[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH

Norbert Hanke norbert.hanke at gmx.ch
Sun Jul 17 23:02:32 UTC 2016


Hello,

I'm trying to join a samba 4 DC to an already existing samba 4 DC, both 
with BIND9_DLZ. Samba is at version 4.4.5, bind is version 9.10.4-P1, 
all brand new.

The existing DC runs fine, but the added DC refuses to update its local 
bind database: every attempt to update the local DNS results in "update 
failed: NOTAUTH". AD replication works perfectly.

Both systems are set up identically except for the provisioning/joining 
command. On the first I did
samba-tool domain provision --use-rfc2307 --domain=$domain \
  --server-role=dc --dns-backend=BIND9_DLZ \
  --realm=$realm --adminpass=Wonttell
and on the second I do
samba-tool domain join $domain DC -Uadministrator --realm=$realm \
  --dns-backend=BIND9_DLZ

Versions are the same, bind config is the same, I tried to follow every 
rule I could find.

# samba_dnsupdate --verbose -d 9
INFO: Current debug levels:
   all: 9
(... more such levels ...)
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
added interface eth0 ip=192.168.1.9 bcast=192.168.1.255 netmask=255.255.255.0
IPs: ['192.168.1.9']
Module 'tombstone_reanimate' is disabled. Skip registration.
lpcfg_servicenumber: couldn't find ldb
schema_fsmo_init: we are master[no] updates allowed[no]
schema_fsmo_init: we are master[no] updates allowed[no]
Looking for DNS entry A dc2.ad.domain.ch 192.168.1.9 as dc2.ad.domain.ch.
Looking for DNS entry A ad.domain.ch 192.168.1.9 as ad.domain.ch.
Failed to find matching DNS entry A ad.domain.ch 192.168.1.9
need update: A ad.domain.ch 192.168.1.9
(... many more such Looking...need update blocks)
24 DNS updates and 0 DNS deletes needed
ldb_wrap open of secrets.ldb
Received smb_krb5 packet of length 298
Received smb_krb5 packet of length 1311
update(nsupdate): A ad.domain.tld 192.168.1.9
Calling nsupdate for A ad.domain.tld 192.168.1.9 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ad.domain.tld.        900     IN      A       192.168.1.9

update failed: NOTAUTH
Failed nsupdate: 2
(... many more such failed updates ...)
Failed update of 24 entries
# 22:37:30 root at dc2:/root/


In /var/log/syslog there are these 24 equivalent error messages every 10 
minutes:
Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.742592, 0] 
../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
Jul 17 22:52:06 dc2 samba[3960]: /usr/local/samba/sbin/samba_dnsupdate: 
update failed: NOTAUTH
and the last of the 24 entries is always followed by
Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.866877, 0] 
../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
Jul 17 22:52:06 dc2 samba[3960]: ../source4/dsdb/dns/dns_update.c:295: 
Failed DNS update - NT_STATUS_TOO_MANY_OPENED_FILES

smb.conf is minimalistic:

# Global parameters
[global]
         netbios name = DC2
         realm = AD.DOMAIN.TLD
         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
         workgroup = DOMAIN
         server role = active directory domain controller

[netlogon]
         path = /usr/local/samba/var/locks/sysvol/ad.domain.tld/scripts
         read only = No

[sysvol]
         path = /usr/local/samba/var/locks/sysvol
         read only = No

Maybe somebody has an idea what I did wrong?
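An added diagnostic for the situation described above; this is editor-supplied example code, not part of the post and not Samba's own tooling. NOTAUTH is RFC 2136 RCODE 9, "server not authoritative for zone", so the first thing to separate is whether the local BIND claims authority for the AD zone at all, versus accepting authority but rejecting this particular update. The script asks BIND directly with dig, and then sends a GSS-TSIG update that contains only a prerequisite and no changes, so nothing is written even when it succeeds. It assumes dig and nsupdate (bind9 utilities) on the DC and that `kinit administrator` has been run before the live probe; the sample dig output embedded for the self-check is constructed, not captured from the poster's machine.

```shell
#!/bin/sh
# Added diagnostic, not code from the post or from Samba: probe the local
# BIND9_DLZ server the way samba_dnsupdate's nsupdate does, to see whether
# it claims authority for the AD zone. NOTAUTH (RFC 2136 RCODE 9) means
# "server not authoritative for zone".
# Assumptions (not from the thread): dig and nsupdate from the bind9
# utilities are installed on the DC, and `kinit administrator` has been
# run before the live probe so that nsupdate -g (GSS-TSIG) has a ticket.

# --- pure text helpers, usable on captured output ------------------------

# Return 0 if a dig answer carried the AA (authoritative answer) flag.
dig_is_authoritative() {
    printf '%s\n' "$1" | grep -E '^;; flags:.* aa[ ;]' >/dev/null
}

# Print the RCODE (NOERROR, NXDOMAIN, REFUSED, ...) from a dig answer header.
dig_status() {
    printf '%s\n' "$1" \
      | sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' \
      | head -n 1
}

# Print the RCODE from an nsupdate/samba_dnsupdate "update failed: X" line;
# prints nothing for any other line.
nsupdate_failure_code() {
    printf '%s\n' "$1" | sed -n 's/^update failed: \([A-Z]*\).*/\1/p'
}

# --- live probes (network; only run when addresses are given) ------------

# $1: DC address, $2: AD zone. Asks BIND directly for the zone SOA and
# reports whether the answer was authoritative.
check_zone_authority() {
    out=$(dig +noall +comments @"$1" "$2" SOA)
    echo "SOA query to $1 for $2: status=$(dig_status "$out")"
    if dig_is_authoritative "$out"; then
        echo "  BIND answers authoritatively for $2"
    else
        echo "  BIND does NOT claim authority for $2; dynamic updates will get NOTAUTH"
    fi
}

# $1: DC address, $2: AD zone. GSS-TSIG update with a prerequisite only
# (zone apex must exist) and an empty update section: the server checks
# authority and signature but writes nothing. nsupdate exits nonzero and
# prints "update failed: <RCODE>" when the server rejects it.
probe_update_noop() {
    out=$(printf 'server %s\nzone %s\nprereq yxdomain %s\nsend\n' "$1" "$2" "$2" \
          | nsupdate -g 2>&1)
    code=$(nsupdate_failure_code "$out")
    if [ -n "$code" ]; then
        echo "no-op GSS-TSIG update to $1 for $2 failed: $code"
    else
        echo "no-op GSS-TSIG update to $1 for $2 accepted"
    fi
}

# Constructed sample dig output for the self-check (not from the poster's DC).
SAMPLE_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NOAUTH=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

if [ "$#" -ge 2 ]; then
    check_zone_authority "$1" "$2"
    probe_update_noop "$1" "$2"
else
    echo "no <dc-address> <ad-zone> given; running self-check on sample output"
    dig_is_authoritative "$SAMPLE_AUTH"   && echo "sample 1: authoritative ($(dig_status "$SAMPLE_AUTH"))"
    dig_is_authoritative "$SAMPLE_NOAUTH" || echo "sample 2: not authoritative ($(dig_status "$SAMPLE_NOAUTH"))"
fi
```

Run it on the failing DC as `sh dnsprobe.sh 127.0.0.1 ad.domain.tld`. If the SOA answer lacks the AA flag, BIND is not serving the zone from the DLZ database at all, and named's own log (the dlz_bind9 module load messages) is the next place to look rather than Samba; if the SOA is authoritative but the no-op update still fails, the rejection concerns the update itself. Because the probe uses an administrator ticket while samba_dnsupdate uses the DC's machine account, a probe that succeeds where samba_dnsupdate fails points at the credentials being presented rather than at zone authority.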