[Samba] Samba, AD, 'short' name resolving...

L.P.H. van Belle belle at bazuin.nl
Fri Jun 15 09:47:22 UTC 2018


I'm wondering why your log below shows this order, I just noticed. 

Why is the computer trying to set the A records 2 x? 
Lines 1-13 show a successful commit of the A/AAAA records. 
( TSIG key ok ) 

If you count the lines below, after line 13, my logs show: 
samba_dlz: starting transaction on zone 1.168.192.in-addr.arpa 
Yours is trying again to update 
samba_dlz: starting transaction on zone ad.fvg.lnf.it 

So the only thing I can think of is: 
1- you get the update for your zone : ad.fvg.lnf.it  
2- it gets in successfully. 
3- it does it again, but bind changed the key. 
client 10.5.2.64#61734/key ( first attempt, ok ) 
client 10.5.2.64#50303/key ( second attempt, fail ) 

Where is the reverse zone? 

I don't know if this is the fix, but it's the only thing I can find for now. 
But I do think this is the problem. ( since everything happened at exactly : Jun 15 05:48:40) 

Greetz, 

Louis





> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of 
> Marco Gaiarin via samba
> Sent: Friday 15 June 2018 10:57
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba, AD, 'short' name resolving...
> 
> Hello! L.P.H. van Belle via samba
>   On that day it was said...
> 
> > > I don't understand it either, the rndc.key is absolutely 
> not used by
> > > Samba or Bind9 in an AD domain.
> > Then great to hear im not alone.  :-/ 
> > But by adding that part, my TSIG error message was gone 
> from my logs. 
> 
> Added, but caught this:
> 
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting 
> transaction on zone ad.fvg.lnf.it
>  Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#50403: 
> update 'ad.fvg.lnf.it/IN' denied
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: cancelling 
> transaction on zone ad.fvg.lnf.it
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting 
> transaction on zone ad.fvg.lnf.it
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing 
> update of signer=ALBERT\$\@AD.FVG.LNF.IT 
> name=ALBERT.ad.fvg.lnf.it tcpaddr= type=AAAA 
> key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing 
> update of signer=ALBERT\$\@AD.FVG.LNF.IT 
> name=ALBERT.ad.fvg.lnf.it tcpaddr= type=A 
> key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing 
> update of signer=ALBERT\$\@AD.FVG.LNF.IT 
> name=ALBERT.ad.fvg.lnf.it tcpaddr= type=A 
> key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
>  Jun 15 05:48:40 vdcsv2 named[6494]: client 
> 10.5.2.64#61734/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 
> 'ad.fvg.lnf.it/NONE': deleting rrset at 'ALBERT.ad.fvg.lnf.it' AAAA
>  Jun 15 05:48:40 vdcsv2 named[6494]: client 
> 10.5.2.64#61734/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 
> 'ad.fvg.lnf.it/NONE': deleting rrset at 'ALBERT.ad.fvg.lnf.it' A
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: subtracted 
> rdataset ALBERT.ad.fvg.lnf.it 
> 'ALBERT.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.64'
>  Jun 15 05:48:40 vdcsv2 named[6494]: client 
> 10.5.2.64#61734/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 
> 'ad.fvg.lnf.it/NONE': adding an RR at 'ALBERT.ad.fvg.lnf.it' A
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: added 
> rdataset ALBERT.ad.fvg.lnf.it 
> 'ALBERT.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.64'
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: committed 
> transaction on zone ad.fvg.lnf.it
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting 
> transaction on zone ad.fvg.lnf.it
>  Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#57791: 
> update 'ad.fvg.lnf.it/IN' denied
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: cancelling 
> transaction on zone ad.fvg.lnf.it
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting 
> transaction on zone ad.fvg.lnf.it
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing 
> update of signer=ALBERT\$\@AD.FVG.LNF.IT 
> name=ALBERT.ad.fvg.lnf.it tcpaddr= type=AAAA 
> key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing 
> update of signer=ALBERT\$\@AD.FVG.LNF.IT 
> name=ALBERT.ad.fvg.lnf.it tcpaddr= type=A 
> key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing 
> update of signer=ALBERT\$\@AD.FVG.LNF.IT 
> name=ALBERT.ad.fvg.lnf.it tcpaddr= type=A 
> key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
>  Jun 15 05:48:40 vdcsv2 named[6494]: client 
> 10.5.2.64#50303/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 
> 'ad.fvg.lnf.it/NONE': deleting rrset at 'ALBERT.ad.fvg.lnf.it' AAAA
>  Jun 15 05:48:40 vdcsv2 named[6494]: client 
> 10.5.2.64#50303/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 
> 'ad.fvg.lnf.it/NONE': deleting rrset at 'ALBERT.ad.fvg.lnf.it' A
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: subtracted 
> rdataset ALBERT.ad.fvg.lnf.it 
> 'ALBERT.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.64'
>  Jun 15 05:48:40 vdcsv2 named[6494]: client 
> 10.5.2.64#50303/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 
> 'ad.fvg.lnf.it/NONE': adding an RR at 'ALBERT.ad.fvg.lnf.it' A
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: added 
> rdataset ALBERT.ad.fvg.lnf.it 
> 'ALBERT.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.64'
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: committed 
> transaction on zone ad.fvg.lnf.it
>  Jun 15 05:48:45 vdcsv2 named[6494]: client 10.5.2.64#50303: 
> request has invalid signature: TSIG 
> 1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49 
> (ALBERT\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)
> 
> 
> Looking at:
> 
> 	https://wiki.debian.org/Bind9#File_.2Fetc.2Fbind.2Fnamed.conf
> 
> the note:
> 
> 	// Configure the communication channel for 
> Administrative BIND9 with rndc
> 	// By default, they key is in the rndc.key file and is 
> used by rndc and bind9 
> 	// on the localhost
> 
> seems to me that inclusion of rndc.conf and access on localhost is the
> default, and so it is not needed.
> 
> -- 
> dott. Marco Gaiarin				        GNUPG 
> Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''          
> http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al 
> Tagliamento (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   
> f +39-0434-842797
> 
> 
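Added example, not part of the original thread: a small parser that rebuilds the samba_dlz transactions from named's log and matches a later TSIG verify failure to the client socket whose update had already committed, which is the comparison made by hand above. The sample lines are constructed (condensed from the quoted log, one entry per line), and `KEY-PLACEHOLDER` and the function names are assumptions.

```python
import re

# Constructed sample: entries modelled on the quoted log, re-joined to one entry
# per line and trimmed; KEY-PLACEHOLDER stands in for the TSIG key name.
SAMPLE = r"""
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#50403: update 'ad.fvg.lnf.it/IN' denied
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: cancelling transaction on zone ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#61734/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'ALBERT.ad.fvg.lnf.it' A
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: committed transaction on zone ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#57791: update 'ad.fvg.lnf.it/IN' denied
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: cancelling transaction on zone ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#50303/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'ALBERT.ad.fvg.lnf.it' A
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: committed transaction on zone ad.fvg.lnf.it
Jun 15 05:48:45 vdcsv2 named[6494]: client 10.5.2.64#50303: request has invalid signature: TSIG KEY-PLACEHOLDER (ALBERT\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)
""".strip().splitlines()

ENTRY = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ named\[\d+\]: (.*)$")
TXN = re.compile(r"samba_dlz: (starting|committed|cancelling) transaction on zone (\S+)")
CLIENT = re.compile(r"client (\S+?)#(\d+)(/key \S+)?: (.*)")

def parse(lines):
    """Return (transactions, tsig_failures) reconstructed from named's log."""
    txns, failures, current = [], [], None
    for ts, msg in (m.groups() for m in map(ENTRY.match, lines) if m):
        if t := TXN.match(msg):
            if t[1] == "starting":
                current = {"zone": t[2], "start": ts, "client": None, "signed": False, "outcome": "open"}
                txns.append(current)
            elif current:
                current["outcome"] = "committed" if t[1] == "committed" else "cancelled"
                current = None
        elif c := CLIENT.match(msg):
            ip, port, key, rest = c.groups()
            if "tsig verify failure" in rest:
                failures.append({"time": ts, "client": (ip, int(port))})
            elif current:
                # "/key <signer>" after the port marks a TSIG-signed request
                current.update(client=(ip, int(port)), signed=bool(key))
    return txns, failures

def failures_after_commit(lines):
    """TSIG failures from a client socket whose update had already committed."""
    txns, failures = parse(lines)
    done = {t["client"] for t in txns if t["outcome"] == "committed"}
    return [f for f in failures if f["client"] in done]
```

On a real log, re-join the mail-wrapped entries to one per line before feeding them to `parse`.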



