[Samba] Workstation AD members failing DNS updates - and worse!

Mark Nienberg mnlists at tippingstructural.com
Wed Oct 5 17:21:07 UTC 2016

On Fri, Sep 30, 2016 at 11:27 AM, Michael A Weber via samba <
samba at lists.samba.org> wrote:

> I have Samba 4.4.5, built from source on CentOS 6.8 using Bind 9.8.2 and
> configured in the last couple months.  It’s in place and functioning, but
> I’m having a few issues I’m trying to iron out.
> First, the workstations added to the AD domain are not able to make DNS
> updates if the IP address changes after the domain join.  However, at the
> time of the AD join, the DNS entries were created successfully.
> This, however, is now a secondary problem as I have a new, potentially
> larger issue that I cannot identify its cause and I believe needs to be
> addressed before we get workstations updating DNS entries.
> When I was configuring everything, I tested the DNS configuration and
> managed to iron out all the SELinux problems with samba_dnsupdate --verbose
> --all-names, and that did function correctly…
> …but now if I run it, it is failing.
> 27 updates it wants to perform, and all 27 fail with similar (this is
> sanitized):
> 27 DNS updates and 0 DNS deletes needed
> update(nsupdate): A addc.domain2.domain1.tld
> Calling nsupdate for A addc.domain2.domain1.tld (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> addc.domain2.domain1.tld. 900 IN        A
> update failed: NOTAUTH
> Failed nsupdate: 2
> I’ve googled the NOTAUTH errors but cannot find anything particular to my
> system which may be the cause, I’ve gone back and verified all my
> configuration information is seemingly correct per the wiki pages, checked
> permissions on needed .keytab and .conf files, checked logs for any SELinux
> errors, and nothing.  I can’t figure out what I may have changed which made
> my working configuration stop working.
> So, I’d like to get this working first and then try to get the workstation
> DNS updates functioning, too.
> Any ideas?  I’m completely lost (or, looking at things for so many hours
> have glossed over my poor eyes and I just can’t see what is the problem).

You might try adding this to smb.conf at least for debugging. If it works
again then you can focus on the auth issues.
allow dns updates = nonsecure
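
Added example (not part of the original message and not Samba project code): a check that the debugging setting suggested above has been reverted once the auth issue is found. It reads smb.conf text and reports the effective [global] value of "allow dns updates"; the sample configs are constructed, and the "secure only" default is taken from smb.conf(5).

```python
# Added example: find the effective "allow dns updates" value in smb.conf text.
DEFAULT = "secure only"  # default per smb.conf(5)

def _norm_name(name):
    # smb.conf parameter names ignore case and embedded whitespace
    return "".join(name.split()).lower()

def _logical_lines(text):
    # Join lines that end in a backslash continuation
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def dns_update_policy(text):
    """Return the [global] 'allow dns updates' value, or the default."""
    section, value = "global", DEFAULT
    for line in _logical_lines(text):
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, val = line.partition("=")
        if sep and section == "global" and _norm_name(name) == "allowdnsupdates":
            value = " ".join(val.split()).lower()  # last occurrence wins
    return value

def debug_setting_left_on(text):
    # True while the debugging value from the reply is still in effect
    return dns_update_policy(text) == "nonsecure"

# Constructed sample configs (not from the thread)
DEBUG_CONF = """\
[global]
    realm = DOMAIN2.DOMAIN1.TLD
    Allow DNS  Updates = NonSecure
[netlogon]
    read only = no
"""
REVERTED_CONF = DEBUG_CONF.replace("    Allow DNS  Updates = NonSecure\n",
                                   "    ; allow dns updates = nonsecure\n")

if __name__ == "__main__":
    for label, conf in (("debug", DEBUG_CONF), ("reverted", REVERTED_CONF)):
        print(label, dns_update_policy(conf), debug_setting_left_on(conf))
```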
