[Samba] Join AD fails DNS update
debian at lhanke.de
Fri Jun 27 06:11:42 MDT 2014
Taking my time to analyze what is happening, I found the following:
1) Any local updates on the AD DC using nsupdate -g run well. So the
configuration on the AD DC should be fine, and Bind9 is performing well
with DLZ. I traced the network packages to compare with what the does.
2) net ads join from the client contacts the DNS of the DC twice, which
causes the strange structure of syslog entries. The first one
stipulating an unsatisfied prerequisite seems to be merely informative.
It does not contain any update records.
3) The second request contains the update request. It is refused,
because it does not contain ANY authorization data.
This relaxes me a lot, since the server side is running nicely. As yet,
I don't know whether and how I'll need the functions of 'net' in any
unattended mode. This also motivates that updating the client may be
sensible in that case.
However, what I do not understand is why the client's 'net' contacts the
In order to make this succeed the client must have credentials for the
central DNS. Nothing that I would want.
I'd expect that the client management tools speak to samba and samba in
turn locally updates DNS. Does anybody know how the protocol is intended?
> to do that over here at the moment. Alternatively you could ask the at
PS: Just to share my findings:
>>> I don't think the join does much apart from add an A record for the
The first update request checks that
- there is no corresponding CNAME (which probably succeeds)
- there is an IN for the correct IP (which should fail)
- there is an IN for 127.0.0.2 (which should also fail)
So the failure of the first request is to be expected, but I'm still not
clear why we see NXRRSET.
The second update wipes all entries for the new FQDN and registers the
name for the proper IP and 127.0.0.2! This at least sounds strange,
unless issued locally on the DC.
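
As an added illustration (not part of the original post, and not Samba's or BIND's code), the following Python sketch decodes an RFC 2136 UPDATE message into its prerequisite and update sections and reports whether the additional section carries a TSIG record. The two messages are constructed to match the requests described above; the host name, zone and client address are made-up sample values.

```python
import socket, struct
NONE, ANY, TSIG = 254, 255, 250   # RFC 2136 classes NONE/ANY; TSIG RR type (GSS-TSIG uses it too)
TYPES = {1: "A", 5: "CNAME", 255: "records"}

def enc_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
def rr(name, rtype, rclass, ttl=0, rdata=b""):
    return enc_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build(prereqs, updates, additional=(), zone="example.test"):
    hdr = struct.pack("!6H", 0x1234, 5 << 11, 1, len(prereqs), len(updates), len(additional))
    rrs = b"".join(rr(*r) for r in (*prereqs, *updates, *additional))
    return hdr + enc_name(zone) + struct.pack("!HH", 6, 1) + rrs   # zone entry: SOA, IN

def skip_name(msg, off):
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:   # a compression pointer ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def meaning(section, rtype, rclass, rdata):
    t = TYPES.get(rtype, f"TYPE{rtype}")
    val = socket.inet_ntoa(rdata) if rtype == 1 and len(rdata) == 4 else rdata.hex()
    if section == "prereq":
        return {NONE: f"no {t} may exist", ANY: f"{t} must exist"}.get(rclass, f"{t} {val} must exist")
    return {NONE: f"delete {t} {val}", ANY: f"delete all {t}"}.get(rclass, f"add {t} {val}")

def analyze(msg):
    _id, flags, _zo, pr, up, ad = struct.unpack_from("!6H", msg)
    if (flags >> 11) & 0xF != 5:
        raise ValueError("not a DNS UPDATE (opcode 5)")
    out = {"prereq": [], "update": [], "signed": False}
    off = skip_name(msg, 12) + 4      # zone name, then its type and class
    for section, count in (("prereq", pr), ("update", up), ("additional", ad)):
        for _ in range(count):
            off = skip_name(msg, off)
            rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
            if section == "additional":
                out["signed"] |= rtype == TSIG
            else:
                out[section].append(meaning(section, rtype, rclass, rdata))
    return out

# Constructed messages shaped like the two requests described in the post
FQDN, IP, LO = "client1.example.test", socket.inet_aton("192.0.2.10"), socket.inet_aton("127.0.0.2")
FIRST = build([(FQDN, 5, NONE), (FQDN, 1, 1, 0, IP), (FQDN, 1, 1, 0, LO)], [])
SECOND = build([], [(FQDN, ANY, ANY), (FQDN, 1, 1, 0, IP), (FQDN, 1, 1, 0, LO)])
```

RFC 2136 assigns NXRRSET to an unmet "RRset exists" prerequisite, which is the kind the two A-record checks in `FIRST` express. `analyze(SECOND)["signed"]` is false because the message has no TSIG record, the condition under which the server refuses the update.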