[Samba] V4 - New Install - Missing Zone File
JDFire
jdfire at cox.net
Fri Feb 24 18:57:22 MST 2012
Hi Amitay
On Feb 23, 2012, at 10:28 PM, Amitay Isaacs <amitay at gmail.com> wrote:
> Hi Jeremy,
>
> On Thu, Feb 23, 2012 at 4:54 PM, Jeremy Davis <jdavis4102 at gmail.com> wrote:
>>
>>
>> On 02/22/2012 10:48 PM, Amitay Isaacs wrote:
>>>
>>> On Thu, Feb 23, 2012 at 4:33 PM, Jeremy Davis <jdavis4102 at gmail.com> wrote:
>>>>
>>>> Hello Amitay,
>>>>
>>>>
>>>> On 02/22/2012 10:07 PM, Amitay Isaacs wrote:
>>>>>
>>>>> Hi Jeremy,
>>>>>
>>>>> On Thu, Feb 23, 2012 at 3:29 PM, Jeremy Davis <jdavis4102 at gmail.com> wrote:
>>>>>>
>>>>>> Hello Amitay,
>>>>>>
>>>>>> On 02/22/2012 02:34 PM, Amitay Isaacs wrote:
>>>>>>>
>>>>>>> Hi Jeremy,
>>>>>>>
>>>>>>>
>>>>>>> That error message needs to be fixed. :)
>>>>>>>
>>>>>>> Looks like "nsupdate" command is not in the path. samba_dnsupdate
>>>>>>> script uses nsupdate to dynamically update DNS entries.
>>>>>>>
>>>>>>> Try adding "nsupdate command = /path/to/nsupdate" in smb.conf.
>>>>>>>
>>>>>>> Amitay.
>>>>>>>
>>>>>> Thank you SO MUCH for getting me this far!! :) That looks like it fixed
>>>>>> that issue but I have now run into a denied error message for bind. Below
>>>>>> you can find my logs for both samba_dnsupdate and bind. Seems like the
>>>>>> dns.keytab file is not correct or something. I have tried to put
>>>>>> allow-update { 192.168.30.1; } in my options section of my named.conf
>>>>>> with no luck.
>>>>>>
>>>>> I forgot to mention that nsupdate command should also include -g flag to
>>>>> force secure (kerberos) updates.
>>>>>
>>>>> nsupdate command = /path/to/nsupdate -g
>>>>>
>>>>> dlz_bind9 module only allows secure dynamic updates.
>>>>>
>>>>> Amitay.
>>>>>
>>>> I added the -g to the smb.conf and restarted samba and named but it
>>>> doesn't seem to do anything. Could this be an issue with kerberos? I am
>>>> able to authenticate with my Windows machine and via the command line
>>>> using the tests on the samba4 wiki. Any ideas as to what this could be?
>>>
>>> What happens when you run samba_dnsupdate --verbose?
>>> What's the output from BIND?
>>>
>>> Amitay.
>>>
>>
>> Well, the samba_dnsupdate logs are the same but bind is now showing a little
>> different error.
>>
>>
>> samba-dnsupdate:
>>
>> IPs: ['2002:4b46:c8ad:0:a00:27ff:fe14:5491',
>> 'fe80::a00:27ff:fe14:5491%eth0', 'fe80::a00:27ff:fee5:5840%eth1',
>> '192.168.7.30', '192.168.30.1']
>> Looking for DNS entry A bob-dc.com 192.168.7.30 as bob-dc.com.
>> Looking for DNS entry A dc1.bob-dc.com 192.168.7.30 as dc1.bob-dc.com.
>> Looking for DNS entry AAAA bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as
>> bob-dc.com.
>> Failed to find matching DNS entry AAAA bob-dc.com
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> Looking for DNS entry AAAA dc1.bob-dc.com
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as dc1.bob-dc.com.
>> Failed to find matching DNS entry AAAA dc1.bob-dc.com
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> Looking for DNS entry A gc._msdcs.bob-dc.com 192.168.7.30 as
>> gc._msdcs.bob-dc.com.
>> Looking for DNS entry AAAA gc._msdcs.bob-dc.com
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as gc._msdcs.bob-dc.com.
>> Failed to find matching DNS entry AAAA gc._msdcs.bob-dc.com
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> Looking for DNS entry CNAME
>> 48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com dc1.bob-dc.com as
>> 48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com.
>> Looking for DNS entry SRV _kpasswd._tcp.bob-dc.com dc1.bob-dc.com 464 as
>> _kpasswd._tcp.bob-dc.com.
>> Checking 0 100 464 dc1.bob-dc.com. against SRV _kpasswd._tcp.bob-dc.com
>> dc1.bob-dc.com 464
>> Looking for DNS entry SRV _kpasswd._udp.bob-dc.com dc1.bob-dc.com 464 as
>> _kpasswd._udp.bob-dc.com.
>> Checking 0 100 464 dc1.bob-dc.com. against SRV _kpasswd._udp.bob-dc.com
>> dc1.bob-dc.com 464
>> Looking for DNS entry SRV _kerberos._tcp.bob-dc.com dc1.bob-dc.com 88 as
>> _kerberos._tcp.bob-dc.com.
>> Checking 0 100 88 dc1.bob-dc.com. against SRV _kerberos._tcp.bob-dc.com
>> dc1.bob-dc.com 88
>> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com
>> 88 as _kerberos._tcp.dc._msdcs.bob-dc.com.
>> Checking 0 100 88 dc1.bob-dc.com. against SRV
>> _kerberos._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 88
>> Looking for DNS entry SRV
>> _kerberos._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 88
>> as _kerberos._tcp.default-first-site-name._sites.bob-dc.com.
>> Checking 0 100 88 dc1.bob-dc.com. against SRV
>> _kerberos._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 88
>> Looking for DNS entry SRV
>> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
>> dc1.bob-dc.com 88 as
>> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com.
>> Checking 0 100 88 dc1.bob-dc.com. against SRV
>> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
>> dc1.bob-dc.com 88
>> Looking for DNS entry SRV _kerberos._udp.bob-dc.com dc1.bob-dc.com 88 as
>> _kerberos._udp.bob-dc.com.
>> Checking 0 100 88 dc1.bob-dc.com. against SRV _kerberos._udp.bob-dc.com
>> dc1.bob-dc.com 88
>> Looking for DNS entry SRV _ldap._tcp.bob-dc.com dc1.bob-dc.com 389 as
>> _ldap._tcp.bob-dc.com.
>> Checking 0 100 389 dc1.bob-dc.com. against SRV _ldap._tcp.bob-dc.com
>> dc1.bob-dc.com 389
>> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 389
>> as _ldap._tcp.dc._msdcs.bob-dc.com.
>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>> _ldap._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 389
>> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.bob-dc.com dc1.bob-dc.com
>> 3268 as _ldap._tcp.gc._msdcs.bob-dc.com.
>> Checking 0 100 3268 dc1.bob-dc.com. against SRV
>> _ldap._tcp.gc._msdcs.bob-dc.com dc1.bob-dc.com 3268
>> Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.bob-dc.com dc1.bob-dc.com
>> 389 as _ldap._tcp.pdc._msdcs.bob-dc.com.
>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>> _ldap._tcp.pdc._msdcs.bob-dc.com dc1.bob-dc.com 389
>> Looking for DNS entry SRV
>> _ldap._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 389 as
>> _ldap._tcp.default-first-site-name._sites.bob-dc.com.
>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>> _ldap._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 389
>> Looking for DNS entry SRV
>> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
>> dc1.bob-dc.com 389 as
>> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com.
>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
>> dc1.bob-dc.com 389
>> Looking for DNS entry SRV
>> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com
>> dc1.bob-dc.com 3268 as
>> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com.
>> Checking 0 100 3268 dc1.bob-dc.com. against SRV
>> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com
>> dc1.bob-dc.com 3268
>> Looking for DNS entry SRV
>> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com
>> dc1.bob-dc.com 389 as
>> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com.
>> Checking 0 100 389 dc1.bob-dc.com. against SRV
>> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com
>> dc1.bob-dc.com 389
>> Looking for DNS entry SRV _gc._tcp.bob-dc.com dc1.bob-dc.com 3268 as
>> _gc._tcp.bob-dc.com.
>> Checking 0 100 3268 dc1.bob-dc.com. against SRV _gc._tcp.bob-dc.com
>> dc1.bob-dc.com 3268
>> Looking for DNS entry SRV _gc._tcp.default-first-site-name._sites.bob-dc.com
>> dc1.bob-dc.com 3268 as _gc._tcp.default-first-site-name._sites.bob-dc.com.
>> Checking 0 100 3268 dc1.bob-dc.com. against SRV
>> _gc._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 3268
>> Looking for DNS entry A bob-dc.com 192.168.30.1 as bob-dc.com.
>> Failed to find matching DNS entry A bob-dc.com 192.168.30.1
>> Looking for DNS entry A dc1.bob-dc.com 192.168.30.1 as dc1.bob-dc.com.
>> Failed to find matching DNS entry A dc1.bob-dc.com 192.168.30.1
>> Looking for DNS entry A gc._msdcs.bob-dc.com 192.168.30.1 as
>> gc._msdcs.bob-dc.com.
>> Failed to find matching DNS entry A gc._msdcs.bob-dc.com 192.168.30.1
>> Calling nsupdate for AAAA bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> bob-dc.com. 900 IN AAAA 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Calling nsupdate for AAAA dc1.bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> dc1.bob-dc.com. 900 IN AAAA 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Calling nsupdate for AAAA gc._msdcs.bob-dc.com
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> gc._msdcs.bob-dc.com. 900 IN AAAA
>> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>>
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Calling nsupdate for A bob-dc.com 192.168.30.1
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> bob-dc.com. 900 IN A 192.168.30.1
>>
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Calling nsupdate for A dc1.bob-dc.com 192.168.30.1
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> dc1.bob-dc.com. 900 IN A 192.168.30.1
>>
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Calling nsupdate for A gc._msdcs.bob-dc.com 192.168.30.1
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> gc._msdcs.bob-dc.com. 900 IN A 192.168.30.1
>>
>> update failed: REFUSED
>> Failed nsupdate: 2
>> Failed update of 6 entries
>>
>>
>> bind logs:
>>
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone
>> bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#43717: updating zone
>> 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>> bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone
>> bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#33042: updating zone
>> 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>> bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone
>> _msdcs.bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#40855: updating zone
>> '_msdcs.bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>> _msdcs.bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone
>> bob-dc.com
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
>> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#38049: updating zone
>> 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>> bob-dc.com
>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on zone
>> bob-dc.com
>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: spnego update failed
>> Feb 22 22:51:44 dc1 named[2498]: client 192.168.30.1#34189: updating zone
>> 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>> bob-dc.com
>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on zone
>> _msdcs.bob-dc.com
>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: spnego update failed
>> Feb 22 22:51:44 dc1 named[2498]: client 192.168.30.1#41075: updating zone
>> '_msdcs.bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
>> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: cancelling transaction on zone
>> _msdcs.bob-dc.com
>>
>
> The problem is "spnego update failed". This step actually verifies the kerberos
> ticket provided in dynamic update and that is failing for some reason.
> I'll do some testing and find out what's causing this.
>
>
I see, leave it up to me to find possible bugs. :) Please let me know if you need any further information/testing. Thanks again for your help so far.
Regards,
Jeremy
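
Added example, not part of the original messages and not Samba or BIND code: a small triage script for named logs of the kind quoted above. It separates REFUSED dynamic updates that follow "samba_dlz: spnego update failed" (the Kerberos ticket check Amitay points to) from refusals with no such marker. The sample lines are constructed from the format in the thread, and the names classify, ticket_rejected and other_refused are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the named log lines quoted in the thread
# (wrapped lines rejoined). The last transaction is invented for contrast.
SAMPLE_LOG = """\
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#43717: updating zone 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on zone _msdcs.bob-dc.com
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#40855: updating zone '_msdcs.bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on zone _msdcs.bob-dc.com
Feb 22 22:52:10 dc1 named[2498]: samba_dlz: starting transaction on zone bob-dc.com
Feb 22 22:52:10 dc1 named[2498]: client 192.168.7.99#50111: updating zone 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
Feb 22 22:52:10 dc1 named[2498]: samba_dlz: cancelling transaction on zone bob-dc.com
"""

START = re.compile(r"samba_dlz: starting transaction on zone (\S+)")
SPNEGO = re.compile(r"samba_dlz: spnego update failed")
REFUSED = re.compile(
    r"client ([0-9a-fA-F.:]+)#\d+: updating zone '([^'/]+)/\w+': "
    r"update failed: rejected by secure update \(REFUSED\)")


def classify(log_text):
    """Count refused updates per zone and client, split by failure kind."""
    result = defaultdict(lambda: {"ticket_rejected": defaultdict(int),
                                  "other_refused": defaultdict(int)})
    spnego_failed = False
    for line in log_text.splitlines():
        if START.search(line):
            spnego_failed = False      # new transaction: reset the marker
        elif SPNEGO.search(line):
            spnego_failed = True       # ticket verification failed in this transaction
        elif (m := REFUSED.search(line)):
            client, zone = m.groups()
            kind = "ticket_rejected" if spnego_failed else "other_refused"
            result[zone][kind][client] += 1
    return result


if __name__ == "__main__":
    for zone, kinds in classify(SAMPLE_LOG).items():
        for kind, clients in kinds.items():
            for client, count in clients.items():
                print(f"{zone:20} {kind:16} {client:15} {count}")
```

Refusals counted as ticket_rejected point at the keytab, principal or clock on the DNS side; other_refused entries are worth checking against the list of hosts expected to send updates.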