[Samba] once again reverse DNS - bind_dlz

Jan JMPBL jmpblto at gmail.com
Thu May 20 12:26:07 UTC 2021


Hi again,

DHCP is configured as per the Samba wiki.
Workstations update automatically.
Generally, almost everything works :)

sometimes errors occur:

May 20 14:08:37 ad named[8041]: samba_dlz: disallowing update of signer=TEST_LAP\$\@TEST.LAN name=Test_Lap.test.lan type=AAAA error=insufficient access rights
May 20 14:08:37 ad named[8041]: client @0x7f11fc021e30 10.10.10.101#50217/key TEST_LAP\$\@TEST.LAN: updating zone 'test.lan/NONE': update failed: rejected by secure update (REFUSED)

I added lines to smb.conf:

dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
allow dns updates = nonsecure and secure

unfortunately it doesn't work

Thanks,

Jan

On Tue, 18 May 2021 at 10:28, Jan JMPBL <jmpblto at gmail.com> wrote:

> Thank you for your response.
> my named.conf.options file as below
>
> ipv6 - disabled
>
> options {
>         directory "/var/cache/bind";
>         recursion yes;
>         allow-query { any; };
>         forwarders { 8.8.8.8; 8.8.4.4; };
>         dnssec-enable no;
>         dnssec-validation no;
>         dnssec-lookaside no;
>         listen-on-v6 { none; };
>         notify no;
>         auth-nxdomain yes;
>         empty-zones-enable no;
>
>         // DNS dynamic updates via Kerberos
>         //var/lib/samba/bind-dns/dns.keytab;
>         tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>        minimal-responses yes;
> };
>
> I have not read anywhere that the reverse zone is not updated
> automatically. It usually says it works :)
> I will try to configure the dhcp server to update DNS zones. Do you have
> any good "how to" how to configure it?
>
> Thanks,
>
> Jan
>
>
> On Tue, 18 May 2021 at 10:02, L.P.H. van Belle via samba <samba at lists.samba.org>
> wrote:
>
>> AND.. Before I forget, does the ipv6 reverse zone exist?
>>
>> If you need a private IPv6 number.
>> Have a look at this.
>> wget
>> https://sunknudsen.com/static/media/privacy-guides/how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos/ulagen.py
>>
>> python3 ulagen.py | grep "First subnet" | awk '{print "IPV6_ULA="$3}'
>>
>> (ULA= see https://en.wikipedia.org/wiki/Unique_local_address )
>>
>> (original source of that script :
>> https://gist.github.com/andrewlkho/31341da4f5953b8d977aab368e6280a8 )
>> Can be handy.
>>
>> Last, if you are running on Debian buster,
>>
>>       minimal-responses yes; << add this in named.conf.options in the
>> defaults.
>>         (see also :
>> https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server )
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>> > -----Original message-----
>> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jan
>> > JMPBL via samba
>> > Sent: Monday 17 May 2021 23:19
>> > To: Rowland penny
>> > CC: sambalist
>> > Subject: Re: [Samba] once again reverse DNS - bind_dlz
>> >
>> > Hi,
>> > thank you,
>> > all changed as you suggested.
>> >
>> > still the reverse zone does not update automatically.
>> > doesn't recognize names. e.g. rsat.test.lan
>> >
>> > root@ad:~# host 10.10.10.160
>> > Host 160.10.10.10.in-addr.arpa. not found: 3 (NXDOMAIN)
>> >
>> > from windows
>> > C:\Users\administrator.TEST.001> nslookup 10.10.10.50
>> > Server: UnKnown
>> > Address: 10.10.10.50
>> >
>> > *** UnKnown can't find 10.10.10.50: Non-existent domain
>> >
>> > do you have any more ideas?
>> >
>> > Thanks,
>> >
>> > Jan
>> >
>> > On Mon, 17 May 2021 at 22:27, Rowland penny via samba
>> > <samba at lists.samba.org>
>> > wrote:
>> >
>> > > On 17/05/2021 20:50, Jan JMPBL wrote:
>> > > > Hi,
>> > > > debug result below:
>> > > >
>> > >
>> > > Not much wrong, just a couple of dns problems, one that is your major
>> > > problem.
>> > >
>> > > Change your /etc/resolv.conf to this:
>> > >
>> > > nameserver 10.10.10.50
>> > > search test.lan
>> > >
>> > > Then change /etc/bind/named.conf.options to match this:
>> > >
>> > > options {
>> > >      directory "/var/cache/bind";
>> > >
>> > >          recursion yes;
>> > >          allow-query { any; };
>> > >
>> > >          forwarders { 8.8.8.8; 8.8.4.4; };
>> > >
>> > >          dnssec-enable no;
>> > >          dnssec-validation no;
>> > >
>> > >          listen-on-v6 { none; };
>> > >          notify no;
>> > >          auth-nxdomain yes;
>> > >          empty-zones-enable no;
>> > >          // DNS dynamic updates via Kerberos
>> > >          // /var/lib/samba/bind-dns/dns.keytab;
>> > >          tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>> > > };
>> > >
>> > > You should also install the libkrb5-26-heimdal package
>> > >
>> > > Rowland
>> > >
>> > >
>> > >
>> > > --
>> > > To unsubscribe from this list go to the following URL and read the
>> > > instructions:  https://lists.samba.org/mailman/options/samba
>> > >
>
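
Added example (not part of the original thread, and not Samba or BIND code): a small Python triage script for the `samba_dlz: disallowing update` and `rejected by secure update` log lines quoted at the top of this message. It pairs each denial with the client address and records whether the machine account was refused on its own host name or on a different name; the `WS2` sample lines, the function names and the own-name heuristic are assumptions made for this illustration.

```python
import re

# Constructed sample: the first two lines follow the log excerpt in the post;
# the WS2 lines are invented for illustration.
SAMPLE_LOG = r"""
May 20 14:08:37 ad named[8041]: samba_dlz: disallowing update of signer=TEST_LAP\$\@TEST.LAN name=Test_Lap.test.lan type=AAAA error=insufficient access rights
May 20 14:08:37 ad named[8041]: client @0x7f11fc021e30 10.10.10.101#50217/key TEST_LAP\$\@TEST.LAN: updating zone 'test.lan/NONE': update failed: rejected by secure update (REFUSED)
May 20 14:09:02 ad named[8041]: samba_dlz: disallowing update of signer=WS2\$\@TEST.LAN name=rsat.test.lan type=A error=insufficient access rights
May 20 14:09:02 ad named[8041]: client @0x7f11fc0aa110 10.10.10.102#50301/key WS2\$\@TEST.LAN: updating zone 'test.lan/NONE': update failed: rejected by secure update (REFUSED)
"""

DENY = re.compile(r"samba_dlz: disallowing update of signer=(?P<signer>\S+) "
                  r"name=(?P<name>\S+) type=(?P<type>\S+) error=(?P<error>.+)$")
CLIENT = re.compile(r"client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#\d+/key "
                    r"(?P<signer>\S+): updating zone '(?P<zone>[^/']+)/")

def unescape(principal):
    # These log lines show the principal with backslash-escaped '$' and '@'.
    return principal.replace("\\", "")

def parse_denials(text):
    """Return one dict per denied update, joined to the client IP when logged."""
    denials, pending = [], {}
    for line in text.splitlines():
        m = DENY.search(line)
        if m:
            d = m.groupdict()
            d["signer"] = unescape(d["signer"])
            account = d["signer"].split("@")[0].rstrip("$").lower()
            # Heuristic (assumption): compare machine account to the record's host label.
            d["own_record"] = account == d["name"].split(".")[0].lower()
            d["client_ip"] = None
            denials.append(d)
            pending[d["signer"]] = d
            continue
        m = CLIENT.search(line)
        if m and "rejected by secure update" in line:
            d = pending.pop(unescape(m["signer"]), None)
            if d is not None:
                d["client_ip"], d["zone"] = m["ip"], m["zone"]
    return denials

def foreign_record_attempts(denials):
    """Denials where the signer tried to write a name other than its own."""
    return [(d["signer"], d["name"], d["type"]) for d in denials if not d["own_record"]]

if __name__ == "__main__":
    for d in parse_denials(SAMPLE_LOG):
        print(d["client_ip"], d["signer"], d["name"], d["type"], "own" if d["own_record"] else "foreign")
```

A denial on the host's own name, as in the post, points at the permissions on the existing record rather than at the client; a denial on a different name deserves a closer look at which host sent it.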

