[Samba] Samba_dlz: canceling transaction on zone domain

Rowland Penny rowlandpenny241155 at gmail.com
Tue Nov 10 21:10:05 UTC 2015


On 10/11/15 20:57, Philip Banh wrote:
> Hi again,
>
> While I've seen a lot of solutions use that script, I'm wondering to myself whether there is any other solution. I'm also still curious whether anyone knows what these messages mean:
>
> Nov 10 15:45:50 pho-dcpvl-01N named-sdb[9596]: samba_dlz: starting transaction on zone coreontario2.ca
> Nov 10 15:45:50 pho-dcpvl-01N named-sdb[9596]: client 172.17.0.30*#33362: update 'coreontario2.ca/IN' denied
> Nov 10 15:45:50 pho-dcpvl-01N named-sdb[9596]: samba_dlz: cancelling transaction on zone coreontario2.ca
>
> *The client that is trying to do the update is the DHCP.
>
> Again, my guess is my DHCP isn't sending secure updates for Samba_dlz (BIND) and it only wants to accept secure updates. If that's the case, is there a way to make ISC DHCP do secure updates? ...but it seems like the workaround eventually leads back to that script. Anyway, it's worth a shot...
>
> Also I know about smb.conf allow dns 'update = nonsecure and secure'...but I don't see it having any effect. Since I'm at it, I might as well post the smb.conf:
>
> [global]
>          workgroup = DOMAIN
>          realm = DOMAIN
>          netbios name = NS01
>          server role = active directory domain controller
>          printing = bsd
>          allow dns updates = nonsecure and secure
>          nsupdate command = /usr/local/bin/nsupdate -g
>          server services = -dns
>          server services = dnsupdate
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/coreontario.ca/scripts
>          read only = No
>
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
>
> Any input is appreciated.
>
> Thanks!
> Philip
> ________________________________________
> From: samba [samba-bounces at lists.samba.org] on behalf of Philip Banh [Philip.Banh at oahpp.ca]
> Sent: Monday, November 09, 2015 5:51 PM
> To: Rowland Penny; samba at lists.samba.org
> Subject: Re: [Samba] Samba_dlz: canceling transaction on zone domain
>
> Thanks a lot. I'll take a read through it and see if I can get it working.
>
> ________________________________________
> From: samba [samba-bounces at lists.samba.org] on behalf of Rowland Penny [rowlandpenny241155 at gmail.com]
> Sent: Monday, November 09, 2015 5:02 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba_dlz: canceling transaction on zone domain
>
> On 09/11/15 21:28, Philip Banh wrote:
>> Hey Rowland,
>>
>> Below is a cut-down version of my DHCP. As you can see, I haven't really set anything up for ddns-update. While using Samba4's internal DNS I had the setting 'ddns-update-style interim;' and it seemed to have worked fine. But with bind I'm not sure what else is needed.
>>
>> Thanks for taking a look at it.
>> Philip
>>
>> #
>> # DHCP Server Configuration file.
>> #   see /usr/share/doc/dhcp*/dhcpd.conf.sample
>> #   see 'man 5 dhcpd.conf'
>> #
>> # option definitions common to all supported networks...
>> option domain-name "DOMAIN";
>> option domain-name-servers 172.17.0.170, 172.17.0.171;
>>
>> filename "pxelinux.0";
>> next-server 172.17.0.50;
>>
>> default-lease-time 600;
>> max-lease-time 7200;
>>
>> # Use this to enable / disable dynamic dns updates globally.
>> #ddns-updates on; # not really necessary, ddns-update-style is good enough
>> ddns-update-style interim;
>> deny client-updates;
>> ignore-client-updates;
>> #allow client-updates;
>>
>> #update-static-leases on;
>>    key DHCP_UPDATER {
>>            algorithm HMAC-MD5.SIG-ALG.REG.INT;
>>
>>            #Paste in the generated key here.   Should be in quotes
>>                     secret "SECRET";
>>            };
>> # If this DHCP server is the official DHCP server for the local
>> # network, the authoritative directive should be uncommented.
>> authoritative;
>>
>> class "Others" {
>>
>> .....
>>
>> }
>>
>> subnet 172.17.0.0 netmask 255.255.255.0 {
>>     option routers 172.17.0.1;
>>
>>     pool {
>>       range 172.17.0.201 172.17.0.254;
>>       option broadcast-address 172.17.0.255;
>>       deny members of "Others";
>>     }
>>
>> .....The rest of vlans
>>
>> log-facility local6;
>>
>> ________________________________________
>> From: samba [samba-bounces at lists.samba.org] on behalf of Rowland Penny [rowlandpenny241155 at gmail.com]
>> Sent: Monday, November 09, 2015 4:15 PM
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Samba_dlz: canceling transaction on zone domain
>>
>> On 09/11/15 20:48, Philip Banh wrote:
>>> Hi there,
>>>
>>> I'm in the process of switching from using Samba4 internal DNS to using BIND as my backend DNS. However, I'm currently running into some issues with the transition.
>>>
>>> Here's an example of the messages I'm getting from /var/log/messages logs:
>>>
>>> Nov  9 15:34:26 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN
>>> Nov  9 15:34:26 pho-dcpvl-01N named[27524]: client 172.17.0.30#59051: update 'DOMAIN/IN' denied
>>> Nov  9 15:34:26 pho-dcpvl-01N named[27524]: samba_dlz: cancelling transaction on zone DOMAIN
>>> Nov  9 15:35:24 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN
>>> Nov  9 15:35:24 pho-dcpvl-01N named[27524]: client 172.17.0.30#42206: update 'DOMAIN/IN' denied
>>> Nov  9 15:35:24 pho-dcpvl-01N named[27524]: samba_dlz: cancelling transaction on zone DOMAIN
>>> Nov  9 15:35:26 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN
>>> Nov  9 15:35:26 pho-dcpvl-01N named[27524]: client 172.17.0.30#51563: update 'DOMAIN/IN' denied
>>> Nov  9 15:35:26 pho-dcpvl-01N named[27524]: samba_dlz: cancelling transaction on zone DOMAIN
>>> Nov  9 15:35:32 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN
>>>
>>> * 172.17.0.30 being my DHCP server.
>>>
>>> Does anyone know what's causing the above messages? And how do you proceed in a setup with Samba4 AD / BIND with DDNS?
>>>
>>> My guess here is I'm having troubles with setting up the DHCP properly to communicate with BIND, so the DNS isn't being updated.
>>>
>>> Please let me know what other information I can provide.
>>>
>>> Thanks,
>>> Philip
>>>
>>>
>>>
>>>
>> Can you post your dhcpd.conf ?
>>
>> Rowland
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
> One thing I forgot to say is that my setup is based on what I found here:
>
> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

I just set up bind & dhcp on my new DC today, using the info I posted
earlier. I had just one problem: it didn't work :-D

Traced it to the fact that I am now using a self-compiled Samba and
wbinfo wasn't in the bash path. Adding this:

PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH

to the top of the script cured this and it is now working :-)

Nov 10 20:55:43 dc1 dhcpd: Commit: IP: 192.168.0.101 DHCID: 1:68:b5:99:2c:98:fa Name: HP-Printer
Nov 10 20:55:43 dc1 dhcpd: execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns.sh
Nov 10 20:55:43 dc1 dhcpd: execute_statement argv[1] = add
Nov 10 20:55:43 dc1 dhcpd: execute_statement argv[2] = 192.168.0.101
Nov 10 20:55:43 dc1 dhcpd: execute_statement argv[3] = 1:68:b5:99:2c:98:fa
Nov 10 20:55:43 dc1 dhcpd: execute_statement argv[4] = HP-Printer
Nov 10 20:55:43 dc1 named[1461]: samba_dlz: starting transaction on zone samdom.example.com
Nov 10 20:55:43 dc1 named[1461]: samba_dlz: allowing update of signer=dhcpduser\@SAMDOM.EXAMPLE.COM name=HP-Printer.samdom.example.com tcpaddr=127.0.0.1 type=A key=2086870239.sig-dc1.samdom.example.com/160/0
...............
.................
Nov 10 20:55:43 dc1 root: DHCP-DNS Update succeeded

Rowland
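
A way to triage the named messages discussed in this thread, as an added example that is not part of the original posts: it tallies denied dynamic updates per client and zone and lists the signer of each update samba_dlz allowed. The regular expressions assume the log format quoted above; the sample lines are constructed from it, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, shaped like the named/samba_dlz lines quoted in the thread.
SAMPLE_LOG = r"""
Nov  9 15:34:26 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN
Nov  9 15:34:26 pho-dcpvl-01N named[27524]: client 172.17.0.30#59051: update 'DOMAIN/IN' denied
Nov  9 15:34:26 pho-dcpvl-01N named[27524]: samba_dlz: cancelling transaction on zone DOMAIN
Nov  9 15:35:24 pho-dcpvl-01N named[27524]: client 172.17.0.30#42206: update 'DOMAIN/IN' denied
Nov 10 20:55:43 dc1 named[1461]: samba_dlz: starting transaction on zone samdom.example.com
Nov 10 20:55:43 dc1 named[1461]: samba_dlz: allowing update of signer=dhcpduser\@SAMDOM.EXAMPLE.COM name=HP-Printer.samdom.example.com tcpaddr=127.0.0.1 type=A key=2086870239.sig-dc1.samdom.example.com/160/0
"""

# Assumption: BIND logs denials as "client <ip>#<port>: update '<zone>/IN' denied".
DENIED = re.compile(
    r"named(?:-sdb)?\[\d+\]: client (?P<ip>[0-9A-Fa-f:.]+)#\d+: "
    r"update '(?P<zone>[^/']+)/IN' denied"
)
# Assumption: samba_dlz logs accepted updates with signer=, name=, tcpaddr=, type=.
ALLOWED = re.compile(
    r"samba_dlz: allowing update of signer=(?P<signer>\S+) name=(?P<name>\S+) "
    r"tcpaddr=(?P<tcpaddr>\S+) type=(?P<type>\S+)"
)

def summarize(lines):
    """Return (Counter of denied (ip, zone), list of allowed-update dicts)."""
    denied, allowed = Counter(), []
    for line in lines:
        m = DENIED.search(line)
        if m:
            denied[(m["ip"], m["zone"])] += 1
            continue
        m = ALLOWED.search(line)
        if m:
            rec = m.groupdict()
            rec["signer"] = rec["signer"].replace("\\@", "@")  # log escapes '@'
            allowed.append(rec)
    return denied, allowed

def never_allowed(denied, allowed):
    """Clients that were denied and never appear as tcpaddr of an allowed update."""
    return sorted({ip for ip, _ in denied} - {a["tcpaddr"] for a in allowed})

if __name__ == "__main__":
    denied, allowed = summarize(SAMPLE_LOG.splitlines())
    for (ip, zone), n in denied.items():
        print(f"denied: {ip} zone={zone} count={n}")
    for a in allowed:
        print(f"allowed: {a['name']} type={a['type']} signer={a['signer']}")
    print("never allowed:", never_allowed(denied, allowed))
```
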



