[Samba] samba4 internal dns Server ddns for the reverse lookup Zone

Markus Roth markusroth1983 at gmx.net
Mon Aug 18 08:28:27 MDT 2014


Hi Steve,

I have bind in version 9.9.4-RedHat-9.9.4-14.el7.centos (Extended Support Version) under centos7. I see the update messages without configuring a log level in /var/log/messages.
OK, so you mean I should always use DHCP instead of static IPs for a clean ddns update and logs?
When I changed the IP address of my client1 machine (Windows 7) from 192.168.178.99 to 192.168.178.98 and analysed the DNS entries with the Windows remote tools, it had updated client1 successfully.
With the host command I get:

[root at server1 ~]# host -t A client1.winnet.local
client1.winnet.local has address 192.168.178.98
[root at server1 ~]# host -t PTR 192.168.178.98
98.178.168.192.in-addr.arpa domain name pointer client1.winnet.local.

So can I say that I have a correct configuration although I have the denied message? This is what /var/log/messages says for the ddns during the IP change:

Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#57564: update 'winnet.local/IN' denied
Aug 18 16:18:08 server1 named[12388]: samba_dlz: cancelling transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#52919/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#52919/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#52919/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
Aug 18 16:18:08 server1 named[12388]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local.	1200	IN	A	192.168.178.98'
Aug 18 16:18:08 server1 named[12388]: samba_dlz: subtracted rdataset winnet.local 'winnet.local.	3600	IN	SOA	server1.winnet.local. hostmaster.winnet.local. 12 900 600 86400 0'
Aug 18 16:18:08 server1 named[12388]: samba_dlz: added rdataset winnet.local 'winnet.local.	3600	IN	SOA	server1.winnet.local. hostmaster.winnet.local. 13 900 600 86400 0'
Aug 18 16:18:08 server1 named[12388]: samba_dlz: committed transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#62909: update '178.168.192.in-addr.arpa/IN' denied
Aug 18 16:18:08 server1 named[12388]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=98.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=98.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#58907/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '98.178.168.192.in-addr.arpa' PTR
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#58907/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '98.178.168.192.in-addr.arpa' PTR
Aug 18 16:18:08 server1 named[12388]: samba_dlz: added 98.178.168.192.in-addr.arpa 98.178.168.192.in-addr.arpa.	1200	IN	PTR	client1.winnet.local.
Aug 18 16:18:08 server1 named[12388]: samba_dlz: subtracted rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa.	3600	IN	SOA	server1.winnet.local. hostmaster.winnet.local. 3 900 600 86400 3600'
Aug 18 16:18:08 server1 named[12388]: samba_dlz: added rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa.	3600	IN	SOA	server1.winnet.local. hostmaster.winnet.local. 4 900 600 86400 3600'
Aug 18 16:18:08 server1 named[12388]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa


Sent: Monday, 18 August 2014 at 00:31
From: steve <steve at steve-ss.com>
To: "Markus Roth" <markusroth1983 at gmx.net>
Cc: samba at lists.samba.org
Subject: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
On Sun, 2014-08-17 at 16:55 +0200, Markus Roth wrote:
> Hi Steve,
>
> first thanks a lot for your help at this time :-)
>
> >Much easier:
> >samba-tool dns zonedelete
> >restart named
> >samba-tool dns zonecreate
> >restart sssd
>
> Ah okay, good to know for future actions. So do I understand right that my configuration is correct now and the denied messages with this configuration are ok? If so, then the denied messages are ok for me :-) But before I take my new configuration into productive use I'd better ask.
On:
named -version
BIND 9.9.4-rpz2.13269.14-P2 (Extended Support Version)
We do not get the denied messages, but we may have a lower debug level
set. Sorry, can't confirm this as we've no test domain with that
version.
_Are_ the records being updated? Change the IP of a sssd client box (NOT
the IP of the DC) and use host to check A and PTR.
>
> I took static IPs only for testing. If this configuration is ok now I would create a test environment with a DHCP server.
>
ddns is handled fine by the sssd ad backend when the ip of a client is
changed via dhcp.

> For the rw access you said named needs rw access on the dns databases.
Yes. The keytab for named.conf and the DNS partitions.

> So I've set rw access for the group named on the *.so files and for the ldb and tdb files in the /usr/samba/private structure. But I don't know if this is necessary.
>
> Only out of interest: when static IPs are used, would you deactivate the automatic ddns updates and add them manually with samba-tool or with the Windows remote administration kit? But I think it's much easier with ddns if some IPs change, isn't it?
>
> >LOL, yeah. open source error messages at their best.
>
> ......
> > Aug 17 08:34:02 server1 named[12525]: samba_dlz: added 200.178.168.192.in-addr.arpa 200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.
> . . .then it does it!
> ....
> > Aug 17 08:34:02 server1 named[12525]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
> >
> >That's the best you're gonna get. But why bother with static IPs?
> >HTH,
> >Steve
>
> >
> > Sent: Sunday, 17 August 2014 at 01:53
> > From: steve <steve at steve-ss.com>
> > To: "Markus Roth" <markusroth1983 at gmx.net>
> > Cc: samba at lists.samba.org
> > Subject: Re: Aw: Re: AW: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
> > On Sun, 2014-08-17 at 00:46 +0200, Markus Roth wrote:
> > > Hi Steve,
> > >
> > > I don't know what I'm still doing wrong :-( I've created new VMware environments with CentOS 7 and Windows 7. The hostname of the CentOS 7 is server1 and the hostname of the Windows 7 is client1. I've configured server1 as follows:
> > >
> > > 1. download bind-9.8.2-0.23.rc1.el6_5.1.src.rpm
> > > 2. rpm -ivh bind-9.8.2-0.23.rc1.el6_5.1.src.rpm
> > > 3. edit /root/rpmbuild/SPECS/bind.spec and remove the line --disable-isc-spnego
> > > 4. rebuild bind with rpmbuild -bb ~/rpmbuild/SPECS/bind.spec
> > > 5. remove all previous bind* and samba* installation files with yum remove
> > > 6. install bind-license, bind-libs* and bind9* with rpm -ivh
> > > 7. download samba 4.1.11
> > > 8. install dependencies for samba 4.1.11 with
> > > yum install glibc glibc-devel gcc python* libacl-devel krb5-workstation krb5-libs pam_krb5
> > > 8. install samba 4.1.11 with ./configure --enable-debug --enable-selftest then make then make install
> > > 9. configure samba 4.1.11 with samba-tool domain provision --use-rfc2307 --interactive --function-level=2008_R2
> > > 10. configure /etc/named.conf for samba4
> > > 11. chgrp named + rw access for named on dns.keytab, dns_update_list, named.conf under /usr/local/samba/private and the same on *.so files under
> > > /usr/local/samba/lib/bind9. Next I activate the so file for bind9 in the samba named.conf
> >
> > named needs rw on the DNS databases too.
> >
> > > 12. install sssd with yum install sssd
> > > 13. generated the krb5.keytab with my servername in capital letters for the principal name
> > > # samba-tool domain exportkeytab /etc/krb5.keytab --principal=SERVER1$
> >
> > The next 2 lines make no sense:
> > > # chown root:root /etc/krb5.sssd.keytab
> > > # chmod 600 /etc/krb5.sssd.keytab
> >
> > > 14. generated the sssd.conf with the same file permissions as the krb5.keytab + copy the samba4 krb5.conf to /etc and overwrite the existing one
> > > 15. Start named, sssd and samba daemon
> > > 16. generate reverse lookup zone with samba-tool dns zonecreate server1.winnet.local 178.168.192.in-addr.arpa
> > > 17. Start the client1 machine, give the server1 IP as the DNS server and join client1 to the domain
> > >
> > > Here are my configuration files and the last log-file
> > > Do you see any mistakes?
> > >
> > > Named.conf
> > > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> > > options {
> > > listen-on port 53 { 127.0.0.1; 192.168.178.130; };
> > > listen-on-v6 port 53 { ::1; };
> > > directory "/var/named";
> > > dump-file "/var/named/data/cache_dump.db";
> > > statistics-file "/var/named/data/named_stats.txt";
> > > memstatistics-file "/var/named/data/named_mem_stats.txt";
> > > allow-query { localhost; 192.168.178.0/24; };
> > > allow-recursion { localhost; 192.168.178.0/24; };
> > > forwarders { 8.8.8.8; 8.8.4.4; };
> > > tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> > > recursion yes;
> > > dnssec-enable yes;
> > > dnssec-validation yes;
> > > dnssec-lookaside auto;
> > > /* Path to ISC DLV key */
> > > bindkeys-file "/etc/named.iscdlv.key";
> > > managed-keys-directory "/var/named/dynamic";
> > > pid-file "/run/named/named.pid";
> > > session-keyfile "/run/named/session.key";
> > > };
> > > logging {
> > > channel default_debug {
> > > file "data/named.run";
> > > severity dynamic;
> > > };
> > > };
> > > zone "." IN {
> > > type hint;
> > > file "named.ca";
> > > };
> > > include "/etc/named.rfc1912.zones";
> > > include "/etc/named.root.key";
> > > include "/usr/local/samba/private/named.conf";
> > > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> > > Sssd.conf
> > > [sssd]
> > > services = nss, pam
> > > config_file_version = 2
> > > domains = winnet.local
> > > [nss]
> > > [pam]
> > > [domain/winnet.local]
> > > id_provider = ad
> > > auth_provider = ad
> > > access_provider = ad
> > > ldap_id_mapping = False
> > > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> > > Smb.conf
> > > # Global parameters
> > > [global]
> > > workgroup = WINNET
> > > realm = WINNET.LOCAL
> > > netbios name = SERVER1
> > > server role = active directory domain controller
> > > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> > > idmap_ldb:use rfc2307 = yes
> > > [netlogon]
> > > path = /usr/local/samba/var/locks/sysvol/winnet.local/scripts
> > > read only = No
> > > [sysvol]
> > > path = /usr/local/samba/var/locks/sysvol
> > > read only = No
> > > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> > > Samba4 named.conf
> > > # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
> > > #
> > > # This file should be included in your main BIND configuration file
> > > #
> > > # For example with
> > > # include "/usr/local/samba/private/named.conf";
> > > #
> > > # This configures dynamically loadable zones (DLZ) from AD schema
> > > # Uncomment only single database line, depending on your BIND version
> > > #
> > > dlz "AD DNS Zone" {
> > > # For BIND 9.8.0
> > > # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
> > > # For BIND 9.9.0
> > > database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
> > > };
> > > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> > > Var/log/messages
> > > Aug 17 00:13:58 server1 chronyd[809]: NTP packet received from unauthorised host 192.168.178.200 port 123
> > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone winnet.local
> > > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#57474: update 'winnet.local/IN' denied
> > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: cancelling transaction on zone winnet.local
> > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone winnet.local
> > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> > > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
> > > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
> > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: subtracted rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
> > > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
> > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
> > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: committed transaction on zone winnet.local
> > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> > > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#59638: update '178.168.192.in-addr.arpa/IN' denied
> > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
> > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> > > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#55402/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '200.178.168.192.in-addr.arpa' PTR
> > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: subtracted rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
> > > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#55402/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '200.178.168.192.in-addr.arpa' PTR
> > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: added rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
> > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
> > > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> > >
> > You must delete the reverse zone and recreate it as I outlined in my
> > last message. Also, no feedback on the latter, so I have to guess that
> > you have done it but it.
> > HTH
> >
> >
> > >
> > >
> > > Sent: Saturday, 16 August 2014 at 16:00
> > > From: steve <steve at steve-ss.com>
> > > To: "Markus Roth" <markusroth1983 at gmx.net>
> > > Cc: samba at lists.samba.org
> > > Subject: Re: AW: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
> > > On Sat, 2014-08-16 at 15:46 +0200, Markus Roth wrote:
> > > > Hi Steve,
> > > >
> > > > Update. I think nobody can say that I'm not creative :-) I've now tried
> > > > ./samba-tool domain exportkeytab /etc/krb5.keytab without the --principal
> > > > and changed my sssd.conf back to:
> > > >
> > > > [sssd]
> > > > services = nss, pam
> > > > config_file_version = 2
> > > > domains = winnet.local
> > > > [nss]
> > > > [pam]
> > > > [domain/winnet.local]
> > > > id_provider = ad
> > > > access_provider = ad
> > > >
> > > > Now I also get the denied messages, but the logs now seem to be different:
> > >
> > > Very close now. This should do it:
> > > http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html
> > >
> > > >
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on
> > > > zone winnet.local
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of
> > > > signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local
> > > > tcpaddr=192.168.178.130 type=A key=2171273687.sig-server1.winnet.local/160/0
> > > > Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#49475/key
> > > > SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset
> > > > at 'server1.winnet.local' A
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset
> > > > server1.winnet.local 'server1.winnet.local. 3600 IN A
> > > > 192.168.178.130'
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset
> > > > winnet.local 'winnet.local. 3600 IN SOA
> > > > server1.winnet.local. hostmaster.winnet.local. 4 900 600 86400 0'
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset winnet.local
> > > > 'winnet.local. 3600 IN SOA server1.winnet.local.
> > > > hostmaster.winnet.local. 5 900 600 86400 0'
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on
> > > > zone winnet.local
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on
> > > > zone winnet.local
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of
> > > > signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local
> > > > tcpaddr=192.168.178.130 type=AAAA
> > > > key=1458088344.sig-server1.winnet.local/160/0
> > > > Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#60843/key
> > > > SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset
> > > > at 'server1.winnet.local' AAAA
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on
> > > > zone winnet.local
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on
> > > > zone winnet.local
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of
> > > > signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local
> > > > tcpaddr=192.168.178.130 type=A key=2571247347.sig-server1.winnet.local/160/0
> > > > Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#60497/key
> > > > SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at
> > > > 'server1.winnet.local' A
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset
> > > > server1.winnet.local 'server1.winnet.local. 3600 IN A
> > > > 192.168.178.130'
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset
> > > > winnet.local 'winnet.local. 3600 IN SOA
> > > > server1.winnet.local. hostmaster.winnet.local. 5 900 600 86400 0'
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset winnet.local
> > > > 'winnet.local. 3600 IN SOA server1.winnet.local.
> > > > hostmaster.winnet.local. 6 900 600 86400 0'
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on
> > > > zone winnet.local
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on
> > > > zone 178.168.192.in-addr.arpa
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of
> > > > signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa
> > > > tcpaddr=192.168.178.130 type=PTR
> > > > key=1615781577.sig-server1.winnet.local/160/0
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of
> > > > signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa
> > > > tcpaddr=192.168.178.130 type=PTR
> > > > key=1615781577.sig-server1.winnet.local/160/0
> > > > Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#56401/key
> > > > SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE':
> > > > deleting rrset at '130.178.168.192.in-addr.arpa' PTR
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset
> > > > 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN
> > > > PTR server1.winnet.local.'
> > > > Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#56401/key
> > > > SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE':
> > > > adding an RR at '130.178.168.192.in-addr.arpa' PTR
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset
> > > > 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN
> > > > PTR server1.winnet.local.'
> > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on
> > > > zone 178.168.192.in-addr.arpa
> > > > Aug 16 15:40:19 server1 chronyd[831]: NTP packet received from unauthorised
> > > > host 192.168.178.200 port 123
> > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on
> > > > zone winnet.local
> > > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#53494: update
> > > > 'winnet.local/IN' denied
> > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: cancelling transaction on
> > > > zone winnet.local
> > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on
> > > > zone winnet.local
> > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of
> > > > signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA
> > > > key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of
> > > > signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A
> > > > key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of
> > > > signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A
> > > > key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> > > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key
> > > > client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset
> > > > at 'client1.winnet.local' AAAA
> > > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key
> > > > client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset
> > > > at 'client1.winnet.local' A
> > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: subtracted rdataset
> > > > client1.winnet.local 'client1.winnet.local. 1200 IN A
> > > > 192.168.178.200'
> > > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key
> > > > client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at
> > > > 'client1.winnet.local' A
> > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: added rdataset
> > > > client1.winnet.local 'client1.winnet.local. 1200 IN A
> > > > 192.168.178.200'
> > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: committed transaction on
> > > > zone winnet.local
> > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on
> > > > zone 178.168.192.in-addr.arpa
> > > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#61402: update
> > > > '178.168.192.in-addr.arpa/IN' denied
> > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: cancelling transaction on
> > > > zone 178.168.192.in-addr.arpa
> > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on
> > > > zone 178.168.192.in-addr.arpa
> > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of
> > > > signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr=
> > > > type=PTR key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of
> > > > signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr=
> > > > type=PTR key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> > > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#54396/key
> > > > client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE':
> > > > deleting rrset at '200.178.168.192.in-addr.arpa' PTR
> > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: subtracted rdataset
> > > > 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN
> > > > PTR client1.winnet.local.'
> > > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#54396/key
> > > > client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE':
> > > > adding an RR at '200.178.168.192.in-addr.arpa' PTR
> > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: added rdataset
> > > > 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN
> > > > PTR client1.winnet.local.'
> > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: committed transaction on
> > > > zone 178.168.192.in-addr.arpa
> > > >
> > > > -----Original Message-----
> > > > From: Markus Roth [mailto:markusroth1983 at gmx.net]
> > > > Sent: Saturday, 16 August 2014 15:13
> > > > To: 'steve'
> > > > Cc: 'samba at lists.samba.org'
> > > > Subject: AW: [Samba] samba4 internal dns Server ddns for the reverse lookup
> > > > Zone
> > > >
> > > > Hi Steve,
> > > >
> > > > I've tried the domain exportkeytab below, but when I do samba-tool domain
> > > > exportkeytab /etc/krb5.keytab --principal=WINNET$ the log says:
> > > >
> > > > ./samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$
> > > > ERROR(runtime): uncaught exception - Key table entry not found
> > > > File
> > > > "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
> > > > line 175, in _run
> > > > return self.run(*args, **kwargs)
> > > > File
> > > > "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py",
> > > > line 103, in run
> > > > net.export_keytab(keytab=keytab, principal=principal)
> > > >
> > > > When I do the same with --principal=server1$ it does an export, but I also
> > > > get the denied messages at the beginning. I also tried winnet$ or winnet.local$
> > > > but I get the same errors as above.
> > > >
> > > >
> > > > >Hi
> > > > >This is not using the sssd ad backend at all. It will not do ddns updates,
> > > > neither will it pull the correct id info from AD.
> > > >
> > > > >You were nearly there. Did you see my other post?
> > > >
> > > > >Just issue:
> > > > >samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$ and try
> > > > with your original ad sssd config.
> > > >
> > > > >--
> > > > >To unsubscribe from this list go to the following URL and read the
> > > > >Instructions: https://lists.samba.org/mailman/options/samba
> > > >
> > >
> > >
> >
> >
>
>
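Reading the /var/log/messages excerpt at the top of the thread: the unsigned `update ... denied` entry is the client's first attempt, and the keyed `/key client1$@WINNET.LOCAL` transaction that commits right after it is the same client retrying with its machine-account key (GSS-TSIG). The Python below is an added example, not code from the thread or from Samba: it pairs each denial with the signed transaction that follows it, so a denial that never gets a signed follow-up stands out. The sample log is condensed from the thread; the host 192.168.178.77 and its two lines are constructed.

```python
"""Pair samba_dlz 'update denied' events with the signed retry that follows.

status "signed_followup": a keyed update from the same client IP for the
same zone was committed later (the normal unsigned-then-signed pattern).
status "unsigned_only": no signed retry was committed (worth a look).
"""
import re

# Constructed sample, condensed from the thread's log. The list archive shows
# the signer escaped as client1\$\@WINNET.LOCAL; the real line is unescaped.
# The last two lines (host 192.168.178.77) are invented to show a denial
# without a signed follow-up.
SAMPLE_LOG = """\
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#57564: update 'winnet.local/IN' denied
Aug 18 16:18:08 server1 named[12388]: samba_dlz: cancelling transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#52919/key client1$@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
Aug 18 16:18:08 server1 named[12388]: samba_dlz: committed transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#62909: update '178.168.192.in-addr.arpa/IN' denied
Aug 18 16:18:08 server1 named[12388]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1$@WINNET.LOCAL name=98.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#58907/key client1$@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '98.178.168.192.in-addr.arpa' PTR
Aug 18 16:18:08 server1 named[12388]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
Aug 18 16:20:41 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
Aug 18 16:20:41 server1 named[12388]: client 192.168.178.77#40123: update 'winnet.local/IN' denied
Aug 18 16:20:41 server1 named[12388]: samba_dlz: cancelling transaction on zone winnet.local
"""

DENIED_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: update '(?P<zone>[^/']+)/IN' denied")
SIGNED_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+/key (?P<signer>[^:\s]+): "
    r"updating zone '(?P<zone>[^/']+)/NONE'")
COMMIT_RE = re.compile(r"samba_dlz: committed transaction on zone (?P<zone>\S+)")
ALLOW_RE = re.compile(
    r"samba_dlz: allowing update of signer=(?P<signer>\S+) name=(?P<name>\S+) "
    r"tcpaddr=\S* type=(?P<type>\S+)")


def audit_updates(lines):
    """One record per denied update, in log order, with its final status."""
    events = []
    pending = {}    # (ip, zone) -> denied record still waiting for a signed retry
    in_flight = {}  # zone -> (ip, signer) of a keyed update not yet committed
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            rec = {"ip": m["ip"], "zone": m["zone"],
                   "status": "unsigned_only", "signer": None}
            events.append(rec)
            pending[(m["ip"], m["zone"])] = rec
            continue
        m = SIGNED_RE.search(line)
        if m:
            in_flight[m["zone"]] = (m["ip"], m["signer"])
            continue
        m = COMMIT_RE.search(line)
        if m and m["zone"] in in_flight:
            ip, signer = in_flight.pop(m["zone"])
            rec = pending.pop((ip, m["zone"]), None)
            if rec is not None:  # the commit closes the earlier denial
                rec["status"] = "signed_followup"
                rec["signer"] = signer
    return events


def signer_mismatches(lines):
    """Heuristic: forward (A/AAAA) updates where the signing machine account is
    not named after the host whose record it touches. PTR updates are skipped
    because the owning host sits in the rdata, not in the record name."""
    found = []
    for line in lines:
        m = ALLOW_RE.search(line)
        if not m or m["type"] not in ("A", "AAAA"):
            continue
        account = m["signer"].split("@", 1)[0].rstrip("$").lower()
        host = m["name"].split(".", 1)[0].lower()
        if account != host:
            found.append((m["signer"], m["name"]))
    return found


if __name__ == "__main__":
    for ev in audit_updates(SAMPLE_LOG.splitlines()):
        print(ev["ip"], ev["zone"], ev["status"], ev["signer"] or "")
    print("signer/name mismatches:", signer_mismatches(SAMPLE_LOG.splitlines()))
```

Run it against a real /var/log/messages with `audit_updates(open(path).readlines())`; the two denials from 192.168.178.98 resolve to signed follow-ups, while the constructed 192.168.178.77 denial stays unsigned_only.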


