[Samba] Samba 4.2.14 Group Policy (GPO) sync error
rme at bluemail.ch
Thu Aug 4 21:20:40 UTC 2016
Hi Rowland,
> No, the kerberos support was built into Bind, but it isn't Bind that
> runs the script, it is DHCP.
> Windows can update the forward zone, but, if I understand it correctly,
> it doesn't update the reverse zone, Unix clients do neither
Are you sure about this?
I know about the DDNS update from DHCP and I have enabled it for my
cyberdyne.local zone and it works fine. But this will update BIND on
DHCP request and the update is triggered by the DHCP.
In my case I see the Windows client asking to update the DNS (if I read
the log properly):
04-Aug-2016 17:09:52.381 update-security: error: client
fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#56593: view internal: update
'1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa/IN' denied
04-Aug-2016 17:09:52.382 update: info: client
fdea:5b48:d4c1:1:2839:ba1e:ac57:aa6#54604/key
cyb64w10-monste$@AD.CYBERDYNE.LOCAL: view internal: updating zone
'1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa/IN': update failed: rejected
by secure update (REFUSED)
Therefore the client needs to authenticate to BIND in order to update
its own entry (forward and reverse). I think the forward entry is
updated via Kerberos authentication to the bind_dlz module directly by
the client too. It actually also updates the PTR records if I use only
bind_dlz. But in my case I am operating my own reverse zone and here I
don't know how to authenticate Windows clients to update the zone.
Perhaps I am wrong on this point. I need to investigate a bit further
tomorrow.
Thanks for your time and patience!
Rainer
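For readers landing on this thread with the same question, here is an added configuration example; it is not from Rainer's or Rowland's setup and not from the Samba project. It shows how a BIND 9 reverse zone that is served from an ordinary zone file (rather than through bind_dlz) can accept GSS-TSIG dynamic updates from Windows domain members. The log excerpt above already shows the two pieces the policy has to match: the zone name `1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa` and a Windows machine principal of the form `name$@AD.CYBERDYNE.LOCAL`, which is why the `ms-subdomain` match type (the Windows-principal variant; `krb5-subdomain` is the `host/name@REALM` variant) is the relevant one. The keytab path and the zone file path are assumptions, and it assumes BIND was built with GSSAPI support, as the thread states.

```conf
// Added example, not from the thread: named.conf fragment for a BIND-managed
// reverse zone that accepts Kerberos (GSS-TSIG) updates from AD machine accounts.
// Zone and realm names come from the log lines in the mail; paths are assumed.

options {
    // Keytab holding the DNS/<host>@REALM principal BIND presents for GSS-TSIG.
    // Samba's BIND_DLZ provisioning creates dns.keytab in its private dir; the
    // exact path depends on the build and is an assumption here.
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
};

zone "1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa" IN {
    type master;
    // Assumed zone file location.
    file "/var/lib/bind/1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa.zone";

    // Weak setting, left here only for contrast: unauthenticated updates from
    // anyone, so any host on the network could rewrite PTR records.
    // allow-update { any; };

    // Scoped alternative (allow-update and update-policy are mutually exclusive):
    // an update signed with a machine principal name$@AD.CYBERDYNE.LOCAL may
    // add or delete PTR records under this zone, and nothing else. Unix hosts
    // that sign with host/name@REALM would need a parallel krb5-subdomain rule.
    update-policy {
        grant AD.CYBERDYNE.LOCAL ms-subdomain 1.0.0.0.1.c.4.d.8.4.b.5.a.e.d.f.ip6.arpa. PTR;
    };
};
```

With this in place, the "rejected by secure update (REFUSED)" line in the mail (which means the GSS-TSIG signature was accepted but no policy rule granted the change) should turn into a successful "updating zone" entry, and the `update-security` log category stays the place to watch for clients that are still denied.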