[Samba] Struggling to get DC Setup/Validated with BIND_DLZ

Pat Synor pat.synor at gmail.com
Wed Oct 15 15:32:33 MDT 2014


So I have a lot of experience with BIND, and some with Samba, but I know
nothing about AD.  Anyhow, I am trying to get a simple lab DC set up using
BIND9_DLZ and I am having trouble when I try and test the DNS update
capabilities.

I followed the guide here to set up BIND as a backend:
https://wiki.samba.org/index.php/DNS_Backend_BIND

And the guide here to set up the Samba DC:
https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

When I run:

# /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names

I get:

[root at lab-dc ~]# /usr/local/samba/sbin/samba_dnsupdate --verbose --all-names
IPs: ['192.168.2.20']
Calling nsupdate for A lab-dc.sytech.local 192.168.2.20 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
lab-dc.sytech.local.    900     IN      A       192.168.2.20

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A sytech.local 192.168.2.20 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
sytech.local.           900     IN      A       192.168.2.20

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.sytech.local lab-dc.sytech.local 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.sytech.local. 900    IN      SRV     0 100 389 lab-dc.sytech.local.

...
...
...
update failed: REFUSED
Failed nsupdate: 2
Failed update of 27 entries

Looking at my BIND log I see:

...
...
Oct 15 17:24:01 lab-dc named[2065]: client 192.168.2.20#35817: update 'sytech.local/IN' denied
Oct 15 17:24:01 lab-dc named[2065]: samba_dlz: cancelling transaction on zone sytech.local
Oct 15 17:24:01 lab-dc named[2065]: samba_dlz: starting transaction on zone sytech.local
Oct 15 17:24:01 lab-dc named[2065]: client 192.168.2.20#65266: update 'sytech.local/IN' denied
Oct 15 17:24:01 lab-dc named[2065]: samba_dlz: cancelling transaction on zone sytech.local

To me that indicates an issue with the allow-update BIND settings for the
zone, but that would imply that I need to manually create a zone file for
this zone and configure it in BIND.  Is that a part of the process that was
omitted in these documents, or am I doing something wrong?

BTW, this all works fine:

[root at lab-dc ~]# host -t SRV _ldap._tcp.sytech.local.
_ldap._tcp.sytech.local has SRV record 0 100 389 lab-dc.sytech.local.
[root at lab-dc ~]# host -t SRV _kerberos._udp.sytech.local.
_kerberos._udp.sytech.local has SRV record 0 100 88 lab-dc.sytech.local.
[root at lab-dc ~]#  host -t A lab-dc.sytech.local.
lab-dc.sytech.local has address 192.168.2.20

I was also able to update a record using "samba-tool dns update."


Any help is greatly appreciated.

Thanks,
Pat
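The named log excerpt above is the kind of thing an operator wants to triage quickly: which client was refused, for which zone, and whether the refusals come from the DC itself (pointing at the server's update policy, as the poster suspects) or from hosts that should not be sending dynamic updates at all. The following parser is an added example written for this thread, not code from the post or from Samba; the log lines it consumes are constructed to match the format quoted above, and the set of "expected updaters" is an assumption the caller supplies.

```python
import re
from collections import Counter

# Constructed sample, shaped like the named log lines quoted in the post
# (each entry on a single line, as named writes them to syslog).
SAMPLE_LOG = """\
Oct 15 17:24:01 lab-dc named[2065]: client 192.168.2.20#35817: update 'sytech.local/IN' denied
Oct 15 17:24:01 lab-dc named[2065]: samba_dlz: cancelling transaction on zone sytech.local
Oct 15 17:24:01 lab-dc named[2065]: samba_dlz: starting transaction on zone sytech.local
Oct 15 17:24:01 lab-dc named[2065]: client 192.168.2.20#65266: update 'sytech.local/IN' denied
Oct 15 17:24:01 lab-dc named[2065]: samba_dlz: cancelling transaction on zone sytech.local
Oct 15 17:24:02 lab-dc named[2065]: client 192.168.2.77#40001: update 'sytech.local/IN' denied
"""

# "client <ip>#<port>: update '<zone>/<class>' denied" as logged by named.
DENIED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[\d+\]: "
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^/']+)/(?P<class>\w+)' denied$"
)
# samba_dlz transaction messages seen in the post ("starting" / "cancelling").
DLZ_RE = re.compile(
    r"samba_dlz: (?P<action>starting|cancelling) transaction on zone (?P<zone>\S+)$"
)

def parse_named_log(text):
    """Return one dict per denied update, with the samba_dlz transaction
    message that followed it (None if the log ends first)."""
    events, pending = [], None
    for line in text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            pending = dict(m.groupdict(), dlz_outcome=None)
            events.append(pending)
            continue
        m = DLZ_RE.search(line)
        if m and pending is not None and m["action"] != "starting":
            pending["dlz_outcome"] = m["action"]
            pending = None
    return events

def summarize(events):
    """Count refusals per (client IP, zone)."""
    return Counter((e["ip"], e["zone"]) for e in events)

def classify(events, expected_updaters):
    """Split refusals into those from hosts expected to update the zone (for a
    DC, its own address: these point at the server's update policy) and those
    from any other source, which deserve a closer look."""
    expected = [e for e in events if e["ip"] in expected_updaters]
    unexpected = [e for e in events if e["ip"] not in expected_updaters]
    return expected, unexpected
```

With the DC's own address 192.168.2.20 passed as the expected updater, the two refusals from the post are classed as a local policy problem and the constructed 192.168.2.77 entry is flagged as unexpected.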

