[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates

Jiří Černý cerny at svmetal.cz
Tue Aug 21 14:30:42 UTC 2018


> So you never read this:
> https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC
> Which means that you probably never ran the aptly named
> 'samba_upgradedns'

Of course I ran this. Many times. I'm not stupid, Rowland. At least I can read :D
When I saw that Bind doesn't work, I had to change the backend to internal DNS. I carefully read and did everything from the wiki:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Troubleshooting

And tried everything possible. Writing to the mailing list is the last resort for me...

On every one of our DCs:
samba_dnsupdate --verbose
IPs: ['192.168.45.1']
Looking for DNS entry A dc03x.samdom.svmetal.cz 192.168.45.1 as dc03x.samdom.svmetal.cz.
Looking for DNS entry NS samdom.svmetal.cz dc03x.samdom.svmetal.cz as samdom.svmetal.cz.
Looking for DNS entry NS _msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz as _msdcs.samdom.svmetal.cz.
Looking for DNS entry A samdom.svmetal.cz 192.168.45.1 as samdom.svmetal.cz.
Looking for DNS entry SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 as _ldap._tcp.samdom.svmetal.cz.
Checking 0 100 389 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Checking 0 100 389 dc02x.samdom.svmetal.cz. against SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Checking 0 100 389 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 as _ldap._tcp.dc._msdcs.samdom.svmetal.cz.
Checking 0 100 389 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Checking 0 100 389 dc02x.samdom.svmetal.cz. against SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Checking 0 100 389 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Looking for DNS entry SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 as _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz.
Checking 0 100 389 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Checking 0 100 389 dc02x.samdom.svmetal.cz. against SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Checking 0 100 389 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Looking for DNS entry SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 as _kerberos._tcp.samdom.svmetal.cz.
Checking 0 100 88 dc01.samdom.svmetal.cz. against SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Checking 0 100 88 dc02x.samdom.svmetal.cz. against SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Checking 0 100 88 dc03x.samdom.svmetal.cz. against SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Looking for DNS entry SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 as _kerberos._udp.samdom.svmetal.cz.
Checking 0 100 88 dc01.samdom.svmetal.cz. against SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Checking 0 100 88 dc02x.samdom.svmetal.cz. against SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Checking 0 100 88 dc03x.samdom.svmetal.cz. against SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 as _kerberos._tcp.dc._msdcs.samdom.svmetal.cz.
Checking 0 100 88 dc01.samdom.svmetal.cz. against SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Checking 0 100 88 dc02x.samdom.svmetal.cz. against SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Checking 0 100 88 dc03x.samdom.svmetal.cz. against SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Looking for DNS entry SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 as _kpasswd._tcp.samdom.svmetal.cz.
Checking 0 100 464 dc01.samdom.svmetal.cz. against SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
Checking 0 100 464 dc02x.samdom.svmetal.cz. against SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
Checking 0 100 464 dc03x.samdom.svmetal.cz. against SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
Looking for DNS entry SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 as _kpasswd._udp.samdom.svmetal.cz.
Checking 0 100 464 dc01.samdom.svmetal.cz. against SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
Checking 0 100 464 dc02x.samdom.svmetal.cz. against SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
Checking 0 100 464 dc03x.samdom.svmetal.cz. against SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
Looking for DNS entry CNAME a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz as a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz.
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 as _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz.
Checking 0 100 389 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Checking 0 100 389 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 as _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz.
Checking 0 100 389 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Checking 0 100 389 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 as _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz.
Checking 0 100 88 dc01.samdom.svmetal.cz. against SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Checking 0 100 88 dc03x.samdom.svmetal.cz. against SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 as _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz.
Checking 0 100 88 dc01.samdom.svmetal.cz. against SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Checking 0 100 88 dc03x.samdom.svmetal.cz. against SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Looking for DNS entry A gc._msdcs.samdom.svmetal.cz 192.168.45.1 as gc._msdcs.samdom.svmetal.cz.
Looking for DNS entry SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 as _gc._tcp.samdom.svmetal.cz.
Checking 0 100 3268 dc01.samdom.svmetal.cz. against SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Checking 0 100 3268 dc02x.samdom.svmetal.cz. against SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Checking 0 100 3268 dc03x.samdom.svmetal.cz. against SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 as _ldap._tcp.gc._msdcs.samdom.svmetal.cz.
Checking 0 100 3268 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Checking 0 100 3268 dc02x.samdom.svmetal.cz. against SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Checking 0 100 3268 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Looking for DNS entry SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 as _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz.
Checking 0 100 3268 dc01.samdom.svmetal.cz. against SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Checking 0 100 3268 dc03x.samdom.svmetal.cz. against SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 as _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz.
Checking 0 100 3268 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Checking 0 100 3268 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Looking for DNS entry A DomainDnsZones.samdom.svmetal.cz 192.168.45.1 as DomainDnsZones.samdom.svmetal.cz.
Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 as _ldap._tcp.DomainDnsZones.samdom.svmetal.cz.
Checking 0 100 389 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Checking 0 100 389 dc02x.samdom.svmetal.cz. against SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Checking 0 100 389 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 as _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz.
Checking 0 100 389 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Checking 0 100 389 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Looking for DNS entry A ForestDnsZones.samdom.svmetal.cz 192.168.45.1 as ForestDnsZones.samdom.svmetal.cz.
Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 as _ldap._tcp.ForestDnsZones.samdom.svmetal.cz.
Checking 0 100 389 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Checking 0 100 389 dc02x.samdom.svmetal.cz. against SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Checking 0 100 389 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 as _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz.
Checking 0 100 389 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Checking 0 100 389 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
No DNS updates needed

But with samba_dnsupdate --verbose --all-names:
IPs: ['192.168.45.1']
force update: A dc03x.samdom.svmetal.cz 192.168.45.1
force update: NS samdom.svmetal.cz dc03x.samdom.svmetal.cz
force update: NS _msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz
force update: A samdom.svmetal.cz 192.168.45.1
force update: SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
force update: SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
force update: CNAME a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: A gc._msdcs.samdom.svmetal.cz 192.168.45.1
force update: SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
force update: SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
force update: SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
force update: A DomainDnsZones.samdom.svmetal.cz 192.168.45.1
force update: SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: A ForestDnsZones.samdom.svmetal.cz 192.168.45.1
force update: SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
28 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
update(nsupdate): A dc03x.samdom.svmetal.cz 192.168.45.1
Calling nsupdate for A dc03x.samdom.svmetal.cz 192.168.45.1 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc03x.samdom.svmetal.cz. 900    IN    A    192.168.45.1

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): NS samdom.svmetal.cz dc03x.samdom.svmetal.cz
Calling nsupdate for NS samdom.svmetal.cz dc03x.samdom.svmetal.cz (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
samdom.svmetal.cz.    900    IN    NS    dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): NS _msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz
Calling nsupdate for NS _msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_msdcs.samdom.svmetal.cz. 900    IN    NS    dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A samdom.svmetal.cz 192.168.45.1
Calling nsupdate for A samdom.svmetal.cz 192.168.45.1 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
samdom.svmetal.cz.    900    IN    A    192.168.45.1

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling nsupdate for SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.samdom.svmetal.cz. 900 IN    SRV    0 100 389 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.samdom.svmetal.cz.    900 IN SRV 0 100 389 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling nsupdate for SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz. 900 IN SRV 0 100 389 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Calling nsupdate for SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.samdom.svmetal.cz. 900 IN SRV    0 100 88 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Calling nsupdate for SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.samdom.svmetal.cz. 900 IN SRV    0 100 88 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.samdom.svmetal.cz. 900    IN SRV 0 100 88 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
Calling nsupdate for SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.samdom.svmetal.cz. 900 IN    SRV    0 100 464 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
Calling nsupdate for SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.samdom.svmetal.cz. 900 IN    SRV    0 100 464 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): CNAME a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz
Calling nsupdate for CNAME a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz. 900 IN CNAME dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz. 900 IN SRV    0 100 389 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz. 900 IN SRV 0 100 389 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz. 900 IN    SRV 0 100 88 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz. 900 IN SRV 0 100 88 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A gc._msdcs.samdom.svmetal.cz 192.168.45.1
Calling nsupdate for A gc._msdcs.samdom.svmetal.cz 192.168.45.1 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.samdom.svmetal.cz. 900 IN    A    192.168.45.1

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Calling nsupdate for SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.samdom.svmetal.cz. 900    IN    SRV    0 100 3268 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.samdom.svmetal.cz.    900 IN SRV 0 100 3268 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Calling nsupdate for SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz. 900 IN SRV 0 100 3268 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz. 900 IN SRV 0 100 3268 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A DomainDnsZones.samdom.svmetal.cz 192.168.45.1
Calling nsupdate for A DomainDnsZones.samdom.svmetal.cz 192.168.45.1 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
DomainDnsZones.samdom.svmetal.cz. 900 IN A    192.168.45.1

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.DomainDnsZones.samdom.svmetal.cz. 900 IN SRV    0 100 389 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz. 900    IN SRV 0 100 389 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): A ForestDnsZones.samdom.svmetal.cz 192.168.45.1
Calling nsupdate for A ForestDnsZones.samdom.svmetal.cz 192.168.45.1 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ForestDnsZones.samdom.svmetal.cz. 900 IN A    192.168.45.1

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.samdom.svmetal.cz. 900 IN SRV    0 100 389 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:	  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz. 900    IN SRV 0 100 389 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 28 entries

But it's nothing new; I've seen those errors from 4.2 until now.

> It shouldn't have been 'painful' to upgrade, you could have done an in
> place dist-upgrade. If this is not possible, you should have demoted
> the old one and then joined a new DC with the same IP but a new name.
> There is another flaw in your thinking, all DC's running a dns
> nameserver are SOA masters.

No, you cannot upgrade CentOS 6 to 7 in place.
And I'm sorry for the misunderstanding about SOA. Only one DC should be the primary server in the SOA (the very first provisioned DC), but that DC and all the other DCs are NS for the domain zones.
But if you demote that first DC (primary in the SOA), the record for that DC will remain in the SOA. I tested it in a lab environment and Bind threw errors because of that.
Moreover, samba-tool domain demote leaves many things behind in DNS and you have to run samba-tool domain demote --remove-other-dead-server= as well. And manually delete the rest, for sure. That's a pain.
And I don't know how it is for others, but I tested FSMO transfer on 4.7 (both DCs) and also 4.8 (both DCs) and it also didn't perform well. I hit some kind of timeouts during the transfer and I had to run it 7 times to transfer all roles.

It was really painful in our environment. But it's quite old (from Samba 4.2) and classicupgraded, so quite different from a default provision.
Actually, I'm really glad our domain works at least with nonsecure internal DNS ;)
> That is where I expected them to be ;-)
> The only thing that can change the dns records is whatever owns them,
> it looks like whatever is trying to change the records is being refused
> because it doesn't own them.

Ok. But is there some insecure workaround? How does the internal server do that with the "nonsecure" options? As I wrote in the first mail, I have no problem with forcing Bind to do things insecurely.

Jiri
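Added example, not part of the original post and not Samba's own tooling: a small Python triage script for the samba_dnsupdate --verbose output quoted above. It groups every failed nsupdate call by the diagnostic the server returned and writes the nsupdate -g input that replays one failing record by hand, which is the manual GSS-TSIG test on the wiki's Testing_Dynamic_DNS_Updates page (kinit as administrator, then nsupdate -g on a file with server/update/send lines). Two things it makes visible that the raw 300-line log hides: all 28 failures carry the same server-side diagnostic ('tsig verify failure'), and every update is sent to the server behind the DNS/dc01.samdom.svmetal.cz SPN after a ticket for it was obtained as DC03X$. So the client side (Kerberos, the DC03X$ account) worked, and it is named on dc01 that cannot verify the GSS-TSIG signature; the usual things to check there are whether named can read the dns.keytab Samba generated, whether the tkey-gssapi-keytab option in named.conf still points at the old path (Samba 4.8 moved named.conf and dns.keytab into the bind-dns directory), and clock skew between the DCs. The embedded log is a constructed, trimmed copy of the post's output with the NS record left without a 'Failed nsupdate' line to show how a successful call looks. On the nonsecure workaround asked about: the allow dns updates = nonsecure setting applies only to Samba's internal DNS server, and unauthenticated dynamic updates let any host on the network overwrite the A and SRV records clients use to find their KDC and LDAP server.

```python
"""Triage `samba_dnsupdate --verbose` output and build a manual nsupdate -g replay."""
import re

# Constructed sample: three records from the post, trimmed.  The NS record has
# no "Failed nsupdate" line after it, which is how a successful call looks.
SAMPLE_LOG = """\
3 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Calling nsupdate for A dc03x.samdom.svmetal.cz 192.168.45.1 (add)
;; UPDATE SECTION:
dc03x.samdom.svmetal.cz. 900    IN    A    192.168.45.1

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
_ldap._tcp.samdom.svmetal.cz. 900 IN    SRV    0 100 389 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Calling nsupdate for NS samdom.svmetal.cz dc03x.samdom.svmetal.cz (add)
samdom.svmetal.cz.    900    IN    NS    dc03x.samdom.svmetal.cz.

Failed update of 2 entries
"""

# Line shapes as samba_dnsupdate prints them in verbose mode.
TICKET_RE = re.compile(r"^Successfully obtained Kerberos ticket to (\S+) as (\S+)$")
CALL_RE = re.compile(r"^Calling nsupdate for (\w+) (\S+) (\S+)(?: (\d+))? \((\w+)\)$")
DIAG_RE = re.compile(r"^; (.+)$")   # nsupdate's own diagnostics (TSIG errors etc.)
FAIL_RE = re.compile(r"^Failed nsupdate: (\d+)$")


def parse_dnsupdate_log(text):
    """Return one dict per nsupdate call: record, SPN and account used, diagnostics, rc."""
    calls, spn, account = [], None, None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            spn, account = m.groups()
            continue
        m = CALL_RE.match(line)
        if m:
            rtype, name, target, port, op = m.groups()
            calls.append({"type": rtype, "name": name, "target": target,
                          "port": int(port) if port else None, "op": op,
                          "spn": spn, "account": account, "diagnostics": [], "rc": 0})
            continue
        if not calls:
            continue                                  # header lines before the first call
        m = DIAG_RE.match(line)
        if m:
            calls[-1]["diagnostics"].append(m.group(1))
            continue
        m = FAIL_RE.match(line)
        if m:
            calls[-1]["rc"] = int(m.group(1))         # absent for a successful call
    return calls


def summarize(calls):
    """Group the failed calls by the diagnostic the server returned."""
    by_error = {}                                     # insertion-ordered on Python 3.7+
    for c in calls:
        if c["rc"] == 0:
            continue
        key = "; ".join(c["diagnostics"]) or "nsupdate exit %d, no diagnostic" % c["rc"]
        by_error.setdefault(key, []).append("%s %s" % (c["type"], c["name"]))
    return {"attempted": len(calls), "failed": sum(1 for c in calls if c["rc"]),
            "by_error": by_error}


def nsupdate_script(call, ttl=900, zone=None):
    """Build the `nsupdate -g` input that replays one record with GSS-TSIG."""
    # TTL 900 is what samba_dnsupdate used in the log; `zone` is only needed
    # when nsupdate cannot locate the SOA for the name by itself.
    rdata = call["target"]
    if call["type"] == "SRV":
        rdata = "0 100 %d %s." % (call["port"], call["target"])
    elif call["type"] in ("NS", "CNAME"):
        rdata = call["target"] + "."
    lines = ["server %s" % call["spn"].split("/", 1)[1]]   # DNS/host -> host
    if zone:
        lines.append("zone %s" % zone)
    lines.append("update %s %s. %d %s %s" % (call["op"], call["name"], ttl,
                                             call["type"], rdata))
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    calls = parse_dnsupdate_log(SAMPLE_LOG)
    s = summarize(calls)
    print("%d nsupdate calls, %d failed" % (s["attempted"], s["failed"]))
    for err, recs in s["by_error"].items():
        print("  %s: %d record(s): %s" % (err, len(recs), ", ".join(recs)))
    failed = next(c for c in calls if c["rc"])
    print("\n# replay by hand (wiki test): kinit administrator; nsupdate -g repro.txt")
    print(nsupdate_script(failed), end="")
```

To use it on a real run, pipe `samba_dnsupdate --verbose --all-names 2>&1` into a file and pass its contents to parse_dnsupdate_log instead of SAMPLE_LOG. If the hand-written nsupdate -g replay fails with the same TSIG error while a plain `dig` against dc01 answers, the fault is in named's GSS-TSIG setup on dc01, not in the record or in Samba's credentials.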


