[Samba] Join AD fails DNS update

L.P.H. van Belle belle at bazuin.nl
Fri Jun 27 07:45:57 MDT 2014

nsupdate -D -l  ?? 

Are you using bind9_DLZ or bind9_FLATFILE?

above is NOT for DLZ.

 -g is used for kerberos auth. 

And I see:
>tsig verification successful 
TSIG ?? 

So your problem is probably in your Bind setup, not Samba.
I think you are mixing TSIG and GSSTSIG.

start reading here. 



>-----Original message-----
>From: debian at lhanke.de [mailto:samba-bounces at lists.samba.org] 
>On behalf of Lars Hanke
>Sent: Thursday 26 June 2014 13:27
>To: Rowland Penny; samba at lists.samba.org
>Subject: Re: [Samba] Join AD fails DNS update
>> Have you tried running the 'nsupdate' command direct, this is what named
>> is doing and it might get you more info.
>Didn't even know that tool ...
>The update is refused, but I don't see clearly why (see log at 
>the end). 
>Maybe this is an issue to be solved beforehand ...
>On the other hand, this will not help to hunt down the prerequisite 
>issue, since it would require me to manually define such, i.e. prereq 
>Just for my understanding ... I thought that SAMBA_DLZ is an interface 
>for Bind9 to access samba's LDAP. So if samba updates its LDAP, why we 
>still go through the pain of sending update requests?
>root at samba:/# nsupdate -D -l
>Creating key...
> > update add samba4.ad.microsult.de 86400 A
> > send
>About to create rcvmsg
>Reply from SOA query:
>;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id:  59702
>;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>;samba4.ad.microsult.de.                IN      SOA
>ad.microsult.de.        0       IN      SOA     samba.ad.microsult.de. 
>hostmaster.ad.microsult.de. 1 900 600 86400 0
>local-ddns.             0       ANY     TSIG    hmac-sha256. 
>300 32 vQ9kJvZKQKMBMuDfLhd4qN5fbZ0ekdJX9RJ/QwHWSPQ= 59702 NOERROR 0
>Found zone name: ad.microsult.de
>The master is: samba.ad.microsult.de
>Sending update to
>Outgoing update query:
>;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  28777
>;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
>samba4.ad.microsult.de. 86400   IN      A
>local-ddns.             0       ANY     TSIG    hmac-sha256. 
>300 32 6C64ivAB6zDMqC2OV9EecmOAr8bWw4fBhXOq1WuWPyQ= 28777 NOERROR 0
>Out of recvsoa
>tsig verification successful
>Reply from update query:
>;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  28777
>;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
>;ad.microsult.de.               IN      SOA
>local-ddns.             0       ANY     TSIG    hmac-sha256. 
>300 32 EauhZfYkovrkF+hocj17kvUs61BLleTa71AJ9PAza5Q= 28777 NOERROR 0
> > cleanup()
>detach tsigkey x0x7f35351885f8
>Shutting down task manager
>Shutting down request manager
>Destroy DST lib
>Destroying request manager
>Freeing the dispatchers
>Shutting down dispatch manager
>Destroying event
>Shutting down socket manager
>Shutting down timer manager
>Destroying hash context
>Destroying name state
>Removing log context
>Destroying memory context
>root at samba:/#
>Kind regards,
>  - lars.
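
As an added illustration of the TSIG versus GSS-TSIG distinction drawn in the reply above (not part of the original thread, and not Samba or BIND code): a small Python check that reads an `nsupdate -D` transcript and reports which signing mechanism was used and how the server answered the update. The function names and the sample transcript are constructed for this example; `gss-tsig` is the algorithm name defined in RFC 3645.

```python
import re

# Constructed sample in the shape of the `nsupdate -D -l` transcript quoted
# above; the MAC values are replaced by a placeholder.
SAMPLE = """\
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  28777
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
local-ddns.             0       ANY     TSIG    hmac-sha256. 300 32 <mac> 28777 NOERROR 0
tsig verification successful
;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id:  28777
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
local-ddns.             0       ANY     TSIG    hmac-sha256. 300 32 <mac> 28777 NOERROR 0
"""

HEADER = re.compile(r"opcode:\s*(\w+),\s*status:\s*(\w+)")
FLAGS = re.compile(r"^;; flags:([^;]*);")
TSIG = re.compile(r"^(\S+)\s+\d+\s+ANY\s+TSIG\s+(\S+)")

def classify(log):
    """Return (mechanism, key_name, update_rcode) for one transcript."""
    key = alg = rcode = pending = None
    for raw in log.splitlines():
        line = raw.lstrip("> ")          # tolerate mail-quoted transcripts
        if m := HEADER.search(line):
            # Remember the status only for UPDATE messages.
            pending = m.group(2) if m.group(1) == "UPDATE" else None
        elif m := FLAGS.match(line):
            # Only a message carrying the qr flag is the server's reply.
            if pending and "qr" in m.group(1).split():
                rcode = pending
            pending = None
        elif m := TSIG.match(line):
            key, alg = m.group(1).rstrip("."), m.group(2).rstrip(".").lower()
    if alg is None:
        mech = "unsigned"
    elif alg == "gss-tsig":              # RFC 3645 algorithm name (Kerberos)
        mech = "GSS-TSIG"
    else:                                # hmac-* shared secret, e.g. nsupdate -l
        mech = "TSIG"
    return mech, key, rcode

def diagnose(log):
    mech, key, rcode = classify(log)
    if rcode == "REFUSED" and mech == "TSIG":
        return (f"TSIG key {key!r} verified but the update was REFUSED: "
                "retry with Kerberos auth (nsupdate -g)")
    return f"{mech} update, server answered {rcode}"

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A verified signature only proves the key matched; the REFUSED rcode is the server's update policy rejecting that key, which is why the transcript shows both.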
