[Samba] Join AD fails DNS update

Lars Hanke debian at lhanke.de
Fri Jun 27 06:11:42 MDT 2014


Hi Steve,

taking my time to analyze what is happening I found the following:

1) Any local updates on the AD DC using nsupdate -g run well. So the 
configuration on the AD DC should be fine, and Bind9 is performing well 
with DLZ. I traced the network packets to compare with what the does.

2) net ads join from the client contacts the DNS of the DC twice, which 
causes the strange structure of syslog entries. The first one 
stipulating an unsatisfied prerequisite seems to be merely informative. 
It does not contain any update records.

3) The second request contains the update request. It is refused, 
because it does not contain ANY authorization data.

This relaxes me a lot, since the server side is running nicely. As yet, 
I don't know whether and how I'll need the functions of 'net' in any 
unattended mode. This also motivates that updating the client may be 
sensible in that case.

However, what I do not understand is why the client's 'net' contacts the 
DNS directly?

In order to make this succeed the client must have credentials for the 
central DNS. Nothing that I would want.

I'd expect that the client management tools speak to samba and samba in 
turn locally updates DNS. Does anybody know how the protocol is intended?

 > to do that over here at the moment. Alternatively you could ask the at
 > samba-technical.

;)

Regards,
  - lars.

PS: Just to share my findings:

 >>> I don't think the join does much apart from add an A record for the
 >>> machine:

The first update request checks that
- there is no corresponding CNAME (which probably succeeds)
- there is an IN for the correct IP (which should fail)
- there is an IN for 127.0.0.2 (which should also fail)
So the failure of the first request is to be expected, but I'm still not 
clear why we see NXRRSET.

The second update wipes all entries for the new FQDN and registers the 
name for the proper IP and 127.0.0.2! This at least sounds strange, 
unless issued locally on the DC.
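To make the two update messages described in this mail concrete, here is an added Python example (not code from the post, Samba, BIND or nsupdate) that encodes RFC 2136 DNS UPDATE messages and decodes them back into their prerequisite and update semantics. Hostname, zone and IP address are placeholders. The decoder also reports the RCODE a failed prerequisite yields per RFC 2136 section 3.2.5, which is why a value-dependent "A RRset equals this IP" check answers NXRRSET, and whether the additional section carries a TSIG record, the authorization data whose absence gets the second request refused.

```python
"""Encode and decode RFC 2136 DNS UPDATE messages (constructed example).

Not Samba, BIND or nsupdate code: hostname, zone and IPs are placeholders.
"""
import struct

TYPE = {"A": 1, "CNAME": 5, "SOA": 6, "TSIG": 250, "ANY": 255}
CLASS = {"IN": 1, "NONE": 254, "ANY": 255}
TYPE_NAME = {v: k for k, v in TYPE.items()}
OPCODE_UPDATE = 5
HOST, ZONE, IP = "client1.ad.example", "ad.example", "192.0.2.10"  # placeholders

def encode_name(name):
    """Dotted name -> length-prefixed labels, no compression."""
    labels = [bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(labels) + b"\x00"

def rr(name, rtype, rclass, ttl=0, rdata=b""):
    """One RR; empty RDATA is the prerequisite / delete form."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def a_rdata(ip):
    return bytes(int(o) for o in ip.split("."))

def build_update(msg_id, zone, prereqs, updates, additional=()):
    """Header + zone section + prerequisite, update and additional sections."""
    hdr = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11,
                      1, len(prereqs), len(updates), len(additional))
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE["SOA"], CLASS["IN"])
    return hdr + zone_sec + b"".join(prereqs) + b"".join(updates) + b"".join(additional)

def decode_name(buf, off):
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:  # compression pointer: name continues at the pointed-to offset
            target = ((n & 0x3F) << 8) | buf[off]
            labels.append(decode_name(buf, target)[0])
            return ".".join(labels), off + 1
        labels.append(buf[off:off + n].decode("ascii"))
        off += n

def decode_rr(buf, off):
    name, off = decode_name(buf, off)
    rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
    off += 10
    return (name, rtype, rclass, buf[off:off + rdlen]), off + rdlen

def fmt_rdata(rtype, rdata):
    return ".".join(map(str, rdata)) if rtype == TYPE["A"] else rdata.hex()

def prereq_meaning(rtype, rclass, rdata):
    """RFC 2136 s2.4 semantics plus the RCODE returned when the check fails (s3.2.5)."""
    t = TYPE_NAME.get(rtype, str(rtype))
    if rclass == CLASS["ANY"]:
        return ("name in use", "NXDOMAIN") if rtype == TYPE["ANY"] else (f"{t} RRset exists", "NXRRSET")
    if rclass == CLASS["NONE"]:
        return ("name not in use", "YXDOMAIN") if rtype == TYPE["ANY"] else (f"no {t} RRset", "YXRRSET")
    return (f"{t} RRset equals {fmt_rdata(rtype, rdata)}", "NXRRSET")  # value-dependent

def update_meaning(rtype, rclass, rdata):
    """RFC 2136 s2.5 update semantics."""
    t = TYPE_NAME.get(rtype, str(rtype))
    if rclass == CLASS["ANY"]:
        return "delete all RRsets" if rtype == TYPE["ANY"] else f"delete {t} RRset"
    if rclass == CLASS["NONE"]:
        return f"delete {t} {fmt_rdata(rtype, rdata)}"
    return f"add {t} {fmt_rdata(rtype, rdata)}"

def summarize(msg):
    """Decode an UPDATE: zone, prerequisites (with failure RCODE), updates,
    and whether the additional section carries a TSIG RR (the authorization data)."""
    _, flags, _, prcount, upcount, adcount = struct.unpack_from("!HHHHHH", msg, 0)
    zone, off = decode_name(msg, 12)
    off += 4  # skip zone type + class
    prereqs, updates, tsig = [], [], False
    for _ in range(prcount):
        (n, t, c, rd), off = decode_rr(msg, off)
        prereqs.append((n,) + prereq_meaning(t, c, rd))
    for _ in range(upcount):
        (n, t, c, rd), off = decode_rr(msg, off)
        updates.append((n, update_meaning(t, c, rd)))
    for _ in range(adcount):
        (_, t, _, _), off = decode_rr(msg, off)
        tsig = tsig or t == TYPE["TSIG"]
    return {"opcode": (flags >> 11) & 0xF, "zone": zone, "prereqs": prereqs,
            "updates": updates, "tsig_present": tsig}

def join_probe():
    """Message 1 as described in the post: prerequisites only, no update records."""
    return build_update(1, ZONE, [
        rr(HOST, TYPE["CNAME"], CLASS["NONE"]),                     # no CNAME at the name
        rr(HOST, TYPE["A"], CLASS["IN"], 0, a_rdata(IP)),            # A == correct IP
        rr(HOST, TYPE["A"], CLASS["IN"], 0, a_rdata("127.0.0.2")),  # A == 127.0.0.2
    ], [])

def join_update(signed=False):
    """Message 2: delete everything at the name, then add the two A records."""
    additional = []
    if signed:  # placeholder TSIG RR; real GSS-TSIG RDATA carries a Kerberos-derived MAC
        additional.append(rr("gss-key.placeholder", TYPE["TSIG"], CLASS["ANY"], 0, b"\x00"))
    return build_update(2, ZONE, [], [
        rr(HOST, TYPE["ANY"], CLASS["ANY"]),
        rr(HOST, TYPE["A"], CLASS["IN"], 3600, a_rdata(IP)),
        rr(HOST, TYPE["A"], CLASS["IN"], 3600, a_rdata("127.0.0.2")),
    ], additional)

if __name__ == "__main__":
    for m in (join_probe(), join_update()):
        print(summarize(m))
```

Run the file to print both decoded messages; pointing `summarize()` at the UPDATE payload of a captured packet shows the same breakdown for real traffic, with `tsig_present` being the quick check for whether the client attached any GSS-TSIG authorization at all.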

