[Samba] DNS frustration

Rowland Penny rowlandpenny at googlemail.com
Wed Oct 9 14:48:13 MDT 2013


On 09/10/13 21:44, Scott Goodwin wrote:
> Ah, by golly, I think that may do it! I hadn't found that url yet, so 
> mega thanks for the link.
> Because nsupdate will be run from the server (as opposed to the 
> clients, which is where the failed kerberos dns updates are coming 
> from), I think this will work.  I mean, I can update dns records just 
> fine if I do it from the command line on the server -- it's only when 
> remote clients attempt updates that it fails.
>
> I'll give this a whirl and post my results.
> There is hope!
>
>
> *Scott Goodwin*
> IT Lead
> Mimic Technologies, Inc
> 811 First Avenue, Suite 408  |  Seattle, WA 98104
> phone: 1.800.918.1670  |  direct: 206.456.9180
> fax: 206.623.3491  |  cell: 206.355.7767
>
>
>
> On Wed, Oct 9, 2013 at 1:36 PM, Rowland Penny 
> <rowlandpenny at googlemail.com> wrote:
>
>     On 09/10/13 20:15, Scott Goodwin wrote:
>
>         Thanks for the advice Steve. I had actually tried this before,
>         and it did work temporarily, but after a few hours, the updates
>         started failing again.
>         This is so weird! Why is this happening?  I have nothing but
>         respect for the samba team and all their hard work, but egads,
>         I just can't figure out why such a critical issue is still
>         running rampant.  (Ok, so it's not critical in the sense that
>         all your clients are down, and they can't work. But heck, every
>         time a pc gets a new dhcp lease, I have to change it by hand,
>         and that becomes a maintenance nightmare).
>         I'm being completely serious when I say this: how do larger
>         companies that have rolled out samba4 cope with this issue? Is
>         there some workaround I'm not aware of?
>
>
>         *Scott Goodwin*
>
>         IT Lead
>         Mimic Technologies, Inc
>         811 First Avenue, Suite 408  |  Seattle, WA 98104
>         phone: 1.800.918.1670  |  direct: 206.456.9180
>         fax: 206.623.3491  |  cell: 206.355.7767
>
>
>
>         On Tue, Oct 8, 2013 at 11:56 PM, steve <steve at steve-ss.com> wrote:
>
>             On Tue, 2013-10-08 at 22:59 -0700, Scott Goodwin wrote:
>
>                 * Samba4 with BIND_DLZ (with windows clients updating
>                 AD via kerberos)
>                 Dammit this is so close! But Windows client dns
>                 updates do not work. Actually, they worked at first,
>                 then they stopped working. Errors like this:
>
>                 Oct  8 21:38:16 earl named[7695]: samba_dlz: starting transaction on zone mydomain.com
>                 Oct  8 21:38:16 earl named[7695]: client 10.2.2.227#52980: update 'mydomain.com/IN' denied
>                 Oct  8 21:38:16 earl named[7695]: samba_dlz: cancelling transaction on zone mydomain.com
>
>                 This is a decidedly ubiquitous problem out there, and
>                 one can google on this for hours, with no solid fixes
>                 or answers.  Per this guy's advice
>                 <http://article.gmane.org/gmane.network.samba.general/131081/match=>
>                 I downloaded and compiled bind 9.8, and also 9.9 (just
>                 for good measure) using the proper flags
>                 ( --with-dlopen=yes, --with-gssapi=/usr/include/gssapi,
>                 and WITHOUT the flag --disable-isc-spnego). After I did
>                 this, it actually worked for a few hours!  Then all of
>                 a sudden, stopped working with the above errors
>                 littering my named.log again.
>
>             Hi
>             Do you have CNAMEs? If not, then it's just because you've
>             tried different Samba versions but with the same dns records.
>             Try deleting the old machine record so that a new one
>             corresponding to your new install will recreate it at the
>             next update request. I don't know your domain names and
>             finding the DN for the machine took some working out, but
>             I've an example here:
>
>             http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html
>             HTH
>             Steve
>
>
>
>     Hi, try starting here:
>     http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
>
>     Rowland
>
>
I know it will work, I've had it working for the last 10 months or so, 
give me an email if you get stuck.

Rowland
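
Added example, not part of the original thread or of Samba/BIND: a small triage script for the `update ... denied` lines quoted above, grouping refusals by client and zone so the machines whose dynamic updates are being rejected can be identified. The function names and the last two sample log lines are constructed for illustration; the regex assumes exactly the line format shown in the thread.

```python
import re

# Matches the "denied" line format quoted in the thread's named log excerpt.
DENIED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+(?P<host>\S+)\s+named\[\d+\]:\s+"
    r"client\s+(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+):\s+"
    r"update\s+'(?P<zone>[^'/]+)/IN'\s+denied\s*$"
)

# First three lines are from the thread; the last two are constructed samples.
SAMPLE_LOG = """\
Oct  8 21:38:16 earl named[7695]: samba_dlz: starting transaction on zone mydomain.com
Oct  8 21:38:16 earl named[7695]: client 10.2.2.227#52980: update 'mydomain.com/IN' denied
Oct  8 21:38:16 earl named[7695]: samba_dlz: cancelling transaction on zone mydomain.com
Oct  8 21:53:16 earl named[7695]: client 10.2.2.227#53011: update 'mydomain.com/IN' denied
Oct  8 22:01:40 earl named[7695]: client 10.2.2.50#49152: update 'mydomain.com/IN' denied
"""


def summarize_denied(lines):
    """Group denied dynamic updates by (client IP, zone).

    Returns {(ip, zone): {"count": n, "first": ts, "last": ts}} with the
    syslog timestamps kept as strings, in order of appearance.
    """
    summary = {}
    for line in lines:
        m = DENIED.match(line.strip())
        if not m:
            continue  # transaction start/cancel lines and unrelated entries
        key = (m["ip"], m["zone"])
        entry = summary.setdefault(
            key, {"count": 0, "first": m["ts"], "last": m["ts"]}
        )
        entry["count"] += 1
        entry["last"] = m["ts"]
    return summary


def ranked(summary):
    """Return (key, entry) pairs, most-refused client first."""
    return sorted(summary.items(), key=lambda kv: -kv[1]["count"])


if __name__ == "__main__":
    for (ip, zone), e in ranked(summarize_denied(SAMPLE_LOG.splitlines())):
        print(f"{ip:15} {zone:20} denied={e['count']} "
              f"first={e['first']} last={e['last']}")
```
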

