[Samba] BIND9_DLZ: TKEY is unacceptable - depending on the name server

Rowland Penny rpenny at samba.org
Sat Jun 30 17:03:57 UTC 2018


On Sat, 30 Jun 2018 18:08:22 +0200 (CEST)
"Peter Serbe" <peter at serbe.ch> wrote:

> 
> 
> Rowland Penny via samba schrieb am 30.06.2018 16:45:
> 
> > I think you have run into the 'whoever creates the dns records owns
> > them' problem. 
> 
> Hi Rowland, 
> 
> I am extremely surprised by that. Writing the two lines below each
> other...
> 
> >> Successfully obtained Kerberos ticket to DNS/horus.home.serbe.ch as HORUS$
> >> Successfully obtained Kerberos ticket to DNS/charon.home.serbe.ch as HORUS$

Yes, but only one of the machines can update the records, the other
will always fail.


 
> ... then I see, that there are different principals, and apparently
> the tickets on the machines are issued to the different principals.
> OK, so I understand that on one machine all the DNS entries must be
> owned by the principal which is listed in the local keytab file,
> right? 

Yes, each machine can update its own records.

> 
> So the first question is: how can I make the local DNS to send out 
> the local machine as the first service provider. Currently it looks
> like there was a big mess. Every DNS spits out a different order...
> it should at least give out the own name before the others. 

Not sure I understand what you are trying to ask here, each dns server
is authoritative for the dns domain (multi-master), there is no single
master (unless you only have one DC) and there are definitely no slave
dns servers. Each DC should just sit there, awaiting the clients
asking for dns info.
 
> 
> Another thing, which surprises me, is that this effect eats up a
> whole lot of the redundancy of the whole network. As the going down
> of one DNS would seriously disturb the capabilities of the DCs. But
> OK, it won't bring it down too fast, but - beware - one has to
> monitor the stuff.

As each DC is a dns master, this shouldn't be a problem, provided the
clients get the full set of nameservers.
 
> 
> Is there any Wiki-article discussing the issue? Or any blog post?
> The issue should be of major concern for any admin, who runs (as 
> advised by the Samba team) several ADDCs in one network. 
> 
> 
> > Only the owner of a dns record can update that record
> > and if you look carefully, you are trying to update the same records
> > from both machines. Try pointing the /etc/resolv.conf nameserver on
> > each DC to itself. 
> 
> I will do so, as soon as I understand the big picture - and of 
> course the means to get there:

Do you use dhcp for the clients ?
If so, there is a wikipage about running the dhcp server on a DC, see
here:

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

There is also a page about bind9:

https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server

> - how to see the ownership of the DNS records. and in a second step
> - how to transfer the ownership of them
> - then: what happens with the DNS records ownership during the 
>   process of the replication over to the other ADDCs. Or maybe
>   this is even a no-problem... I am still a bit confused.

The record ownership is stored in AD, you need to see the
'nTSecurityDescriptor' attribute of the dns record.

Rowland
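Added example (my own, not code from Rowland, Peter or the Samba project): a decoder for the nTSecurityDescriptor value that ldbsearch prints as base64 on a dnsNode object, so that the owner SID and the DACL of a record can be read and the "whoever creates the record owns it" effect can be checked for a given machine account. The descriptor layout is the self-relative SECURITY_DESCRIPTOR / ACL / ACE format from MS-DTYP; the domain SID, the RIDs for HORUS$ and CHARON$ and the sample DACL are constructed and hypothetical, not taken from any real domain. The evaluation in can_update() is deliberately simplified: it matches ACEs by the trustee SID only and ignores group membership and object-specific ACEs.

```python
"""Decode the owner and DACL of a Samba AD nTSecurityDescriptor value.

Added example for this thread, not Samba code.  The blob is a self-relative
SECURITY_DESCRIPTOR (MS-DTYP 2.4.6).  All SIDs below are hypothetical.
"""
import base64
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00
ACCESS_DENIED_ACE_TYPE = 0x01
ACL_REVISION_DS = 4
RIGHT_DS_WRITE_PROPERTY = 0x00000020   # needed to change dnsRecord on a dnsNode
RIGHT_GENERIC_ALL = 0x10000000
FULL_CONTROL = 0x000F01FF              # what AD grants the creator of an object
READ_ONLY = 0x00020094                 # READ_CONTROL | LIST | READ_PROPERTY | LIST_OBJECT


def sid_to_bytes(sid):
    """'S-1-5-21-...-1105' -> binary SID (revision, count, 48-bit authority, subauths)."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError(sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def parse_sid(buf, off):
    """Return (sid_string, offset_after_sid) for the binary SID at buf[off:]."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    text = "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))
    return text, off + 8 + 4 * count


def build_ace(ace_type, mask, sid):
    body = struct.pack("<I", mask) + sid_to_bytes(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body  # AceType, AceFlags, AceSize


def build_dacl(aces):
    body = b"".join(aces)
    return struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(body), len(aces), 0) + body


def build_sd(owner, group, aces):
    """Self-relative descriptor: 20-byte header, then owner SID, group SID, DACL."""
    owner_b, group_b, dacl_b = sid_to_bytes(owner), sid_to_bytes(group), build_dacl(aces)
    off_owner = 20
    off_group = off_owner + len(owner_b)
    off_dacl = off_group + len(group_b)
    header = struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT,
                         off_owner, off_group, 0, off_dacl)
    return header + owner_b + group_b + dacl_b


def parse_dacl(buf, off):
    """Return [(ace_type, mask, trustee_sid), ...]; object ACEs are skipped by size."""
    _rev, _sbz1, _size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", buf, pos)
        if ace_type in (ACCESS_ALLOWED_ACE_TYPE, ACCESS_DENIED_ACE_TYPE):
            mask = struct.unpack_from("<I", buf, pos + 4)[0]
            aces.append((ace_type, mask, parse_sid(buf, pos + 8)[0]))
        pos += ace_size
    return aces


def parse_sd(blob):
    _rev, _sbz1, control, off_owner, off_group, _off_sacl, off_dacl = \
        struct.unpack_from("<BBHIIII", blob, 0)
    if not control & SE_SELF_RELATIVE:
        raise ValueError("nTSecurityDescriptor is stored self-relative")
    return {
        "owner": parse_sid(blob, off_owner)[0] if off_owner else None,
        "group": parse_sid(blob, off_group)[0] if off_group else None,
        "dacl": parse_dacl(blob, off_dacl) if (control & SE_DACL_PRESENT and off_dacl) else [],
    }


def parse_ldif_value(b64):
    """ldbsearch prints the attribute as 'nTSecurityDescriptor:: <base64>'."""
    return parse_sd(base64.b64decode(b64))


def can_update(sd, sid):
    """First-match DACL walk for WRITE_PROPERTY (or GENERIC_ALL) on one trustee SID.
    The owner is not implicitly allowed: ownership only gives READ_CONTROL/WRITE_DAC,
    so the owner could re-grant itself access, but the update itself needs the ACE."""
    want = RIGHT_DS_WRITE_PROPERTY | RIGHT_GENERIC_ALL
    for ace_type, mask, trustee in sd["dacl"]:
        if trustee != sid or not mask & want:
            continue
        return ace_type == ACCESS_ALLOWED_ACE_TYPE
    return False


# Constructed sample: HORUS$ created the record, so it is owner and holds full control.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"      # hypothetical domain SID
HORUS = DOMAIN + "-1105"                                   # hypothetical RID of HORUS$
CHARON = DOMAIN + "-1106"                                  # hypothetical RID of CHARON$
DOMAIN_CONTROLLERS = DOMAIN + "-516"
AUTHENTICATED_USERS = "S-1-5-11"
SAMPLE_SD = build_sd(HORUS, DOMAIN_CONTROLLERS, [
    build_ace(ACCESS_ALLOWED_ACE_TYPE, FULL_CONTROL, HORUS),
    build_ace(ACCESS_ALLOWED_ACE_TYPE, READ_ONLY, AUTHENTICATED_USERS),
])
SAMPLE_LDIF_VALUE = base64.b64encode(SAMPLE_SD).decode()


def sample_report():
    sd = parse_ldif_value(SAMPLE_LDIF_VALUE)
    return {"owner": sd["owner"],
            "horus_can_update": can_update(sd, HORUS),
            "charon_can_update": can_update(sd, CHARON)}


if __name__ == "__main__":
    print(sample_report())
```

To feed it a real value, pull the record's descriptor with ldbsearch, for example `ldbsearch -H /var/lib/samba/private/sam.ldb -b DC=DomainDnsZones,DC=home,DC=serbe,DC=ch '(&(objectClass=dnsNode)(name=horus))' nTSecurityDescriptor` on the DC, and pass the base64 after `nTSecurityDescriptor::` to parse_ldif_value(); the same DN can also be given to `samba-tool dsacl get --objectdn=...` to see the descriptor as SDDL. Those paths and the base DN are my assumptions for the domain in this thread.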
