
[Samba] samba_dnsupdate REFUSED between Samba4 AD DC and Win 2008r2




Hi,

I'm having some trouble getting the Samba internal DNS server in sync with the other (Windows) DNS servers of my AD domain.

samba_dnsupdate returns:

update failed: REFUSED
Failed update of 1 entries

I'm running samba Version 4.5.12-Debian

root@mysamba4dc:~# dpkg -l | grep samba
ii  python-samba                   2:4.5.12+dfsg-2+deb9u3 amd64        Python bindings for Samba
ii  samba                          2:4.5.12+dfsg-2+deb9u3 amd64        SMB/CIFS file, print, and login server for Unix
ii  samba-common                   2:4.5.12+dfsg-2+deb9u3 all          common files used by both the Samba server and client
ii  samba-common-bin               2:4.5.12+dfsg-2+deb9u3 amd64        Samba common files used by both the server and the client
ii  samba-dsdb-modules             2:4.5.12+dfsg-2+deb9u3 amd64        Samba Directory Services Database
ii  samba-libs:amd64               2:4.5.12+dfsg-2+deb9u3 amd64        Samba core libraries
ii  samba-vfs-modules              2:4.5.12+dfsg-2+deb9u3 amd64        Samba Virtual FileSystem plugins

This is the Windows DNS log:

29/11/2018 12:03:17 0CCC PACKET  0000000004E5AD10 TCP Rcv 10.0.16.25      e2a8   U [0028       NOERROR] SOA (7)MYDOMAIN(3)com(0)
29/11/2018 12:03:17 13CC PACKET  0000000004E5AD10 TCP Snd 10.0.16.25      e2a8 R U [05a8       REFUSED] SOA (7)MYDOMAIN(3)com(0)

This is the output of samba_dnsupdate --verbose:

root@mysamba4dc:~# samba_dnsupdate --verbose
IPs: ['10.0.16.25']
Looking for DNS entry A mysamba4dc.MYDOMAIN.com 10.0.16.25 as mysamba4dc.MYDOMAIN.com.
Looking for DNS entry NS MYDOMAIN.com mysamba4dc.MYDOMAIN.com as MYDOMAIN.com.
Looking for DNS entry NS _msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com as _msdcs.MYDOMAIN.com.
The DNS entry NS _msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com, queried as _msdcs.MYDOMAIN.com. does not hold this record type
need update: NS _msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com
Looking for DNS entry A MYDOMAIN.com 10.0.16.25 as MYDOMAIN.com.
Looking for DNS entry SRV _ldap._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.MYDOMAIN.com.
Checking 0 100 389 ris-dom-contr02.MYDOMAIN.com. against SRV _ldap._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.dc._msdcs.MYDOMAIN.com.
Checking 0 100 389 ris-dom-contr02.MYDOMAIN.com. against SRV _ldap._tcp.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 ris-dom-contr01.MYDOMAIN.com. against SRV _ldap._tcp.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _ldap._tcp.d47b6ec5-8976-40a1-ad85-6479d007ebb2.domains._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.d47b6ec5-8976-40a1-ad85-6479d007ebb2.domains._msdcs.MYDOMAIN.com.
Checking 0 100 389 ris-dom-contr02.MYDOMAIN.com. against SRV _ldap._tcp.d47b6ec5-8976-40a1-ad85-6479d007ebb2.domains._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 ris-dom-contr01.MYDOMAIN.com. against SRV _ldap._tcp.d47b6ec5-8976-40a1-ad85-6479d007ebb2.domains._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.d47b6ec5-8976-40a1-ad85-6479d007ebb2.domains._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _kerberos._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88 as _kerberos._tcp.MYDOMAIN.com.
Checking 0 100 88 mysamba4dc.MYDOMAIN.com. against SRV _kerberos._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Looking for DNS entry SRV _kerberos._udp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88 as _kerberos._udp.MYDOMAIN.com.
Checking 0 100 88 ris-dom-contr01.MYDOMAIN.com. against SRV _kerberos._udp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Checking 0 100 88 ris-dom-contr02.MYDOMAIN.com. against SRV _kerberos._udp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Checking 0 100 88 mysamba4dc.MYDOMAIN.com. against SRV _kerberos._udp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88 as _kerberos._tcp.dc._msdcs.MYDOMAIN.com.
Checking 0 100 88 mysamba4dc.MYDOMAIN.com. against SRV _kerberos._tcp.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Looking for DNS entry SRV _kpasswd._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 464 as _kpasswd._tcp.MYDOMAIN.com.
Checking 0 100 464 mysamba4dc.MYDOMAIN.com. against SRV _kpasswd._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 464
Looking for DNS entry SRV _kpasswd._udp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 464 as _kpasswd._udp.MYDOMAIN.com.
Checking 0 100 464 mysamba4dc.MYDOMAIN.com. against SRV _kpasswd._udp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 464
Looking for DNS entry CNAME f9757ca5-8424-4016-99d7-1fbbb232e304._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com as f9757ca5-8424-4016-99d7-1fbbb232e304._msdcs.MYDOMAIN.com.
Looking for DNS entry SRV _ldap._tcp.MYSITE._sites.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.MYSITE._sites.MYDOMAIN.com.
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.MYSITE._sites.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _ldap._tcp.MYSITE._sites.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.MYSITE._sites.dc._msdcs.MYDOMAIN.com.
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.MYSITE._sites.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _kerberos._tcp.MYSITE._sites.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88 as _kerberos._tcp.MYSITE._sites.MYDOMAIN.com.
Checking 0 100 88 mysamba4dc.MYDOMAIN.com. against SRV _kerberos._tcp.MYSITE._sites.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Looking for DNS entry SRV _kerberos._tcp.MYSITE._sites.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88 as _kerberos._tcp.MYSITE._sites.dc._msdcs.MYDOMAIN.com.
Checking 0 100 88 mysamba4dc.MYDOMAIN.com. against SRV _kerberos._tcp.MYSITE._sites.dc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 88
Looking for DNS entry A gc._msdcs.MYDOMAIN.com 10.0.16.25 as gc._msdcs.MYDOMAIN.com.
Looking for DNS entry SRV _gc._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268 as _gc._tcp.MYDOMAIN.com.
Checking 0 100 3268 mywindc02.MYDOMAIN.com. against SRV _gc._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268
Checking 0 100 3268 mysamba4dc.MYDOMAIN.com. against SRV _gc._tcp.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268
Looking for DNS entry SRV _ldap._tcp.gc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268 as _ldap._tcp.gc._msdcs.MYDOMAIN.com.
Checking 0 100 3268 mywindc02.MYDOMAIN.com. against SRV _ldap._tcp.gc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268
Checking 0 100 3268 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.gc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268
Looking for DNS entry SRV _gc._tcp.MYSITE._sites.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268 as _gc._tcp.MYSITE._sites.MYDOMAIN.com.
Checking 0 100 3268 mysamba4dc.MYDOMAIN.com. against SRV _gc._tcp.MYSITE._sites.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268
Looking for DNS entry SRV _ldap._tcp.MYSITE._sites.gc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268 as _ldap._tcp.MYSITE._sites.gc._msdcs.MYDOMAIN.com.
Checking 0 100 3268 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.MYSITE._sites.gc._msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 3268
Looking for DNS entry A DomainDnsZones.MYDOMAIN.com 10.0.16.25 as DomainDnsZones.MYDOMAIN.com.
Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.DomainDnsZones.MYDOMAIN.com.
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.DomainDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _ldap._tcp.MYSITE._sites.DomainDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.MYSITE._sites.DomainDnsZones.MYDOMAIN.com.
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.MYSITE._sites.DomainDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry A ForestDnsZones.MYDOMAIN.com 10.0.16.25 as ForestDnsZones.MYDOMAIN.com.
Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.ForestDnsZones.MYDOMAIN.com.
Checking 0 100 389 mywindc02.MYDOMAIN.com. against SRV _ldap._tcp.ForestDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 mywindc01.MYDOMAIN.com. against SRV _ldap._tcp.ForestDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.ForestDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
Looking for DNS entry SRV _ldap._tcp.MYSITE._sites.ForestDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389 as _ldap._tcp.MYSITE._sites.ForestDnsZones.MYDOMAIN.com.
Checking 0 100 389 mysamba4dc.MYDOMAIN.com. against SRV _ldap._tcp.MYSITE._sites.ForestDnsZones.MYDOMAIN.com mysamba4dc.MYDOMAIN.com 389
1 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/mywindc01.MYDOMAIN.com as mysamba4dc$
update(nsupdate): NS _msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com
Calling nsupdate for NS _msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_msdcs.MYDOMAIN.com.     900     IN      NS mysamba4dc.MYDOMAIN.com.

; TSIG error with server: tsig verify failure
update failed: REFUSED
Failed nsupdate: 2
Failed update of 1 entries

Any hints?

Thanks,

Giacomo
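
Added example (not part of the original post and not Samba code): a small triage script for the samba_dnsupdate --verbose output above. It groups each attempted update with the Kerberos ticket, TSIG error and rcode reported around it. The labels returned by classify() are hypothetical names chosen for this example, and the sample text is a constructed excerpt of the lines quoted in the post.

```python
import re

# Constructed sample: tail of the `samba_dnsupdate --verbose` output quoted in the post.
SAMPLE = """\
need update: NS _msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com
1 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/mywindc01.MYDOMAIN.com as mysamba4dc$
update(nsupdate): NS _msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com
Calling nsupdate for NS _msdcs.MYDOMAIN.com mysamba4dc.MYDOMAIN.com (add)
; TSIG error with server: tsig verify failure
update failed: REFUSED
Failed nsupdate: 2
Failed update of 1 entries
"""

PATTERNS = {
    "ticket": re.compile(r"^Successfully obtained Kerberos ticket to (\S+) as (\S+)$"),
    "call": re.compile(r"^Calling nsupdate for (\S+) (\S+) (.+) \((\w+)\)$"),
    "tsig": re.compile(r"^; TSIG error with server: (.+)$"),
    "rcode": re.compile(r"^update failed: (\S+)$"),
}

def triage(text):
    """Return one dict per attempted update, with the auth context seen around it."""
    ticket, attempts = None, []
    for line in map(str.strip, text.splitlines()):
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            if kind == "ticket":
                ticket = {"spn": m.group(1), "principal": m.group(2)}
            elif kind == "call":
                attempts.append({"rtype": m.group(1), "name": m.group(2),
                                 "data": m.group(3), "op": m.group(4),
                                 "ticket": ticket, "tsig_error": None, "rcode": None})
            elif attempts:  # tsig / rcode lines belong to the latest nsupdate call
                attempts[-1]["tsig_error" if kind == "tsig" else "rcode"] = m.group(1)
    return attempts

def classify(attempt):
    """Hypothetical labels; assumes an attempt with no 'update failed' line succeeded."""
    if attempt["rcode"] is None:
        return "ok"
    if attempt["ticket"] is None:
        return "no-kerberos-ticket"
    if attempt["tsig_error"]:
        return "signed-update-rejected"  # ticket obtained, TSIG on the exchange did not verify
    return "refused-without-tsig-error"
```

For the output in this post, triage() yields a single NS add for _msdcs.MYDOMAIN.com that falls in the "signed-update-rejected" bucket: the machine account obtained a ticket for DNS/mywindc01.MYDOMAIN.com, yet the update was still answered with REFUSED and a TSIG verify failure.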


