[Samba] DHCP, DNS and non-domain members

Martin Renner martin.renner at exxcellent.de
Tue Nov 28 09:46:43 UTC 2017


Hi,

On 23 Nov 2017 17:35 Rowland Penny via samba wrote:
> On Thu, 23 Nov 2017 17:05:00 +0100
> Martin Renner via samba <samba at lists.samba.org> wrote:
>
>> Hi Rowland,
>>
>> my problem is, how to get the non-AD members into the DNS?
>> Especially, if they are servers and have dynamic IPs from a DHCP
>> server?
>>
>> As far as I understand, only AD members will update the DNS inside of
>> the AD. So do I have to deliver fixed IP addresses via DHCP to
>> servers and put a manual entry into the AD DNS?
>>
> You run the DHCP server on a DC, see here:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> Rowland
>

thank you for this link.

I configured everything according to the howto and disabled DNS updates in the group policy (Default
Domain Policy / Computer Configuration / Policies / Administrative Templates / Network / DNS Client
/ Dynamic Updates). But it looks as if the Windows clients still try to update their DNS entries
(even after "gpupdate /force" and reboot).

When a Windows client is booting, I can see entries in /var/log/syslog which are definitively from
the DHCP shell script:

   samba_dlz: allowing update of signer=dhcpduser\@AD.COMPANY.COM name=test-pc.ad.company.com
   tcpaddr=... type=A key=....

both for the forward and reverse zones.

But shortly after these messages, I can see messages which seem to come from the client:

   samba_dlz: starting transaction on zone ad.company.com
   client 192.168.105.101#59890: update 'ad.company.com/IN' denied
   samba_dlz: cancelling transaction on zone ad.company.com
   samba_dlz: starting transaction on zone ad.company.com
   samba_dlz: disallowing update of signer=TEST-PC\$\@AD.COMPANY.COM name=test-PC.ad.company.com
   type=A error=insufficient access rights
   client 192.168.105.101#63148/key TEST-PC\$\@AD.COMPANY.COM: updating zone 'ad.company.com/NONE':
   update failed: rejected by secure update (REFUSED)

This looks to me as if the client is still trying to update its DNS entry. Did I miss anything in
the client configuration?

Regards,
Martin
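As an added example (not part of the thread, not Samba project code): a small Python check over syslog lines of the kind shown above. It flags hosts whose own machine account still attempts a DNS update and is refused by samba_dlz after the DHCP script (signer dhcpduser, as in the log) has already registered them, which is the symptom that the Dynamic Updates client policy has not taken effect on that machine. The log lines are constructed to mirror the excerpts; the hostnames, addresses and the second host are placeholders.

```python
import re

# Constructed sample log, modelled on the samba_dlz / named messages quoted in the
# message above. Hostnames and addresses are placeholders, not real infrastructure.
SAMPLE_LOG = """\
samba_dlz: allowing update of signer=dhcpduser\\@AD.COMPANY.COM name=test-pc.ad.company.com tcpaddr=192.168.105.101 type=A key=dhcpduser
samba_dlz: starting transaction on zone ad.company.com
client 192.168.105.101#59890: update 'ad.company.com/IN' denied
samba_dlz: cancelling transaction on zone ad.company.com
samba_dlz: disallowing update of signer=TEST-PC\\$\\@AD.COMPANY.COM name=test-PC.ad.company.com type=A error=insufficient access rights
client 192.168.105.101#63148/key TEST-PC\\$\\@AD.COMPANY.COM: updating zone 'ad.company.com/NONE': update failed: rejected by secure update (REFUSED)
samba_dlz: allowing update of signer=dhcpduser\\@AD.COMPANY.COM name=quiet-pc.ad.company.com tcpaddr=192.168.105.102 type=A key=dhcpduser
"""

# Matches both "allowing update of ..." and "disallowing update of ..." lines.
UPDATE_RE = re.compile(r"samba_dlz: (allowing|disallowing) update of signer=(\S+) name=(\S+)")


def classify_updates(log_text, dhcp_account="dhcpduser"):
    """Per short hostname, record whether the DHCP helper account registered it
    and whether the host's own machine account (NAME$) was refused an update."""
    hosts = {}
    for line in log_text.splitlines():
        m = UPDATE_RE.search(line)
        if not m:
            continue
        verdict, signer, name = m.groups()
        host = name.split(".", 1)[0].lower()          # "test-PC.ad..." -> "test-pc"
        account = signer.split("\\@", 1)[0]          # strip the "\@REALM" suffix
        entry = hosts.setdefault(host, {"dhcp_allowed": False, "self_denied": False})
        if verdict == "allowing" and account == dhcp_account:
            entry["dhcp_allowed"] = True
        elif verdict == "disallowing" and account.endswith("\\$"):
            entry["self_denied"] = True                # machine account still trying
    return hosts


def clients_still_self_updating(log_text, dhcp_account="dhcpduser"):
    """Hosts that DHCP already registered but that still send their own (refused)
    secure update: candidates for checking the Dynamic Updates policy."""
    hosts = classify_updates(log_text, dhcp_account)
    return sorted(h for h, e in hosts.items() if e["dhcp_allowed"] and e["self_denied"])


if __name__ == "__main__":
    print("policy not applied on:", clients_still_self_updating(SAMPLE_LOG))
```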