Re: [Samba] Dynamic DNS updates not working with BIND DLZ

2013-04-11 Thread Stephen Jones
Hi Thomas,

Thanks for the information.  I did as you suggested and ran named in
debug mode and issued 'ipconfig /registerdns' from the client.  The
output was similar to your post:

failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS
failure.  Minor code may provide more information, Minor = Success.
gss-api source name (accept) is client_pc$@EXAMPLE.LOCAL
process_gsstkey(): dns_tsigerror_noerror

Looks like the server does not believe the client update request is
signed appropriately.  Strange, since I know Kerberos is set up fine and
works.  I can use nsupdate with Kerberos to edit the AD domain from the
command line.  Run 'kinit Administrator@EXAMPLE.LOCAL' gets a ticket,
then 'nsupdate -g' and I can add/remove DNS entries.

I know dynamic updates from the client worked before when I first set up
Samba4.  I don't know at what point it decided to stop working.  The
only thing I have done that I consider may have influence is upgrading
Samba to 4.0.1.

I don't really want to use the Samba internal DNS.  The server runs an
external domain as well as the internal AD domain with a split DNS
setup, and I may not be able to run BIND and Samba DNS together.  And
if MX and CNAME in the Samba DNS is broken then it's no good to me
running a mail server.  The BIND DLZ seems a much better option to me.

I certainly hope there is a fix for this problem.

Regards,

Stephen Jones


On Thu, Apr 11, 2013, at 09:01 PM, Thomas Simmons wrote:

On Wed, Apr 10, 2013 at 10:22 PM, Stephen Jones
<lloydsyst...@fastmail.com.au> wrote:

  Hi,

  A while ago I set up Samba4 on CentOS 6.  Samba version was 4.0.0 using
  the RPM from SOGo.  I used the DLZ BIND backend with BIND 9.8.

  I tested with a Windows 7 VM client.  When I joined the client to the
  domain it was automatically added to the AD DNS and appeared in the
  Windows DNS Manager.  The VM had a static IP, but if I changed the IP
  address that change was automatically reflected in the DNS entry.

  I am now adding new real clients to the domain and find that they are
  not added to the AD domain DNS.  The client has a dynamic IP, but I have
  tried changing to a fixed IP address and it makes no difference.

  The only changes I can recall between the initial setup and now are:

  1. Samba upgrade to 4.0.1.  After upgrading I followed the procedure and
  ran
  samba-tool dbcheck --cross-ncs --fix
  samba-tool ntacl sysvolreset
  The upgrade changed the permissions of /var/lib/samba4/private back to
  root:root 700, which is no good, so I changed back to root:named 750.
  I also added "server services = -dns" to smb.conf as per the
  instructions because internal DNS is now default.

  2. Tested OpenChange.  But, prior to doing anything I backed up entire
  /var/lib/samba4 directory.  When I removed OpenChange (as it is just not
  stable yet) I removed /var/lib/samba4 and replaced it with the backup.
  So this should not have any effect.

  I have checked everything against my notes made when installing Samba4
  and can't find anything wrong.  In terms of DNS, /etc/named.conf
  contains
  include "/var/lib/samba4/private/named.conf";
  which loads the DLZ module for BIND 9.8.
  The /etc/named.conf also has in the options
  tkey-gssapi-keytab "/var/lib/samba4/private/dns.keytab";
  Permissions of files:
  /var/lib/samba4/private/named.conf  root:named 640
  /var/lib/samba4/private/dns.keytab  root:named 640
  /var/lib/samba4/private/dns/  root:named 770

  It all seems OK (I think), but no dynamic DNS updates.  There is nothing
  in the samba.log file to suggest a problem.  The system log has messages
  client : update 'example.local/IN' denied
  samba_dlz: cancelling transaction on zone example.local

  Is there something I need to set in smb.conf?  I see there are new
  options like "allow dns updates" and "dns update command", which I do
  not have specifically set, but I don't know if these only apply to Samba
  internal DNS.  There is still really no documentation about smb.conf for
  Samba4.

  Can someone please explain what might be wrong or what I should look
  for.



Hello Stephen,

I have been experiencing the same problem for the past month or so.
Unfortunately, I have been unable to find a solution. I was able to dig
back through my logs and found that the last DNS update occurred very
early in the morning, so for some reason it just stopped updating. You
can start bind in debugging mode "named -u named -g -d 5", then run
"ipconfig /registerdns" on the Windows client. If you see the
following, then you are experiencing the same issue:
28-Mar-2013 08:26:15.759 failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = Success.
28-Mar-2013 08:26:15.760 failed gss_accept_sec_context: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = .
28-Mar-2013 08:26:15.760 process_gsstkey(): dns_tsigerror_badkey

This is not a pro

Re: [Samba] Dynamic DNS updates not working with BIND DLZ

2013-04-11 Thread Thomas Simmons
On Wed, Apr 10, 2013 at 10:22 PM, Stephen Jones <
lloydsyst...@fastmail.com.au> wrote:

> Hi,
>
> A while ago I set up Samba4 on CentOS 6.  Samba version was 4.0.0 using
> the RPM from SOGo.  I used the DLZ BIND backend with BIND 9.8.
>
> I tested with a Windows 7 VM client.  When I joined the client to the
> domain it was automatically added to the AD DNS and appeared in the
> Windows DNS Manager.  The VM had a static IP, but if I changed the IP
> address that change was automatically reflected in the DNS entry.
>
> I am now adding new real clients to the domain and find that they are
> not added to the AD domain DNS.  The client has a dynamic IP, but I have
> tried changing to a fixed IP address and it makes no difference.
>
> The only changes I can recall between the initial setup and now are:
>
> 1. Samba upgrade to 4.0.1.  After upgrading I followed the procedure and
> ran
> samba-tool dbcheck --cross-ncs --fix
> samba-tool ntacl sysvolreset
> The upgrade changed the permissions of /var/lib/samba4/private back to
> root:root 700, which is no good, so I changed back to root:named 750.
> I also added "server services = -dns" to smb.conf as per the
> instructions because internal DNS is now default.
>
> 2. Tested OpenChange.  But, prior to doing anything I backed up entire
> /var/lib/samba4 directory.  When I removed OpenChange (as it is just not
> stable yet) I removed /var/lib/samba4 and replaced it with the backup.
> So this should not have any effect.
>
> I have checked everything against my notes made when installing Samba4
> and can't find anything wrong.  In terms of DNS, /etc/named.conf
> contains
> include "/var/lib/samba4/private/named.conf";
> which loads the DLZ module for BIND 9.8.
> The /etc/named.conf also has in the options
> tkey-gssapi-keytab "/var/lib/samba4/private/dns.keytab";
> Permissions of files:
> /var/lib/samba4/private/named.conf  root:named 640
> /var/lib/samba4/private/dns.keytab  root:named 640
> /var/lib/samba4/private/dns/  root:named 770
>
> It all seems OK (I think), but no dynamic DNS updates.  There is nothing
> in the samba.log file to suggest a problem.  The system log has messages
> client : update 'example.local/IN' denied
> samba_dlz: cancelling transaction on zone example.local
>
> Is there something I need to set in smb.conf?  I see there are new
> options like "allow dns updates" and "dns update command", which I do
> not have specifically set, but I don't know if these only apply to Samba
> internal DNS.  There is still really no documentation about smb.conf for
> Samba4.
>
> Can someone please explain what might be wrong or what I should look
> for.
>
>
Hello Stephen,

I have been experiencing the same problem for the past month or so.
Unfortunately, I have been unable to find a solution. I was able to dig
back through my logs and found that the last DNS update occurred very early
in the morning, so for some reason it just stopped updating. You can start
bind in debugging mode "named -u named -g -d 5", then run "ipconfig
/registerdns" on the Windows client. If you see the following, then you are
experiencing the same issue:

28-Mar-2013 08:26:15.759 failed gss_inquire_cred: GSSAPI error: Major
= Unspecified GSS failure.  Minor code may provide more information,
Minor = Success.
28-Mar-2013 08:26:15.760 failed gss_accept_sec_context: GSSAPI error:
Major = Unspecified GSS failure.  Minor code may provide more
information, Minor = .
28-Mar-2013 08:26:15.760 process_gsstkey(): dns_tsigerror_badkey

This is not a problem with the internal DNS server, so that may be a
solution. Do be advised that MX and CNAME records are broken in the
internal DNS server, so that may not work for you. I'm working on migrating
everything to Windows Server in my test environment. Since there is no way
to go back to Samba 3, that seems to be the only option I have. Please let
me know if you see the same errors with named in debugging mode. Perhaps
it's a different problem altogether.

Regards,
>
> Stephen Jones
> --
>   Stephen Jones
>   lloydsyst...@fastmail.com.au
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
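
A triage helper for the `named -g -d 5` output quoted in this thread, as an added example that is not part of the original posts or of BIND/Samba: it rejoins mail-wrapped log records and reports, per TKEY negotiation, which GSS-API calls failed, the accepted principal, and the `process_gsstkey()` result. The function names are hypothetical and the sample log is constructed from the lines quoted above.

```python
import re
# Constructed sample: the two named debug outputs quoted in this thread.
SAMPLE = """\
28-Mar-2013 08:26:15.759 failed gss_inquire_cred: GSSAPI error: Major
= Unspecified GSS failure.  Minor code may provide more information,
Minor = Success.
28-Mar-2013 08:26:15.760 failed gss_accept_sec_context: GSSAPI error:
Major = Unspecified GSS failure.  Minor code may provide more
information, Minor = .
28-Mar-2013 08:26:15.760 process_gsstkey(): dns_tsigerror_badkey
failed gss_inquire_cred: GSSAPI error: Major = Unspecified GSS
failure.  Minor code may provide more information, Minor = Success.
gss-api source name (accept) is client_pc$@EXAMPLE.LOCAL
process_gsstkey(): dns_tsigerror_noerror
"""

STAMP = r"(?:\d{2}-\w{3}-\d{4} [\d:.]+ )?"  # optional named timestamp
START = re.compile(STAMP + r"(failed gss_|gss-api source name|process_gsstkey\(\))")
FAILED = re.compile(r"failed (gss_\w+):")
SOURCE = re.compile(r"gss-api source name \(accept\) is (\S+)")
RESULT = re.compile(r"process_gsstkey\(\): (dns_tsigerror_\w+)")

def unwrap(text):
    """Rejoin records that the mail client wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def tkey_attempts(text):
    """One dict per TKEY negotiation, closed by its process_gsstkey() record."""
    attempts, cur = [], {"failed": [], "principal": None}
    for rec in unwrap(text):
        if m := FAILED.search(rec):
            cur["failed"].append(m.group(1))
        elif m := SOURCE.search(rec):
            cur["principal"] = m.group(1)
        elif m := RESULT.search(rec):
            cur["result"] = m.group(1)
            attempts.append(cur)
            cur = {"failed": [], "principal": None}
    return attempts

if __name__ == "__main__":
    print(*tkey_attempts(SAMPLE), sep="\n")
```

On the two outputs posted here, `gss_inquire_cred` fails in both, while `gss_accept_sec_context` fails only in the `dns_tsigerror_badkey` case.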


[Samba] Dynamic DNS updates not working with BIND DLZ

2013-04-10 Thread Stephen Jones
Hi,

A while ago I set up Samba4 on CentOS 6.  Samba version was 4.0.0 using
the RPM from SOGo.  I used the DLZ BIND backend with BIND 9.8.

I tested with a Windows 7 VM client.  When I joined the client to the
domain it was automatically added to the AD DNS and appeared in the
Windows DNS Manager.  The VM had a static IP, but if I changed the IP
address that change was automatically reflected in the DNS entry.

I am now adding new real clients to the domain and find that they are
not added to the AD domain DNS.  The client has a dynamic IP, but I have
tried changing to a fixed IP address and it makes no difference.

The only changes I can recall between the initial setup and now are:

1. Samba upgrade to 4.0.1.  After upgrading I followed the procedure and
ran
samba-tool dbcheck --cross-ncs --fix
samba-tool ntacl sysvolreset
The upgrade changed the permissions of /var/lib/samba4/private back to
root:root 700, which is no good, so I changed back to root:named 750.
I also added "server services = -dns" to smb.conf as per the
instructions because internal DNS is now default.

2. Tested OpenChange.  But, prior to doing anything I backed up entire
/var/lib/samba4 directory.  When I removed OpenChange (as it is just not
stable yet) I removed /var/lib/samba4 and replaced it with the backup. 
So this should not have any effect.

I have checked everything against my notes made when installing Samba4
and can't find anything wrong.  In terms of DNS, /etc/named.conf
contains
include "/var/lib/samba4/private/named.conf";
which loads the DLZ module for BIND 9.8.
The /etc/named.conf also has in the options
tkey-gssapi-keytab "/var/lib/samba4/private/dns.keytab";
Permissions of files:
/var/lib/samba4/private/named.conf  root:named 640
/var/lib/samba4/private/dns.keytab  root:named 640
/var/lib/samba4/private/dns/  root:named 770

It all seems OK (I think), but no dynamic DNS updates.  There is nothing
in the samba.log file to suggest a problem.  The system log has messages 
client : update 'example.local/IN' denied
samba_dlz: cancelling transaction on zone example.local

Is there something I need to set in smb.conf?  I see there are new
options like "allow dns updates" and "dns update command", which I do
not have specifically set, but I don't know if these only apply to Samba
internal DNS.  There is still really no documentation about smb.conf for
Samba4.

Can someone please explain what might be wrong or what I should look
for.

Regards,

Stephen Jones
-- 
  Stephen Jones
  lloydsyst...@fastmail.com.au



[Samba] Dynamic DNS updates not working

2013-02-28 Thread Johan Johansson
Hi guys,

I'm having a struggle with Dynamic DNS updates. When I join a Windows
machine to the domain the host name gets registered. When I change the IP
the A-record gets deleted and nothing more happens. I'm using the internal
DNS with Samba 4.

Any help or advice would be much appreciated.

log:

 Replicated 0 objects (0 linked attributes) for
CN=Configuration,DC=corp,DC=lo
[2013/02/28 16:29:45,  2]
../source4/rpc_server/dnsserver/dnsdb.c:140(dnsserver_db_enumerate_zones)
  dnsserver: Found DNS zone 1.168.192.in-addr.arpa
[2013/02/28 16:29:45,  2]
../source4/rpc_server/dnsserver/dnsdb.c:140(dnsserver_db_enumerate_zones)
  dnsserver: Found DNS zone .
[2013/02/28 16:29:45,  2]
../source4/rpc_server/dnsserver/dnsdb.c:140(dnsserver_db_enumerate_zones)
  dnsserver: Found DNS zone corp.lo
[2013/02/28 16:29:45,  2]
../source4/rpc_server/dnsserver/dnsdb.c:140(dnsserver_db_enumerate_zones)
  dnsserver: Found DNS zone _msdcs.corp.lo
[2013/02/28 16:29:57,  2]
../source4/dns_server/dns_update.c:761(dns_server_process_update)
  Got a dns update request.
[2013/02/28 16:29:57,  2]
../source4/dns_server/dns_update.c:718(dns_update_allowed)
  Update not allowed for unsigned packet.
[2013/02/28 16:29:57,  1] ../source4/dns_server/dns_query.c:501(handle_tkey)
  Tkey handshake completed
[2013/02/28 16:29:57,  2]
../source4/dns_server/dns_update.c:761(dns_server_process_update)
  Got a dns update request.
[2013/02/28 16:29:57,  1]
../source4/dns_server/dns_update.c:672(handle_updates)
  update count is 3
[2013/02/28 16:29:57,  2]
../source4/dns_server/dns_update.c:395(handle_one_update)
  Looking at record:
[2013/02/28 16:29:57,  2]
../source4/dns_server/dns_update.c:396(handle_one_update)
[2013/02/28 16:29:57,  1] ../librpc/ndr/ndr.c:245(ndr_print_debug)
   discard_const(update): struct dns_res_rec
  name : 'sto-print01.corp.lo'
  rr_type  : DNS_QTYPE_ (0x1C)
  rr_class : DNS_QCLASS_ANY (0xFF)
  ttl  : 0x (0)
  length   : 0x (0)
  rdata: union dns_rdata(case 0x1C)
  ipv6_record  : (null)
  unexpected   : DATA_BLOB length=0
[2013/02/28 16:29:57,  2]
../source4/dns_server/dns_update.c:395(handle_one_update)
  Looking at record:
[2013/02/28 16:29:57,  2]
../source4/dns_server/dns_update.c:396(handle_one_update)
[2013/02/28 16:29:57,  1] ../librpc/ndr/ndr.c:245(ndr_print_debug)
   discard_const(update): struct dns_res_rec
  name : 'sto-print01.corp.lo'
  rr_type  : DNS_QTYPE_A (0x1)
  rr_class : DNS_QCLASS_ANY (0xFF)
  ttl  : 0x (0)
  length   : 0x (0)
  rdata: union dns_rdata(case 0x1)
  ipv4_record  : (null)
  unexpected   : DATA_BLOB length=0
[2013/02/28 16:29:57,  2]
../source4/dns_server/dns_update.c:395(handle_one_update)
  Looking at record:
[2013/02/28 16:29:57,  2]
../source4/dns_server/dns_update.c:396(handle_one_update)
[2013/02/28 16:29:57,  1] ../librpc/ndr/ndr.c:245(ndr_print_debug)
   discard_const(update): struct dns_res_rec
  name : 'sto-print01.corp.lo'
  rr_type  : DNS_QTYPE_A (0x1)
  rr_class : DNS_QCLASS_IN (0x1)
  ttl  : 0x04b0 (1200)
  length   : 0x0004 (4)
  rdata: union dns_rdata(case 0x1)
  ipv4_record  : 192.168.1.40
  unexpected   : DATA_BLOB length=0
[2013/02/28 16:29:57,  2]
../source4/dns_server/dns_update.c:761(dns_server_process_update)
  Got a dns update request.
[2013/02/28 16:29:57,  2]
../source4/dns_server/dns_update.c:718(dns_update_allowed)
  Update not allowed for unsigned packet.
[2013/02/28 16:29:57,  2]
../source4/dns_server/dns_update.c:761(dns_server_process_update)
  Got a dns update request.
[2013/02/28 16:29:57,  1]
../source4/dns_server/dns_update.c:672(handle_updates)
  update count is 3
[2013/02/28 16:29:57,  2]
../source4/dns_server/dns_update.c:395(handle_one_update)
  Looking at record:
[2013/02/28 16:29:57,  2]
../source4/dns_server/dns_update.c:396(handle_one_update)
[2013/02/28 16:29:57,  1] ../librpc/ndr/ndr.c:245(ndr_print_debug)
   discard_const(update): struct dns_res_rec
  name : 'sto-print01.corp.lo'
  rr_type  : DNS_QTYPE_ (0x1C)
  rr_class : DNS_QCLASS_ANY (0xFF)
  ttl  : 0x (0)
  length   : 0x (0)
  rdata: union dns_rdata(case 0x1C)
  ipv6_record  : (null)
  unexpected   : DATA_BLOB length=0
[2013/02/28 16:29:57,  2]
../source4/dn