[Samba] Samba, AD, 'short' name resolving...
Rowland Penny
rpenny at samba.org
Fri Jun 8 10:52:53 UTC 2018
On Fri, 8 Jun 2018 12:04:30 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:
>
> > You mean here, literally: Windows clients try to
> > register/update DNS using ONLY the DNS provided by DHCP?
> > Or, saying the same thing differently, Windows clients blindly
> > suppose that the DNS servers got from DHCP ARE AD DCs?
>
> Ok, DNS registration seems to work, but in a (for me) strange way...
>
> Spotted in logs:
>
> Jun 8 10:14:25 vdcud1 named[1049]: client 10.5.2.127#50250: request has invalid signature: TSIG 1592-ms-7.34-f336b9d.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634 (QUIRINIUS$@AD.FVG.LNF.IT): tsig verify failure (BADSIG)
> Jun 8 10:19:05 vdcud1 named[1049]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
> Jun 8 10:19:05 vdcud1 named[1049]: client 10.5.2.127#56413: update 'ad.fvg.lnf.it/IN' denied
> Jun 8 10:19:05 vdcud1 named[1049]: samba_dlz: cancelling transaction on zone ad.fvg.lnf.it
>
> Note that '10.5.2.127' is in a different 'site' from vdcud1. Also, the
> link under which vdcud1 is located currently suffers major troubles, so some
> network errors are expected.
>
> Effectively, after some seconds:
>
> Jun 8 10:19:06 vdcud1 named[1049]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
> Jun 8 10:19:06 vdcud1 named[1049]: samba_dlz: allowing update of signer=QUIRINIUS$@AD.FVG.LNF.IT name=QUIRINIUS.ad.fvg.lnf.it tcpaddr= type=AAAA key=1592-ms-7.35-f37ffc1.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634/160/0
> Jun 8 10:19:06 vdcud1 named[1049]: samba_dlz: allowing update of signer=QUIRINIUS$@AD.FVG.LNF.IT name=QUIRINIUS.ad.fvg.lnf.it tcpaddr= type=A key=1592-ms-7.35-f37ffc1.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634/160/0
> Jun 8 10:19:06 vdcud1 named[1049]: samba_dlz: allowing update of signer=QUIRINIUS$@AD.FVG.LNF.IT name=QUIRINIUS.ad.fvg.lnf.it tcpaddr= type=A key=1592-ms-7.35-f37ffc1.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634/160/0
> Jun 8 10:19:06 vdcud1 named[1049]: client 10.5.2.127#50735/key QUIRINIUS$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'QUIRINIUS.ad.fvg.lnf.it' AAAA
> Jun 8 10:19:06 vdcud1 named[1049]: client 10.5.2.127#50735/key QUIRINIUS$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'QUIRINIUS.ad.fvg.lnf.it' A
> Jun 8 10:19:06 vdcud1 named[1049]: samba_dlz: subtracted rdataset QUIRINIUS.ad.fvg.lnf.it 'QUIRINIUS.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.127'
> Jun 8 10:19:06 vdcud1 named[1049]: client 10.5.2.127#50735/key QUIRINIUS$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'QUIRINIUS.ad.fvg.lnf.it' A
> Jun 8 10:19:06 vdcud1 named[1049]: samba_dlz: added rdataset QUIRINIUS.ad.fvg.lnf.it 'QUIRINIUS.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.127'
> Jun 8 10:19:06 vdcud1 named[1049]: samba_dlz: committed transaction on zone ad.fvg.lnf.it
> Jun 8 10:19:06 vdcud1 named[1049]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
> Jun 8 10:19:06 vdcud1 named[1049]: client 10.5.2.127#49227: update 'ad.fvg.lnf.it/IN' denied
> Jun 8 10:19:06 vdcud1 named[1049]: samba_dlz: cancelling transaction on zone ad.fvg.lnf.it
> Jun 8 10:19:06 vdcud1 named[1049]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
> Jun 8 10:19:06 vdcud1 named[1049]: samba_dlz: allowing update of signer=QUIRINIUS$@AD.FVG.LNF.IT name=QUIRINIUS.ad.fvg.lnf.it tcpaddr= type=AAAA key=1592-ms-7.35-f37ffc1.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634/160/0
> Jun 8 10:19:06 vdcud1 named[1049]: samba_dlz: allowing update of signer=QUIRINIUS$@AD.FVG.LNF.IT name=QUIRINIUS.ad.fvg.lnf.it tcpaddr= type=A key=1592-ms-7.35-f37ffc1.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634/160/0
> Jun 8 10:19:06 vdcud1 named[1049]: samba_dlz: allowing update of signer=QUIRINIUS$@AD.FVG.LNF.IT name=QUIRINIUS.ad.fvg.lnf.it tcpaddr= type=A key=1592-ms-7.35-f37ffc1.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634/160/0
> Jun 8 10:19:06 vdcud1 named[1049]: client 10.5.2.127#53254/key QUIRINIUS$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'QUIRINIUS.ad.fvg.lnf.it' AAAA
> Jun 8 10:19:06 vdcud1 named[1049]: client 10.5.2.127#53254/key QUIRINIUS$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'QUIRINIUS.ad.fvg.lnf.it' A
> Jun 8 10:19:06 vdcud1 named[1049]: samba_dlz: subtracted rdataset QUIRINIUS.ad.fvg.lnf.it 'QUIRINIUS.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.127'
> Jun 8 10:19:06 vdcud1 named[1049]: client 10.5.2.127#53254/key QUIRINIUS$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'QUIRINIUS.ad.fvg.lnf.it' A
> Jun 8 10:19:06 vdcud1 named[1049]: samba_dlz: added rdataset QUIRINIUS.ad.fvg.lnf.it 'QUIRINIUS.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.127'
>
> the transaction happened.
>
> So, to me:
>
> a) it seems that the DNS offered by DHCP CAN not be the AD DNS, and the
> client finds a way to register itself.
>
> b) the client uses some ''random'' DNS servers to register with, and seems
> to keep them for some time...
>
>
> Currently I have a machine on site A that registers on site C, and a
> machine on site B that registers on site A.
>
>
> AARRGGH! ;-)
>
Yes, 'AARRGGH' indeed ;-)
For a computer to update its records, the records must be owned by the
computer or the computer will be denied.
You seem to be running a strange DNS setup, where the DHCP server is
sending one DNS domain, but the AD domain is in another one; I'm not sure
this is a good idea.
What created the DNS records in AD in the first place?
Rowland
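As an added illustration (not code from the thread, from Samba or from BIND), a small Python triage script that reads named/samba_dlz lines of the shape quoted above and counts, per client address, the BADSIG failures, the denied updates and the signed updates that went through, then lists clients that pushed updates to this DC from another site's subnet. The subnet-to-site map, the DC's own site and the 10.5.1.40 client are assumptions, not from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the named/samba_dlz lines quoted in the
# thread; the TSIG key name is shortened and the 10.5.1.40 client is invented.
SAMPLE_LOG = """\
Jun 8 10:14:25 vdcud1 named[1049]: client 10.5.2.127#50250: request has invalid signature: TSIG 1592-ms-7.34-f336b9d (QUIRINIUS$@AD.FVG.LNF.IT): tsig verify failure (BADSIG)
Jun 8 10:19:05 vdcud1 named[1049]: client 10.5.2.127#56413: update 'ad.fvg.lnf.it/IN' denied
Jun 8 10:19:06 vdcud1 named[1049]: client 10.5.2.127#50735/key QUIRINIUS$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'QUIRINIUS.ad.fvg.lnf.it' A
Jun 8 10:19:06 vdcud1 named[1049]: client 10.5.2.127#50735/key QUIRINIUS$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'QUIRINIUS.ad.fvg.lnf.it' A
Jun 8 10:19:06 vdcud1 named[1049]: client 10.5.2.127#49227: update 'ad.fvg.lnf.it/IN' denied
Jun 8 10:20:00 vdcud1 named[1049]: client 10.5.1.40#51000/key LOCALPC$@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'LOCALPC.ad.fvg.lnf.it' A
"""

# Hypothetical site map (not from the thread): subnet -> AD site, plus the
# site this DC serves. Adjust to the real topology before use.
SITE_OF_SUBNET = {"10.5.1.0/24": "siteA", "10.5.2.0/24": "siteC"}
THIS_DC_SITE = "siteA"

# Matches 'client <ip>#<port>[/key <signer>]: <msg>'; the signer is only
# present once the GSS-TSIG signature has verified.
CLIENT_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+(?:/key (?P<key>[^\s:]+))?: (?P<msg>.*)")

def summarize_updates(log_text):
    """Per client IP: BADSIG count, denied count, signed updates, signers seen."""
    stats = defaultdict(lambda: {"badsig": 0, "denied": 0,
                                 "updates": 0, "signers": set()})
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if not m:
            continue  # samba_dlz transaction lines carry no client address
        ip, key, msg = m.group("ip"), m.group("key"), m.group("msg")
        if "BADSIG" in msg:            # TSIG/GSS-TSIG signature did not verify
            stats[ip]["badsig"] += 1
        elif msg.endswith(" denied"):  # update refused (unsigned, not the owner, ...)
            stats[ip]["denied"] += 1
        elif key and "updating zone" in msg:
            stats[ip]["updates"] += 1
            stats[ip]["signers"].add(key)
    return dict(stats)

def site_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((site for net, site in SITE_OF_SUBNET.items()
                 if addr in ipaddress.ip_network(net)), None)

def cross_site_updaters(log_text):
    """IPs that pushed signed updates to this DC from another site's subnet."""
    return sorted(ip for ip, s in summarize_updates(log_text).items()
                  if s["updates"] and site_of(ip) not in (None, THIS_DC_SITE))
```

Feed it the DC's real named log (journalctl or syslog) to see which clients are registering against a DC outside their own site, as the thread describes.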