[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates

Jiří Černý cerny at svmetal.cz
Wed Aug 22 13:47:07 UTC 2018

> Yes, it is a failure, but a failure of the script, it shouldn't print
> all those Python errors, it should print something like 'No update
> required' for each attempted update and then 'No updates required'

Yes, I understand. samba_dnsupdate --verbose --all-names --use-samba-tool gave reasonable output. But samba_dnsupdate --verbose --all-names just throws
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
which looks more serious.

> What it does show is that it isn't a Samba problem, but something to do
> with the interaction of Bind9 and Samba AD.
I get the same errors with the Samba internal DNS, so I don't think it is Bind related. Or maybe I don't understand you, sorry.

> It is your decision, but I wouldn't allow anything to
> change /etc/resolv.conf on a DC.
> I can only speak about my experience with the order of
> nameservers in /etc/resolv.conf. All my DC's have their ipaddress as
> the first nameserver, followed by the other DC's. I never add any
> nameservers outside the domain, this is what 'forwarders' is for. I
> also never add a 'domain' line.
> With a DC based on the above, I have never experienced 'islanding'

All DCs have static IP configuration, but it is done by nmtui. I have never had a problem with this on the many CentOS 7 servers I manage.
I changed all DCs to point to themselves first, then to the others. I also deleted the domain/search line, as you recommended.
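The resolv.conf convention quoted above (own address first, then the other DCs, no outside nameservers, no 'domain' line) is easy to get wrong by hand, so here is a small checker for it. This is an added example, not code from the thread or from Samba; the DC addresses and both resolv.conf samples are constructed values, and the rules it enforces are exactly the ones the quoted reply describes.

```python
"""Check a DC's /etc/resolv.conf against the conventions from the thread.

Added example (not from the Samba list thread): the DC addresses below are
constructed sample values, and the rules encoded are the ones the quoted reply
describes: the DC's own address first, then the other DCs, no nameservers
outside the domain (those belong in 'forwarders'), and no 'domain' line.
"""
from __future__ import annotations

# Constructed sample values for an AD domain with three DCs.
THIS_DC_IP = "10.0.0.11"
OTHER_DC_IPS = {"10.0.0.12", "10.0.0.13"}

# Constructed sample contents of /etc/resolv.conf that follows the advice.
GOOD_RESOLV_CONF = """\
search ad.example.com
nameserver 10.0.0.11
nameserver 10.0.0.12
nameserver 10.0.0.13
"""

# Constructed sample that breaks every rule: external resolver first,
# own DC second, other DCs missing, and a 'domain' line present.
BAD_RESOLV_CONF = """\
domain ad.example.com
nameserver 8.8.8.8
nameserver 10.0.0.11
"""


def parse_resolv_conf(text: str) -> tuple[list[str], list[str]]:
    """Return (nameservers in file order, other directive keywords seen).

    Comments starting with '#' or ';' are ignored, as resolv.conf allows.
    """
    nameservers: list[str] = []
    keywords: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            nameservers.append(parts[1])
        else:
            keywords.append(parts[0])
    return nameservers, keywords


def check_dc_resolv_conf(text: str, this_dc: str, other_dcs: set[str]) -> list[str]:
    """Return a list of findings; an empty list means the file follows the conventions."""
    findings: list[str] = []
    nameservers, keywords = parse_resolv_conf(text)

    if not nameservers:
        findings.append("no nameserver lines at all")
        return findings

    # Rule 1: the DC must query itself first.
    if nameservers[0] != this_dc:
        findings.append(f"first nameserver is {nameservers[0]}, expected this DC ({this_dc})")

    # Rule 2: everything after that must be another DC, never an outside resolver.
    for ns in nameservers[1:]:
        if ns == this_dc:
            findings.append(f"this DC ({this_dc}) listed again after the first entry")
        elif ns not in other_dcs:
            findings.append(f"nameserver {ns} is not a DC; external resolvers belong in 'forwarders'")

    # Rule 3: all the other DCs should be present as fallbacks.
    missing = other_dcs - set(nameservers)
    if missing:
        findings.append(f"other DCs not listed: {', '.join(sorted(missing))}")

    # Rule 4: no 'domain' line.
    if "domain" in keywords:
        findings.append("'domain' line present; the thread's advice is to leave it out")

    return findings


if __name__ == "__main__":
    for label, conf in (("good", GOOD_RESOLV_CONF), ("bad", BAD_RESOLV_CONF)):
        problems = check_dc_resolv_conf(conf, THIS_DC_IP, OTHER_DC_IPS)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

To use it on a real DC, read /etc/resolv.conf into `text` and pass the DC's own address and the set of the other DCs' addresses; anything returned is a deviation from the convention, not necessarily the cause of a TSIG failure.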
