[Samba] samba4 internal dns Server ddns for the reverse lookup Zone
steve
steve at steve-ss.com
Mon Aug 18 09:07:44 MDT 2014
On Mon, 2014-08-18 at 16:28 +0200, Markus Roth wrote:
> Hi Steve,
>
> I have bind in version 9.9.4-RedHat-9.9.4-14.el7.centos (Extended Support Version) under CentOS 7. I see the update messages in /var/log/messages without configuring a log level.
> OK, so you mean I should always use DHCP instead of static IPs for clean ddns updates and logs?
> When I changed the IP address of my client1 machine (Windows 7) from 192.168.178.99 to 192.168.178.98 and analysed the DNS entries with the Windows remote tools, it had updated client1 successfully.
> With the host command i get:
>
> [root at server1 ~]# host -t A client1.winnet.local
> client1.winnet.local has address 192.168.178.98
> [root at server1 ~]# host -t PTR 192.168.178.98
> 98.178.168.192.in-addr.arpa domain name pointer client1.winnet.local.
>
> So can I say that I have a correct configuration although I have the denied message? This is what /var/log/messages says for the ddns during the IP change:
>
> Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#57564: update 'winnet.local/IN' denied
> Aug 18 16:18:08 server1 named[12388]: samba_dlz: cancelling transaction on zone winnet.local
> Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
> Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
> Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
> Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#52919/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#52919/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#52919/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
> Aug 18 16:18:08 server1 named[12388]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.98'
> Aug 18 16:18:08 server1 named[12388]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 12 900 600 86400 0'
> Aug 18 16:18:08 server1 named[12388]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 13 900 600 86400 0'
> Aug 18 16:18:08 server1 named[12388]: samba_dlz: committed transaction on zone winnet.local
> Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#62909: update '178.168.192.in-addr.arpa/IN' denied
> Aug 18 16:18:08 server1 named[12388]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
> Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=98.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
> Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=98.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1052-ms-7.1-593b.2e64d242-26e2-11e4-7397-000c29a4b410/160/0
> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#58907/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '98.178.168.192.in-addr.arpa' PTR
> Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#58907/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '98.178.168.192.in-addr.arpa' PTR
> Aug 18 16:18:08 server1 named[12388]: samba_dlz: added 98.178.168.192.in-addr.arpa 98.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.
> Aug 18 16:18:08 server1 named[12388]: samba_dlz: subtracted rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 3 900 600 86400 3600'
> Aug 18 16:18:08 server1 named[12388]: samba_dlz: added rdataset 178.168.192.in-addr.arpa '178.168.192.in-addr.arpa. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 4 900 600 86400 3600'
> Aug 18 16:18:08 server1 named[12388]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
>
That looks as perfect as you're gonna get. And, it's working. Unless you
want to try samba-technical or isc, I think this is the best you can
expect, especially as it's working. Remember, the errors are written by
coders and can at times have little bearing upon what is really
happening.
I'm no expert on network topography. We chose dhcp because we wanted
less work. For file servers we always use fixed IP. I'm sure that
someone will chip in with some more concrete explanations other than
sheer laziness ;)
HTH,
Steve
>
>
> Sent: Monday, 18 August 2014 at 00:31
> From: steve <steve at steve-ss.com>
> To: "Markus Roth" <markusroth1983 at gmx.net>
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
> On Sun, 2014-08-17 at 16:55 +0200, Markus Roth wrote:
> > Hi Steve,
> >
> > first thanks a lot for your help at this time :-)
> >
> > >Much easier:
> > >samba-tool dns zonedelete
> > >restart named
> > >samba-tool dns zonecreate
> > >restart sssd
> >
> > Ah okay, good to know for future actions. So do I understand it right that my configuration is correct now and the denied messages with this configuration are OK? If so, then the denied messages are OK for me :-) But before I take my new configuration into productive use, I'd better ask.
> On:
> named -version
> BIND 9.9.4-rpz2.13269.14-P2 (Extended Support Version)
> We do not get the denied messages, but we may have a lower debug level
> set. Sorry, can't confirm this as we've no test domain with that
> version.
> _Are_ the records being updated? Change the IP of a sssd client box (NOT
> the IP of the DC) and use host to check A and PTR.
> >
> > I took static IPs only for testing. If this configuration is OK now, I would create a test environment with a DHCP server.
> >
> ddns is handled fine by the sssd ad backend when the ip of a client is
> changed via dhcp.
>
> > For the rw access you said named needs rw access on the dns databases.
> Yes. The keytab for named.conf and the DNS partitions.
>
> > So I've set rw access for the group named on the *.so files and for the ldb and tdb files in the /usr/samba/private structure. But I don't know if this is necessary.
> >
> > Only out of interest: when static IPs are used, would you deactivate the automatic ddns updates and add them manually with samba-tool or with the Windows remote administration kit? But I think it's much easier with ddns if some IPs change, isn't it?
> >
> > >LOL, yeah. open source error messages at their best.
> >
> > ......
> > > Aug 17 08:34:02 server1 named[12525]: samba_dlz: added 200.178.168.192.in-addr.arpa 200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.
> > . . .then it does it!
> > ....
> > > Aug 17 08:34:02 server1 named[12525]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
> > >
> > >That's the best you're gonna get. But why bother with static IPs?
> > >HTH,
> > >Steve
> >
> > >
> > > Sent: Sunday, 17 August 2014 at 01:53
> > > From: steve <steve at steve-ss.com>
> > > To: "Markus Roth" <markusroth1983 at gmx.net>
> > > Cc: samba at lists.samba.org
> > > Subject: Re: Aw: Re: AW: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
> > > On Sun, 2014-08-17 at 00:46 +0200, Markus Roth wrote:
> > > > Hi Steve,
> > > >
> > > > I don't know what I'm still doing wrong :-( I've created new VMware environments with CentOS 7 and Windows 7. The hostname of the CentOS 7 machine is server1 and the hostname of the Windows 7 machine is client1. I've configured server1 as follows:
> > > >
> > > > 1. download bind-9.8.2-0.23.rc1.el6_5.1.src.rpm
> > > > 2. rpm -ivh bind-9.8.2-0.23.rc1.el6_5.1.src.rpm
> > > > 3. edit /root/rpmbuild/SPECS/bind.spec and remove the line --disable-isc-spnego
> > > > 4. rebuild bind with rpmbuild -bb ~/rpmbuild/SPECS/bind.spec
> > > > 5. remove all previous bind* and samba* installation files with yum remove
> > > > 6. install bind-license, bind-libs* and bind9* with rpm -ivh
> > > > 7. download samba 4.1.11
> > > > 8. install dependencies for samba 4.1.11 with
> > > > yum install glibc glibc-devel gcc python* libacl-devel krb5-workstation krb5-libs pam_krb5
> > > > 8. install samba 4.1.11 with ./configure --enable-debug --enable-selftest, then make, then make install
> > > > 9. configure samba 4.1.11 with samba-tool domain provision --use-rfc2307 --interactive --function-level=2008_R2
> > > > 10. configure /etc/named.conf for samba4
> > > > 11. chgrp named + rw access for named on dns.keytab, dns_update_list, named.conf under /usr/local/samba/private and the same on *.so files under
> > > > /usr/local/samba/lib/bind9. Next i activate the so file for bind9 in the samba named.conf
> > >
> > > named needs rw on the DNS databases too.
> > >
> > > > 12. install sssd with yum install sssd
> > > > 13. generated the krb5.keytab with my servername in capital letters for the principal name
> > > > # samba-tool domain exportkeytab /etc/krb5.keytab --principal=SERVER1$
> > >
> > > The next 2 lines make no sense:
> > > > # chown root:root /etc/krb5.sssd.keytab
> > > > # chmod 600 /etc/krb5.sssd.keytab
> > >
> > > > 14. generated the sssd.conf with the same file permissions as the krb5.keytab + copied the samba4 krb5.conf to /etc, overwriting the existing one
> > > > 15. Start named, sssd and the samba daemon
> > > > 16. generate the reverse lookup zone with samba-tool dns zonecreate server1.winnet.local 178.168.192.in-addr.arpa
> > > > 17. Start the client1 machine, give the server1 IP as the DNS server and join client1 to the domain
> > > >
> > > > Here are my configuration files and the last log file.
> > > > Do you see any mistakes?
> > > >
> > > > Named.conf
> > > > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> > > > options {
> > > >     listen-on port 53 { 127.0.0.1; 192.168.178.130; };
> > > >     listen-on-v6 port 53 { ::1; };
> > > >     directory "/var/named";
> > > >     dump-file "/var/named/data/cache_dump.db";
> > > >     statistics-file "/var/named/data/named_stats.txt";
> > > >     memstatistics-file "/var/named/data/named_mem_stats.txt";
> > > >     allow-query { localhost; 192.168.178.0/24; };
> > > >     allow-recursion { localhost; 192.168.178.0/24; };
> > > >     forwarders { 8.8.8.8; 8.8.4.4; };
> > > >     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> > > >     recursion yes;
> > > >     dnssec-enable yes;
> > > >     dnssec-validation yes;
> > > >     dnssec-lookaside auto;
> > > >     /* Path to ISC DLV key */
> > > >     bindkeys-file "/etc/named.iscdlv.key";
> > > >     managed-keys-directory "/var/named/dynamic";
> > > >     pid-file "/run/named/named.pid";
> > > >     session-keyfile "/run/named/session.key";
> > > > };
> > > > logging {
> > > >     channel default_debug {
> > > >         file "data/named.run";
> > > >         severity dynamic;
> > > >     };
> > > > };
> > > > zone "." IN {
> > > >     type hint;
> > > >     file "named.ca";
> > > > };
> > > > include "/etc/named.rfc1912.zones";
> > > > include "/etc/named.root.key";
> > > > include "/usr/local/samba/private/named.conf";
> > > > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> > > > Sssd.conf
> > > > [sssd]
> > > > services = nss, pam
> > > > config_file_version = 2
> > > > domains = winnet.local
> > > > [nss]
> > > > [pam]
> > > > [domain/winnet.local]
> > > > id_provider = ad
> > > > auth_provider = ad
> > > > access_provider = ad
> > > > ldap_id_mapping = False
> > > > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> > > > Smb.conf
> > > > # Global parameters
> > > > [global]
> > > > workgroup = WINNET
> > > > realm = WINNET.LOCAL
> > > > netbios name = SERVER1
> > > > server role = active directory domain controller
> > > > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbind, ntp_signd, kcc, dnsupdate
> > > > idmap_ldb:use rfc2307 = yes
> > > > [netlogon]
> > > > path = /usr/local/samba/var/locks/sysvol/winnet.local/scripts
> > > > read only = No
> > > > [sysvol]
> > > > path = /usr/local/samba/var/locks/sysvol
> > > > read only = No
> > > > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> > > > Samba4 named.conf
> > > > # This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
> > > > #
> > > > # This file should be included in your main BIND configuration file
> > > > #
> > > > # For example with
> > > > # include "/usr/local/samba/private/named.conf";
> > > > #
> > > > # This configures dynamically loadable zones (DLZ) from AD schema
> > > > # Uncomment only single database line, depending on your BIND version
> > > > #
> > > > dlz "AD DNS Zone" {
> > > > # For BIND 9.8.0
> > > > # database "dlopen /usr/local/samba/lib/bind9/dlz_bind9.so";
> > > > # For BIND 9.9.0
> > > > database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_9.so";
> > > > };
> > > > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> > > > Var/log/messages
> > > > Aug 17 00:13:58 server1 chronyd[809]: NTP packet received from unauthorised host 192.168.178.200 port 123
> > > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone winnet.local
> > > > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#57474: update 'winnet.local/IN' denied
> > > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: cancelling transaction on zone winnet.local
> > > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone winnet.local
> > > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> > > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> > > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> > > > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
> > > > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
> > > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: subtracted rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
> > > > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#53493/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
> > > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
> > > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: committed transaction on zone winnet.local
> > > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> > > > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#59638: update '178.168.192.in-addr.arpa/IN' denied
> > > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
> > > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> > > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> > > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1088-ms-7.1-7a40.a05db54a-2592-11e4-8a89-000c29a4b410/160/0
> > > > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#55402/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '200.178.168.192.in-addr.arpa' PTR
> > > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: subtracted rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
> > > > Aug 17 00:14:02 server1 named[11100]: client 192.168.178.200#55402/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '200.178.168.192.in-addr.arpa' PTR
> > > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: added rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
> > > > Aug 17 00:14:02 server1 named[11100]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
> > > > ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
> > > >
> > > You must delete the reverse zone and recreate it as I outlined in my
> > > last message. Also, no feedback on the latter, so I have to guess that
> > > you have done it but it.
> > > HTH
> > >
> > >
> > > >
> > > >
> > > > Sent: Saturday, 16 August 2014 at 16:00
> > > > From: steve <steve at steve-ss.com>
> > > > To: "Markus Roth" <markusroth1983 at gmx.net>
> > > > Cc: samba at lists.samba.org
> > > > Subject: Re: AW: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
> > > > On Sat, 2014-08-16 at 15:46 +0200, Markus Roth wrote:
> > > > > Hi Steve,
> > > > >
> > > > > Update. I think nobody can say that I'm not creative :-) I've now tried
> > > > > ./samba-tool domain exportkeytab /etc/krb5.keytab without the --principal
> > > > > and changed my sssd.conf back to:
> > > > >
> > > > > [sssd]
> > > > > services = nss, pam
> > > > > config_file_version = 2
> > > > > domains = winnet.local
> > > > > [nss]
> > > > > [pam]
> > > > > [domain/winnet.local]
> > > > > id_provider = ad
> > > > > access_provider = ad
> > > > >
> > > > > Now I also get the denied messages, but the logs now seem to be different:
> > > >
> > > > Very close now. This should do it:
> > > > http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html
> > > >
> > > > >
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=2171273687.sig-server1.winnet.local/160/0
> > > > > Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#49475/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' A
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset server1.winnet.local 'server1.winnet.local. 3600 IN A 192.168.178.130'
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 4 900 600 86400 0'
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 5 900 600 86400 0'
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on zone winnet.local
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=AAAA key=1458088344.sig-server1.winnet.local/160/0
> > > > > Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#60843/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'server1.winnet.local' AAAA
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on zone winnet.local
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=server1.winnet.local tcpaddr=192.168.178.130 type=A key=2571247347.sig-server1.winnet.local/160/0
> > > > > Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#60497/key SERVER1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'server1.winnet.local' A
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset server1.winnet.local 'server1.winnet.local. 3600 IN A 192.168.178.130'
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 5 900 600 86400 0'
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset winnet.local 'winnet.local. 3600 IN SOA server1.winnet.local. hostmaster.winnet.local. 6 900 600 86400 0'
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on zone winnet.local
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=1615781577.sig-server1.winnet.local/160/0
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: allowing update of signer=SERVER1\$\@WINNET.LOCAL name=130.178.168.192.in-addr.arpa tcpaddr=192.168.178.130 type=PTR key=1615781577.sig-server1.winnet.local/160/0
> > > > > Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#56401/key SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '130.178.168.192.in-addr.arpa' PTR
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: subtracted rdataset 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN PTR server1.winnet.local.'
> > > > > Aug 16 15:40:03 server1 named[14419]: client 192.168.178.130#56401/key SERVER1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '130.178.168.192.in-addr.arpa' PTR
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: added rdataset 130.178.168.192.in-addr.arpa '130.178.168.192.in-addr.arpa. 3600 IN PTR server1.winnet.local.'
> > > > > Aug 16 15:40:03 server1 named[14419]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
> > > > > Aug 16 15:40:19 server1 chronyd[831]: NTP packet received from unauthorised host 192.168.178.200 port 123
> > > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
> > > > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#53494: update 'winnet.local/IN' denied
> > > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: cancelling transaction on zone winnet.local
> > > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on zone winnet.local
> > > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=AAAA key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> > > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> > > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> > > > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' AAAA
> > > > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': deleting rrset at 'client1.winnet.local' A
> > > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: subtracted rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
> > > > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#59384/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
> > > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: added rdataset client1.winnet.local 'client1.winnet.local. 1200 IN A 192.168.178.200'
> > > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: committed transaction on zone winnet.local
> > > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> > > > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#61402: update '178.168.192.in-addr.arpa/IN' denied
> > > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
> > > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
> > > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> > > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=200.178.168.192.in-addr.arpa tcpaddr= type=PTR key=1084-ms-7.1-6f73.dd303850-254a-11e4-439a-000c29a4b410/160/0
> > > > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#54396/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': deleting rrset at '200.178.168.192.in-addr.arpa' PTR
> > > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: subtracted rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
> > > > > Aug 16 15:40:20 server1 named[14419]: client 192.168.178.200#54396/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '200.178.168.192.in-addr.arpa' PTR
> > > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: added rdataset 200.178.168.192.in-addr.arpa '200.178.168.192.in-addr.arpa. 1200 IN PTR client1.winnet.local.'
> > > > > Aug 16 15:40:20 server1 named[14419]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
> > > > >
> > > > > -----Original Message-----
> > > > > From: Markus Roth [mailto:markusroth1983 at gmx.net]
> > > > > Sent: Saturday, 16 August 2014 15:13
> > > > > To: 'steve'
> > > > > Cc: 'samba at lists.samba.org'
> > > > > Subject: AW: [Samba] samba4 internal dns Server ddns for the reverse lookup Zone
> > > > >
> > > > > Hi Steve,
> > > > >
> > > > > I've tried the domain exportkeytab below, but when I do samba-tool domain
> > > > > exportkeytab /etc/krb5.keytab --principal=WINNET$ the log says:
> > > > >
> > > > > ./samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$
> > > > > ERROR(runtime): uncaught exception - Key table entry not found
> > > > >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> > > > >     return self.run(*args, **kwargs)
> > > > >   File "/usr/local/samba/lib64/python2.7/site-packages/samba/netcmd/domain.py", line 103, in run
> > > > >     net.export_keytab(keytab=keytab, principal=principal)
> > > > >
> > > > > When I do the same with --principal=server1$ it does an export, but I also
> > > > > get the denied messages from the beginning. I also tried winnet$ or winnet.local$
> > > > > but I get the same errors as above.
> > > > >
> > > > >
> > > > > >Hi
> > > > > >This is not using the sssd ad backend at all. It will not do ddns updates, neither will it pull the correct id info from AD.
> > > > >
> > > > > >You were nearly there. Did you see my other post?
> > > > >
> > > > > >Just issue:
> > > > > >samba-tool domain exportkeytab /etc/krb5.keytab --principal=WINNET$ and try with your original ad sssd config.
> > > > >
> > > > > >--
> > > > > >To unsubscribe from this list go to the following URL and read the
> > > > > >Instructions: https://lists.samba.org/mailman/options/samba
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
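An added example (not code from the thread, from Samba or from BIND) that automates the check the thread does by hand with host and by reading /var/log/messages: it parses named/samba_dlz lines and, per zone, pairs each unsigned "update ... denied" with the signed transaction that follows it. The pattern in the logs above is an unsigned attempt that is refused and cancelled, then a transaction with signer=client1\$\@WINNET.LOCAL that is committed. The script therefore reports a denial as expected only when the same client IP later commits a signed update to that zone, and flags any denial with no such retry, which is the case an operator would actually want to look at. The log lines in the block are constructed from the thread's output with the TSIG key id replaced by a placeholder; the pairing heuristic (same zone, same source IP, later committed signed transaction) is this example's own assumption, not something the thread or Samba defines.

```python
"""Correlate named/samba_dlz dynamic-update log lines per zone transaction.

Added example, not code from Samba, BIND or the list thread. An unsigned
attempt that is 'denied' and cancelled counts as expected when the same
client IP later commits a transaction carrying a signer (GSS-TSIG key);
a denial with no such retry is flagged. Sample lines are constructed."""
import re
from dataclasses import dataclass, field

RE_START = re.compile(r"samba_dlz: starting transaction on zone (\S+)")
RE_DENIED = re.compile(r"client (\S+): update '([^/']+)/IN' denied")
RE_SIGNER = re.compile(r"allowing update of signer=(\S+) name=(\S+) tcpaddr=\S* type=(\S+)")
RE_KEYED = re.compile(r"client (\S+)/key \S+: updating zone '([^/']+)/NONE'")
RE_CANCEL = re.compile(r"samba_dlz: cancelling transaction on zone (\S+)")
RE_COMMIT = re.compile(r"samba_dlz: committed transaction on zone (\S+)")


@dataclass
class Transaction:
    zone: str
    client: str = ""        # ip#port from the 'client ...' line, if one was seen
    signer: str = ""        # principal of the GSS-TSIG key; "" means unsigned
    records: list = field(default_factory=list)   # (name, rrtype) pairs allowed
    outcome: str = "open"   # 'open', 'denied' or 'committed'


def parse(log_text):
    """Turn log lines into Transaction objects, in the order they closed."""
    done, open_tx = [], {}   # open_tx: zone -> transaction still in progress
    for line in log_text.splitlines():
        if m := RE_START.search(line):
            open_tx[m.group(1)] = Transaction(zone=m.group(1))
        elif m := RE_DENIED.search(line):
            if tx := open_tx.get(m.group(2)):
                tx.client, tx.outcome = m.group(1), "denied"
        elif m := RE_SIGNER.search(line):
            name = m.group(2)
            for tx in open_tx.values():   # attach to the zone the name belongs to
                if name == tx.zone or name.endswith("." + tx.zone):
                    tx.signer = m.group(1)
                    tx.records.append((name, m.group(3)))
        elif m := RE_KEYED.search(line):
            if tx := open_tx.get(m.group(2)):
                tx.client = m.group(1)
        elif (m := RE_CANCEL.search(line)) or (m := RE_COMMIT.search(line)):
            if tx := open_tx.pop(m.group(1), None):
                if "committed" in line:
                    tx.outcome = "committed"
                done.append(tx)
    return done


def client_ip(client):
    return client.split("#", 1)[0]


def summarize(log_text):
    """Per zone: unsigned denials, committed signed updates, records written,
    and denials that no later committed signed update from that IP explains."""
    txs, summary = parse(log_text), {}
    for i, tx in enumerate(txs):
        z = summary.setdefault(tx.zone, {"denied_unsigned": 0, "committed_signed": 0,
                                         "records": [], "unexplained_denials": 0})
        if tx.outcome == "committed" and tx.signer:
            z["committed_signed"] += 1
            z["records"].extend(tx.records)
        elif tx.outcome == "denied" and not tx.signer:
            z["denied_unsigned"] += 1
            retried = any(t.zone == tx.zone and t.signer and t.outcome == "committed"
                          and client_ip(t.client) == client_ip(tx.client)
                          for t in txs[i + 1:])
            if not retried:
                z["unexplained_denials"] += 1
    return summary


# Constructed sample, modelled on the /var/log/messages excerpt in the thread
# (key id replaced by KEYID-PLACEHOLDER).
SAMPLE_LOG = r"""
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#57564: update 'winnet.local/IN' denied
Aug 18 16:18:08 server1 named[12388]: samba_dlz: cancelling transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=client1.winnet.local tcpaddr= type=A key=KEYID-PLACEHOLDER/160/0
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#52919/key client1\$\@WINNET.LOCAL: updating zone 'winnet.local/NONE': adding an RR at 'client1.winnet.local' A
Aug 18 16:18:08 server1 named[12388]: samba_dlz: committed transaction on zone winnet.local
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#62909: update '178.168.192.in-addr.arpa/IN' denied
Aug 18 16:18:08 server1 named[12388]: samba_dlz: cancelling transaction on zone 178.168.192.in-addr.arpa
Aug 18 16:18:08 server1 named[12388]: samba_dlz: starting transaction on zone 178.168.192.in-addr.arpa
Aug 18 16:18:08 server1 named[12388]: samba_dlz: allowing update of signer=client1\$\@WINNET.LOCAL name=98.178.168.192.in-addr.arpa tcpaddr= type=PTR key=KEYID-PLACEHOLDER/160/0
Aug 18 16:18:08 server1 named[12388]: client 192.168.178.98#58907/key client1\$\@WINNET.LOCAL: updating zone '178.168.192.in-addr.arpa/NONE': adding an RR at '98.178.168.192.in-addr.arpa' PTR
Aug 18 16:18:08 server1 named[12388]: samba_dlz: committed transaction on zone 178.168.192.in-addr.arpa
"""

# Constructed failure case: the unsigned attempt is refused and no signed
# update from that host ever follows, so the denial is reported for review.
SAMPLE_LOG_UNEXPLAINED = r"""
Aug 18 16:20:01 server1 named[12388]: samba_dlz: starting transaction on zone winnet.local
Aug 18 16:20:01 server1 named[12388]: client 192.168.178.77#40001: update 'winnet.local/IN' denied
Aug 18 16:20:01 server1 named[12388]: samba_dlz: cancelling transaction on zone winnet.local
"""

if __name__ == "__main__":
    for zone, z in summarize(SAMPLE_LOG).items():
        print(zone, z)
```

Run it against a real /var/log/messages by reading the file into summarize(); a zone whose unexplained_denials stays at 0 while committed_signed grows shows the same denied-then-signed pattern as the thread, and the records list gives the A and PTR names actually written, which is what the host -t A / host -t PTR check above confirms from the resolver side.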