Web lists-archives.com

Re: [Samba] DHCP, DNS and non-domain members




Hi,

On 23 Nov 2017 17:35 Rowland Penny via samba wrote:
> On Thu, 23 Nov 2017 17:05:00 +0100
> Martin Renner via samba <samba@xxxxxxxxxxxxxxx> wrote:
>
>> Hi Rowland,
>>
>> my problem is, how to get the non-AD members into the DNS?
>> Especially, if they are servers and have dynamic IPs from a DHCP
>> server?
>>
>> As far as I understand, only AD members will update the DNS inside of
>> the AD. So do I have to deliver fixed IP addresses via DHCP to
>> servers and put a manual entry into the AD DNS?
>>
> You run the DHCP server on a DC, see here:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> Rowland
>

thank you for this link.

I configured everything according to the howto and disabled DNS updates in the group policy (Default
Domain Policy / Computer Configuration / Policies / Administrative Templates / Network / DNS Client
/ Dynamic Updates). But it looks like if the Windows clients still try to update their DNS entries
(even after "gpupdate /force" and reboot).

When a Windows client is booting, I can see entries in /var/log/syslog which are definitively from
the DHCP shell script:

   samba_dlz: allowing update of signer=dhcpduser\@AD.COMPANY.COM name=test-pc.ad.company.com
tcpaddr=... type=A key=...."

both for the forward end reverse zone.

But shortly after these messages, I can see messages which seem to come from the client:

   samba_dlz: starting transaction on zone ad.company.com
   client 192.168.105.101#59890: update 'ad.company.com/IN' denied
   samba_dlz: cancelling transaction on zone ad.company.com
   samba_dlz: starting transaction on zone ad.company.com
   samba_dlz: disallowing update of signer=TEST-PC\$\@AD.COMPANY.COM name=test-PC.ad.company.com
type=A error=insufficient access rights
   client 192.168.105.101#63148/key TEST-PC\$\@AD.COMPANY.COM: updating zone 'ad.company.com/NONE':
update failed: rejected by secure update (REFUSED)

This looks to me like if the client is still trying to update its DNS entry. Did I miss anything in
the client configuration?

Regards,
Martin



-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba