[Samba] Workstation AD members failing DNS updates - and worse!

Michael A Weber mweber.subscriptions01 at gmail.com
Fri Sep 30 18:27:36 UTC 2016

Greetings, everyone.

I have Samba 4.4.5, built from source on CentOS 6.8 using Bind 9.8.2 and configured in the last couple months.  It’s in place and functioning, but I’m having a few issues I’m trying to iron out.

First, the workstations added to the AD domain are not able to make DNS updates if the IP address changes after the domain join.  However, at the time of the AD join, the DNS entries were created successfully.

This, however, is now a secondary problem, as I have a new, potentially larger issue whose cause I cannot identify and which I believe needs to be addressed before we get workstations updating DNS entries.

When I was configuring everything, I tested the DNS configuration and managed to iron out all the SELinux problems with samba_dnsupdate --verbose --all-names, and that did function correctly…

…but now if I run it, it is failing.

27 updates it wants to perform, and all 27 fail with similar (this is sanitized):

27 DNS updates and 0 DNS deletes needed
update(nsupdate): A addc.domain2.domain1.tld
Calling nsupdate for A addc.domain2.domain1.tld (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
addc.domain2.domain1.tld. 900 IN	A

update failed: NOTAUTH
Failed nsupdate: 2

I’ve googled the NOTAUTH errors but cannot find anything particular to my system which may be the cause. I’ve gone back and verified all my configuration information is seemingly correct per the wiki pages, checked permissions on needed .keytab and .conf files, checked logs for any SELinux errors, and nothing.  I can’t figure out what I may have changed which made my working configuration stop working.

So, I’d like to get this working first and then try to get the workstation DNS updates functioning, too.

Any ideas?  I’m completely lost (or, looking at things for so many hours has glossed over my poor eyes and I just can’t see what the problem is).

