[Samba] adding samba to win2008Rd domain as DC ( second question)

L.P.H. van Belle belle at bazuin.nl
Wed Oct 23 06:18:37 MDT 2013 

Ok, server is joined, looks good but other question. 

i reading on the wiki, https://wiki.samba.org/index.php/Dns-backend_bind 
Testing/Debugging dynamic DNS updates 
samba_dnsupdate --verbose --all-names 

im getting 

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 11 entries

so read on what i already did. 

bind loads ok, 
some parts of the log.
Oct 23 13:33:14 ms249-lin-007 named[12524]: Loading 'AD DNS Zone' using driver dlopen 
Oct 23 13:33:14 ms249-lin-007 named[12524]: samba_dlz: Processing section "[netlogon]"
Oct 23 13:33:14 ms249-lin-007 named[12524]: samba_dlz: Processing section "[sysvol]"
last line. .
Oct 23 13:33:14 ms249-lin-007 named[12524]: running 

so looks ok to me. 

I did the zone test, is ok.
I included :  include "/var/lib/samba/private/named.conf";   and is ok, since bind loads ok. 
checked again manualy and the bind 9.8.0 dlz is used, thats ok. 

i wanted to enable : ( since its recommended ) 
DNS dynamic updates via Kerberos (optional, but recommended) 
so i added in named.conf.options 
options {
     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
.. 
check for owner on that file, was root, so changed it : 
chown bind:bind /var/lib/samba/private/dns.keytab
ls -al :  -rw------- 1 bind bind 937 Oct 23 12:48 /var/lib/samba/private/dns.keytab 


and when testing dynamic dns updates, 
samba_dnsupdate --verbose --all-names  
( output : a part of the messages  ) 

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.rotterdam.bazuin.nl ms249-lin-007.mydomain.lan 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.mydomain.lan. 900 IN SRV 0 100 3268 ms249-lin-007.mydomain.lan.


i checked the time om both servers. 
ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 MS249-DB-001.ro .LOCL.           1 u   21   64   77    0.496   -6.743   3.525

less than 1 sec off

host -t SRV _ldap._tcp.mydomain.lan.
_ldap._tcp.mydomain.lan has SRV record 0 100 389 ms249-lin-007.mydomain.lan.
_ldap._tcp.mydomain.lan has SRV record 0 100 389 ms249-db-001.mydomain.lan.

host -t SRV _kerberos._udp.mydomain.lan.
_kerberos._udp.mydomain.lan has SRV record 0 100 88 ms249-lin-007.mydomain.lan.
_kerberos._udp.mydomain.lan has SRV record 0 100 88 ms249-db-001.mydomain.lan.

host -t A ms249-db-001.mydomain.lan
ms249-db-001.mydomain.lan has address 192.168.249.225

host -t A ms249-lin-007.mydomain.lan
ms249-lin-007.mydomain.lan has address 192.168.249.227


so any one knows why am i getting the update error? 

what have i missed? Or, is DNS dynamic updates via Kerberos not needed in my case. 

When im ready i want to transfer the fsmo roles, but the windows stays dns+dhcp. 


Anyone some other tips where to look.

Louis

More information about the samba mailing list