[Samba] DHCP-DNS problems

[Rowland Penny]

On Wed, 3 Jan 2018 10:49:36 +0000
Kristján Valur Jónsson <kristjan at rvx.is> wrote:

> Thanks for your comments.  The settings are as they are since I used
> the default Centos settings as much as possible, adopting the
> functional difference from the wiki.

I understand this, it is just that when I try out red-hat distros, I
have to make the changes I suggested, or it doesn't work for me ;-)

> Interesting bit about recursion, will fix.  Actually this explains one
> funny bit:  These DCs are servicing our internal domain, rvx.is, in
> the 192.168.x.x. range.  However, we also do have an external
> (internet visible) domain server outside, for such external stuff
> such as www.rvx.is. Choosing the same dns name for the internal and
> external net was not my idea. 

Your AD domain should have been a subdomain of your main domain, but
saying this will not help you now, unless you can start again because
you cannot change a Samba AD domain name.

> and making dns lookups inside, things
> not found will also recurse to the external ones.

It is 'forward' not 'recurse' ;-)
Your AD dns server should be authoritative for the AD domain and should
forward anything unknown to a dns server outside the AD dns domain.

>  I'm not sure how
> that is a bad thing, but it is actually not needed so I will switch
> it off.
> 
> As for the kerberos ticket:  I already explained that I tried
> removing and refreshing the ticket in the /tmp folder.  None of this
> has any effect. Only restarting Bind will cause things to start
> working.  To me, it looks rather that bind is suddenly having trouble
> accepting kerberos authentication.

Is it that Bind is having problems, or is the ticket expiring and not
getting renewed ?

> Is it possible that named is caching the authentication, comparing the
> incoming ticket with something it has already verified, and if the
> ticket changes (because /tmp/dhcp-dyndns.cc was regenerated) that
> named will refuse the connection?  

Not that I am aware of (unless it is something to do with systemd ?)
When the ticket is renewed, it just gets replaced.

>Is this authentication part of
> named itself or dlz_bind9_9.so?  (I'm running "BIND
> 9.9.4-RedHat-9.9.4-51.el7_4.1 (Extended Support Version)"), and SMB
> 4.7.4. compiled from sources.

The script uses 'nsupdate' (a part of Bind) to carry out the updates
and uses kerberos for the authentication. Unless the red-hat version of
9.9.4 is different from the 9.9.4 version that comes with ubuntu 14.04,
it should just work.

> 
> 
> Things are running smoothly now, once they start failing again, I'll
> scour the logs for clues.  Thanks.
> 

Hopefully it will work, but I am not holding my breath ;-)

Rowland