[Samba] Join AD fails DNS update

Rowland Penny rowlandpenny at googlemail.com
Thu Jun 26 06:04:00 MDT 2014


On 26/06/14 12:26, Lars Hanke wrote:
>> Have you tried running the 'nsupdate' command directly? This is what named
>> is doing and it might get you more info.
>
> Didn't even know that tool ...
>
> The update is refused, but I don't see clearly why (see log at the 
> end). Maybe this is an issue to be solved beforehand ...
>
> On the other hand, this will not help to hunt down the prerequisite 
> issue, since it would require me to manually define such, i.e. prereq 
> nxrrset.
>
> Just for my understanding ... I thought that SAMBA_DLZ is an interface 
> for Bind9 to access samba's LDAP. So if samba updates its LDAP, why do we 
> still go through the pain of sending update requests?
>
> root@samba:/# nsupdate -D -l
> setup_system()
> Creating key...
> namefromtext
> keycreate
> reset_system()
> user_interaction()
> get_next_command()
> > update add samba4.ad.microsult.de 86400 A 172.16.6.242
> evaluate_update()
> update_addordelete()
> get_next_command()
> > send
> start_update()
> recvsoa()
> About to create rcvmsg
> show_message()
> Reply from SOA query:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59702
> ;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> ;; QUESTION SECTION:
> ;samba4.ad.microsult.de.                IN      SOA
>
> ;; AUTHORITY SECTION:
> ad.microsult.de.        0       IN      SOA samba.ad.microsult.de. 
> hostmaster.ad.microsult.de. 1 900 600 86400 0
>
> ;; TSIG PSEUDOSECTION:
> local-ddns.             0       ANY     TSIG    hmac-sha256. 
> 1403781225 300 32 vQ9kJvZKQKMBMuDfLhd4qN5fbZ0ekdJX9RJ/QwHWSPQ= 59702 
> NOERROR 0
>
> Found zone name: ad.microsult.de
> The master is: samba.ad.microsult.de
> send_update()
> Sending update to 127.0.0.1#53
> show_message()
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 28777
> ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
> ;; UPDATE SECTION:
> samba4.ad.microsult.de. 86400   IN      A       172.16.6.242
>
> ;; TSIG PSEUDOSECTION:
> local-ddns.             0       ANY     TSIG    hmac-sha256. 
> 1403781225 300 32 6C64ivAB6zDMqC2OV9EecmOAr8bWw4fBhXOq1WuWPyQ= 28777 
> NOERROR 0
>
> Out of recvsoa
> update_completed()
> tsig verification successful
> show_message()
>
> Reply from update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 28777
> ;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
> ;; ZONE SECTION:
> ;ad.microsult.de.               IN      SOA
>
> ;; TSIG PSEUDOSECTION:
> local-ddns.             0       ANY     TSIG    hmac-sha256. 
> 1403781225 300 32 EauhZfYkovrkF+hocj17kvUs61BLleTa71AJ9PAza5Q= 28777 
> NOERROR 0
>
> done_update()
> reset_system()
> user_interaction()
> get_next_command()
> > cleanup()
> detach tsigkey x0x7f35351885f8
> Shutting down task manager
> shutdown_program()
> Shutting down request manager
> Destroy DST lib
> Destroying request manager
> Freeing the dispatchers
> Shutting down dispatch manager
> Destroying event
> Shutting down socket manager
> Shutting down timer manager
> Destroying hash context
> Destroying name state
> Removing log context
> Destroying memory context
> root@samba:/#
>
> Kind regards,
>  - lars.
>

Log in as root, kinit as Administrator, now run nsupdate like this:

nsupdate -g -d
 > update add samba4.ad.microsult.de 86400 A 172.16.6.242
 > send

Rowland
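
Added example, not part of the original messages and not Samba or BIND code: a small Python reader for nsupdate debug output of the kind quoted above, which pulls out the zone, master, TSIG key and the rcode of the update reply so that the -l run and the -g run can be compared side by side. The function names and the abridged sample log (MAC replaced by a placeholder) are constructed for this example.

```python
import re

# Constructed sample: abridged from the `nsupdate -D -l` log quoted in this thread,
# with the TSIG MAC replaced by a placeholder.
SAMPLE = """\
Found zone name: ad.microsult.de
The master is: samba.ad.microsult.de
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 28777
;; TSIG PSEUDOSECTION:
local-ddns.             0       ANY     TSIG    hmac-sha256. 1403781225 300 32 MAC-ELIDED 28777 NOERROR 0
tsig verification successful
Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 28777
"""

HEADER = re.compile(r"opcode: (\w+), status: (\w+), id: (\d+)")
TSIG = re.compile(r"^(\S+)\s+\d+\s+ANY\s+TSIG\s+(\S+)")

def summarize(log):
    """Collect zone, master, TSIG key and per-message rcodes from debug output."""
    info = {"messages": [], "tsig_keys": set(), "tsig_verified": False}
    label = None
    for line in (raw.strip() for raw in log.splitlines()):
        if line.endswith("query:"):          # e.g. "Reply from update query:"
            label = line.rstrip(":")
        elif m := HEADER.search(line):
            info["messages"].append((label, m.group(1), m.group(2), int(m.group(3))))
        elif m := TSIG.match(line):          # key name and algorithm, dots stripped
            info["tsig_keys"].add((m.group(1).rstrip("."), m.group(2).rstrip(".")))
        elif line.startswith("Found zone name:"):
            info["zone"] = line.split(":", 1)[1].strip()
        elif line.startswith("The master is:"):
            info["master"] = line.split(":", 1)[1].strip()
        elif line == "tsig verification successful":
            info["tsig_verified"] = True
    return info

def update_result(info):
    """Return the rcode of the server's reply to the UPDATE, or None if absent."""
    for label, opcode, status, _id in info["messages"]:
        if opcode == "UPDATE" and label and label.startswith("Reply"):
            return status
    return None

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s.get("zone"), s.get("master"), sorted(s["tsig_keys"]), update_result(s))
```
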


