[Samba] Switching from Internal DNS to Bind9_DLZ

Rowland Penny rpenny at samba.org
Tue Jan 2 19:49:03 UTC 2018


On Tue, 2 Jan 2018 14:40:10 -0500
lingpanda101 <lingpanda101 at gmail.com> wrote:

> On 1/2/2018 2:23 PM, Rowland Penny wrote:
> > On Tue, 2 Jan 2018 14:15:11 -0500
> > lingpanda101 <lingpanda101 at gmail.com> wrote:
> >
> >> On 1/2/2018 1:51 PM, Rowland Penny wrote:
> >>> On Tue, 2 Jan 2018 13:38:52 -0500
> >>> lingpanda101 via samba <samba at lists.samba.org> wrote:
> >>>
> >>>
> >>>> A few other observations while attempting to switch.
> >>>>
> >>>>     * I do not have a dns.keytab file. Should I or is created
> >>>> after attempting to switch?
> >>> See my earlier post about samba_dnsupgrade.
> >>>
> >>>>     * running 'named-checkconf' throws an error.
> >>> It would, it cannot find the zones files that are now in AD.
> >>>
> >>> Rowland
> >> Rowland,
> >>
> >>       I think I'm on the home stretch :). However I am running
> >> into an issue after switching the backend. The switch command
> >> completes successfully. Bind starts but I get errors when
> >> attempting to run this command after reboot.
> >>
> >> samba_dnsupdate --verbose --all-names
> >>
> >> I get this error for all updates.
> >>
> >> TSIG error with server: tsig indicates error
> >> update failed: NOTAUTH(BADSIG)
> >> Failed nsupdate: 2
> >> update(nsupdate): A gc._msdcs.domain.local 172.16.22.27
> >> Calling nsupdate for A gc._msdcs.domain.local 172.16.22.27 (add)
> >> Successfully obtained Kerberos ticket to DNS/DDC1.domain.local as
> >> DDC2$ Outgoing update query:
> >> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> >> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> >> ;; UPDATE SECTION:
> >> gc._msdcs.domain.local.   900     IN      A       172.16.22.27
> >>
> >>
> >> I can connect to the server via Windows DNS Manager and browse.
> >>
> >>
> > Try adding '--use-samba-tool' to the 'samba_dnsupdate' command
> >
> > Rowland
> 
> I will add that DNS is replicating correctly.  I deleted and added a
> DNS A record and it replicated instantaneously across sites.
> 

The problem is that only the owner (or a member of dnsadmins) of a DNS
record can update it. You seem to be trying to use a computer account
(fairly common) that doesn't own the records.

Rowland
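Added example, not part of this thread: the "NOTAUTH(BADSIG)" line in the verbose output above is two codes at once, the message RCODE NOTAUTH (9) and the TSIG error BADSIG (16) that RFC 2845/8945 tell a server to return when the MAC on a signed UPDATE does not verify. The pure-Python code below builds the same kind of UPDATE message the log shows (one A record for gc._msdcs.domain.local), signs it with a TSIG key, and verifies it the way a server would, returning the (RCODE, TSIG error) pair for a good key, a wrong key, an unknown key name and a stale timestamp. It uses a shared-secret hmac-sha256 key for illustration; samba_dnsupdate actually uses GSS-TSIG with the Kerberos ticket shown in the log, but the error mapping is the same. The key names, secrets and the fixed timestamp are constructed for the example.

```python
import hashlib
import hmac
import struct

# TSIG error codes (RFC 2845 / RFC 8945) and the message RCODEs they ride on.
BADSIG, BADKEY, BADTIME = 16, 17, 18
RCODE_NOERROR, RCODE_NOTAUTH = 0, 9
ALG = "hmac-sha256."  # algorithm name used by this example; Samba's updates use gss-tsig


def wire_name(name):
    """Encode a DNS name in canonical (lowercase, uncompressed) wire format."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_update(zone, name, ttl, ipv4):
    """Build a minimal UPDATE message (opcode 5): one zone, one A record in the
    update section, no prerequisites. Mirrors the nsupdate output in the thread."""
    msg_id = 0
    flags = 5 << 11  # opcode UPDATE, no other flags
    # ZOCOUNT=1, PRCOUNT=0, UPCOUNT=1, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 1, 0)
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)  # SOA, IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    update_section = wire_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + zone_section + update_section


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """The TSIG RR fields that are covered by the MAC (RFC 8945 section 4.3.3)."""
    return (wire_name(key_name) + struct.pack("!HI", 255, 0)  # class ANY, TTL 0
            + wire_name(algorithm)
            + struct.pack("!Q", time_signed)[2:]  # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(message, key_name, secret, time_signed, fudge=300):
    """Client side: MAC over the unsigned message followed by the TSIG variables."""
    data = message + tsig_variables(key_name, ALG, time_signed, fudge)
    mac = hmac.new(secret, data, hashlib.sha256).digest()
    return {"key_name": key_name, "algorithm": ALG,
            "time_signed": time_signed, "fudge": fudge, "mac": mac}


def verify(message, tsig, keyring, now):
    """Server side: return the (RCODE, TSIG error) pair the responder would send.
    keyring maps a lowercase key name (no trailing dot) to its secret."""
    secret = keyring.get(tsig["key_name"].lower().rstrip("."))
    if secret is None:
        return RCODE_NOTAUTH, BADKEY  # key name not known here
    data = message + tsig_variables(tsig["key_name"], tsig["algorithm"],
                                    tsig["time_signed"], tsig["fudge"])
    expected = hmac.new(secret, data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tsig["mac"]):
        return RCODE_NOTAUTH, BADSIG  # wrong key or altered message
    if abs(now - tsig["time_signed"]) > tsig["fudge"]:
        return RCODE_NOTAUTH, BADTIME  # MAC is fine but outside the time window
    return RCODE_NOERROR, 0


if __name__ == "__main__":
    # Constructed sample: the same record the thread's log tries to add.
    msg = build_update("domain.local", "gc._msdcs.domain.local", 900, "172.16.22.27")
    t = 1514922543  # constructed fixed timestamp
    keyring = {"ddc2-key": b"constructed-secret-a"}
    print(verify(msg, sign(msg, "ddc2-key", b"constructed-secret-a", t), keyring, t))
    print(verify(msg, sign(msg, "ddc2-key", b"constructed-secret-b", t), keyring, t))
```

The MAC is checked before the time window, the order RFC 8945 specifies, so a sender without the right key learns nothing about the server's clock from a BADTIME reply. A real server would also log which key name the failing update arrived under, which is the first thing to compare against the account that owns the record.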
