[Samba] Reverse zones fail with secure updates

lingpanda101 lingpanda101 at gmail.com
Tue Nov 22 17:41:05 UTC 2016

On 11/22/2016 11:14 AM, L.P.H. van Belle via samba wrote:
> Comments inline
>> -----Original message-----
>> From: lingpanda101 [mailto:lingpanda101 at gmail.com]
>> Sent: Tuesday, 22 November 2016 15:32
>> To: L.P.H. van Belle; samba at lists.samba.org
>> Subject: Re: [Samba] Reverse zones fail with secure updates
>> Hi Louis,
>>         Comments inline
>> On 11/22/2016 3:38 AM, L.P.H. van Belle via samba wrote:
>>> Hi James,
>>> What is the connection-specific DNS suffix of the PC?
>> domain.local
> Uhm.., if you are in production don't change it, but .local (and .lan)
> are reserved by Apple's mDNS (zeroconf/avahi).
>>> And did you set up TLS in your Samba?
>> No. How?
> https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
>>> Look here, in the advanced TCP settings of the PC (or ipconfig /all).
>>> Is "Use this connection's DNS suffix in DNS registration" ticked?
>>> (In dhcp option 81.)
>> Our routers handle DHCP.
> Ok, then do your routers send option 81 with the DNS suffix?
> If that is not possible, then Group Policy is your last option.
>>> Or use Group policy editors.
>>> - Computer Configuration\Administrative Templates\Network\DNS Client
>>> 	-Connection Specific DNS Suffix: enabled, and set to your.domain.tld
>>> 	-Register DNS records with connection-specific DNS suffix: enabled
>>> 	-Register PTR Records: enabled
>>> 	-Dynamic Update: enabled
>> I tried this method as well.
> This works, I use a setup like this.
> ! It must be a computer policy, and you must reboot 2x to see if it works.
>>> Or use static ips, then A and PTR are registered by the computer.
>> Static IPs only register if I disable secure updates.
> Due to no tls/ssl
>>> Key is to remember, Windows uses the connection-specific DNS suffix to
>>> register DNS records.
>>> Greetz,
>>> Louis
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
>>>> lingpanda101 via samba
>>>> Sent: Monday, 21 November 2016 21:14
>>>> To: samba at lists.samba.org
>>>> Subject: [Samba] Reverse zones fail with secure updates
>>>> Hello,
>>>>        I'm using Samba 4.5.1 as an AD DC and the internal DNS. If I use
>>>> 'allow dns updates = secure' in my smb.conf, only A records update. The
>>>> applicable reverse zone fails to update. If I switch to using non-secure
>>>> updates, both the A and the PTR records are updated. Is someone else able
>>>> to confirm this behavior? Thanks.
>>>> --
>>>> - James
>>>> --
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>> --
>> - James

I'm aware of the .local use. Unfortunately when I initially set up the 
domain it was suggested as appropriate. I'm unable to pass option 81 
from our routers. I'm OK with using GPOs for this. My understanding is 
TLS is enabled by default but I went ahead and created a self signed 
certificate anyhow. I'll point out that this behavior is exhibited 
through my test environment as well as production environment.

I'm still unable to get secure PTR records in the zone. Only A records 
will update when using secure. I'm also skeptical the Win 7 workstations 
are even requesting that PTR records be added or updated. The Wireshark 
trace doesn't appear to show any request for PTR updates (I could be 
wrong). Are you able to confirm secure PTR updates work when using the 
internal DNS server? This is for clients requesting the update and not 
via the DHCP server? Thanks.

- James
