[Samba] Bind DNS Issues

David Minard david at scem.uws.edu.au
Tue Oct 27 22:52:49 UTC 2015


> On 27/10/15 03:57, David Minard wrote:
> > G'day All,
> >
> >     I'm running up Samba 4.2.3 with 4 DCs on CentOS 7.  There are no
> > changes to the default smb.conf file that gets created at provision/DC
> > join.  "samba-tool drs showrepl" shows all DCs replicating in and out.
> > "samba-tool dbcheck" shows no errors.
> >
> >     See below for named.conf.
> >
> >     I'm having two issues.
> >
> >     1)  After bind first starts up (systemctl restart/start bind), and
> > I watch its log, I start getting these messages:
> >
> > 27-Oct-2015 10:12:39.820 update-security: error: client IP1#62177:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> > 27-Oct-2015 10:21:11.541 update-security: error: client IP2#54301:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> > 27-Oct-2015 10:29:03.733 update-security: error: client IP3#64620:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> > 27-Oct-2015 10:29:03.955 update-security: error: client IP3#64354:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> > 27-Oct-2015 10:32:40.810 update-security: error: client IP4#58684:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> > 27-Oct-2015 10:41:29.432 update-security: error: client IP5#54505:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> > 27-Oct-2015 10:44:12.265 update-security: error: client IP1#56374:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> >
> >     If I reload bind (systemctl reload bind), the messages stop.
> >
> >     Any idea why this might be?  Are these messages an issue?
> >
> >
> >     2)  When a new Windows client joins the domain, sometimes its DNS
> > entry takes a day to appear.  Other times an hour or so, and other
> > times near to immediately.  The AD in question is only under extremely
> > light load, as it is only being tested at the moment in the hope that
> > it will replace our existing AD next year.
> >
> >     What could be causing the DNS entry to not be added immediately
> > all the time?  Is it related to question 1?
> >
> >
> > named.conf (with minor sanitising to remove IP addresses):
> >
> > acl "SCEM"    { KWD_Internal_Nets; PTA_Internal_Nets;
> > CTN_Internal_Nets; KWD_Private_Labs_Nets; PTA_Private_Labs_Nets;
> > KWD_Private_Staff_Nets; KWD_Private_Solarcar_Nets; IC2_Internal_Nets;
> > IC2_Private_Nets; };
> >
> > #acl "Server_ADM_Network" { server_adm; };
> >
> > options {
> >     directory "/local/etc/named";
> >     allow-transfer { none; };
> >     notify yes;
> >     forward only;
> >     allow-query { SCEM; };
> >     # Samba4
> >     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> >
> >     forwarders {
> >         IP.of.non-ad.dns1;
> >         IP.of.non-ad.dns2;
> >         IP.of.non-ad.dns3;
> >         IP.of.non-ad.dns4;
> >     };
> > };
> >
> > logging {
> >     channel simple_log {
> >         file "/var/log/named.log" versions 3 size 5m;
> >         severity warning;
> >         print-time yes;
> >         print-severity yes;
> >         print-category yes;
> >     };
> >     category default {
> >         simple_log;
> >     };
> > };
> >
> >
> > # Master Zones
> >
> > #  Samba4
> > include "/usr/local/samba/private/named.conf";
> >
> > zone "." in {
> >     type hint;
> >     file "var/named.cache";
> > };
> >
> > zone "0.0.127.in-addr.arpa" in {
> >     type master;
> >     allow-update { none; };
> >     notify no;
> >     file "master/localhost.rev";
> > };
> >
>
> OK, I would change 'notify yes;' to 'notify no;', you haven't got any
> slaves. I would also remove 'forward only;', you do not want to do
> this, you want your named server to be authoritative for your AD zone.
>
> Rowland

     Okay.  I've made the changes.  I'll see if this helps.  Thank you.

-- 

Cheers,
David Minard.
Ph:    0247 360 155
Fax:    0247 360 770

School of Computing, Engineering, and Mathematics
Western Sydney University
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC
NSW 1797

[Sometimes waking up just isn't worth the insult of the day to come.]
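Editor's addition, not part of David's or Rowland's messages: a small Python script that parses the BIND 'update ... denied' lines of the kind quoted above and summarises them per zone and client, so you can see which hosts are being refused and which of them keep retrying. SAMPLE_LOG is constructed to mirror the sanitised lines in the post (IP1..IP5 are the poster's placeholders, not real addresses) plus one unrelated line the parser must skip; the field layout it expects is the one the posted `simple_log` channel produces (print-time, print-severity and print-category all set to yes).

```python
#!/usr/bin/env python3
"""Summarise 'update ... denied' lines from a BIND named.log.

Added example for this thread, not Samba or BIND code.  SAMPLE_LOG is
constructed: it mirrors the sanitised lines quoted in the post (IP1..IP5 are
the poster's placeholders, not addresses) plus one unrelated line that the
parser must ignore.
"""
import re
from datetime import datetime

# Line layout produced by the posted 'simple_log' channel (print-time,
# print-category and print-severity all 'yes'):
#   <timestamp> <category>: <severity>: client <addr>#<port>: update '<zone>/<class>' denied
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[\w-]+): (?P<severity>\w+): "
    r"client (?P<client>[^#\s]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^'/]+)/(?P<rrclass>\w+)' denied$"
)

# Constructed sample: the seven lines from the post plus one line to be skipped.
SAMPLE_LOG = """\
27-Oct-2015 10:12:39.820 update-security: error: client IP1#62177: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:21:11.541 update-security: error: client IP2#54301: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:29:03.733 update-security: error: client IP3#64620: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:29:03.955 update-security: error: client IP3#64354: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:32:40.810 update-security: error: client IP4#58684: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:41:29.432 update-security: error: client IP5#54505: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:44:12.265 update-security: error: client IP1#56374: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:44:20.001 general: info: zone samba4.scem.westernsydney.edu.au/IN: constructed unrelated line, must be skipped
"""


def parse_denials(text):
    """Return one dict per denied-update line; every other line is skipped."""
    denials = []
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
        rec["port"] = int(rec["port"])
        denials.append(rec)
    return denials


def summarise(denials):
    """Aggregate per (zone, client): number of denials, first and last time seen."""
    summary = {}
    for rec in denials:
        key = (rec["zone"], rec["client"])
        entry = summary.setdefault(key, {"count": 0, "first": rec["ts"], "last": rec["ts"]})
        entry["count"] += 1
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
    return summary


def repeat_clients(summary, min_count=2):
    """Clients refused at least min_count times for the same zone, sorted by name.

    A host that retries and is refused each time is the first place to look
    when a record is missing from the zone.
    """
    return sorted(client for (_zone, client), entry in summary.items()
                  if entry["count"] >= min_count)


def report(text):
    """One readable line per (zone, client), plus the list of repeat clients."""
    summary = summarise(parse_denials(text))
    lines = []
    for (zone, client), entry in sorted(summary.items()):
        lines.append("%-36s %-6s denied %dx  %s .. %s" % (
            zone, client, entry["count"],
            entry["first"].strftime("%H:%M:%S"), entry["last"].strftime("%H:%M:%S")))
    return lines, repeat_clients(summary)


if __name__ == "__main__":
    lines, repeats = report(SAMPLE_LOG)
    print("\n".join(lines))
    print("clients refused more than once:", ", ".join(repeats) or "none")
```

To use it on a real DC, feed it the channel's file instead of the sample (`report(open("/var/log/named.log").read())`). Whether or not the denials and the slow-appearing client records turn out to be the same problem, the clients that show up more than once are the ones to test secure updates from first.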

