[Samba] DNS: Update not allowed for unsigned packet

Aaron C. de Bruyn aaron at heyaaron.com
Mon Nov 6 19:35:47 UTC 2023


Thanks Andrew, but we checked for that.

Firing up dnsmgmt.msc shows no entries with those computer names.

-A

On Mon, Nov 6, 2023 at 11:34 AM Andrew Bartlett <abartlet at samba.org> wrote:

> On Mon, 2023-11-06 at 10:02 -0800, Aaron C. de Bruyn via samba wrote:
> > DNS is suddenly not working properly for some machines.
> >
> > We had a bunch of machines that were joined to the domain, but the computer
> > name was wrong.
> >
> > To fix this, we unjoined the machines and deleted the computer accounts out
> > of Samba (because renames while joined will leave LDAP attributes with the
> > previous machine name and there will be connectivity problems for some
> > reason), and we deleted them out of DNS (dnsmgmt.msc) so there were no
> > mismatched SIDs.
> >
> > Then we renamed and restarted the machines (All Windows 11 Pro), then we
> > joined them back to the domain.
>
> The unsigned packet is a red herring, all first DNS updates are
> unsigned, then a signed one comes after the DC disallows it.
>
> The issue is that you deleted accounts, but did not clean out DNS, so
> the old name is still owned by the old account (now gone), so the update
> fails due to simple permissions (DNS is secured on a first-to-claim basis).
>
> Clean out your DNS records and it should work.
>
> Andrew Bartlett
>
>
> --
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead                https://catalyst.net.nz/services/samba
> Catalyst.Net Ltd
>
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
> company
>
> Samba Development and Support: https://catalyst.net.nz/services/samba
>
> Catalyst IT - Expert Open Source Solutions
>
>
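
The behaviour described in the quoted reply, as an added example that is not part of the original thread and is not Samba code: a simplified model of a first-to-claim zone, showing that the unsigned refusal appears in both the working and the failing case, so only the result of the signed retry is diagnostic. The class, function names, SIDs, host name and address are all constructed for illustration.

```python
# Simplified model of a first-to-claim secure dynamic DNS zone.
# Illustrative only: not Samba's implementation; all names and values are constructed.
from dataclasses import dataclass, field

NOERROR, REFUSED = "NOERROR", "REFUSED"

@dataclass
class Zone:
    records: dict = field(default_factory=dict)  # name -> (owner SID, address)

    def update(self, name, addr, signer_sid=None):
        """Apply one dynamic update; signer_sid is None for an unsigned packet."""
        if signer_sid is None:
            return REFUSED  # unsigned updates are always turned away
        owner = self.records.get(name, (signer_sid, None))[0]
        if owner != signer_sid:
            return REFUSED  # name was already claimed by a different account
        self.records[name] = (signer_sid, addr)
        return NOERROR

    def delete(self, name):
        """Administrative cleanup of a stale record."""
        return self.records.pop(name, None) is not None

def client_register(zone, name, addr, sid):
    """Client behaviour from the reply: try unsigned first, then retry signed."""
    results = [zone.update(name, addr)]
    if results[-1] == REFUSED:
        results.append(zone.update(name, addr, signer_sid=sid))
    return results

def scenario():
    zone = Zone()
    old_sid = "S-1-5-21-EXAMPLE-1104"  # constructed: original computer account
    new_sid = "S-1-5-21-EXAMPLE-1215"  # constructed: account created by the rejoin
    first = client_register(zone, "pc01", "192.0.2.10", old_sid)
    # Account deleted and machine rejoined: the record is still owned by old_sid.
    rejoined = client_register(zone, "pc01", "192.0.2.10", new_sid)
    zone.delete("pc01")
    after_cleanup = client_register(zone, "pc01", "192.0.2.10", new_sid)
    return first, rejoined, after_cleanup

if __name__ == "__main__":
    for label, result in zip(("first join", "rejoin", "after cleanup"), scenario()):
        print(f"{label:14s} {result}")
```
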

