[Samba] Samba 4.2.14 Group Policy (GPO) sync error

Rowland Penny rpenny at samba.org
Thu Aug 4 16:10:56 UTC 2016


On Thu, 4 Aug 2016 17:51:09 +0200
rme at bluemail.ch wrote:

> Even some more observations.
> 
> I noticed when I join my machine to AD it prompts a second time for
> the credentials. It does not matter what I enter or even cancel the
> dialog it will always display an error:
> 
> Changing the Primary Domain DNS name of this computer to "" failed.
> The name will remain "ad.cyberdyne.local".
> 
> Well, actually this is what I want anyway. I found this Microsoft
> article about:
> <https://support.microsoft.com/en-us/kb/2018583>
> But also forcing NetBIOS over TCP did not help. I have the following
> in my dhcpd.conf anyway:
>      option netbios-name-servers 10.0.1.6;
>      option netbios-node-type 8;
> 
> 
> In any case this should not harm as far as I understood.
> 
> 
> But I went a bit more into DNS topics and came across a potential
> issue or at least nuisance.
> I am currently using BIND and it manages the zone cyberdyne.local.
> Where I also manage a reverse-DNS zone (zone 
> "1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa" in). This zone is managing 
> PTR entries for my local LAN equipment with fixed IP addresses.
> 
> It looks like when a machine is domain-joined the clients try to
> update those records and I see the following in my BIND logs (starts
> after domain join):
> 
> 04-Aug-2016 17:09:52.381 update-security: error: client 
> fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#56593: view internal: update 
> '1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa/IN' denied
> 04-Aug-2016 17:09:52.382 update: info: client 
> fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#54604/key 
> cyb64w10-monste$@AD.CYBERDYNE.LOCAL: view internal: updating zone 
> '1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa/IN': update failed:
> rejected by secure update (REFUSED)
> 
> 
> I am in question to myself how to resolve this.
> One possibility might be to remove the reverse DNS zone and let 
> Samba_DLZ manage it. This might work but does not allow me to manage
> the PTR records for my static LAN equipment in BIND.
> 
> A second possibility might be to allow secure updates. Though I
> haven't been able to find some working guide how to allow
> kerberos-authenticated secure updates. Somewhere I found to use
> something like
> 
>      update-policy {
>           grant AD.CYBERDYNE.LOCAL krb5-self * PTR;
>      };
> 
> in my zone definition. However it didn't work as expected.
> I also found this: 
> <http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/>
> However I didn't go through the complete instruction. As of my 
> understanding it will forward the verification of the request to an 
> external script.
> Well, I think it's far too complex and kerberos authentication should
> be possible with BIND directly.
> 
> 

No it's not, it's fairly easy, once you get your head around it. I have
been using something based on that webpage for nearly 4 years now and
only had self-inflicted problems.

Rowland
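The quoted BIND log shows the second update arriving signed with the key `cyb64w10-monste$@AD.CYBERDYNE.LOCAL`, so the GSS-TSIG key negotiation itself succeeded and it is the zone's update-policy that rejected the PTR. The following named.conf fragments are an added example, not from the thread or from the Samba or BIND projects; they assume BIND runs on the Samba AD DC so that the `DNS/<dc-fqdn>@REALM` key is in Samba's dns.keytab, and the file paths are assumptions.

```conf
// Added example (not from the thread). Assumption: BIND runs on the
// Samba AD DC; the keytab path is Samba's default and is an assumption.
options {
    directory "/var/cache/bind";
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

// 1) The rule from the thread. krb5-self only authorises a principal of
//    the form host/machine@REALM to update the single name "machine".
//    A Windows client authenticates as machine$@REALM, and a PTR owner
//    name under ip6.arpa is never equal to the client's host name, so
//    the rule matches nothing and every update is REFUSED.
zone "1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa" {
    type master;
    file "/etc/bind/db.fdea-5b48-d4c1-1.rev";   // assumed path
    update-policy {
        grant AD.CYBERDYNE.LOCAL krb5-self * PTR;    // never matches here
    };
};

// 2) Replacement for the same zone (use one zone block, not both).
//    ms-subdomain: any machine$@AD.CYBERDYNE.LOCAL principal may update
//    names below the zone apex, and the trailing "PTR" restricts it to
//    PTR records. Principals from any other realm, unsigned updates and
//    other record types are still refused, so the static PTRs for
//    non-domain equipment cannot be touched by a domain member.
zone "1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa" {
    type master;
    file "/etc/bind/db.fdea-5b48-d4c1-1.rev";   // assumed path
    update-policy {
        grant AD.CYBERDYNE.LOCAL ms-subdomain
              1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa. PTR;
    };
};
```

Once the zone accepts dynamic updates, named keeps a journal for it, so edit the hand-managed static PTRs only between `rndc freeze` and `rndc thaw` (or via nsupdate), never by writing the zone file while named is running.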
