[Samba] Dynamic DNS updates (Samba 4.8.2 & Bind 9.10)
Eric Hiller
mrraptor98 at hotmail.com
Fri May 25 15:40:16 UTC 2018
Hi all - I've been fighting Dynamic DNS updates for _weeks_ now. Quite
possibly I am missing some key piece of information, and if so, please let
me know! I have been going through every iota of information trying to
figure this out on my own, but I finally must ask.
I am unable to get any machines to _naturally_ register. I can force
register with samba-tool and I can create new records with the DNS mmdc
tool. But as far as a new Windows workstation auto-registering, or forcing
via ipconfig /registerdns - that never works. But first my configs, then my
logs:
*Config:* (the only replaced items are DOMAIN.TLD and domain.tld)
[global]
netbios name = lighthouse
realm = DOMAIN.TLD
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = DOMAIN
idmap_ldb:use rfc2307 = yes
# logging
# logging = syslog file
logging = file
max log size = 2000
log level = 2 dns:10 auth_audit:0 auth_json_audit:0 msdfs:3 registry:3
debug class = yes
debug prefix timestamp = yes
# disable printing
disable spoolss = yes
printcap name = /dev/null
load printers = no
printing = bsd
[netlogon]
path = /usr/local/samba/var/locks/sysvol/domain.tld/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
acl_xattr:ignore system acls = yes
I've now tried Samba 4.8.0 with Bind 9.9 and Samba 4.8.2 with Bind 9.10,
both with the same symptoms.
The only suspicious-looking error logs I see are:
repeated entries of "dnsserver: Invalid zone operation IsSigneddnsserver:"
*Some log excerpts*: (from log.samba)
[2018/05/25 07:33:55.378073, 2] Calling samba_kcc script
[2018/05/25 07:33:55.898790, 2] dnsserver: Found DNS zone .
[2018/05/25 07:33:55.899059, 2] dnsserver: Found DNS zone domain.tld
[2018/05/25 07:33:55.899175, 2] dnsserver: Found DNS zone 10.168.192.in-addr.arpa
[2018/05/25 07:33:55.900674, 2] dnsserver: Found DNS zone _msdcs.domain.tld
[2018/05/25 07:33:55.903646, 0] [2018/05/25 07:38:55.447569, 2] Calling samba_kcc script
[2018/05/25 07:43:55.570195, 2] Calling samba_kcc script
dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone
operation IsSigneddnsserver: Invalid zone operation IsSigneddnsserver:
Invalid zone operation IsSigneddnsserver: Invalid zone operation
IsSigneddnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone
operation IsSigneddnsserver: Found DNS zone .
[2018/05/25 07:44:38.555366, 2] dnsserver: Found DNS zone domain.tld
[2018/05/25 07:44:38.555528, 2] dnsserver: Found DNS zone 10.168.192.in-addr.arpa
[2018/05/25 07:44:38.556769, 2] dnsserver: Found DNS zone _msdcs.domain.tld
[2018/05/25 07:44:38.559655, 0] [2018/05/25 07:48:55.692918, 2] Calling samba_kcc script
[2018/05/25 07:53:55.810061, 2] Calling samba_kcc script
[2018/05/25 07:58:55.932487, 2] Calling samba_kcc script
*I believe this was the log at the time of an attempted* ipconfig /registerdns:
[2018/05/25 08:03:56.047620, 2] Calling samba_kcc script
dnsserver: Invalid zone operation IsSigneddnsserver: Found DNS zone .
[2018/05/25 08:08:33.475465, 2] dnsserver: Found DNS zone domain.tld
[2018/05/25 08:08:33.475667, 2] dnsserver: Found DNS zone 10.168.192.in-addr.arpa
[2018/05/25 08:08:33.476984, 2] dnsserver: Found DNS zone _msdcs.domain.tld
[2018/05/25 08:08:33.480365, 0] [2018/05/25 08:08:56.170145, 2] Calling samba_kcc script
Also, I saw this entry only once (in log.smbd):
[2018/05/25 07:30:12.791556, 2] svcctl_set_secdesc: Could not open SYSTEM\CurrentControlSet\Services\DNS\Security - WERR_FILE_NOT_FOUND
It seemed as though it _could_ have something to do with it, but I see no
registry entry on any of my machines, nor in fact do I see that via
samba-regedit.
Lastly, diagnostics (such as the below) work perfectly:
samba_dnsupdate --fail-immediately --all-names --verbose --use-nsupdate
I hope I've provided enough background, and that someone has an idea. I
sure would appreciate figuring this one out!
Thank you,
-Eric