[Samba] Internal DNS, update of reverse zone fails

Rowland Penny rpenny at samba.org
Sun Feb 16 18:48:19 UTC 2020


On 16/02/2020 18:25, kaffeesurrogat via samba wrote:
> Dear list,
>
> one more problem.
>
>
> I've set up my host running a samba addc controller. Samba version is
> samba-4.11.6-r2. I've joined two win10 clients to my domain. One client
> has a static ip, the other one was configured to ask my dhcpd-daemon for
> an ip. Following the book from Stefan Kania, I modified my dhcpd.conf to
> execute some scripts I've found on ArchWiki to add my win10-dynip-client
> to the internal dns server (A,PTR,...) of my samba-addc. It took quite a
> while but it works.
>
> My win10-static-client-name is resolved by the internal dns server,
> verified with nslookup SOMENAME. Unfortunately the win10-static-client
> did not add an entry to the reverse lookup zone, when I added it to the
> domain.
>
> Is there a reason why? I guess it should not be like this.
>
>
> I've followed
>
> https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates
>
> for testing and
>
> samba_dnsupdate --verbose --all-names
>
> gives:
>
> #############################################
> ; TSIG error with server: tsig verify failure
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.lfa.ls. 900 IN
> SRV 0 100 389 plfa1.lfa.ls.
>
> ; TSIG error with server: tsig verify failure
>
> Failed nsupdate: 2
> update(nsupdate): A ForestDnsZones.lfa.ls 10.20.30.1
> Calling nsupdate for A ForestDnsZones.lfa.ls 10.20.30.1 (add)
> Successfully obtained Kerberos ticket to DNS/plfa1.lfa.ls as PLFA1$
> Failed nsupdate: 2
> update(nsupdate): SRV _ldap._tcp.ForestDnsZones.lfa.ls plfa1.lfa.ls 389
> Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.lfa.ls plfa1.lfa.ls
> 389 (add)
> Successfully obtained Kerberos ticket to DNS/plfa1.lfa.ls as PLFA1$
> Failed nsupdate: 2
> update(nsupdate): SRV
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.lfa.ls
> plfa1.lfa.ls 389
> Calling nsupdate for SRV
> _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.lfa.ls
> plfa1.lfa.ls 389 (add)
> Successfully obtained Kerberos ticket to DNS/plfa1.lfa.ls as PLFA1$
> Failed nsupdate: 2
> Failed update of 29 entries
> ##########################################################
>
> The wiki (https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End)
> says that the internal dns of samba does not support shared-key
> transaction signature (TSIG).
>
> To be honest, I don't know if TSIG is related to my problem.
>
>
> Would be really happy about an answer .... and ....
>
> many thanks,
>
> blubberbaer
>
Have you tried reading our documentation?

https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

You will also need to read this:

https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End

Rowland




