[Samba] Reverse DNS

Praveen Ghimire PGhimire at sundata.com.au
Wed Jun 26 11:39:42 UTC 2019


Further on this. We have a Win10 machine with RSAT installed on it. Using the DNS tool, I created an A record with an associated PTR record. The A record got created but not the PTR. I was logged in as the domain administrator.

The following is with no dns update directive in smb.conf:

Jun 26 11:21:07 server5-ad samba[4812]: [2019/06/26 11:21:07.978068,  0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: starting transaction on zone lin.group
Jun 26 11:21:14 server5-ad named[4853]: client @0x7fcfd80c71e0 192.168.14.196#59770: update 'lin.group/IN' denied
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: cancelling transaction on zone lin.group
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: starting transaction on zone lin.group
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: spnego update failed
Jun 26 11:21:14 server5-ad named[4853]: client @0x7fcfd80c71e0 192.168.14.196#63579/key WIN10VM01\$\@lin.GROUP: updating zone 'lin.group/NONE': update failed: rejected by secure update (REFUSED)
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: cancelling transaction on zone lin.group
Jun 26 11:21:23 server5-ad samba[4812]:   dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedSuccessful AuthZ: [DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Wed, 26 Jun 2019 11:21:23.001914 UTC] Remote host [ipv6::::0] local host [ipv6::::0]
Jun 26 11:21:32 server5-ad samba[4812]: [2019/06/26 11:21:32.583231,  0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
Jun 26 11:22:07 server5-ad samba[4812]:   dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
Jun 26 11:22:37 server5-ad samba[4812]: [2019/06/26 11:22:37.511948,  0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
Jun 26 11:23:37 server5-ad samba[4812]:   dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'

With dns update = nonsecure:

Jun 26 11:30:53 server5-ad samba[4972]:   dnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
Jun 26 11:31:06 server5-ad samba[4972]: [2019/06/26 11:31:06.953613,  0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
Jun 26 11:31:28 server5-ad samba[4972]:   dnsserver: Invalid zone operation IsSignedSuccessful AuthZ: [DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Wed, 26 Jun 2019 11:31:28.187322 UTC] Remote host [ipv6::::0] local host [ipv6::::0]
Jun 26 11:31:51 server5-ad samba[4972]: [2019/06/26 11:31:51.662909,  0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
Jun 26 11:31:58 server5-ad samba[4972]:   dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'

-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Praveen Ghimire via samba
Sent: Wednesday, 26 June 2019 8:32 PM
To: 'Rowland penny'
Cc: samba at lists.samba.org
Subject: Re: [Samba] Reverse DNS

Hi Rowland,

I have tried putting the whole rev-domain name. The following is the dhcpd.conf zone definition:

      subnet 192.168.14.0 netmask 255.255.255.0 {
        authoritative;
        ddns-update-style standard;
        option netbios-name-servers 192.168.14.10; #14.10 is the AD box
        option netbios-dd-server 192.168.14.10;
        option netbios-node-type 8;
        option domain-name-servers 192.168.14.10;
        ddns-rev-domainname "14.168.192.in-addr.arpa.";
        option broadcast-address 192.168.14.255;
        option routers 192.168.14.254;
        option domain-name "lin.group"; #AD DOMAIN
        ddns-domainname "lin.group";
        ddns-updates on;
        update-optimization off;
        update-static-leases on;
        allow client-updates;
        pool {
          .......
        }
      }

I have removed and re-created the reverse zone a few times, selecting secure and nonsecure, also with and without storing the info in AD. The only time I have seen it being populated is when I assign static IPs.



Regards,
Praveen Ghimire


-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny via samba
Sent: Wednesday, 26 June 2019 5:06 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Reverse DNS

On 26/06/2019 04:38, Praveen Ghimire via samba wrote:
> Hi Louis,
>
> Thank you for that
>
> I have made the changes as per below; some items might have been
> duplicated. I then reloaded apparmor, restarted the samba-ad-dc and bind9
> services and get the same issue. Every time the forward DNS update
> works but the reverse doesn't.
>
> I found a really interesting samba post going back to 2017 re the DHCP
> and DNS:
> http://samba.2283325.n4.nabble.com/DHCP-DNS-and-non-domain-members-td4726681.html
>
> In the article there are suggestions of not letting Windows clients update their own DNS records. On my test machine I manually removed the option. The error message disappears when the machine renews its DHCP lease, but the DNS (forward or reverse) doesn't update.
>
> The one thing I can't understand is that, despite the error messages in
> syslog about denying the lin.group zone, the forward zone updates but the
> reverse doesn't. The DHCP server has the following:
>
> ddns-rev-domainname "in-addr.arpa.";

But isn't your reverse zone called '14.168.192.in-addr.arpa'?

Are your clients set to update their reverse zone? The DHCP server will not do this by default.

Try deleting the reverse zone and recreating it; it could be a permissions problem.

Rowland
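Two checks that follow from this thread, as an added example that is not code from the mailing list, from Samba or from ISC dhcpd: deriving the in-addr.arpa zone a dhcpd subnet must name in ddns-rev-domainname (Rowland's point about '14.168.192.in-addr.arpa' versus the bare 'in-addr.arpa.'), and summarising the named/samba_dlz syslog lines posted above so the refused updates can be grouped by zone and by the key or client that sent them. The regexes are assumptions based on the exact line shapes quoted in the thread; the sample log is copied from those lines.

```python
"""Triage helpers for Samba AD / BIND9_DLZ dynamic-update failures (constructed example)."""
import ipaddress
import re
from collections import Counter

# Unsigned update rejected by BIND's update policy (line shape from the thread).
DENIED_RE = re.compile(
    r"client @\S+ (?P<client>[\d.]+)#\d+: update '(?P<zone>[^']+)' denied")
# GSS-TSIG (secure) update rejected; the key name is the client's machine account.
REFUSED_RE = re.compile(
    r"client @\S+ (?P<client>[\d.]+)#\d+/key (?P<key>\S+): updating zone "
    r"'(?P<zone>[^']+)': update failed: rejected by secure update")

# Two lines copied from the thread's syslog excerpt (with -- escaped key name).
SAMPLE_LOG = r"""
Jun 26 11:21:14 server5-ad named[4853]: client @0x7fcfd80c71e0 192.168.14.196#59770: update 'lin.group/IN' denied
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: spnego update failed
Jun 26 11:21:14 server5-ad named[4853]: client @0x7fcfd80c71e0 192.168.14.196#63579/key WIN10VM01\$\@lin.GROUP: updating zone 'lin.group/NONE': update failed: rejected by secure update (REFUSED)
"""

def reverse_zone(subnet: str) -> str:
    """Reverse zone (with trailing dot) for an octet-aligned /8, /16 or /24 subnet."""
    net = ipaddress.ip_network(subnet, strict=True)
    if net.prefixlen % 8:
        raise ValueError("classless reverse zones need RFC 2317 delegation")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def rev_domain_ok(subnet: str, configured: str) -> bool:
    """True only if ddns-rev-domainname names exactly the subnet's reverse zone."""
    return configured.rstrip(".") == reverse_zone(subnet).rstrip(".")

def summarise_updates(log: str) -> dict:
    """Count refused updates keyed by (zone, reason, key-or-client)."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = REFUSED_RE.search(line)
        if m:  # syslog escapes '$' and '@' in the key name; strip the backslashes
            counts[(m["zone"], "secure-refused", m["key"].replace("\\", ""))] += 1
            continue
        m = DENIED_RE.search(line)
        if m:
            counts[(m["zone"], "unsigned-denied", m["client"])] += 1
    return dict(counts)

if __name__ == "__main__":
    print(reverse_zone("192.168.14.0/24"))          # 14.168.192.in-addr.arpa.
    print(rev_domain_ok("192.168.14.0/24", "in-addr.arpa."))  # False
    for key, n in summarise_updates(SAMPLE_LOG).items():
        print(n, *key)
```

Run it against `journalctl -u named` output to see at a glance whether the rejected updates are unsigned attempts or GSS-TSIG updates from a specific machine account, which is the distinction that decides whether the fix is the BIND update policy or the zone's AD permissions.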



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com ______________________________________________________________________

