[Samba] Bind DNS Issues

Rowland Penny rowlandpenny241155 at gmail.com
Tue Oct 27 08:22:34 UTC 2015


On 27/10/15 03:57, David Minard wrote:
> G'day All,
>
>     I'm running up Samba4.2.3 with 4 DCs on Centos7.  There are no 
> changes to the default smb.conf file that gets created at provision/DC 
> join.  "samba-tool drs showrepl" shows all DCs replicating in and out.  
> "samba-tool dbcheck" shows no errors.
>
>     See below for named.conf.
>
>     I'm having two issues.
>
>     1)  After bind first starts up (systemctl restart/start bind), and 
> I watch its log, I start getting these messages:
>
> 27-Oct-2015 10:12:39.820 update-security: error: client IP1#62177: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:21:11.541 update-security: error: client IP2#54301: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:29:03.733 update-security: error: client IP3#64620: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:29:03.955 update-security: error: client IP3#64354: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:32:40.810 update-security: error: client IP4#58684: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:41:29.432 update-security: error: client IP5#54505: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:44:12.265 update-security: error: client IP1#56374: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
>
>     If I reload bind (systemctl reload bind), the messages stop.
>
>     Any idea why this might be?  Are these messages an issue?
>
>
>     2)  When a new windows client joins the domain, sometimes its DNS 
> entry takes a day to appear.  Other times an hour or so, and other 
> times near to immediately.  The AD in question is only under extremely 
> light load, as it is only being tested at the moment in the hope that 
> it will replace our existing AD next year.
>
>     What could be causing the DNS entry to not be added immediately 
> all the time?  Is it related to question 1?
>
>
> Named.conf: - with minor sanitising to remove IP addresses;
>
> acl "SCEM"    { KWD_Internal_Nets; PTA_Internal_Nets; 
> CTN_Internal_Nets; KWD_Private_Labs_Nets; PTA_Private_Labs_Nets; 
> KWD_Private_Staff_Nets; KWD_Private_Solarcar_Nets; IC2_Internal_Nets; 
> IC2_Private_Nets; };
>
> #acl "Server_ADM_Network" { server_adm; };
>
> options {
>     directory "/local/etc/named";
>     allow-transfer { none; };
>     notify yes;
>     forward only;
>     allow-query { SCEM; };
> # Samba4
>         tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>
>     forwarders {
>         IP.of.non-ad.dns1;
>         IP.of.non-ad.dns2;
>         IP.of.non-ad.dns3;
>         IP.of.non-ad.dns4;
>     };
> };
>
> logging{
>   channel simple_log {
>     file "/var/log/named.log" versions 3 size 5m;
>     severity warning;
>     print-time yes;
>     print-severity yes;
>     print-category yes;
>   };
>   category default{
>     simple_log;
>   };
> };
>
>
> # Master Zones
>
> #  Samba4
>     include "/usr/local/samba/private/named.conf";
>
>     zone "." in {
>         type hint;
>         file "var/named.cache";
>     };
>
>     zone "0.0.127.in-addr.arpa" in {
>         type master;
>         allow-update { none; };
>         notify no;
>         file "master/localhost.rev";
>     };
>
> -- 
>
> Cheers,
> David Minard.
> Ph:    0247 360 155
> Fax:    0247 360 770
>
> School of Computing, Engineering, and Mathematics
> Western Sydney University
> Building Y - Penrith Campus (Kingswood)
> Locked bag 1797
> Penrith South DC
> NSW 1797
>
> [Sometimes waking up just isn't worth the insult of the day to come.]
>
>


OK, I would change 'notify yes;' to 'notify no;', you haven't got any 
slaves. I would also remove 'forward only;', you do not want to do 
this, you want your named server to be authoritative for your AD zone.

Rowland
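As an added illustration (not part of either message above, and not a Samba or BIND tool), here is a small Python script that pulls the "update ... denied" records out of a named.log written with the logging channel shown in David's named.conf, and answers the questions you would want settled before changing the config: which zone the denials are for, how many distinct clients are affected, and how many fall inside a window after named was (re)started. The sample log text is constructed from the lines quoted in the thread, with IP1..IP5 kept as placeholder addresses; the restart time passed to `denials_within` is an assumption, since the thread does not give one. The parser also re-joins records that a mail client wrapped onto two lines, so it can be fed the quoted text directly.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample, in the format BIND's update-security category produces with
# print-time / print-severity / print-category enabled. IP1..IP5 are placeholders,
# as in the thread; the last line is an unrelated record the parser must ignore.
SAMPLE_LOG = """\
27-Oct-2015 10:12:39.820 update-security: error: client IP1#62177: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:21:11.541 update-security: error: client IP2#54301: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:29:03.733 update-security: error: client IP3#64620: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:29:03.955 update-security: error: client IP3#64354: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:32:40.810 update-security: error: client IP4#58684: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:41:29.432 update-security: error: client IP5#54505: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:44:12.265 update-security: error: client IP1#56374: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:44:13.001 general: info: unrelated record, not an update denial
"""

# A record starts with a BIND print-time timestamp, e.g. "27-Oct-2015 10:12:39.820".
TS_RE = re.compile(r"^\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")

DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"update-security: (?P<sev>\w+): client (?P<client>[^#\s]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^']+)' denied$"
)


def _unwrap(text):
    """Yield whole log records, re-joining lines a mail client wrapped and
    dropping any leading '> ' quote prefix. A line that does not begin with
    a timestamp is treated as the continuation of the previous record."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()
        if not line:
            continue
        if records and TS_RE.match(line) is None:
            records[-1] = records[-1] + " " + line
        else:
            records.append(line)
    return records


def parse_denied_updates(text):
    """Return one dict per 'update ... denied' record; other records are ignored."""
    events = []
    for record in _unwrap(text):
        m = DENIED_RE.match(record)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f"),
            "severity": m.group("sev"),
            "client": m.group("client"),
            "port": int(m.group("port")),
            "zone": m.group("zone"),
        })
    return events


def denials_by_client(events):
    """How many denied updates each client address produced."""
    return Counter(e["client"] for e in events)


def denials_by_zone(events):
    """Which zones the denied updates targeted (expect only the AD zone here)."""
    return Counter(e["zone"] for e in events)


def denials_within(events, start, window):
    """Denials whose timestamp lies in [start, start + window], e.g. the
    window after a 'systemctl restart' of named."""
    end = start + window
    return [e for e in events if start <= e["time"] <= end]


def summarize(text):
    """Compact view of the denials: totals, distinct clients and zones, time span."""
    events = parse_denied_updates(text)
    if not events:
        return {"total": 0, "clients": 0, "zones": [], "first": None, "last": None}
    times = [e["time"] for e in events]
    return {
        "total": len(events),
        "clients": len(denials_by_client(events)),
        "zones": sorted(denials_by_zone(events)),
        "first": min(times),
        "last": max(times),
    }


if __name__ == "__main__":
    evs = parse_denied_updates(SAMPLE_LOG)
    print(summarize(SAMPLE_LOG))
    print(denials_by_client(evs))
    # Assumed restart time (constructed): named started at 10:00 that morning.
    burst = denials_within(evs, datetime(2015, 10, 27, 10, 0, 0), timedelta(minutes=30))
    print(len(burst), "denials in the 30 minutes after the assumed restart")
```

If every denial names the zone served from the Samba-generated include file and comes from several distinct clients, as in the sample, the problem lies with the server's handling of GSS-TSIG updates for that zone rather than with any one client; if the denials stop at the reload, comparing the counts before and after the reload time with `denials_within` makes that visible in the log rather than by eye.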
