[Samba] [samba4] DNS updates

Rowland penny rpenny at samba.org
Mon Jan 18 20:07:10 UTC 2016

On 18/01/16 19:44, mathias dufresne wrote:
> Hi all,
> I would like to be able to rely on samba given tools to manage my DNS
> entries but until now, I failed.
>  From what I have understood there is one and only one tool responsible to
> update DNS: samba_dnsupdate.
> Is that previous affirmation true?
> I had issue with DNS backend set to internal DNS server: samba_dnsupdate
> was almost never working.
> So I switched to Bind-DLZ as advised here and on the wiki.
> With Bind-DLZ sometimes it works, sometimes it don't.
> Two tests platforms: Debian Jessie and Centos 7. Both plqtforms qre using
> Sernet packages to be sure to have working packages.
> On Debian Jessie it was working easily, just following the wiki.
> Rerplication was working and is still working.
> Sites were created and DNS entries changed accordingly.
> Today I get back on that Debian platform, move again some DC to a new site
> and:
> - entries on new are created
> - entries on old sites are NOT removed
> - samba_dnsupdate --verbose ends with "No DNS updates needed"
> On Centos 7 it was never working correctly: samba_dnsupdate failed because
> of TSIG authentication failure (I'm not at work so I can't be more precise
> right now) and?or replication is failing.
> On Centos 7 the only to get something a little bit working was to get Bind
> configuration from Debian to Centos, removing /var/named and /etc/named*.
> Perhaps samba_dnsupdate is not responsible to remove DNS entries, in that
> case, what tool is responsible to clean up DNS?
> I'm looking for more information about DNS authentication and updates:
> Perhaps samba_dnsupdate is not responsible to remove these entries, in that
> case, what tool is responsible to clean up DNS?
> Finally is someone able to explain:
> - how to manually create DNS user and give him right to modify DNS entries.
> This is important to be underwstood I think because some others users can
> created to do the same, to be able to find them could nice in a
> securisation point of view.
> - how to recreate the keytab of such user without samba_upgradedns: this
> user can be deleted accidentaly, being able to recreate it without
> samba_dnsupgrade seems less violent so less risky than switching
> dns-backend...
> - how frequent are DNS updates? Is it every X minutes ? After each Site
> modification + at every samba start?
> As you see I completely lost into Samba DNS and help would be welcomed.
> Cheers,
> mathias

it is actually 'nsupdate' (a bind tool) that updates your DNS records, I 
have been using a combination of Samba4 AD, bind9 and dhcp since 2012 
and find it quite amusing seeing all the problems people have and that I 
have never had.

Start by having a look here:


If, after reading that, you think this is what you need, I will refresh 
my notes and send you a copy, but note, I use debian.


More information about the samba mailing list