[Samba] Reverse zones fail with secure updates

lingpanda101 lingpanda101 at gmail.com
Mon Nov 28 14:40:22 UTC 2016

On 11/23/2016 7:36 AM, L.P.H. van Belle via samba wrote:
> Hai James,
>> I'm aware of the .local use. Unfortunately when I initially setup the
>> domain it was suggested as appropriate. I'm unable to pass option 81
>> from our routers. I'm OK with using GPO's for this. My understanding is
>> TLS is enabled by default but I went ahead and created a self signed
>> certificate anyhow. I'll point out that this behavior is exhibited
>> through my test environment as well as production environment.
> Perfect, now read :
> https://technet.microsoft.com/nl-nl/library/cc770315(v=ws.10).aspx
> and publish the root CA of your DC to the clients.
> Now key here is where do you go put the GPO for the CA.
> If you have more certificates to publish I suggest creating a new policy.
> Now link it to the top of your AD. (domain.local) Or use Default Domain Policy.
> ( you need authenticated user as security setting ) ( and reboot 2x )
> After the second reboot check if the ptr record is updated.
>> I'm still unable to get secure PTR records in the zone. Only A records
>> will update when using secure. I'm also skeptical the Win 7 workstations
>> are even requesting that PTR records be added or updated. The Wireshark
>> trace doesn't appear to show any request for PTR updates(I could be
>> wrong).
> I forgot to ask, did you create the reverse zone in the DNS.
>> Are you able to confirm secure PTR updates work when using the
>> internal DNS server?
> Ah.. there's the difference, I'm using bind_dlz.
> I can't tell anything about the internal DNS, I never used it.
>> This is for clients requesting the update and not
>> via the DHCP server? Thanks.
> Both should work, static or DHCP IP.
>> --
>> - James
> Greetz,
> Louis


I have been unsuccessful with getting this to work. However I do 
have a caveat to this. I have a legacy Windows XP device on my domain 
that did register its PTR record. My Windows 7 and 10 devices do not. 
I'll investigate a bit further but I believe Samba is working correctly. 
Thanks for the help.

- James
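James doubts that the Windows 7 clients are even sending PTR updates, and the Wireshark trace is inconclusive. The script below is an added example, not code from the thread or from Samba: it classifies one raw DNS message (e.g. a UDP payload exported from a capture) and reports whether it is a dynamic UPDATE, which zone it targets, which records it adds, and whether a TSIG record (which a secure, GSS-TSIG-signed update carries) is attached. The sample message, the host name pc1.domain.local and the TSIG key name are constructed.

```python
import struct
OPCODES = {0: "QUERY", 5: "UPDATE"}
RRTYPES = {1: "A", 6: "SOA", 12: "PTR", 250: "TSIG"}

def read_name(msg, off):
    # decode a wire-format name, following compression pointers (RFC 1035 s4.1.4)
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            end = off + 2 if end is None else end      # resume after the first pointer
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), off if end is None else end
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def read_rr(msg, off):
    # returns ((owner, type name), offset just past the record's rdata)
    name, off = read_name(msg, off)
    rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
    return (name, RRTYPES.get(rtype, str(rtype))), off + 10 + rdlen

def summarize(msg):
    # opcode, zone, update-section RRs, and whether a TSIG RR (secure update) is attached
    _, flags, _zc, prcount, upcount, adcount = struct.unpack_from("!6H", msg, 0)
    opcode = (flags >> 11) & 0xF
    out = {"opcode": OPCODES.get(opcode, str(opcode)), "zone": None, "updates": [], "signed": False}
    if opcode != 5:
        return out
    out["zone"], off = read_name(msg, 12)
    off += 4                                           # skip ZTYPE / ZCLASS
    for _ in range(prcount): _, off = read_rr(msg, off) # prerequisite RRs, not needed here
    for _ in range(upcount):
        rr, off = read_rr(msg, off)
        out["updates"].append(rr)
    for _ in range(adcount):                           # additional section carries the TSIG RR
        rr, off = read_rr(msg, off)
        out["signed"] |= rr[1] == "TSIG"
    return out

def encode_name(s):                                    # wire-encode a dotted name
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

# Constructed sample: a TSIG-signed UPDATE adding PTR 5.0.0.10.in-addr.arpa -> pc1.domain.local
ZONE, PTR_RDATA = "0.0.10.in-addr.arpa", encode_name("pc1.domain.local")
TSIG_RDATA = encode_name("gss-tsig") + b"\x00" * 10    # placeholder rdata, not a real MAC
SAMPLE = (struct.pack("!6H", 0x1234, 5 << 11, 1, 0, 1, 1)
          + encode_name(ZONE) + struct.pack("!HH", 6, 1)
          + encode_name("5." + ZONE) + struct.pack("!HHIH", 12, 1, 1200, len(PTR_RDATA)) + PTR_RDATA
          + encode_name("key.domain.local") + struct.pack("!HHIH", 250, 255, 0, len(TSIG_RDATA)) + TSIG_RDATA)
```

Run `summarize()` over each DNS payload from a capture taken during a client reboot: an A-record UPDATE without any PTR owner name in `updates` confirms the client never asked for the reverse record, while `signed` being False shows an unsigned attempt that a secure-only zone will refuse.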
