[Samba] DNS: Update not allowed for unsigned packet
Andrew Bartlett
abartlet at samba.org
Mon Nov 6 19:34:51 UTC 2023
On Mon, 2023-11-06 at 10:02 -0800, Aaron C. de Bruyn via samba wrote:
> DNS is suddenly not working properly for some machines.
>
> We had a bunch of machines that were joined to the domain, but the computer
> name was wrong.
>
> To fix this, we unjoined the machines and deleted the computer accounts out
> of Samba (because renames while joined will leave LDAP attributes with the
> previous machine name and there will be connectivity problems for some
> reason), and we deleted them out of DNS (dnsmgmt.msc) so there were no
> mismatched SIDs.
>
> Then we renamed and restarted the machines (All Windows 11 Pro), then we
> joined them back to the domain.

The unsigned packet is a red herring, all first DNS updates are
unsigned, then a signed one comes after the DC disallows it.

The issue is that you deleted accounts, but did not clean out DNS, so
the old name is still owned by the old account (now gone), so the
update fails due to simple permissions (DNS is secured on a
first-to-claim basis).

Clean out your DNS records and it should work.

Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
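
Added example, not part of the original message or of Samba: a dry-run helper for the cleanup advised above. It parses the text printed by `samba-tool dns query` and builds the matching `samba-tool dns delete` command lines for A/AAAA records still registered under the affected host names. The server, zone, host names and sample output are constructed, and the output layout is an assumption to check against your Samba version.

```python
import re

# Constructed sample of `samba-tool dns query <server> <zone> @ ALL` output.
# Assumed layout: a "Name=" header per node, then indented "TYPE: data (flags=...)".
SAMPLE_QUERY_OUTPUT = """\
  Name=, Records=1, Children=0
    NS: dc1.example.test. (flags=600000f0, serial=1, ttl=900)
  Name=dc1, Records=1, Children=0
    A: 192.0.2.10 (flags=f0, serial=1, ttl=900)
  Name=oldpc01, Records=2, Children=0
    A: 192.0.2.51 (flags=f0, serial=7, ttl=1200)
    AAAA: 2001:db8::51 (flags=f0, serial=7, ttl=1200)
  Name=newpc01, Records=0, Children=0
"""

NAME_RE = re.compile(r"^\s*Name=([^,]*), Records=\d+")
RECORD_RE = re.compile(r"^\s+([A-Z]+): (.*?) \(flags=")

def leftover_records(query_output, hostnames):
    """Return (name, type, data) for A/AAAA records under the given host names."""
    wanted = {h.lower() for h in hostnames}
    current, found = None, []
    for line in query_output.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = RECORD_RE.match(line)
        if m and current in wanted and m.group(1) in ("A", "AAAA"):
            found.append((current, m.group(1), m.group(2)))
    return found

def delete_commands(records, server, zone):
    """Build (not run) one `samba-tool dns delete` argv per leftover record."""
    return [["samba-tool", "dns", "delete", server, zone, name, rtype, data]
            for name, rtype, data in records]

if __name__ == "__main__":
    # Hypothetical names: the machines that were unjoined and re-joined.
    stale = leftover_records(SAMPLE_QUERY_OUTPUT, {"OLDPC01", "newpc01"})
    for argv in delete_commands(stale, "dc1.example.test", "example.test"):
        print(" ".join(argv))  # review, add credentials, then run by hand
```
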