[Samba] DHCP-DNS problems
rpenny at samba.org
Wed Jan 3 11:17:03 UTC 2018
On Wed, 3 Jan 2018 10:49:36 +0000
Kristján Valur Jónsson <kristjan at rvx.is> wrote:
> Thanks for your comments. The settings are as they are since I used
> the default Centos settings as much as possible, adopting the
> functional difference from the wiki.
I understand this, it is just that when I try out red-hat distros, I
have to make the changes I suggested, or it doesn't work for me ;-)
> Interesting bit about recursion, will fix. Actually this explains one
> funny bit: These DCs are servicing our internal domain, rvx.is, in
> the 192.168.x.x. range. However, we also do have an external
> (internet visible) domain server outside, for such external stuff
> such as www.rvx.is. Choosing the same dns name for the internal and
> external net was not my idea.
Your AD domain should have been a subdomain of your main domain, but
saying this will not help you now, unless you can start again because
you cannot change a Samba AD domain name.
> and making dns lookups inside, things
> not found will also recurse to the external ones.
It is 'forward' not 'recurse' ;-)
Your AD dns server should be authoritative for the AD domain and should
forward anything unknown to a dns server outside the AD dns domain.
> I'm not sure how
> that is a bad thing, but it is actually not needed so I will switch
> it off.
> As for the kerberos ticket: I already explained that I tried
> removing and refreshing the ticket in the /tmp folder. None of this
> has any effect. Only restarting Bind will cause things to start
> working. To me, it looks rather that bind is suddenly having trouble
> accepting kerberos authentication.
Is it that Bind is having problems, or is the ticket expiring and not
getting renewed ?
> Is it possible that named is caching the authentication, comparing the
> incoming ticket with something it has already verified, and if the
> ticket changes (because /tmp/dhcp-dyndns.cc was regenerated) that
> named will refuse the connection?
Not that I am aware of (unless it is something to do with systemd ?)
When the ticket is renewed, it just gets replaced.
>Is this authentication part of
> named itself or dlz_bind9_9.so? (I'm running "BIND
> 9.9.4-RedHat-9.9.4-51.el7_4.1 (Extended Support Version)"), and SMB
> 4.7.4. compiled from sources.
The script uses 'nsupdate' (a part of Bind) to carry out the updates
and uses kerberos for the authentication. Unless the red-hat version of
9.9.4 is different from the 9.9.4 version that comes with ubuntu 14.04,
it should just work.
> Things are running smoothly now, once they start failing again, I'll
> scour the logs for clues. Thanks.
Hopefully it will work, but I am not holding my breath ;-)
More information about the samba