[Samba] ddns update fails for reverse zone

steve steve at steve-ss.com
Fri Jan 10 05:05:37 MST 2014


Hi everyone.
I have a Linux nsupdate client sending dns update requests via sssd.
Just gone from 4.1.2 to 4.1.3. I've done this:
http://linuxcostablanca.blogspot.com.es/2013/09/samba4-bind9dlz-stale-dns-records-with.html
After which the forward zone update is working fine: 

2014-01-10T12:32:35.376142+01:00 hh16 named[4963]: samba_dlz: starting
transaction on zone hh3.site
2014-01-10T12:32:35.382352+01:00 hh16 named[4963]: samba_dlz: allowing
update of signer=CATRAL\$\@HH3.SITE name=catral.hh3.site
tcpaddr=192.168.1.22 type=A key=4172394391.sig-hh16.hh3.site/160/0
2014-01-10T12:32:35.382917+01:00 hh16 named[4963]: client
192.168.1.22#48586/key CATRAL\$\@HH3.SITE: updating zone
'hh3.site/NONE': deleting rrset at 'catral.hh3.site' A
2014-01-10T12:32:35.390788+01:00 hh16 named[4963]: samba_dlz: subtracted
rdataset catral.hh3.site
'catral.hh3.site.#0113600#011IN#011A#011192.168.1.22'
2014-01-10T12:32:35.394326+01:00 hh16 named[4963]: samba_dlz: subtracted
rdataset hh3.site 'hh3.site.#0113600#011IN#011SOA#011hh16.hh3.site.
hostmaster.hh3.site. 635 900 600 86400 0'
2014-01-10T12:32:35.396199+01:00 hh16 named[4963]: samba_dlz: added
rdataset hh3.site 'hh3.site.#0113600#011IN#011SOA#011hh16.hh3.site.
hostmaster.hh3.site. 636 900 600 86400 0'
2014-01-10T12:32:35.698255+01:00 hh16 named[4963]: samba_dlz: committed
transaction on zone hh3.site
2014-01-10T12:32:35.749459+01:00 hh16 named[4963]: samba_dlz: starting
transaction on zone hh3.site
2014-01-10T12:32:35.753506+01:00 hh16 named[4963]: samba_dlz: allowing
update of signer=CATRAL\$\@HH3.SITE name=catral.hh3.site
tcpaddr=192.168.1.22 type=AAAA key=3660185835.sig-hh16.hh3.site/160/0
2014-01-10T12:32:35.754206+01:00 hh16 named[4963]: client
192.168.1.22#48262/key CATRAL\$\@HH3.SITE: updating zone
'hh3.site/NONE': deleting rrset at 'catral.hh3.site' AAAA
2014-01-10T12:32:35.754706+01:00 hh16 named[4963]: samba_dlz: committed
transaction on zone hh3.site
2014-01-10T12:32:35.805458+01:00 hh16 named[4963]: samba_dlz: starting
transaction on zone hh3.site
2014-01-10T12:32:35.806991+01:00 hh16 named[4963]: samba_dlz: allowing
update of signer=CATRAL\$\@HH3.SITE name=catral.hh3.site
tcpaddr=192.168.1.22 type=A key=3866959392.sig-hh16.hh3.site/160/0
2014-01-10T12:32:35.807875+01:00 hh16 named[4963]: client
192.168.1.22#40235/key CATRAL\$\@HH3.SITE: updating zone
'hh3.site/NONE': adding an RR at 'catral.hh3.site' A
2014-01-10T12:32:35.810897+01:00 hh16 named[4963]: samba_dlz: added
rdataset catral.hh3.site
'catral.hh3.site.#0113600#011IN#011A#011192.168.1.22'
2014-01-10T12:32:35.814287+01:00 hh16 named[4963]: samba_dlz: subtracted
rdataset hh3.site 'hh3.site.#0113600#011IN#011SOA#011hh16.hh3.site.
hostmaster.hh3.site. 636 900 600 86400 0'
2014-01-10T12:32:35.831279+01:00 hh16 named[4963]: samba_dlz: added
rdataset hh3.site 'hh3.site.#0113600#011IN#011SOA#011hh16.hh3.site.
hostmaster.hh3.site. 637 900 600 86400 0'
2014-01-10T12:32:36.744347+01:00 hh16 named[4963]: samba_dlz: committed
transaction on zone hh3.site

But the reverse zone doesn't go:

2014-01-10T12:32:37.037639+01:00 hh16 named[4963]: samba_dlz: starting
transaction on zone 1.168.192.in-addr.arpa
2014-01-10T12:32:37.041533+01:00 hh16 named[4963]: samba_dlz:
disallowing update of signer=CATRAL\$\@HH3.SITE
name=22.1.168.192.in-addr.arpa type=PTR error=insufficient access rights
2014-01-10T12:32:37.042160+01:00 hh16 named[4963]: client
192.168.1.22#50967/key CATRAL\$\@HH3.SITE: updating zone
'1.168.192.in-addr.arpa/NONE': update failed: rejected by secure update
(REFUSED)
2014-01-10T12:32:37.042579+01:00 hh16 named[4963]: samba_dlz: cancelling
transaction on zone 1.168.192.in-addr.arpa
2014-01-10T12:32:37.514441+01:00 hh16 named[4963]: samba_dlz: starting
transaction on zone 1.168.192.in-addr.arpa
2014-01-10T12:32:37.516754+01:00 hh16 named[4963]: samba_dlz:
disallowing update of signer=CATRAL\$\@HH3.SITE
name=22.1.168.192.in-addr.arpa type=PTR error=insufficient access rights
2014-01-10T12:32:37.517581+01:00 hh16 named[4963]: client
192.168.1.22#53190/key CATRAL\$\@HH3.SITE: updating zone
'1.168.192.in-addr.arpa/NONE': update failed: rejected by secure update
(REFUSED)
2014-01-10T12:32:37.518280+01:00 hh16 named[4963]: samba_dlz: cancelling
transaction on zone 1.168.192.in-addr.arpa

Question: We're up. Am I going to break anything if I delete and
recreate the reverse zone? 

Any other stuff to try?

Cheers and belated happy new year,
Steve
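
An added example, not part of the original post: a small Python parser that re-joins the wrapped samba_dlz entries in the format quoted above and counts refused secure updates per signer, record name and type, which is the check one would run to see exactly which principal is being denied on which zone. The function names are illustrative assumptions; the sample lines are copied from the log excerpt in the post.

```python
import re
from collections import Counter

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")
DECISION = re.compile(
    r"samba_dlz: (allowing|disallowing) update of signer=(\S+) name=(\S+)"
    r"(?: tcpaddr=(\S+))? type=(\S+)(?: error=(.*))?"
)

# Lines taken from the log excerpt in the post (wrapped as posted).
SAMPLE_LOG = r"""
2014-01-10T12:32:35.806991+01:00 hh16 named[4963]: samba_dlz: allowing
update of signer=CATRAL\$\@HH3.SITE name=catral.hh3.site
tcpaddr=192.168.1.22 type=A key=3866959392.sig-hh16.hh3.site/160/0
2014-01-10T12:32:37.041533+01:00 hh16 named[4963]: samba_dlz:
disallowing update of signer=CATRAL\$\@HH3.SITE
name=22.1.168.192.in-addr.arpa type=PTR error=insufficient access rights
2014-01-10T12:32:37.516754+01:00 hh16 named[4963]: samba_dlz:
disallowing update of signer=CATRAL\$\@HH3.SITE
name=22.1.168.192.in-addr.arpa type=PTR error=insufficient access rights
"""

def join_records(text):
    """Re-join log entries that were wrapped across several lines."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if RECORD_START.match(line) or not records:
            records.append(line)  # a timestamp starts a new entry
        else:
            records[-1] += " " + line  # continuation of the previous entry
    return records

def parse_decisions(text):
    """Return one dict per samba_dlz allow/deny decision."""
    out = []
    for rec in join_records(text):
        m = DECISION.search(rec)
        if m:
            verdict, signer, name, addr, rtype, error = m.groups()
            out.append({"allowed": verdict == "allowing",
                        "signer": signer.replace("\\", ""),  # drop log escaping
                        "name": name, "tcpaddr": addr, "type": rtype,
                        "error": error})
    return out

def refused_summary(text):
    """Count refused updates per (signer, name, type, error)."""
    return Counter((d["signer"], d["name"], d["type"], d["error"])
                   for d in parse_decisions(text) if not d["allowed"])
```
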



