[Samba] Samba_dlz: canceling transaction on zone domain

Philip Banh Philip.Banh at oahpp.ca
Tue Nov 10 20:57:51 UTC 2015


Hi again,

While I've seen a lot of solutions use that script, I'm wondering to myself, is there any other solution? I'm also still curious: does anyone know what these messages mean:

Nov 10 15:45:50 pho-dcpvl-01N named-sdb[9596]: samba_dlz: starting transaction on zone coreontario2.ca
Nov 10 15:45:50 pho-dcpvl-01N named-sdb[9596]: client 172.17.0.30*#33362: update 'coreontario2.ca/IN' denied
Nov 10 15:45:50 pho-dcpvl-01N named-sdb[9596]: samba_dlz: cancelling transaction on zone coreontario2.ca

*The client that is trying to do the update is the DHCP.

Again, my guess is my DHCP isn't sending secure updates for Samba_dlz (BIND) and it only wants to accept secure updates. If that's the case, is there a way to make ISC DHCP do secure updates...but it seems like the workaround eventually leads back to that script. Anyway, it's worth a shot...

Also, I know about smb.conf allow dns 'update = nonsecure and secure'...but I don't see it having any effect. Since I'm at it, I might as well post the smb.conf:

[global]
        workgroup = DOMAIN
        realm = DOMAIN
        netbios name = NS01
        server role = active directory domain controller
        printing = bsd
        allow dns updates = nonsecure and secure
        nsupdate command = /usr/local/bin/nsupdate -g
        server services = -dns
        server services = dnsupdate
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/coreontario.ca/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No

Any input is appreciated.

Thanks!
Philip
________________________________________
From: samba [samba-bounces at lists.samba.org] on behalf of Philip Banh [Philip.Banh at oahpp.ca]
Sent: Monday, November 09, 2015 5:51 PM
To: Rowland Penny; samba at lists.samba.org
Subject: Re: [Samba] Samba_dlz: canceling transaction on zone domain

Thanks a lot. I'll take a read through it and see if I can get it working.

________________________________________
From: samba [samba-bounces at lists.samba.org] on behalf of Rowland Penny [rowlandpenny241155 at gmail.com]
Sent: Monday, November 09, 2015 5:02 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba_dlz: canceling transaction on zone domain

On 09/11/15 21:28, Philip Banh wrote:
> Hey Rowland,
>
> Below is a cutdown version of my DHCP. As you can see, I haven't really set anything up for ddns-update. While using Samba4's internal DNS I had the setting 'ddns-update-style interim;' and it seemed to have worked fine. But with bind I'm not sure what else is needed.
>
> Thanks for taking a look at it.
> Philip
>
> #
> # DHCP Server Configuration file.
> #   see /usr/share/doc/dhcp*/dhcpd.conf.sample
> #   see 'man 5 dhcpd.conf'
> #
> # option definitions common to all supported networks...
> option domain-name "DOMAIN";
> option domain-name-servers 172.17.0.170, 172.17.0.171;
>
> filename "pxelinux.0";
> next-server 172.17.0.50;
>
> default-lease-time 600;
> max-lease-time 7200;
>
> # Use this to enable / disable dynamic dns updates globally.
> #ddns-updates on; # not really necessary, ddns-update-style is good enough
> ddns-update-style interim;
> deny client-updates;
> ignore-client-updates;
> #allow client-updates;
>
> #update-static-leases on;
>   key DHCP_UPDATER {
>           algorithm HMAC-MD5.SIG-ALG.REG.INT;
>
>           #Paste in the generated key here.   Should be in quotes
>                    secret "SECRET";
>           };
> # If this DHCP server is the official DHCP server for the local
> # network, the authoritative directive should be uncommented.
> authoritative;
>
> class "Others" {
>
> .....
>
> }
>
> subnet 172.17.0.0 netmask 255.255.255.0 {
>    option routers 172.17.0.1;
>
>    pool {
>      range 172.17.0.201 172.17.0.254;
>      option broadcast-address 172.17.0.255;
>      deny members of "Others";
>    }
>
> .....The rest of vlans
>
> log-facility local6;
>
> ________________________________________
> From: samba [samba-bounces at lists.samba.org] on behalf of Rowland Penny [rowlandpenny241155 at gmail.com]
> Sent: Monday, November 09, 2015 4:15 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba_dlz: canceling transaction on zone domain
>
> On 09/11/15 20:48, Philip Banh wrote:
>> Hi there,
>>
>> I'm in the process of switching from using Samba4 internal DNS to using BIND as my backend DNS. However, I'm currently running into some issues with the transition.
>>
>> Here's an example of the messages I'm getting from /var/log/messages logs:
>>
>> Nov  9 15:34:26 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN
>> Nov  9 15:34:26 pho-dcpvl-01N named[27524]: client 172.17.0.30#59051: update 'DOMAIN/IN' denied
>> Nov  9 15:34:26 pho-dcpvl-01N named[27524]: samba_dlz: cancelling transaction on zone DOMAIN
>> Nov  9 15:35:24 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN
>> Nov  9 15:35:24 pho-dcpvl-01N named[27524]: client 172.17.0.30#42206: update 'DOMAIN/IN' denied
>> Nov  9 15:35:24 pho-dcpvl-01N named[27524]: samba_dlz: cancelling transaction on zone DOMAIN
>> Nov  9 15:35:26 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN
>> Nov  9 15:35:26 pho-dcpvl-01N named[27524]: client 172.17.0.30#51563: update 'DOMAIN/IN' denied
>> Nov  9 15:35:26 pho-dcpvl-01N named[27524]: samba_dlz: cancelling transaction on zone DOMAIN
>> Nov  9 15:35:32 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN
>>
>> * 172.17.0.30 being my DHCP server.
>>
>> Does anyone know what's causing the above messages? And how do you proceed in a setup with Samba4 AD / BIND with DDNS.
>>
>> My guess here is I'm having troubles with setting up the DHCP properly to communicate with BIND, so the DNS isn't being updated.
>>
>> Please let me know what other information I can provide.
>>
>> Thanks,
>> Philip
>>
>>
>>
>>
> Can you post your dhcpd.conf ?
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

One thing I forgot to say is that my setup is based on what I found here:

http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
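
An added example, not part of any message in this thread: a small triage script that correlates the three-line pattern quoted above (samba_dlz transaction start, BIND "update ... denied", samba_dlz cancel) and reports which client is being refused for which zone. The log lines are copied from the thread; the function name and the handling of verbs other than "starting" and "cancelling" are assumptions.

```python
import re
from collections import Counter

# Log lines copied from the thread (named / named-sdb syslog output).
# The '*' after the IP in one line is the poster's footnote marker; it is tolerated below.
SAMPLE_LOG = """\
Nov  9 15:35:26 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN
Nov  9 15:35:26 pho-dcpvl-01N named[27524]: client 172.17.0.30#51563: update 'DOMAIN/IN' denied
Nov  9 15:35:26 pho-dcpvl-01N named[27524]: samba_dlz: cancelling transaction on zone DOMAIN
Nov  9 15:35:32 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN
Nov 10 15:45:50 pho-dcpvl-01N named-sdb[9596]: samba_dlz: starting transaction on zone coreontario2.ca
Nov 10 15:45:50 pho-dcpvl-01N named-sdb[9596]: client 172.17.0.30*#33362: update 'coreontario2.ca/IN' denied
Nov 10 15:45:50 pho-dcpvl-01N named-sdb[9596]: samba_dlz: cancelling transaction on zone coreontario2.ca
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]+) \S+ named[\w-]*\[(?P<pid>\d+)\]: (?P<msg>.*)$")
TXN = re.compile(r"samba_dlz: (\w+) transaction on zone (\S+)")
DENIED = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)\*?#\d+: update '(?P<zone>[^/']+)/IN' denied")

def summarize(log_text):
    """Return (denied per (client, zone), cancels with no denial, transactions left open)."""
    denied = Counter()      # (client_ip, zone) -> number of denied updates
    open_txn = {}           # (pid, zone) -> timestamp of the 'starting' line
    saw_denial = set()      # (pid, zone) keys with a denial since the last close
    unexplained = []        # (timestamp, zone) of cancels not preceded by a denial
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue        # not a named/named-sdb syslog line
        pid, msg = m["pid"], m["msg"]
        if (t := TXN.search(msg)):
            verb, key = t.group(1), (pid, t.group(2))
            if verb == "starting":
                open_txn[key] = m["ts"]
            else:           # assumption: any other verb closes the transaction
                open_txn.pop(key, None)
                if verb == "cancelling" and key not in saw_denial:
                    unexplained.append((m["ts"], key[1]))
                saw_denial.discard(key)
        elif (d := DENIED.search(msg)):
            denied[(d["ip"], d["zone"])] += 1
            saw_denial.add((pid, d["zone"]))
    return denied, unexplained, open_txn

if __name__ == "__main__":
    denied, unexplained, still_open = summarize(SAMPLE_LOG)
    for (ip, zone), n in denied.items():
        print(f"{ip} denied {n} update(s) on zone {zone}")
    print("cancelled without a denial:", unexplained, "| still open:", still_open)
```

A cancel that is not preceded by a denial points at a different failure than a refused update, so it is reported separately.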



