[Samba] Bind DNS Issues
David Minard
david at scem.uws.edu.au
Tue Oct 27 22:52:49 UTC 2015
> On 27/10/15 03:57, David Minard wrote:
> > G'day All,
> >
> > I'm running up Samba 4.2.3 with 4 DCs on CentOS 7. There are no
> > changes to the default smb.conf file that gets created at provision/DC
> > join. "samba-tool drs showrepl" shows all DCs replicating in and out.
> > "samba-tool dbcheck" shows no errors.
> >
> > See below for named.conf.
> >
> > I'm having two issues.
> >
> > 1) After bind first starts up (systemctl restart/start bind), and
> > I watch its log, I start getting these messages:
> >
> > 27-Oct-2015 10:12:39.820 update-security: error: client IP1#62177:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> > 27-Oct-2015 10:21:11.541 update-security: error: client IP2#54301:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> > 27-Oct-2015 10:29:03.733 update-security: error: client IP3#64620:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> > 27-Oct-2015 10:29:03.955 update-security: error: client IP3#64354:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> > 27-Oct-2015 10:32:40.810 update-security: error: client IP4#58684:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> > 27-Oct-2015 10:41:29.432 update-security: error: client IP5#54505:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> > 27-Oct-2015 10:44:12.265 update-security: error: client IP1#56374:
> > update 'samba4.scem.westernsydney.edu.au/IN' denied
> >
> > If I reload bind (systemctl reload bind), the messages stop.
> >
> > Any idea why this might be? Are these messages an issue?
> >
> >
> > 2) When a new Windows client joins the domain, sometimes its DNS
> > entry takes a day to appear. Other times an hour or so, and other
> > times near to immediately. The AD in question is only under extremely
> > light load, as it is only being tested at the moment in the hope that
> > it will replace our existing AD next year.
> >
> > What could be causing the DNS entry to not be added immediately
> > all the time? Is it related to question 1?
> >
> >
> > named.conf (with minor sanitising to remove IP addresses):
> >
> > acl "SCEM" { KWD_Internal_Nets; PTA_Internal_Nets;
> >     CTN_Internal_Nets; KWD_Private_Labs_Nets; PTA_Private_Labs_Nets;
> >     KWD_Private_Staff_Nets; KWD_Private_Solarcar_Nets; IC2_Internal_Nets;
> >     IC2_Private_Nets; };
> >
> > #acl "Server_ADM_Network" { server_adm; };
> >
> > options {
> >     directory "/local/etc/named";
> >     allow-transfer { none; };
> >     notify yes;
> >     forward only;
> >     allow-query { SCEM; };
> >     # Samba4
> >     tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
> >
> >     forwarders {
> >         IP.of.non-ad.dns1;
> >         IP.of.non-ad.dns2;
> >         IP.of.non-ad.dns3;
> >         IP.of.non-ad.dns4;
> >     };
> > };
> >
> > logging {
> >     channel simple_log {
> >         file "/var/log/named.log" versions 3 size 5m;
> >         severity warning;
> >         print-time yes;
> >         print-severity yes;
> >         print-category yes;
> >     };
> >     category default {
> >         simple_log;
> >     };
> > };
> >
> >
> > # Master Zones
> >
> > # Samba4
> > include "/usr/local/samba/private/named.conf";
> >
> > zone "." in {
> >     type hint;
> >     file "var/named.cache";
> > };
> >
> > zone "0.0.127.in-addr.arpa" in {
> >     type master;
> >     allow-update { none; };
> >     notify no;
> >     file "master/localhost.rev";
> > };
> >
> > --
> >
> > Cheers,
> > David Minard.
> > Ph: 0247 360 155
> > Fax: 0247 360 770
> >
> > School of Computing, Engineering, and Mathematics
> > Western Sydney University
> > Building Y - Penrith Campus (Kingswood)
> > Locked bag 1797
> > Penrith South DC
> > NSW 1797
> >
> > [Sometimes waking up just isn't worth the insult of the day to come.]
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by MailScanner, and is
> > believed to be clean.
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/options/samba
>
> OK, I would change 'notify yes;' to 'notify no;', you haven't got any
> slaves. I would also remove 'forward only;', you do not want to do
> this, you want your named server to be authoritative for your AD zone.
>
> Rowland
Okay. I've made the changes. I'll see if this helps. Thank you.
--
Cheers,
David Minard.
Ph: 0247 360 155
Fax: 0247 360 770
School of Computing, Engineering, and Mathematics
Western Sydney University
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC
NSW 1797
[Sometimes waking up just isn't worth the insult of the day to come.]
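The script below is an added example and not part of this thread, of Samba or of BIND. It gathers the checks a practitioner would run on the two symptoms above: it tallies the "update ... denied" lines from named.log by client and zone, audits a named.conf for the two settings Rowland flagged plus the two lines Samba's BIND_DLZ setup needs (tkey-gssapi-keytab and the include of Samba's generated named.conf), checks that the named user can actually read dns.keytab, and sends a GSS-TSIG dynamic update with nsupdate -g, which is what a joining Windows client does. The sample log lines and config fragment are constructed from the post above; the user name "named", the /usr/local/samba paths and the subcommand names are my assumptions.

```shell
# Added diagnostic helpers for the two symptoms in this thread (example code,
# not from the post, Samba or BIND). Assumptions: named runs as user "named",
# Samba lives under /usr/local/samba, and bind-utils (nsupdate, dig) is present.

# Constructed sample: the denied-update lines quoted in the original post.
SAMPLE_NAMED_LOG=$(cat <<'EOF'
27-Oct-2015 10:12:39.820 update-security: error: client IP1#62177: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:21:11.541 update-security: error: client IP2#54301: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:29:03.733 update-security: error: client IP3#64620: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:29:03.955 update-security: error: client IP3#64354: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:32:40.810 update-security: error: client IP4#58684: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:41:29.432 update-security: error: client IP5#54505: update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:44:12.265 update-security: error: client IP1#56374: update 'samba4.scem.westernsydney.edu.au/IN' denied
EOF
)

# Constructed sample: the options section from the post, trimmed.
SAMPLE_NAMED_CONF=$(cat <<'EOF'
options {
    directory "/local/etc/named";
    allow-transfer { none; };
    notify yes;
    forward only;
    tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
};
include "/usr/local/samba/private/named.conf";
EOF
)

# 1) Tally "update ... denied" lines by client and zone. A denied line is
#    named refusing an update that no policy allowed; for the Samba DLZ zones
#    that normally means the update was not GSS-TSIG signed or failed to verify.
summarize_denied_updates() {        # named.log on stdin -> "count client zone"
    awk -v q="'" '
        /update-security: error: client .* denied/ {
            client = "?"; zone = "?"
            for (i = 1; i <= NF; i++) {
                if ($i == "client") {
                    j = i + 1
                    if ($j ~ /^@0x/) j++    # newer BIND prints a "@0x..." handle first
                    split($j, a, "#")       # "IP#port:" -> IP
                    client = a[1]
                }
                if ($i == "update") {       # next field is the quoted zone name
                    zone = $(i + 1)
                    gsub(q, "", zone)
                    sub(/\/IN$/, "", zone)
                }
            }
            count[client " " zone]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# 2) Flag the named.conf settings discussed in the thread plus the two lines
#    Samba needs. named.conf on stdin; prints findings, returns 1 if any.
audit_named_conf() {
    conf=$(sed -e 's/#.*//' -e 's,//.*,,')  # drop comments so commented-out lines are ignored
    n=0
    case "$conf" in *'notify yes;'*)
        echo "notify yes: change to 'notify no' unless you have slave servers"; n=$((n+1)) ;; esac
    case "$conf" in *'forward only;'*)
        echo "forward only: the thread recommends removing it"; n=$((n+1)) ;; esac
    case "$conf" in *tkey-gssapi-keytab*) ;; *)
        echo "no tkey-gssapi-keytab: GSS-TSIG updates cannot be authenticated"; n=$((n+1)) ;; esac
    case "$conf" in *'include "'*'/named.conf";'*) ;; *)
        echo "Samba's generated named.conf is not included: the AD zones will not load"; n=$((n+1)) ;; esac
    [ "$n" -eq 0 ]
}

# 3) named must be able to read Samba's dns.keytab for tkey-gssapi-keytab to
#    work at all; the Samba wiki has it owned root:named, mode 0640.
check_keytab_access() {
    keytab=${1:-/usr/local/samba/private/dns.keytab}; user=${2:-named}
    [ -f "$keytab" ] || { echo "missing $keytab"; return 1; }
    ls -l "$keytab"
    if su -s /bin/sh -c "test -r '$keytab'" "$user"; then
        echo "ok: $user can read $keytab"
    else
        echo "FAIL: $user cannot read $keytab (expect root:$user 0640)"; return 1
    fi
}

# 4) Do what a joining Windows client does: a GSS-TSIG dynamic update against
#    one DC, then read the record back from that same DC. Needs a ticket first
#    (kinit administrator). A refusal shows up in named.log as the lines above.
test_gss_update() {
    dc=$1; zone=$2; host=$3; ip=$4
    klist -s || { echo "no Kerberos ticket; run kinit first"; return 1; }
    printf 'server %s\nzone %s\nupdate add %s.%s 900 A %s\nsend\n' \
        "$dc" "$zone" "$host" "$zone" "$ip" | nsupdate -g || return 1
    dig @"$dc" "$host.$zone" A +short
}

case "${1:-}" in     # usage: sh dnscheck.sh log|conf < file; keytab [path user]; update dc zone host ip
    log) summarize_denied_updates ;; conf) audit_named_conf ;;
    keytab) check_keytab_access "$2" "$3" ;; update) test_gss_update "$2" "$3" "$4" "$5" ;;
esac
```

Run "sh dnscheck.sh log < /var/log/named.log" on each DC: if the denied updates all come from DCs or freshly joined clients, the GSS-TSIG path itself is what to chase (keytab readability, then a manual "update" run against the DC that logged the refusal); if they come from hosts that have no business updating the zone, the refusals are named doing its job. For the DC's own records, "samba_dnsupdate --verbose --all-names" forces an update and shows the nsupdate exchange.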