a sudden, stopped working with the above errors
>>>> littering my named.log again.
>>>>
>>> Hi
>>> Do you have CNAMEs? If not, then it's just because you've tried
>>> different Samba versions but with the same dns records. Try deleting the
>>> old machine record so that a new one corresponding to your new install
>>> will recreate it at the next update request. I don't know your domain
>>> names and finding the DN for the machine took some working out, but I've
>>> an example here:
>>>
>>> http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html
>>> HTH
>>> Steve
>>>
>>>
> Hi, try starting here:
> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
>
> Rowland
>
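
An added example, not part of the thread or of Samba/BIND: a small Python triage script that tallies the `update ... denied` lines quoted above by client and zone, giving the list of machines whose DNS records are worth checking for the stale-record case Steve describes. The function name, the `year` parameter and every sample line after the first three are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the format of the named.log lines quoted in the thread;
# only the first three lines come from the post, the rest are made up.
SAMPLE_LOG = """\
Oct  8 21:38:16 earl named[7695]: samba_dlz: starting transaction on zone mydomain.com
Oct  8 21:38:16 earl named[7695]: client 10.2.2.227#52980: update 'mydomain.com/IN' denied
Oct  8 21:38:16 earl named[7695]: samba_dlz: cancelling transaction on zone mydomain.com
Oct  8 21:52:03 earl named[7695]: samba_dlz: starting transaction on zone mydomain.com
Oct  8 21:52:03 earl named[7695]: client 10.2.2.227#53011: update 'mydomain.com/IN' denied
Oct  8 21:52:03 earl named[7695]: samba_dlz: cancelling transaction on zone mydomain.com
Oct  8 22:10:41 earl named[7695]: client 10.2.2.54#49822: update 'mydomain.com/IN' denied
"""

# Matches only the "denied" line; the source port after '#' changes per request
# and is deliberately ignored so repeated failures from one host group together.
DENIED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: update '(?P<zone>[^/']+)/IN' denied$"
)

def denied_updates(log_text, year=2013):
    """Group 'update denied' events by (client IP, zone).

    Returns {(ip, zone): {"count": n, "first": datetime, "last": datetime}}.
    Syslog timestamps carry no year, so the caller supplies one (hypothetical
    parameter, defaulting to the year of the thread).
    """
    summary = {}
    for line in log_text.splitlines():
        m = DENIED.match(line.strip())
        if not m:
            continue  # transaction start/cancel lines and unrelated messages
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entry = summary.setdefault((m["ip"], m["zone"]),
                                   {"count": 0, "first": when, "last": when})
        entry["count"] += 1
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
    return summary

if __name__ == "__main__":
    rows = sorted(denied_updates(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"])
    for (ip, zone), e in rows:
        print(f"{ip:15} {zone:20} denied={e['count']} "
              f"first={e['first']:%b %d %H:%M:%S} last={e['last']:%b %d %H:%M:%S}")
```

Note that the log lines in this archive are wrapped by the mail quoting; the script expects one syslog record per line, as in the original named.log.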

