Web lists-archives.com

Re: [Samba] DHCP, DNS and non-domain members




On Tue, 28 Nov 2017 10:46:43 +0100
Martin Renner via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hi,
> 
> On 23 Nov 2017 17:35 Rowland Penny via samba wrote:
> > On Thu, 23 Nov 2017 17:05:00 +0100
> > Martin Renner via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >
> >> Hi Rowland,
> >>
> >> my problem is, how to get the non-AD members into the DNS?
> >> Especially, if they are servers and have dynamic IPs from a DHCP
> >> server?
> >>
> >> As far as I understand, only AD members will update the DNS inside
> >> of the AD. So do I have to deliver fixed IP addresses via DHCP to
> >> servers and put a manual entry into the AD DNS?
> >>
> > You run the DHCP server on a DC, see here:
> >
> > https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> >
> > Rowland
> >
> 
> thank you for this link.
> 
> I configured everything according to the howto and disabled DNS
> updates in the group policy (Default Domain Policy / Computer
> Configuration / Policies / Administrative Templates / Network / DNS
> Client / Dynamic Updates). But it looks like if the Windows clients
> still try to update their DNS entries (even after "gpupdate /force"
> and reboot).
> 
> When a Windows client is booting, I can see entries
> in /var/log/syslog which are definitively from the DHCP shell script:
> 
>    samba_dlz: allowing update of signer=dhcpduser\@AD.COMPANY.COM
> name=test-pc.ad.company.com tcpaddr=... type=A key=...."
> 
> both for the forward end reverse zone.
> 
> But shortly after these messages, I can see messages which seem to
> come from the client:
> 
>    samba_dlz: starting transaction on zone ad.company.com
>    client 192.168.105.101#59890: update 'ad.company.com/IN' denied
>    samba_dlz: cancelling transaction on zone ad.company.com
>    samba_dlz: starting transaction on zone ad.company.com
>    samba_dlz: disallowing update of signer=TEST-PC\$\@AD.COMPANY.COM
> name=test-PC.ad.company.com type=A error=insufficient access rights
>    client 192.168.105.101#63148/key TEST-PC\$\@AD.COMPANY.COM:
> updating zone 'ad.company.com/NONE': update failed: rejected by
> secure update (REFUSED)
> 
> This looks to me like if the client is still trying to update its DNS
> entry. Did I miss anything in the client configuration?
> 

It certainly looks like your windows clients are trying to update their
own records and this will not work because they don't own them now ;-)

You need to find out why the GPO isn't being used. This has nothing to
do with the DHCP script.

Rowland


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba