[Samba] Bind9_DLZ DNS updating

Ray Klassen ray.klassen at icloud.com
Fri Nov 3 15:51:56 UTC 2023


Still pursuing my strange problem with Windows clients randomly (2 or 3
a day on a network of about 200 PCs) not allowing logins until
reboot.

Nailing down some best practices in an attempt to fix. My best guess is
that it's a Kerberos issue -- sensitive to time sync and DNS.

-- Installed chrony instead of ntpsec (seems to perform as advertised)

-- (Today) moved to BIND9_DLZ instead of SAMBA_INTERNAL for DNS
services. (Long ago I switched to SAMBA_INTERNAL from BIND9_DLZ
because the Debian version of named did not include dlopen and had to
be recompiled every time.)
So now the Windows event log complains that it can't update RRs
because of a system error instead of a security problem (PROGRESS!?).
The DC shows variations on the following in the log:

"ERROR: auth_data_only pad length mismatch. Client sent a longer BIND
packet than expected by 44 bytes (pkt_trailer->length=2084 -
auth_length=2040) = 44 auth_pad_length=0" 

I notice that there's lots of mention of this from 2020 on, and one of
the emails points to a WIP list with the latest post as of October 9 of
this year. Is there any further action on this? Do I switch to
nonsecure updates? Is it likely to improve the original problem with
Windows 10 clients needing a reboot to log in?




