
[Samba] Dynamic updates of windows clients




Hello

We have installed 4 Sernet AD controllers on Debian 8.7 with bind9. If we run ipconfig /registerdns on a Windows client, an
error message appears in the log files:

31-Mar-2017 11:08:49.270 client 192.168.99.6#50357 (client006.my.domain.de): query: client006.my.domain.de IN SOA + (192.168.99.8)
31-Mar-2017 11:08:49.274 client 192.168.99.6#51046 (client008.my.domain.de): query: client008.my.domain.de IN A + (192.168.99.8)
31-Mar-2017 11:08:49.279 samba_dlz: starting transaction on zone my.domain.de
31-Mar-2017 11:08:49.280 client 192.168.99.6#63377: update 'my.domain.de/IN' denied
31-Mar-2017 11:08:49.280 samba_dlz: cancelling transaction on zone my.domain.de
31-Mar-2017 11:08:49.282 client 192.168.99.6#58242 (196-ms-7.22-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb): query: 196-ms-7.22-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb IN TKEY -T (192.168.99.8)
31-Mar-2017 11:08:49.285 client 192.168.99.6#51560 (6.99.30.172.in-addr.arpa): query: 6.99.30.172.in-addr.arpa IN SOA + (192.168.99.8)
31-Mar-2017 11:08:49.288 client 192.168.99.6#58260 (client008.my.domain.de): query: client008.my.domain.de IN A + (192.168.99.8)
31-Mar-2017 11:08:49.294 samba_dlz: starting transaction on zone 99.30.172.in-addr.arpa
31-Mar-2017 11:08:49.294 client 192.168.99.6#49428: update '99.30.172.in-addr.arpa/IN' denied
31-Mar-2017 11:08:49.295 samba_dlz: cancelling transaction on zone 99.30.172.in-addr.arpa
31-Mar-2017 11:08:49.297 client 192.168.99.6#60163 (196-ms-7.23-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb): query: 196-ms-7.23-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb IN TKEY -T (192.168.99.8)

If we execute
samba_dnsupdate --verbose --all-names
no errors are displayed.

The rights of /var/lib/samba/private/dns/sam.ldb.d/*
are 660.

Relevant content of /etc/bind/named.conf.options
-------------------------------------------------
allow-update { any;};
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
dnssec-validation no;
dnssec-enable no;

We run
------
samba_upgradedns --dns-backend=BIND9_DLZ

/etc/samba/smb.conf
-------------------
server services = -dns

named -V
--------
BIND 9.9.5-9+deb8u10-Debian (Extended Support Version) <id:f9b8a50e> built by make with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' '--enable-filter-aaaa' 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks -DDIG_SIGCHASE -O2'
compiled by GCC 4.9.2
using OpenSSL version: OpenSSL 1.0.1t  3 May 2016
using libxml2 version: 2.9.1

Timesync
---------
correct time

In the named.config.local we have not created a zone for "my.domain.de". I think this is not necessary.

dpkg -l | grep sernet
----------------------
ii libwbclient0:amd64 99:4.5.7-16 amd64 Glue package for sernet-samba-libs.
ii sernet-samba 99:4.5.7-16 amd64 SMB/CIFS file, print, and login server for Unix
ii sernet-samba-ad 99:4.5.7-16 amd64 Samba Active Directory Domain Controller
ii sernet-samba-client 99:4.5.7-16 amd64 a LanManager-like simple client for Unix
ii sernet-samba-common 99:4.5.7-16 all Samba common files used by both the server and the client
ii sernet-samba-keyring 1.5 all GnuPG archive keys of the SerNet Samba archive
ii sernet-samba-libs:amd64 99:4.5.7-16 amd64 Samba common library files used by both the server and the client
ii sernet-samba-libsmbclient0:amd64 99:4.5.7-16 amd64 Shared library that allows applications to talk to SMB servers
ii sernet-samba-winbind 99:4.5.7-16 amd64 Samba nameservice integration server

Can anybody help me?

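
A small triage script for the log excerpt above, added here as an illustration and not part of the original post: per zone it counts the denied updates and the samba_dlz transactions, and checks whether the same client followed a denial with a TKEY query. The function name `triage` and the summary keys are assumptions of this example; the sample input is the log entries from the post, one per line.

```python
import re
from collections import defaultdict

# Sample input: the entries from the log excerpt in the post, one per line.
SAMPLE_LOG = """\
31-Mar-2017 11:08:49.270 client 192.168.99.6#50357 (client006.my.domain.de): query: client006.my.domain.de IN SOA + (192.168.99.8)
31-Mar-2017 11:08:49.274 client 192.168.99.6#51046 (client008.my.domain.de): query: client008.my.domain.de IN A + (192.168.99.8)
31-Mar-2017 11:08:49.279 samba_dlz: starting transaction on zone my.domain.de
31-Mar-2017 11:08:49.280 client 192.168.99.6#63377: update 'my.domain.de/IN' denied
31-Mar-2017 11:08:49.280 samba_dlz: cancelling transaction on zone my.domain.de
31-Mar-2017 11:08:49.282 client 192.168.99.6#58242 (196-ms-7.22-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb): query: 196-ms-7.22-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb IN TKEY -T (192.168.99.8)
31-Mar-2017 11:08:49.285 client 192.168.99.6#51560 (6.99.30.172.in-addr.arpa): query: 6.99.30.172.in-addr.arpa IN SOA + (192.168.99.8)
31-Mar-2017 11:08:49.288 client 192.168.99.6#58260 (client008.my.domain.de): query: client008.my.domain.de IN A + (192.168.99.8)
31-Mar-2017 11:08:49.294 samba_dlz: starting transaction on zone 99.30.172.in-addr.arpa
31-Mar-2017 11:08:49.294 client 192.168.99.6#49428: update '99.30.172.in-addr.arpa/IN' denied
31-Mar-2017 11:08:49.295 samba_dlz: cancelling transaction on zone 99.30.172.in-addr.arpa
31-Mar-2017 11:08:49.297 client 192.168.99.6#60163 (196-ms-7.23-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb): query: 196-ms-7.23-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb IN TKEY -T (192.168.99.8)
"""

DLZ = re.compile(r"samba_dlz: (starting|cancelling) transaction on zone (\S+)")
DENIED = re.compile(r"client (\S+?)#\d+: update '([^/']+)/IN' denied")
TKEY = re.compile(r"client (\S+?)#\d+ \(\S+\): query: \S+ IN TKEY ")

def triage(log_text):
    """Summarise dynamic-update activity per zone from a BIND log excerpt."""
    zones = defaultdict(lambda: {"started": 0, "cancelled": 0, "denied": 0,
                                 "tkey_after_denial": 0, "clients": set()})
    awaiting_tkey = {}  # client address -> zone of its last denied update
    for line in log_text.splitlines():
        if m := DLZ.search(line):
            key = "started" if m.group(1) == "starting" else "cancelled"
            zones[m.group(2)][key] += 1
        elif m := DENIED.search(line):
            client, zone = m.groups()
            zones[zone]["denied"] += 1
            zones[zone]["clients"].add(client)
            awaiting_tkey[client] = zone
        elif m := TKEY.search(line):
            # A TKEY query from a client whose update was just denied
            zone = awaiting_tkey.pop(m.group(1), None)
            if zone is not None:
                zones[zone]["tkey_after_denial"] += 1
    return dict(zones)

if __name__ == "__main__":
    for zone, s in triage(SAMPLE_LOG).items():
        print(zone, {k: (sorted(v) if isinstance(v, set) else v) for k, v in s.items()})
```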