Finally got DNS partially working; the following tests were successful:

host -t SRV _ldap._tcp.example.com.
host -t SRV _kerberos._udp.example.com.
host -t A sogo.example.com.

Still cannot join any Windows clients (XP or 7) to the EXAMPLE.COM domain. Tried provisioning SAMBA with both --dns-backend=BIND9_DLZ and then --dns-backend=SAMBA_INTERNAL, but both return "update failed: REFUSED". So DNS now seems to be having permission problems? Attached are outputs from "samba_dnsupdate --verbose --all-names" and the subsequent "tail /var/log/syslog".

Any ideas?

On Fri, Sep 21, 2012 at 4:30 AM, John Russell <jb.fr...@gmail.com> wrote:

> Thought for sure this was a real bug, but you are correct Mr. Bartlett,
> that's just how the SMB protocol works. I verified this with another
> wireshark capture from the same XP machine and a working SAMBA4 appliance
> from Sernet. This second capture also reveals that bind9 is still having
> issues on the SOGo appliance. The host machine registers itself into the
> DNS zone, but will not add client machines when they try to join the
> domain. How do I use the internal DNS service with SAMBA4?
>
>
> On Fri, Sep 21, 2012 at 2:24 AM, Andrew Bartlett <abart...@samba.org> wrote:
>
>> On Sat, 2012-09-15 at 11:02 -0400, John Russell wrote:
>> > Ran wireshark on the XP client while joining the domain and saw SAM LOGON
>> > request from client and SAM Active Directory Response - user unknown.
>> >
>> > I noticed on the request and the response packets the user name field in
>> > the packet is blank (yes, I am typing the user name and password into the
>> > prompt from the XP machine!).
>> >
>> > Any ideas on what causes this?
>>
>> While an odd feature of the protocol, this is actually a normal
>> successful response to the expected packet. (Essentially, this is a
>> historical oddity from a time when asking if a server knew about a user
>> over an un-authenticated UDP packet wasn't considered a
>> security/confidentiality issue).
>>
>> --
>> Andrew Bartlett
>> http://samba.org/~abartlet/
>> Authentication Developer, Samba Team http://samba.org
>>
>
> --
> "It's better to be boldly decisive and risk being wrong than to agonize at
> length and be right too late."
> Marilyn Moats Kennedy

--
"It's better to be boldly decisive and risk being wrong than to agonize at length and be right too late."
Marilyn Moats Kennedy

root@sogo:~# samba_dnsupdate --verbose --all-names
IPs: ['fe80::a00:27ff:fef2:b592%eth0', '172.16.1.7']
Calling nsupdate for A example.com 172.16.1.7
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
example.com. 900 IN A 172.16.1.7

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A sogo.example.com 172.16.1.7
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
sogo.example.com. 900 IN A 172.16.1.7

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A gc._msdcs.example.com 172.16.1.7
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.example.com. 900 IN A 172.16.1.7

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for CNAME a6b5369c-1f1d-457e-813a-dcef9ec89f8b._msdcs.example.com sogo.example.com
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
a6b5369c-1f1d-457e-813a-dcef9ec89f8b._msdcs.example.com. 900 IN CNAME sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._tcp.example.com sogo.example.com 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.example.com. 900 IN SRV 0 100 464 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._udp.example.com sogo.example.com 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.example.com. 900 IN SRV 0 100 464 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.example.com sogo.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.example.com. 900 IN SRV 0 100 88 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.example.com sogo.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.dc._msdcs.example.com. 900 IN SRV 0 100 88 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.example.com sogo.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.example.com. 900 IN SRV 0 100 88 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.default-first-site-name._sites.dc._msdcs.example.com sogo.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.default-first-site-name._sites.dc._msdcs.example.com. 900 IN SRV 0 100 88 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._udp.example.com sogo.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._udp.example.com. 900 IN SRV 0 100 88 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.example.com sogo.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.example.com. 900 IN SRV 0 100 389 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.example.com sogo.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.example.com. 900 IN SRV 0 100 389 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.gc._msdcs.example.com sogo.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.gc._msdcs.example.com. 900 IN SRV 0 100 3268 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.pdc._msdcs.example.com sogo.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.pdc._msdcs.example.com. 900 IN SRV 0 100 389 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.example.com sogo.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.example.com. 900 IN SRV 0 100 389 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.dc._msdcs.example.com sogo.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.dc._msdcs.example.com. 900 IN SRV 0 100 389 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.default-first-site-name._sites.gc._msdcs.example.com sogo.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.default-first-site-name._sites.gc._msdcs.example.com. 900 IN SRV 0 100 3268 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.8ec1f6ca-d95f-412a-8bab-662edeaa8095.domains._msdcs.example.com sogo.example.com 389
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.8ec1f6ca-d95f-412a-8bab-662edeaa8095.domains._msdcs.example.com. 900 IN SRV 0 100 389 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.example.com sogo.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.example.com. 900 IN SRV 0 100 3268 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _gc._tcp.default-first-site-name._sites.example.com sogo.example.com 3268
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_gc._tcp.default-first-site-name._sites.example.com. 900 IN SRV 0 100 3268 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Failed update of 21 entries

root@sogo:~# tail /var/log/syslog
Oct 6 22:16:43 sogo named[3402]: samba_dlz: cancelling transaction on zone _msdcs.example.com
Oct 6 22:16:43 sogo named[3402]: samba_dlz: starting transaction on zone _msdcs.example.com
Oct 6 22:16:43 sogo named[3402]: client 172.16.1.7#64208: update '_msdcs.example.com/IN' denied
Oct 6 22:16:43 sogo named[3402]: samba_dlz: cancelling transaction on zone _msdcs.example.com
Oct 6 22:16:43 sogo named[3402]: samba_dlz: starting transaction on zone example.com
Oct 6 22:16:43 sogo named[3402]: client 172.16.1.7#37057: update 'example.com/IN' denied
Oct 6 22:16:43 sogo named[3402]: samba_dlz: cancelling transaction on zone example.com
Oct 6 22:16:43 sogo named[3402]: samba_dlz: starting transaction on zone example.com
Oct 6 22:16:43 sogo named[3402]: client 172.16.1.7#62264: update 'example.com/IN' denied
Oct 6 22:16:43 sogo named[3402]: samba_dlz: cancelling transaction on zone example.com
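Added example, not part of the original message and not Samba or BIND code: a Python script that pairs each "update failed" result from samba_dnsupdate with the named "update ... denied" syslog lines, so it is clear which zone rejected which record and from which client address. The sample strings are constructed in the format of the output above, and all function names are hypothetical.

```python
import re
from collections import Counter

# Constructed samples in the format of the samba_dnsupdate / syslog output above.
# The third nsupdate call has no failure line, i.e. it is assumed to have succeeded.
DNSUPDATE_OUTPUT = """\
Calling nsupdate for A example.com 172.16.1.7
update failed: REFUSED
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.example.com sogo.example.com 389
update failed: REFUSED
Calling nsupdate for SRV _gc._tcp.example.com sogo.example.com 3268
"""
SYSLOG = """\
Oct 6 22:16:43 sogo named[3402]: client 172.16.1.7#64208: update '_msdcs.example.com/IN' denied
Oct 6 22:16:43 sogo named[3402]: samba_dlz: cancelling transaction on zone _msdcs.example.com
Oct 6 22:16:43 sogo named[3402]: client 172.16.1.7#37057: update 'example.com/IN' denied
"""

CALL_RE = re.compile(r"^Calling nsupdate for (\S+) (\S+)")
DENIED_RE = re.compile(r"named\[\d+\]: client ([0-9a-fA-F.:]+)#\d+: update '([^'/]+)/IN' denied")

def failed_updates(output):
    """Return (rtype, name, rcode) for each nsupdate call that reported a failure."""
    results, current = [], None
    for line in output.splitlines():
        m = CALL_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
        elif line.startswith("update failed:") and current:
            results.append(current + (line.split(":", 1)[1].strip(),))
            current = None
    return results

def denied_by_zone(syslog):
    """Count named 'update ... denied' lines per (client IP, zone)."""
    return Counter(m.groups() for l in syslog.splitlines() if (m := DENIED_RE.search(l)))

def zone_for(name, zones):
    """Pick the longest denying zone that is a suffix of the record name."""
    fits = [z for z in zones if name == z or name.endswith("." + z)]
    return max(fits, key=len) if fits else None

def correlate(output, syslog):
    """Map each denying zone to the records that were refused in it."""
    zones = {zone for _, zone in denied_by_zone(syslog)}
    report = {}
    for rtype, name, rcode in failed_updates(output):
        report.setdefault(zone_for(name, zones), []).append((rtype, name, rcode))
    return report
```

Records that end up under the key `None` failed without a matching denial in the log window that was captured.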