[Samba] Samba 4.2.14 Group Policy (GPO) sync error

rme at bluemail.ch rme at bluemail.ch
Thu Aug 4 21:20:40 UTC 2016

Hi Rowland,

> No, the kerberos support was built into Bind, but it isn't Bind that
> runs the script, it is DHCP.

> Windows can update the forward zone, but, if I understand it correctly,
> it doesn't update the reverse zone, Unix clients does neither

Are you sure about this?
I know about the DDNS update from DHCP and I have enabled it for my 
cyberdyne.local zone and it works fine. But this will update BIND on 
DHCP request and the update is triggered by the DHCP.

In my case I see the Windows client asking to update the DNS (if I read 
the log properly):

04-Aug-2016 17:09:52.381 update-security: error: client
fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#56593: view internal: update
'' denied
04-Aug-2016 17:09:52.382 update: info: client
cyb64w10-monste\$\@AD.CYBERDYNE.LOCAL: view internal: updating zone
'': update failed: rejected
by secure update (REFUSED)

Therefore the client needs to authenticate to BIND in order to update 
its own entry (forward and reverse). I think the forward entry is 
updated via kerberos authentication to the bind_dlz module directly by 
the client too. It actually also updates the PTR records if I use only 
bind_dlz. But in my case I am operating my own reverse zone and here I 
don't know how to authenticate Windows clients to update the zone.

Perhaps I am wrong on this point. I need to investigate a bit further 

Thanks for your time and patience!


More information about the samba mailing list