[Samba] client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied

Elias Pereira empbilly at gmail.com
Mon Jul 2 15:12:07 UTC 2018


>
> Hmm, bind 9.12.x isn't supported yet.


It works with "dlopen
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so" without problems, at
first.

> include "/etc/bind/rndc.key";
> controls {
>           inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
> };
> You do not need the four lines above


Ok, but if I leave it in, it does not cause problems either, I believe!?

> You mention '#public IP' twice, are they both the same IP and is it
> the DC ipaddress and if so, why are you trying to forward the DC to
> itself ?


No, two different networks.
xxx.xxx.xxx.0/26
xxx.xxx.xxx.128/26

Sometimes "samba_dlz: spnego update failed" appears in the log. I found
this link that talks about the problem.
https://bugzilla.redhat.com/show_bug.cgi?id=1528867

I added KRB5RCACHETYPE="none" to /etc/default/bind9, but the
error message persists.

Any other idea? :)


On Mon, Jul 2, 2018 at 10:49 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Mon, 2 Jul 2018 10:27:58 -0300
> Elias Pereira via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > The error described in the email title happens in version 9.10 of the
> > bind that I have installed in our main DC. Because of that, I found
> > the samba wiki article that talks about this problem.
> >
> https://wiki.samba.org/index.php/Using_BIND_DLZ_backend_with_secured_/_signed_DNS_updates
> >
> > I made a new installation via source with the suggested options:
> >
> > root at dc3:~# fakeroot ./configure --prefix=/usr --mandir=/usr/share/man
> > --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var
> > --enable-threads --enable-largefile --with-libtool --enable-shared
> > --enable-static --with-openssl=/usr --with-gssapi=/usr --with-gnu-ld
> > --with-dlz-postgres=no --with-dlz-mysql=no --with-dlz-bdb=yes
> > --with-dlz-filesystem=yes --with-dlz-ldap=yes --with-dlz-stub=yes
> > --with-dlopen=yes --with-geoip=/usr --enable-ipv6
> > CFLAGS=-fno-strict-aliasing
> >
> > root at dc3:~# named -v
> > BIND 9.12.1-P2 <id:14b0e01>
>
> Hmm, bind 9.12.x isn't supported yet.
>
> >
> > named.conf.options
> > options {
> >         directory "/var/cache/bind";
> >         version "non3";
> >         forwarders { xxx.xxx.xxx.xxx; }; #public IP
> >         allow-query { internal; };
> >         dnssec-validation no;
> >         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> >         auth-nxdomain no;    # conform to RFC1035
> >         listen-on port 53 { 127.0.0.1; xxx.xxx.xxx.xxx; }; #public IP
> >         zone-statistics yes;
> >         statistics-file "/var/log/named/stats/named_stats.log";
> > };
> >
> > include "/etc/bind/rndc.key";
> > controls {
> >         inet 127.0.0.1 allow { localhost; } keys { rndc-key;};
> > };
>
> You do not need the four lines above
>
> >
> > acl "internal" {
> >         172.16.0.0/16;
> >         10.10.4.0/24;
> >         10.10.5.0/26;
> >         xxx.xxx.xxx.xxx/26;
> >         10.59.0.0/16;
> >         10.41.0.0/22;
> >         10.42.2.0/24;
> >         10.50.0.0/22;
> >         10.51.0.0/23;
> >         10.52.0.0/24;
> >         10.40.0.0/16;
> >         10.10.1.0/26;
> >         xxx.xxx.xxx.xxx/26;
> >         10.10.10.0/26;
> > };
> >
> > For example, if the 172.16.5.86 client is offline, can it cause the
> > error?
>
> I wouldn't think so.
>
> You mention '#public IP' twice, are they both the same IP and is it
> the DC ipaddress and if so, why are you trying to forward the DC to
> itself ?
>
> Rowland
>
>


-- 
Elias Pereira
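To tell whether the denied updates come from one misbehaving client (such as the 172.16.5.86 host discussed above) or from a broken GSS-TSIG path on the DC, it helps to aggregate named's log before changing the configuration. The script below is an added example, not code from the thread or from Samba/BIND; the log lines it parses are constructed to match the two messages quoted in the thread.

```python
import re
from collections import Counter, defaultdict

# Matches the denial message quoted in the thread, e.g.
#   client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
# The "@0x..." client handle and a "(name)" before the colon are optional so that
# older and newer BIND formats both match.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: update '(?P<zone>[^']+)' denied"
)
SPNEGO_RE = re.compile(r"samba_dlz: spnego update failed")


def summarize(lines):
    """Return (denied[ip][zone] -> count, number of spnego failures) for named log lines."""
    denied = defaultdict(Counter)
    spnego = 0
    for line in lines:
        m = DENIED_RE.search(line)
        if m:
            denied[m.group("ip")][m.group("zone")] += 1
            continue
        if SPNEGO_RE.search(line):
            spnego += 1
    return denied, spnego


# Constructed sample log modelled on the messages in the thread (not real data).
SAMPLE_LOG = """\
02-Jul-2018 12:01:03.112 client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
02-Jul-2018 12:01:04.001 samba_dlz: spnego update failed
02-Jul-2018 12:03:17.440 client @0x7f6ed800bc20 172.16.5.86#62583: update 'campus.company.intra/IN' denied
02-Jul-2018 12:05:00.009 client @0x7f6ed8012340 10.10.4.20#49152: update 'campus.company.intra/IN' denied
02-Jul-2018 12:05:01.300 client @0x7f6ed8012340 10.10.4.21#49153: query: host1.campus.company.intra IN A + (172.16.5.1)
"""


def report(log_text=SAMPLE_LOG):
    """Produce one line per (client, zone), busiest client first, then the spnego total."""
    denied, spnego = summarize(log_text.splitlines())
    out = []
    for ip, zones in sorted(denied.items(), key=lambda kv: -sum(kv[1].values())):
        for zone, n in zones.items():
            out.append(f"{ip}: {n} denied update(s) to {zone}")
    out.append(f"spnego update failures: {spnego}")
    return out


if __name__ == "__main__":
    print("\n".join(report()))
```

Many clients denied across the board, paired with spnego failures, points at the DC's keytab/GSSAPI setup rather than at any single host.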

