[Samba] Samba, AD, 'short' name resolving...

Rowland Penny rpenny at samba.org
Fri Jun 8 10:52:53 UTC 2018


On Fri, 8 Jun 2018 12:04:30 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> 
> > You are meaning here, literally: windows client try to
> > register/update DNS using ONLY the dns provided by DHCP?
> > Or, speaking differently the same thing, windows client suppose
> > blindly that DNS got by DHCP ARE AD DCs?
> 
> Ok, DNS registration seems to work, but in a (for me) strange way...
> 
> Spotted in logs:
> 
>  Jun  8 10:14:25 vdcud1 named[1049]: client 10.5.2.127#50250: request has invalid signature: TSIG 1592-ms-7.34-f336b9d.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634 (QUIRINIUS\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)
>  Jun  8 10:19:05 vdcud1 named[1049]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
>  Jun  8 10:19:05 vdcud1 named[1049]: client 10.5.2.127#56413: update 'ad.fvg.lnf.it/IN' denied
>  Jun  8 10:19:05 vdcud1 named[1049]: samba_dlz: cancelling transaction on zone ad.fvg.lnf.it
> 
> note that '10.5.2.127' is in a different 'site' from vdcud1. Also, the
> link under which vdcud1 is located now suffer major troubles, so some
> network errors are expected.
> 
> Effectively, after some seconds:
> 
>  Jun  8 10:19:06 vdcud1 named[1049]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
>  Jun  8 10:19:06 vdcud1 named[1049]: samba_dlz: allowing update of signer=QUIRINIUS\$\@AD.FVG.LNF.IT name=QUIRINIUS.ad.fvg.lnf.it tcpaddr= type=AAAA key=1592-ms-7.35-f37ffc1.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634/160/0
>  Jun  8 10:19:06 vdcud1 named[1049]: samba_dlz: allowing update of signer=QUIRINIUS\$\@AD.FVG.LNF.IT name=QUIRINIUS.ad.fvg.lnf.it tcpaddr= type=A key=1592-ms-7.35-f37ffc1.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634/160/0
>  Jun  8 10:19:06 vdcud1 named[1049]: samba_dlz: allowing update of signer=QUIRINIUS\$\@AD.FVG.LNF.IT name=QUIRINIUS.ad.fvg.lnf.it tcpaddr= type=A key=1592-ms-7.35-f37ffc1.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634/160/0
>  Jun  8 10:19:06 vdcud1 named[1049]: client 10.5.2.127#50735/key QUIRINIUS\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'QUIRINIUS.ad.fvg.lnf.it' AAAA
>  Jun  8 10:19:06 vdcud1 named[1049]: client 10.5.2.127#50735/key QUIRINIUS\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'QUIRINIUS.ad.fvg.lnf.it' A
>  Jun  8 10:19:06 vdcud1 named[1049]: samba_dlz: subtracted rdataset QUIRINIUS.ad.fvg.lnf.it 'QUIRINIUS.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.127'
>  Jun  8 10:19:06 vdcud1 named[1049]: client 10.5.2.127#50735/key QUIRINIUS\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'QUIRINIUS.ad.fvg.lnf.it' A
>  Jun  8 10:19:06 vdcud1 named[1049]: samba_dlz: added rdataset QUIRINIUS.ad.fvg.lnf.it 'QUIRINIUS.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.127'
>  Jun  8 10:19:06 vdcud1 named[1049]: samba_dlz: committed transaction on zone ad.fvg.lnf.it
>  Jun  8 10:19:06 vdcud1 named[1049]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
>  Jun  8 10:19:06 vdcud1 named[1049]: client 10.5.2.127#49227: update 'ad.fvg.lnf.it/IN' denied
>  Jun  8 10:19:06 vdcud1 named[1049]: samba_dlz: cancelling transaction on zone ad.fvg.lnf.it
>  Jun  8 10:19:06 vdcud1 named[1049]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
>  Jun  8 10:19:06 vdcud1 named[1049]: samba_dlz: allowing update of signer=QUIRINIUS\$\@AD.FVG.LNF.IT name=QUIRINIUS.ad.fvg.lnf.it tcpaddr= type=AAAA key=1592-ms-7.35-f37ffc1.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634/160/0
>  Jun  8 10:19:06 vdcud1 named[1049]: samba_dlz: allowing update of signer=QUIRINIUS\$\@AD.FVG.LNF.IT name=QUIRINIUS.ad.fvg.lnf.it tcpaddr= type=A key=1592-ms-7.35-f37ffc1.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634/160/0
>  Jun  8 10:19:06 vdcud1 named[1049]: samba_dlz: allowing update of signer=QUIRINIUS\$\@AD.FVG.LNF.IT name=QUIRINIUS.ad.fvg.lnf.it tcpaddr= type=A key=1592-ms-7.35-f37ffc1.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634/160/0
>  Jun  8 10:19:06 vdcud1 named[1049]: client 10.5.2.127#53254/key QUIRINIUS\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'QUIRINIUS.ad.fvg.lnf.it' AAAA
>  Jun  8 10:19:06 vdcud1 named[1049]: client 10.5.2.127#53254/key QUIRINIUS\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'QUIRINIUS.ad.fvg.lnf.it' A
>  Jun  8 10:19:06 vdcud1 named[1049]: samba_dlz: subtracted rdataset QUIRINIUS.ad.fvg.lnf.it 'QUIRINIUS.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.127'
>  Jun  8 10:19:06 vdcud1 named[1049]: client 10.5.2.127#53254/key QUIRINIUS\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'QUIRINIUS.ad.fvg.lnf.it' A
>  Jun  8 10:19:06 vdcud1 named[1049]: samba_dlz: added rdataset QUIRINIUS.ad.fvg.lnf.it 'QUIRINIUS.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.127'
> 
> transaction happened.
> 
> So, to me:
> 
> a) it seems that the DNS offered by DHCP CAN not be the AD DNS, and the
>  client finds a way to register itself.
> 
> b) the client uses some ''random'' DNS to register, and seems to
> keep them for some time...
> 
> 
> Currently I've machines on site A that register on site C, and machines
> on site B that register on site A.
> 
> 
> AARRGGH! ;-)
> 

Yes, 'AARRGGH' indeed ;-)

For a computer to update its records, the records must be owned by the
computer or the computer will be denied.

You seem to be running a strange DNS setup, where the dhcp server is
sending one dns domain, but the AD domain is in another one; I'm not sure
this is a good idea.

What created the dns records in AD in the first place?

Rowland
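The BADSIG, "update denied" and "allowing update" lines quoted in this thread are what a detection rule over a DC's named log should key on. The following Python script is an added example, not code from the thread's authors or the Samba project: it parses constructed log lines in the same shape as the ones above, summarises events per client address, and flags three patterns: a signing principal writing a record whose name it does not own (a name-based heuristic for the ownership rule Rowland describes, not the AD ACL check itself), a BADSIG followed by an accepted update from the same client, and a client registering on a DC outside its own site. The subnet-to-site map and the OTHERHOST line are constructed assumptions for the example.

```python
"""Flag the dynamic-DNS update patterns seen in the thread from BIND/samba_dlz logs."""
import ipaddress
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample, modelled on the named/samba_dlz lines quoted in the thread
# (same message shapes, sequence abridged). The `\$\@` escaping is copied from the
# mail as-is and stripped by clean_principal(). The final OTHERHOST line is an extra
# constructed case to exercise the ownership check; it does not appear in the thread.
SAMPLE_LOG = r"""
Jun  8 10:14:25 vdcud1 named[1049]: client 10.5.2.127#50250: request has invalid signature: TSIG 1592-ms-7.34-f336b9d.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634 (QUIRINIUS\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)
Jun  8 10:19:05 vdcud1 named[1049]: client 10.5.2.127#56413: update 'ad.fvg.lnf.it/IN' denied
Jun  8 10:19:06 vdcud1 named[1049]: samba_dlz: allowing update of signer=QUIRINIUS\$\@AD.FVG.LNF.IT name=QUIRINIUS.ad.fvg.lnf.it tcpaddr= type=A key=1592-ms-7.35-f37ffc1.cc4eac93-69d4-11e8-1eb6-dc4a3e58a634/160/0
Jun  8 10:19:06 vdcud1 named[1049]: client 10.5.2.127#50735/key QUIRINIUS\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'QUIRINIUS.ad.fvg.lnf.it' A
Jun  8 10:19:06 vdcud1 named[1049]: client 10.5.2.127#50735/key QUIRINIUS\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'QUIRINIUS.ad.fvg.lnf.it' A
Jun  8 10:21:00 vdcud1 named[1049]: samba_dlz: allowing update of signer=OTHERHOST\$\@AD.FVG.LNF.IT name=QUIRINIUS.ad.fvg.lnf.it tcpaddr= type=A key=constructed-key/160/0
"""

# Assumed site layout: the thread only says 10.5.2.127 and vdcud1 sit in different sites.
SUBNET_SITE = {ipaddress.ip_network("10.5.2.0/24"): "site-B"}
DC_SITE = {"vdcud1": "site-A"}

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<dc>\S+) named\[\d+\]: (?P<msg>.*)$")
BADSIG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: request has invalid signature: TSIG \S+ \((?P<signer>[^)]+)\): tsig verify failure \((?P<code>\w+)\)")
DENIED_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: update '(?P<zone>[^'/]+)/IN' denied")
ALLOW_RE = re.compile(r"samba_dlz: allowing update of signer=(?P<signer>\S+) name=(?P<name>\S+) tcpaddr=\S* type=(?P<type>\S+)")
UPDATE_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+/key (?P<signer>\S+): updating zone '(?P<zone>[^'/]+)/NONE': (?:adding an RR|deleting rrset) at '(?P<name>[^']+)' (?P<type>\S+)")


@dataclass
class Event:
    ts: str
    dc: str
    kind: str        # badsig | denied | allowed | update
    ip: str = ""     # samba_dlz "allowing update" lines carry no client address
    signer: str = ""
    name: str = ""
    rtype: str = ""


def clean_principal(signer: str) -> str:
    """Drop the backslash escaping the mail shows around the $ and @ of the principal."""
    return signer.replace("\\", "")


def parse_named_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, dc, msg = m.group("ts", "dc", "msg")
        if (x := BADSIG_RE.search(msg)):
            events.append(Event(ts, dc, "badsig", x["ip"], clean_principal(x["signer"])))
        elif (x := DENIED_RE.search(msg)):
            events.append(Event(ts, dc, "denied", x["ip"]))
        elif (x := ALLOW_RE.search(msg)):
            events.append(Event(ts, dc, "allowed", "", clean_principal(x["signer"]), x["name"], x["type"]))
        elif (x := UPDATE_RE.search(msg)):
            events.append(Event(ts, dc, "update", x["ip"], clean_principal(x["signer"]), x["name"], x["type"]))
    return events


def signer_owns_name(signer: str, name: str) -> bool:
    """Name-based heuristic for the ownership rule: the host part of the computer principal
    must equal the record's leftmost label and the realm must equal the record's domain."""
    host, _, realm = signer.partition("$@")
    labels = name.lower().split(".")
    return labels[0] == host.lower() and ".".join(labels[1:]) == realm.lower()


def site_of(ip: str):
    addr = ipaddress.ip_address(ip)
    return next((site for net, site in SUBNET_SITE.items() if addr in net), None)


def summarize(events) -> dict:
    """Per-client counts of each event kind (events without a client IP are skipped)."""
    counts = defaultdict(Counter)
    for e in events:
        if e.ip:
            counts[e.ip][e.kind] += 1
    return counts


def analyse(events) -> list:
    findings = []
    for e in events:  # 1. an account writing a record whose name it does not own
        if e.kind in ("allowed", "update") and not signer_owns_name(e.signer, e.name):
            findings.append({"code": "NOT_OWNER", "ts": e.ts, "signer": e.signer, "name": e.name})
    by_ip = defaultdict(list)
    for e in events:
        if e.ip:
            by_ip[e.ip].append(e)
    for ip, evs in by_ip.items():
        kinds = [e.kind for e in evs]
        # 2. BADSIG followed by an accepted update from the same client, as in the thread
        if "badsig" in kinds and "update" in kinds[kinds.index("badsig"):]:
            findings.append({"code": "BADSIG_THEN_UPDATE", "ip": ip})
        # 3. a client registering on a DC outside its own site (assumed site map above)
        dcs = {e.dc for e in evs if e.kind == "update"}
        if any(site_of(ip) and site_of(ip) != DC_SITE.get(dc) for dc in dcs):
            findings.append({"code": "CROSS_SITE", "ip": ip, "site": site_of(ip), "dcs": sorted(dcs)})
    return findings
```

Run it with `python3 -c 'import named_updates as n; print(n.analyse(n.parse_named_log(n.SAMPLE_LOG)))'` (any module name works) against a real `named` log to get the same three finding types; on a live DC the site map would come from the AD subnet objects rather than the constructed table above, and NOT_OWNER hits deserve a look at the dnsNode object's owner in AD, which is the check the server actually enforces.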


