[Samba] Reverse DNS
Praveen Ghimire
PGhimire at sundata.com.au
Wed Jun 26 11:39:42 UTC 2019
Further on this. We have a Win10 machine with RSAT installed on it. Using the DNS tool, I created an A record with an associated PTR record. The A record got created but not the PTR. I was logged in as the domain administrator.
The following with no dns update directive in smb.conf
Jun 26 11:21:07 server5-ad samba[4812]: [2019/06/26 11:21:07.978068, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: starting transaction on zone lin.group
Jun 26 11:21:14 server5-ad named[4853]: client @0x7fcfd80c71e0 192.168.14.196#59770: update 'lin.group/IN' denied
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: cancelling transaction on zone lin.group
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: starting transaction on zone lin.group
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: spnego update failed
Jun 26 11:21:14 server5-ad named[4853]: client @0x7fcfd80c71e0 192.168.14.196#63579/key WIN10VM01\$\@lin.GROUP: updating zone 'lin.group/NONE': update failed: rejected by secure update (REFUSED)
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: cancelling transaction on zone lin.group
Jun 26 11:21:23 server5-ad samba[4812]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedSuccessful AuthZ: [DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Wed, 26 Jun 2019 11:21:23.001914 UTC] Remote host [ipv6::::0] local host [ipv6::::0]
Jun 26 11:21:32 server5-ad samba[4812]: [2019/06/26 11:21:32.583231, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
Jun 26 11:22:07 server5-ad samba[4812]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
Jun 26 11:22:37 server5-ad samba[4812]: [2019/06/26 11:22:37.511948, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
Jun 26 11:23:37 server5-ad samba[4812]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
With dns update = nonsecure
Jun 26 11:30:53 server5-ad samba[4972]: dnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
Jun 26 11:31:06 server5-ad samba[4972]: [2019/06/26 11:31:06.953613, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
Jun 26 11:31:28 server5-ad samba[4972]: dnsserver: Invalid zone operation IsSignedSuccessful AuthZ: [DCE/RPC,ncacn_np] user [NT AUTHORITY]\[SYSTEM] [S-1-5-18] at [Wed, 26 Jun 2019 11:31:28.187322 UTC] Remote host [ipv6::::0] local host [ipv6::::0]
Jun 26 11:31:51 server5-ad samba[4972]: [2019/06/26 11:31:51.662909, 0] ../source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1085(dnsserver_query_zone)
Jun 26 11:31:58 server5-ad samba[4972]: dnsserver: Invalid zone operation IsSigneddnsserver: Invalid zone operation IsSignedTerminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Praveen Ghimire via samba
Sent: Wednesday, 26 June 2019 8:32 PM
To: 'Rowland penny'
Cc: samba at lists.samba.org
Subject: Re: [Samba] Reverse DNS
Hi Rowland,
I have tried putting the whole rev-domain name. The following is the dhcpd.conf zone definition
subnet 192.168.14.0 netmask 255.255.255.0 {
    authoritative;
    ddns-update-style standard;
    option netbios-name-servers 192.168.14.10; #14.10 is the AD box
    option netbios-dd-server 192.168.14.10;
    option netbios-node-type 8;
    option domain-name-servers 192.168.14.10;
    ddns-rev-domainname "14.168.192.in-addr.arpa.";
    option broadcast-address 192.168.14.255;
    option routers 192.168.14.254;
    option domain-name "lin.group"; #AD DOMAIN
    ddns-domainname "lin.group";
    ddns-updates on;
    update-optimization off;
    update-static-leases on;
    allow client-updates;
    pool
    {
    .......
    }
I have removed and re-created the reverse zone a few times, selecting secure and nonsecure, also with and without storing the info in AD. The only time I have seen it being populated is when I assign static IPs.
Regards,
Praveen Ghimire
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Rowland penny via samba
Sent: Wednesday, 26 June 2019 5:06 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Reverse DNS
On 26/06/2019 04:38, Praveen Ghimire via samba wrote:
> Hi Louis,
>
> Thank you for that
>
> I have made the changes as per below, some items might have
> duplicated. I then reloaded apparmor, restarted the samba-ad-dc and bind9
> services and get the same issue. Every time the forward DNS update
> works but the reverse doesn't.
>
> I found a really interesting samba post going back to 2017 re the DHCP
> and DNS
> http://samba.2283325.n4.nabble.com/DHCP-DNS-and-non-domain-members-td4726681.html
>
> In the article there are suggestions of not letting Windows clients update their own DNS records. In my test machine I manually removed the option. The error message disappears when the machine renews its DHCP but the DNS (forward or reverse) doesn't update.
>
> The one thing I can't understand is despite the error messages in
> syslog about denying the lin.group zone, the forward updates but the
> reverse doesn't. The DHCP server has the following
>
> ddns-rev-domainname "in-addr.arpa.";
But isn't your reverse zone called '14.168.192.in-addr.arpa'?
Are your clients set to update their reverse zone? The DHCP server will not do this by default.
Try deleting the reverse zone and recreating it, it could be a permissions problem.
Rowland
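Added example, not part of the original thread: a small triage script that counts, per zone, the samba_dlz transactions and the two kinds of rejected dynamic update seen in the named log above, and lists expected zones for which no update attempt was logged at all. The sample lines are copied from the log excerpt in this message; the function and field names are illustrative assumptions.

```python
import re

# Lines copied from the named excerpt in the message above.
SAMPLE_LOG = r"""
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: starting transaction on zone lin.group
Jun 26 11:21:14 server5-ad named[4853]: client @0x7fcfd80c71e0 192.168.14.196#59770: update 'lin.group/IN' denied
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: cancelling transaction on zone lin.group
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: starting transaction on zone lin.group
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: spnego update failed
Jun 26 11:21:14 server5-ad named[4853]: client @0x7fcfd80c71e0 192.168.14.196#63579/key WIN10VM01\$\@lin.GROUP: updating zone 'lin.group/NONE': update failed: rejected by secure update (REFUSED)
Jun 26 11:21:14 server5-ad named[4853]: samba_dlz: cancelling transaction on zone lin.group
""".strip().splitlines()

CLIENT = r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9.]+)#\d+"
UNSIGNED_DENIED = re.compile(CLIENT + r": update '(?P<zone>[^/']+)/\w+' denied")
SIGNED_REFUSED = re.compile(
    CLIENT + r"/key (?P<key>\S+): updating zone '(?P<zone>[^/']+)/\w+': "
    r"update failed: rejected by secure update \(REFUSED\)")
TRANSACTION = re.compile(r"samba_dlz: starting transaction on zone (?P<zone>\S+)")


def triage(lines, expected_zones):
    """Count update outcomes per zone; expected_zones should all receive updates."""
    report = {}

    def entry(zone):
        return report.setdefault(zone.lower().rstrip("."), {
            "transactions": 0, "unsigned_denied": 0, "signed_refused": 0,
            "clients": set(), "keys": set()})

    for zone in expected_zones:
        entry(zone)
    for line in lines:
        if (m := TRANSACTION.search(line)):
            entry(m["zone"])["transactions"] += 1
        elif (m := UNSIGNED_DENIED.search(line)):
            e = entry(m["zone"])
            e["unsigned_denied"] += 1
            e["clients"].add(m["ip"])
        elif (m := SIGNED_REFUSED.search(line)):
            e = entry(m["zone"])
            e["signed_refused"] += 1
            e["clients"].add(m["ip"])
            e["keys"].add(m["key"])
    # Expected zones with no "starting transaction" line: no update attempt was logged.
    silent = sorted(z for z, e in report.items() if e["transactions"] == 0)
    return report, silent


if __name__ == "__main__":
    report, silent = triage(SAMPLE_LOG, ["lin.group", "14.168.192.in-addr.arpa."])
    print(report)
    print("zones with no update attempt logged:", silent)
```

Run against this excerpt, every logged attempt targets the forward zone lin.group and none targets 14.168.192.in-addr.arpa.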