Web lists-archives.com

[Samba] Workstations cannot update DNS




I am trying to get DDNS working, so workstations can update their ip.

The domain is msi.mycompany.com

The DC server works, as well as group policies. 

I set rights to these files
> chgrp bind /var/lib/samba/private/
> chmod 750 /var/lib/samba/private/
> chgrp bind /var/lib/samba/private/dns.keytab
> chmod 640 /var/lib/samba/private/dns.keytab

journalctl shows this.
May 14 14:22:32 audit[2117]: AVC apparmor="DENIED" operation="file_lock" 
profile="/usr/sbin/named" name="/var/lib/samba/private/dns.keytab" 
pid=2117 comm="isc-worker0000" requested_mask="k" denied_mask="k" 
fsuid=111 ouid=0
May 14 14:22:32 kernel: audit: type=1400 audit(1557865352.085:35): 
apparmor="DENIED" operation="file_lock" profile="/usr/sbin/named" 
name="/var/lib/samba/private/dns.keytab" pid=2117 comm="isc-worker0000" 
requested_mask="k" denied_mask="k" fsuid=111 ouid=0

When I run.
> named -u bind -f -g 2>&1 | tee /tmp/named.log
I get this.
14-May-2019 14:22:32.085 samba_dlz: starting transaction on zone 
msi.mycompany.com
14-May-2019 14:22:32.086 client @0x7febec0c6c50 172.23.93.246#59744: 
update 'msi.mycompany.com/IN' denied
14-May-2019 14:22:32.087 samba_dlz: cancelling transaction on zone 
msi.mycompany.com

When I run.
> samba_upgradedns --dns-backend=BIND9_DLZ

I get this.
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/MSI.MYCOMPANY.COM.zone
DNS records will be automatically created
DNS partitions already exist
dns-dc0 account already exists
See /var/lib/samba/bind-dns/named.conf for an example configuration 
include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required 
for secure DNS updates
Finished upgrading DNS

Any ideas?


Thank you,

Durwin


This email message and any attachments are for the sole use of the 
intended recipient(s) and may contain proprietary and/or confidential 
information which may be privileged or otherwise protected from 
disclosure. Any unauthorized review, use, disclosure or distribution is 
prohibited. If you are not the intended recipient(s), please contact the 
sender by reply email and destroy the original message and any copies of 
the message as well as any attachments to the original message.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba