[Samba] samba_dnsupdate REFUSED between Samba4 AD DC and Win 2008r2

Giacomo Gorgellino giacomo.gorgellino at risorsa.com
Thu Nov 29 11:30:28 UTC 2018


Hi,

I'm having some trouble getting the Samba internal DNS server in sync with
the other DNS servers (Windows) of my AD domain.

samba_dnsupdate returns:

update failed: REFUSED
Failed update of 1 entries

I'm running samba Version 4.5.12-Debian

root@mysamba4dc:~# dpkg -l | grep samba
ii  python-samba                   2:4.5.12+dfsg-2+deb9u3 amd64        Python bindings for Samba
ii  samba                          2:4.5.12+dfsg-2+deb9u3 amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.5.12+dfsg-2+deb9u3 all          common files used by both the Samba server and client
ii  samba-common-bin               2:4.5.12+dfsg-2+deb9u3 amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules             2:4.5.12+dfsg-2+deb9u3 amd64        Samba Directory Services Database
ii  samba-libs:amd64               2:4.5.12+dfsg-2+deb9u3 amd64        Samba core libraries
ii  samba-vfs-modules              2:4.5.12+dfsg-2+deb9u3 amd64        Samba Virtual FileSystem plugins

This is the Windows DNS log:

29/11/2018 12:03:17 0CCC PACKET  0000000004E5AD10 TCP Rcv 10.0.16.25      e2a8   U [0028       NOERROR] SOA (7)MYDOMAIN(3)com(0)
29/11/2018 12:03:17 13CC PACKET  0000000004E5AD10 TCP Snd 10.0.16.25      e2a8 R U [05a8       REFUSED] SOA (7)MYDOMAIN(3)com(0)

This is the output of samba_dnsupdate --verbose:

root@mysamba4dc:~# samba_dnsupdate --verbose
IPs: ['10.0.16.25']
Looking for DNS entry A mysamba4dc.MYDOMAIN.com 10.0.16.25 as mysamba4dc.MYDOMAIN.com.
Looking for DNS entry NS MYDOMAIN.com mysamba4dc.MYDOMAIN.com as MYDOMAIN.com.
Looking for DNS entry NS _msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com as _msdcs.MYDOMAIN.com.
The DNS entry NS _msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com, queried as _msdcs.MYDOMAIN.com. does not hold this record type
need update: NS _msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com
Looking for DNS entry A MYDOMAIN.com 10.0.16.25 as MYDOMAIN.com.
Looking for DNS entry SRV _ldap._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.MYDOMAIN.com.
Checking 0 100 389 ris-dom-contr02.MYDOMAIN.com. against SRV _ldap._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.dc._msdcs.MYDOMAIN.com.
Checking 0 100 389 ris-dom-contr02.MYDOMAIN.com. against SRV _ldap._tcp.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 ris-dom-contr01.MYDOMAIN.com. against SRV _ldap._tcp.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _ldap._tcp.d47b6ec5-8976-40a1-ad85-6479d007ebb2.domains._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.d47b6ec5-8976-40a1-ad85-6479d007ebb2.domains._msdcs.MYDOMAIN.com.
Checking 0 100 389 ris-dom-contr02.MYDOMAIN.com. against SRV _ldap._tcp.d47b6ec5-8976-40a1-ad85-6479d007ebb2.domains._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 ris-dom-contr01.MYDOMAIN.com. against SRV _ldap._tcp.d47b6ec5-8976-40a1-ad85-6479d007ebb2.domains._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.d47b6ec5-8976-40a1-ad85-6479d007ebb2.domains._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _kerberos._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88 as _kerberos._tcp.MYDOMAIN.com.
Checking 0 100 88 mysamba4dc.MYDOMAIN.com. against SRV _kerberos._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Looking for DNS entry SRV _kerberos._udp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88 as _kerberos._udp.MYDOMAIN.com.
Checking 0 100 88 ris-dom-contr01.MYDOMAIN.com. against SRV _kerberos._udp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Checking 0 100 88 ris-dom-contr02.MYDOMAIN.com. against SRV _kerberos._udp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Checking 0 100 88 mysamba4dc.MYDOMAIN.com. against SRV _kerberos._udp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88 as _kerberos._tcp.dc._msdcs.MYDOMAIN.com.
Checking 0 100 88 mysamba4dc.MYDOMAIN.com. against SRV _kerberos._tcp.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Looking for DNS entry SRV _kpasswd._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 464 as _kpasswd._tcp.MYDOMAIN.com.
Checking 0 100 464 mysamba4dc.MYDOMAIN.com. against SRV _kpasswd._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 464
Looking for DNS entry SRV _kpasswd._udp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 464 as _kpasswd._udp.MYDOMAIN.com.
Checking 0 100 464 mysamba4dc.MYDOMAIN.com. against SRV _kpasswd._udp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 464
Looking for DNS entry CNAME f9757ca5-8424-4016-99d7-1fbbb232e304._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com as f9757ca5-8424-4016-99d7-1fbbb232e304._msdcs.MYDOMAIN.com.
Looking for DNS entry SRV _ldap._tcp.MYSITE._sites.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.MYSITE._sites.MYDOMAIN.com.
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.MYSITE._sites.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _ldap._tcp.MYSITE._sites.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.MYSITE._sites.dc._msdcs.MYDOMAIN.com.
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.MYSITE._sites.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _kerberos._tcp.MYSITE._sites.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88 as _kerberos._tcp.MYSITE._sites.MYDOMAIN.com.
Checking 0 100 88 mysamba4dc.MYDOMAIN.com. against SRV _kerberos._tcp.MYSITE._sites.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Looking for DNS entry SRV _kerberos._tcp.MYSITE._sites.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88 as _kerberos._tcp.MYSITE._sites.dc._msdcs.MYDOMAIN.com.
Checking 0 100 88 mysamba4dc.MYDOMAIN.com. against SRV _kerberos._tcp.MYSITE._sites.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Looking for DNS entry A gc._msdcs.MYDOMAIN.com 10.0.16.25 as gc._msdcs.MYDOMAIN.com.
Looking for DNS entry SRV _gc._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268 as _gc._tcp.MYDOMAIN.com.
Checking 0 100 3268 mywindc02.MYDOMAIN.com. against SRV _gc._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268
Checking 0 100 3268 mysamba4dc.MYDOMAIN.com. against SRV _gc._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268 as _ldap._tcp.gc._msdcs.MYDOMAIN.com.
Checking 0 100 3268 mywindc02.MYDOMAIN.com. against SRV _ldap._tcp.gc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268
Checking 0 100 3268 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.gc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268
Looking for DNS entry SRV _gc._tcp.MYSITE._sites.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268 as _gc._tcp.MYSITE._sites.MYDOMAIN.com.
Checking 0 100 3268 mysamba4dc.MYDOMAIN.com. against SRV _gc._tcp.MYSITE._sites.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268
Looking for DNS entry SRV _ldap._tcp.MYSITE._sites.gc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268 as _ldap._tcp.MYSITE._sites.gc._msdcs.MYDOMAIN.com.
Checking 0 100 3268 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.MYSITE._sites.gc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268
Looking for DNS entry A DomainDnsZones.MYDOMAIN.com 10.0.16.25 as DomainDnsZones.MYDOMAIN.com.
Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.DomainDnsZones.MYDOMAIN.com.
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.DomainDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _ldap._tcp.MYSITE._sites.DomainDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.MYSITE._sites.DomainDnsZones.MYDOMAIN.com.
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.MYSITE._sites.DomainDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry A ForestDnsZones.MYDOMAIN.com 10.0.16.25 as ForestDnsZones.MYDOMAIN.com.
Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.ForestDnsZones.MYDOMAIN.com.
Checking 0 100 389 mywindc02.MYDOMAIN.com. against SRV _ldap._tcp.ForestDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 mywindc01.MYDOMAIN.com. against SRV _ldap._tcp.ForestDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.ForestDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _ldap._tcp.MYSITE._sites.ForestDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.MYSITE._sites.ForestDnsZones.MYDOMAIN.com.
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.MYSITE._sites.ForestDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
1 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/mywindc01.MYDOMAIN.com as mysamba4dc$
update(nsupdate): NS _msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com
Calling nsupdate for NS _msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_msdcs.MYDOMAIN.com.     900     IN      NS mysamba4dc.MYDOMAIN.com.

; TSIG error with server: tsig verify failure
update failed: REFUSED
Failed nsupdate: 2
Failed update of 1 entries

Any hints?

Thanks,

Giacomo
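
For matching the client-side failure to what the Windows server recorded, the following is an added example (not part of the original post, and not Samba or Microsoft code) that scans DNS debug-log PACKET lines of the shape quoted above and lists dynamic updates answered with REFUSED. The field layout is inferred from the two log lines in the post, which is an assumption; the third and fourth sample lines are constructed.

```python
import re

# Layout inferred from the two PACKET lines quoted in the post (an assumption,
# not a vendor specification): date time thread PACKET id proto dir ip xid
# [R] opcode [flags ... rcode] qtype qname
PACKET_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+\S+\s+PACKET\s+\S+\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9a-fA-F]{4})\s+(?P<resp>R\s+)?(?P<opcode>\S)\s+"
    r"\[(?P<inner>[^\]]+)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)

def decode_name(raw):
    """Turn '(7)MYDOMAIN(3)com(0)' into 'MYDOMAIN.com'. Length prefixes are
    dropped rather than trusted, since the post's names are anonymised."""
    return ".".join(part for part in re.split(r"\(\d+\)", raw) if part)

def refused_updates(lines):
    """Return one record per UPDATE response the server sent with REFUSED,
    noting whether the matching request (same client and Xid) was logged."""
    pending, hits = set(), []
    for line in lines:
        m = PACKET_RE.match(line.strip())
        if not m or m["opcode"] != "U":
            continue  # not a PACKET line, or not a dynamic update
        key = (m["ip"], m["xid"].lower())
        if m["dir"] == "Rcv" and not m["resp"]:
            pending.add(key)
        elif m["dir"] == "Snd" and m["resp"]:
            if m["inner"].split()[-1] == "REFUSED":
                hits.append({"when": m["date"] + " " + m["time"],
                             "client": m["ip"], "proto": m["proto"],
                             "zone": decode_name(m["qname"]),
                             "request_seen": key in pending})
            pending.discard(key)
    return hits

# Lines 1-2 are from the post (re-joined); lines 3-4 are constructed.
SAMPLE = [
    "29/11/2018 12:03:17 0CCC PACKET  0000000004E5AD10 TCP Rcv 10.0.16.25      e2a8   U [0028       NOERROR] SOA (7)MYDOMAIN(3)com(0)",
    "29/11/2018 12:03:17 13CC PACKET  0000000004E5AD10 TCP Snd 10.0.16.25      e2a8 R U [05a8       REFUSED] SOA (7)MYDOMAIN(3)com(0)",
    "29/11/2018 12:04:02 0CCC PACKET  0000000004E5B220 UDP Rcv 10.0.16.30      1f3c   U [0028       NOERROR] SOA (7)MYDOMAIN(3)com(0)",
    "29/11/2018 12:04:02 13CC PACKET  0000000004E5B220 UDP Snd 10.0.16.30      1f3c R U [00a8       NOERROR] SOA (7)MYDOMAIN(3)com(0)",
]

if __name__ == "__main__":
    for hit in refused_updates(SAMPLE):
        print(hit)
```
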
