[Samba] Client update of DNS records denied

Roy Eastwood spindles7 at gmail.com
Tue Jun 23 10:59:22 UTC 2020

AD domain with 2 samba DCs and a number of samba member fileservers. Windows 10 member workstations in the domain fail to update
their DNS records and regularly produce error messages in the log on one of the DCs:

client @0x7f5ccc11d960 update 'microlynx.org/IN' denied
client @0x7f5ccc11d960 update '2.168.192.in-addr.arpa/IN' denied

Thinking that the client cannot update the records because it didn't own them, I deleted the DNS entry for the workstation in DNS
and issued the command 'ipconfig /registerdns' on one of the Windows 10 machines. This failed and the logs above were repeated.

The dns backend is Bind9_DLZ. named.conf.options on the DC is as follows:
options {
	directory "/var/cache/bind";

	auth-nxdomain yes;
	notify no;
	empty-zones-enable no;

	// the address lists inside the braces below were not preserved in the archive copy
	allow-query {;; };
	allow-update {;; };
	allow-recursion {;; };
	allow-transfer { none; };

	listen-on port 53 { any; };
	listen-on-v6 port 53 { none; };

	forwarders {;	// asus router

	dnssec-enable no;
	dnssec-validation no;

	// for updates to AD zone
# self-compiled version:	tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
	tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
	minimal-responses yes;
};

The smb.conf on the DC is as follows:
# section headers ([global], [sysvol], [netlogon]) were lost in the archive copy;
# restored here as the standard provision layout
[global]
	netbios name = TIGER-DB
	server role = active directory domain controller
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	workgroup = MICROLYNX
# prevent CUPS errors in syslog
	printcap name = /dev/null
	load printers = no

# disable smb1
# these are now defaults in version 4.11.x
#	client min protocol = smb2_02
#	server min protocol = smb2_02

# add the following two lines for testing - remove for production
#	winbind enum users = yes
#	winbind enum groups = yes
#	following added to see if it prevents smbd from starting (as it does on pi4b)
#	yes it does!
#	bind interfaces only = yes
#	interfaces = lo br0

# allow clients to update their DNS records - not working!
	allow dns updates = nonsecure

# allow AD users to log on
	template shell = /bin/bash
	template homedir = /home/%D/%U
	winbind refresh tickets = yes

	log file = /var/log/samba/log.samba
	log level = 1

[sysvol]
	path = /var/lib/samba/sysvol
	read only = No

[netlogon]
	path = /var/lib/samba/sysvol/microlynx.org/scripts
	read only = No

OS is Debian Buster, samba is version 4.12.3 (Louis' repo).

Any suggestions on how to get this working?
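An added triage example for reading named's log in a case like the one above (example code written for this thread; it is not from the original post, from Samba or from BIND). The point it makes: an "update 'zone/IN' denied" line with no "/key" in the client prefix is an unsigned update, which a zone served through the Samba DLZ module (which has an update policy) always refuses before the module is consulted, and Windows sends exactly that first before retrying with GSS-TSIG. What matters is whether a signed attempt follows for the same client and how BIND answered it: "rejected by secure update (REFUSED)" means the authenticated principal was not allowed to change that name, while a gss_accept_sec_context failure means the TKEY negotiation itself (keytab, SPN) broke. Assumptions: BIND's client log prefix has the form "client @<ptr> <addr>#<port>[/key <tsig key name>]:", the address may be missing from a pasted log (as in the lines quoted in the post), and the sample log lines and the Windows-style GSS-TSIG key names are constructed, not captured from a real server.

```python
"""Triage named (BIND) log lines about dynamic DNS updates on a Samba AD DC.

Constructed example for this thread, not code from the original post, from
Samba or from BIND.  Assumed BIND client log prefix:
"client @<ptr> <addr>#<port>[/key <tsig key name>]: <message>"; a pasted log
may have lost the address.  SAMPLE_LOG below is constructed.
"""
import re
from collections import Counter, defaultdict

CLIENT_RE = re.compile(
    r"client @0x[0-9a-f]+"                    # client pointer, always present
    r"(?:\s+(?P<addr>[0-9A-Fa-f.:]+)#\d+)?"   # peer address#port (may be missing)
    r"(?:/key (?P<key>[^\s:]+))?"             # TSIG/GSS-TSIG key name, signed requests only
    r":?\s+(?P<msg>.*)$"
)
ZONE_RE = re.compile(r"'(?P<zone>[^']+)/IN'")


def classify(line):
    """Return (category, client_addr, key_name, zone) for one log line.

    unsigned-denied : no TSIG on the update; a zone with an update policy
                      (every Samba DLZ zone) is refused before the DLZ module
                      is asked.  Windows sends this first, then retries signed.
    signed-rejected : signed update refused by the update policy, i.e. the DLZ
                      module did not let this principal change this name.
    signed-applied / unsigned-applied : BIND applied the update.
    tkey-failed     : GSS-TSIG key negotiation failed (keytab / SPN problem).
    other           : not an update-related line.
    """
    if "gss_accept_sec_context" in line:
        return ("tkey-failed", None, None, None)
    m = CLIENT_RE.search(line)
    if m is None:
        return ("other", None, None, None)
    addr, key, msg = m.group("addr"), m.group("key"), m.group("msg")
    zm = ZONE_RE.search(msg)
    zone = zm.group("zone") if zm else None
    signed = "signed" if key else "unsigned"
    if msg.startswith("update ") and msg.endswith(" denied"):
        return (signed + "-denied", addr, key, zone)
    if "rejected by secure update" in msg:
        return ("signed-rejected", addr, key, zone)
    if msg.startswith("updating zone") and (" adding " in msg or " deleting " in msg):
        return (signed + "-applied", addr, key, zone)
    return ("other", addr, key, zone)


def triage(lines):
    """Group update-related lines per client and derive one finding per client."""
    per_client = defaultdict(Counter)
    tkey_failures = 0
    for line in lines:
        cat, addr, _key, _zone = classify(line)
        if cat == "tkey-failed":
            tkey_failures += 1
        elif cat != "other":
            per_client[addr or "<address not logged>"][cat] += 1
    findings = {}
    for addr, counts in per_client.items():
        if counts["signed-applied"]:
            findings[addr] = "ok: GSS-TSIG signed update applied"
        elif counts["signed-rejected"] or counts["signed-denied"]:
            findings[addr] = ("signed update rejected: the authenticated principal is not "
                              "allowed to change that record (owner mismatch?)")
        else:
            findings[addr] = ("no signed attempt seen: TKEY negotiation failed or the "
                              "client never retried securely")
    return findings, tkey_failures


# Constructed sample log: three clients plus one line pasted without its address.
SAMPLE_LOG = """\
23-Jun-2020 10:45:01.112 update-security: info: client @0x7f5ccc11d960 192.168.2.50#54321: update 'microlynx.org/IN' denied
23-Jun-2020 10:45:01.113 update-security: info: client @0x7f5ccc11d960 192.168.2.50#54321: update '2.168.192.in-addr.arpa/IN' denied
23-Jun-2020 10:45:02.200 update-security: info: client @0x7f5ccc11e800 192.168.2.51#49152: update 'microlynx.org/IN' denied
23-Jun-2020 10:45:02.300 update-security: error: client @0x7f5ccc11e800 192.168.2.51#49152/key 1049-ms-7.53-2a1f3c.5d2b6a1e-b50b-11ea-9b0c-000c29d5b6e1: updating zone 'microlynx.org/IN': update failed: rejected by secure update (REFUSED)
23-Jun-2020 10:45:03.010 update-security: info: client @0x7f5ccc11f200 192.168.2.52#49153: update 'microlynx.org/IN' denied
23-Jun-2020 10:45:03.120 update: info: client @0x7f5ccc11f200 192.168.2.52#49153/key 1050-ms-7.53-9e4d11.6c3a0b2f-b50b-11ea-9b0c-000c29d5b6e1: updating zone 'microlynx.org/IN': adding an RR at 'ws3.microlynx.org' A 192.168.2.52
23-Jun-2020 10:45:04.000 general: error: failed gss_accept_sec_context: GSSAPI error: Wrong principal in request
client @0x7f5ccc11d960 update 'microlynx.org/IN' denied
"""

if __name__ == "__main__":
    found, tkey = triage(SAMPLE_LOG.splitlines())
    for client, verdict in found.items():
        print(f"{client}: {verdict}")
    print(f"TKEY (GSS-TSIG) negotiation failures: {tkey}")
```

Run it against `/var/log/syslog` or wherever named logs on the DC (`triage(open(path))`); a client that only ever shows unsigned denials, together with TKEY failures in the same window, points at the keytab/SPN side rather than at record ownership, whereas "rejected by secure update" for a client means the secure path works and the DLZ module refused that principal for that name.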
