[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
Tim
lists at kiuni.de
Mon Jul 18 17:15:06 UTC 2016
Hi Norbert,
I have never used Bind as a samba dns backend. But this sounds like a permission problem, so that your samba process isn't allowed to update Bind.
Possibly you should take a look at the permissions.
Regards
Tim
On 18 July 2016 01:02:32 CEST, Norbert Hanke <norbert.hanke at gmx.ch> wrote:
>Hello,
>
>I'm trying to join a samba 4 DC to an already existing samba 4 DC, both
>with BIND9_DLZ. Samba is at version 4.4.5, bind is version 9.10.4-P1,
>all brand new.
>
>The existing DC runs fine, but the added DC refuses to update its local
>bind database: every attempt to update the local DNS results in "update
>failed: NOTAUTH". AD replication works perfectly.
>
>Both systems are set up identically except for the provisioning/joining
>command. On the first I did
>samba-tool domain provision --use-rfc2307 --domain=$domain
>--server-role=dc --dns-backend=BIND9_DLZ \
> --realm=$realm --adminpass=Wonttell
>and on the second I do
>samba-tool domain join $domain DC -Uadministrator --realm=$realm
>--dns-backend=BIND9_DLZ
>
>Versions are the same, bind config is the same, I tried to follow every
>rule I could find.
>
># samba_dnsupdate --verbose -d 9
>INFO: Current debug levels:
> all: 9
>(... more such levels ...)
>lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>Processing section "[global]"
>Processing section "[netlogon]"
>Processing section "[sysvol]"
>pm_process() returned Yes
>added interface eth0 ip=192.168.1.9 bcast=192.168.1.255
>netmask=255.255.255.0
>IPs: ['192.168.1.9']
>Module 'tombstone_reanimate' is disabled. Skip
>registration.lpcfg_servicenumber: couldn't find ldb
>schema_fsmo_init: we are master[no] updates allowed[no]
>schema_fsmo_init: we are master[no] updates allowed[no]
>Looking for DNS entry A dc2.ad.domain.ch 192.168.1.9 as
>dc2.ad.domain.ch.
>Looking for DNS entry A ad.domain.ch 192.168.1.9 as ad.domain.ch.
>Failed to find matching DNS entry A ad.domain.ch 192.168.1.9
>need update: A ad.domain.ch 192.168.1.9
>(... many more such Looking...need update blocks)
>24 DNS updates and 0 DNS deletes needed
>ldb_wrap open of secrets.ldb
>Received smb_krb5 packet of length 298
>Received smb_krb5 packet of length 1311
>update(nsupdate): A ad.domain.tld 192.168.1.9
>Calling nsupdate for A ad.domain.tld 192.168.1.9 (add)
>Outgoing update query:
>;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>;; UPDATE SECTION:
>ad.domain.tld. 900 IN A 192.168.1.9
>
>update failed: NOTAUTH
>Failed nsupdate: 2
>(... many more such failed updates ...)
>Failed update of 24 entries
># 22:37:30 root at dc2:/root/
>
>
>In /var/log/syslog there are these 24 equivalent error messages every 10
>minutes:
>Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.742592, 0]
>../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>Jul 17 22:52:06 dc2 samba[3960]: /usr/local/samba/sbin/samba_dnsupdate:
>update failed: NOTAUTH
>and the last of the 24 entries is always followed by
>Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.866877, 0]
>../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
>Jul 17 22:52:06 dc2 samba[3960]: ../source4/dsdb/dns/dns_update.c:295:
>Failed DNS update - NT_STATUS_TOO_MANY_OPENED_FILES
>
>smb.conf is minimalistic:
>
># Global parameters
>[global]
> netbios name = DC2
> realm = AD.DOMAIN.TLD
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
>drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = DOMAIN
> server role = active directory domain controller
>
>[netlogon]
> path = /usr/local/samba/var/locks/sysvol/ad.domain.tld/scripts
> read only = No
>
>[sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
>Maybe somebody has an idea what I did wrong?
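Tim's suggestion to look at the permissions, written out as a check script. This is an added example, not code from the thread or from the Samba project; it assumes the default private-directory layout of a /usr/local/samba build and takes the group that named runs as (e.g. "bind") as a parameter.

```sh
#!/bin/sh
# Added diagnostic (not from the thread): checks the on-disk prerequisites
# that Samba's BIND9_DLZ backend needs before a GSS-TSIG nsupdate can succeed.
# Assumed default layout of a /usr/local/samba build:
#   $PRIVATE/named.conf  generated by samba-tool, must be included by BIND's named.conf
#   $PRIVATE/dns.keytab  GSS-TSIG keytab, must be readable by the group named runs as
#   $PRIVATE/dns/        DLZ database, must be writable by that group
# Usage: check_dlz_prereqs /usr/local/samba/private /etc/bind/named.conf bind
# Returns the number of failed checks (0 means all three prerequisites hold).

# group_bit PATH GROUP r|w: true when PATH is group-owned by GROUP and the
# group read (r) or write (w) bit is set. Parses ls(1) output for portability.
group_bit() {
    [ -e "$1" ] || return 1
    line=$(ls -ld "$1")        # e.g. "drwxrwx--- 2 root bind 4096 Jul 17 22:52 dns"
    mode=${line%% *}           # "drwxrwx---": chars 5-7 are the group bits
    grp=$(printf '%s\n' "$line" | awk '{print $4}')
    [ "$grp" = "$2" ] || return 1
    case $3 in
        r) [ "$(printf '%s' "$mode" | cut -c5)" = r ] ;;
        w) [ "$(printf '%s' "$mode" | cut -c6)" = w ] ;;
        *) return 1 ;;
    esac
}

check_dlz_prereqs() {
    private=$1 named_conf=$2 bind_group=$3
    fails=0
    # 1. named must actually load Samba's generated DLZ configuration.
    if ! grep -qF "$private/named.conf" "$named_conf" 2>/dev/null; then
        echo "FAIL: $named_conf does not include $private/named.conf"
        fails=$((fails + 1))
    fi
    # 2. Without a readable keytab, named cannot verify the DC's signed updates.
    if ! group_bit "$private/dns.keytab" "$bind_group" r; then
        echo "FAIL: $private/dns.keytab is not readable by group $bind_group"
        fails=$((fails + 1))
    fi
    # 3. The DLZ module writes accepted updates into this directory.
    if ! group_bit "$private/dns" "$bind_group" w; then
        echo "FAIL: $private/dns is not writable by group $bind_group"
        fails=$((fails + 1))
    fi
    if [ "$fails" -eq 0 ]; then
        echo "OK: BIND9_DLZ prerequisites look right"
    fi
    return "$fails"
}
```

Run it on the joined DC as root; each FAIL line names the file or include that has to be fixed before samba_dnsupdate is retried.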