[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH

Rowland penny rpenny at samba.org
Mon Jul 18 18:10:51 UTC 2016


On 18/07/16 00:02, Norbert Hanke wrote:
> Hello,
>
> I'm trying to join a samba 4 DC to an already existing samba 4 DC, 
> both with BIND9_DLZ. Samba is at version 4.4.5, bind is version 
> 9.10.4-P1, all brand new.
>
> The existing DC runs fine, but the added DC refuses to update its 
> local bind database: every attempt to update the local DNS results in 
> "update failed: NOTAUTH". AD replication works perfectly.
>
> Both systems are set up identically except for the 
> provisioning/joining command. On the first I did
> samba-tool domain provision --use-rfc2307 --domain=$domain 
> --server-role=dc --dns-backend=BIND9_DLZ \
>  --realm=$realm --adminpass=Wonttell
> and on the second I do
> samba-tool domain join $domain DC -Uadministrator --realm=$realm 
> --dns-backend=BIND9_DLZ
>
> Versions are the same, bind config is the same, I tried to follow every 
> rule I could find.
>
> # samba_dnsupdate --verbose -d 9
> INFO: Current debug levels:
>   all: 9
> (... more such levels ...)
> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
> Processing section "[global]"
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> pm_process() returned Yes
> added interface eth0 ip=192.168.1.9 bcast=192.168.1.255 
> netmask=255.255.255.0
> IPs: ['192.168.1.9']
> Module 'tombstone_reanimate' is disabled. Skip 
> registration.lpcfg_servicenumber: couldn't find ldb
> schema_fsmo_init: we are master[no] updates allowed[no]
> schema_fsmo_init: we are master[no] updates allowed[no]
> Looking for DNS entry A dc2.ad.domain.ch 192.168.1.9 as dc2.ad.domain.ch.
> Looking for DNS entry A ad.domain.ch 192.168.1.9 as ad.domain.ch.
> Failed to find matching DNS entry A ad.domain.ch 192.168.1.9
> need update: A ad.domain.ch 192.168.1.9
> (... many more such Looking...need update blocks)
> 24 DNS updates and 0 DNS deletes needed
> ldb_wrap open of secrets.ldb
> Received smb_krb5 packet of length 298
> Received smb_krb5 packet of length 1311
> update(nsupdate): A ad.domain.tld 192.168.1.9
> Calling nsupdate for A ad.domain.tld 192.168.1.9 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> ad.domain.tld.        900     IN      A       192.168.1.9
>
> update failed: NOTAUTH
> Failed nsupdate: 2
> (... many more such failed updates ...)
> Failed update of 24 entries
> # 22:37:30 root at dc2:/root/
>
>
> In /var/log/syslog there are these 24 equivalent error messages every 
> 10 minutes:
> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.742592, 0] 
> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
> Jul 17 22:52:06 dc2 samba[3960]: 
> /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
> and the last of the 24 entries is always followed by
> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.866877, 0] 
> ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
> Jul 17 22:52:06 dc2 samba[3960]: ../source4/dsdb/dns/dns_update.c:295: 
> Failed DNS update - NT_STATUS_TOO_MANY_OPENED_FILES
>
> smb.conf is minimalistic:
>
> # Global parameters
> [global]
>         netbios name = DC2
>         realm = AD.DOMAIN.TLD
>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, 
> drepl, winbindd, ntp_signd, kcc, dnsupdate
>         workgroup = DOMAIN
>         server role = active directory domain controller
>
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/ad.domain.tld/scripts
>         read only = No
>
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
>
> Maybe somebody has an idea what I did wrong?
>
>
>

Try reading this wiki page, it may help:

https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins

Rowland
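A small triage parser for `samba_dnsupdate --verbose` output of the kind pasted above, added here as an example (not code from this thread or from Samba): it counts the pending records, tallies the RCODE failures and attaches the RFC 2136 meaning of each rcode so the reader can tell a NOTAUTH (zone not served or key rejected) from a REFUSED (policy). The sample log is constructed to match the format shown above.

```python
import re
from collections import Counter

# nsupdate prints the RFC 2136 RCODE name; its meaning is where triage starts.
RCODE_MEANING = {
    "NOTAUTH": "server not authoritative for the zone, or the TSIG/GSS-TSIG key was rejected",
    "REFUSED": "update refused by policy (allow-update / update-policy)",
    "SERVFAIL": "server-side failure while applying the update",
}
NEED_RE = re.compile(r"^need update: (?P<rtype>\S+) (?P<name>\S+) (?P<value>.+)$")
FAIL_RE = re.compile(r"^update failed: (?P<rcode>[A-Z]+)$")
TOTAL_RE = re.compile(r"^Failed update of (?P<n>\d+) entries$")

def triage(log_text):
    """Summarise a samba_dnsupdate --verbose run: pending records, names, rcodes, final count."""
    pending, rcodes, names, failed_total = Counter(), Counter(), set(), None
    for raw in log_text.splitlines():
        line = raw.strip()
        while line.startswith(">"):  # tolerate mail-quoted pastes like the one above
            line = line[1:].strip()
        if m := NEED_RE.match(line):
            pending[m["rtype"]] += 1
            names.add(m["name"].rstrip("."))
        elif m := FAIL_RE.match(line):
            rcodes[m["rcode"]] += 1
        elif m := TOTAL_RE.match(line):
            failed_total = int(m["n"])
    return {
        "pending": dict(pending),
        "names": sorted(names),
        "failures": {rc: (n, RCODE_MEANING.get(rc, "unknown rcode")) for rc, n in rcodes.items()},
        "failed_total": failed_total,
    }

# Constructed sample in the format samba_dnsupdate prints (not the poster's full output).
SAMPLE_LOG = """\
need update: A dc2.ad.domain.tld 192.168.1.9
need update: A ad.domain.tld 192.168.1.9
need update: SRV _ldap._tcp.ad.domain.tld dc2.ad.domain.tld 389
update failed: NOTAUTH
update failed: NOTAUTH
update failed: NOTAUTH
Failed update of 3 entries
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```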