On Thu, Feb 23, 2012 at 4:33 PM, Jeremy Davis <jdavis4102 at gmail.com> wrote:
>>>
>>>> I forgot to mention that nsupdate command should also include -g flag to
>>>> force secure (kerberos) updates.
>>>>
>>>> nsupdate command = /path/to/nsupdate -g
>>>>
>>>> dlz_bind9 module only allows secure dynamic updates.
>>>>
>>>> Amitay.
>>>>
>>> I added the -g to the smb.conf and restarted samba and named but it doesn't
>>> seem to do anything. Could this be an issue with kerberos? I am able to
>>> authenticate with my Windows machine and via the command line using the
>>> tests on the samba4 wiki. Any ideas as to what this could be?
>> What happens when you run samba_dnsupdate --verbose?
>> What's the output from BIND?
>>
>> Amitay.
>>
Well, the samba_dnsupdate logs are the same but bind is now showing a
little different error.

> samba-dnsupdate:
>
> IPs: ['2002:4b46:c8ad:0:a00:27ff:fe14:5491',
> 'fe80::a00:27ff:fe14:5491%eth0', 'fe80::a00:27ff:fee5:5840%eth1',
> '192.168.7.30', '192.168.30.1']
> Looking for DNS entry A bob-dc.com 192.168.7.30 as bob-dc.com.
> Looking for DNS entry A dc1.bob-dc.com 192.168.7.30 as dc1.bob-dc.com.
> Looking for DNS entry AAAA bob-dc.com
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as bob-dc.com.
> Failed to find matching DNS entry AAAA bob-dc.com
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
> Looking for DNS entry AAAA dc1.bob-dc.com
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as dc1.bob-dc.com.
> Failed to find matching DNS entry AAAA dc1.bob-dc.com
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
> Looking for DNS entry A gc._msdcs.bob-dc.com 192.168.7.30 as
> gc._msdcs.bob-dc.com.
> Looking for DNS entry AAAA gc._msdcs.bob-dc.com
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491 as gc._msdcs.bob-dc.com.
> Failed to find matching DNS entry AAAA gc._msdcs.bob-dc.com
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
> Looking for DNS entry CNAME
> 48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com dc1.bob-dc.com
> as 48c0fc0c-dcc1-425d-bcb2-a229d40ab48c._msdcs.bob-dc.com.
> Looking for DNS entry SRV _kpasswd._tcp.bob-dc.com dc1.bob-dc.com 464
> as _kpasswd._tcp.bob-dc.com.
> Checking 0 100 464 dc1.bob-dc.com. against SRV
> _kpasswd._tcp.bob-dc.com dc1.bob-dc.com 464
> Looking for DNS entry SRV _kpasswd._udp.bob-dc.com dc1.bob-dc.com 464
> as _kpasswd._udp.bob-dc.com.
> Checking 0 100 464 dc1.bob-dc.com. against SRV
> _kpasswd._udp.bob-dc.com dc1.bob-dc.com 464
> Looking for DNS entry SRV _kerberos._tcp.bob-dc.com dc1.bob-dc.com 88
> as _kerberos._tcp.bob-dc.com.
> Checking 0 100 88 dc1.bob-dc.com. against SRV
> _kerberos._tcp.bob-dc.com dc1.bob-dc.com 88
> Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.bob-dc.com
> dc1.bob-dc.com 88 as _kerberos._tcp.dc._msdcs.bob-dc.com.
> Checking 0 100 88 dc1.bob-dc.com. against SRV
> _kerberos._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 88
> Looking for DNS entry SRV
> _kerberos._tcp.default-first-site-name._sites.bob-dc.com
> dc1.bob-dc.com 88 as
> _kerberos._tcp.default-first-site-name._sites.bob-dc.com.
> Checking 0 100 88 dc1.bob-dc.com. against SRV
> _kerberos._tcp.default-first-site-name._sites.bob-dc.com
> dc1.bob-dc.com 88
> Looking for DNS entry SRV
> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
> dc1.bob-dc.com 88 as
> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com.
> Checking 0 100 88 dc1.bob-dc.com. against SRV
> _kerberos._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
> dc1.bob-dc.com 88
> Looking for DNS entry SRV _kerberos._udp.bob-dc.com dc1.bob-dc.com 88
> as _kerberos._udp.bob-dc.com.
> Checking 0 100 88 dc1.bob-dc.com. against SRV
> _kerberos._udp.bob-dc.com dc1.bob-dc.com 88
> Looking for DNS entry SRV _ldap._tcp.bob-dc.com dc1.bob-dc.com 389 as
> _ldap._tcp.bob-dc.com.
> Checking 0 100 389 dc1.bob-dc.com. against SRV _ldap._tcp.bob-dc.com
> dc1.bob-dc.com 389
> Looking for DNS entry SRV _ldap._tcp.dc._msdcs.bob-dc.com
> dc1.bob-dc.com 389 as _ldap._tcp.dc._msdcs.bob-dc.com.
> Checking 0 100 389 dc1.bob-dc.com. against SRV
> _ldap._tcp.dc._msdcs.bob-dc.com dc1.bob-dc.com 389
> Looking for DNS entry SRV _ldap._tcp.gc._msdcs.bob-dc.com
> dc1.bob-dc.com 3268 as _ldap._tcp.gc._msdcs.bob-dc.com.
> Checking 0 100 3268 dc1.bob-dc.com. against SRV
> _ldap._tcp.gc._msdcs.bob-dc.com dc1.bob-dc.com 3268
> Looking for DNS entry SRV _ldap._tcp.pdc._msdcs.bob-dc.com
> dc1.bob-dc.com 389 as _ldap._tcp.pdc._msdcs.bob-dc.com.
> Checking 0 100 389 dc1.bob-dc.com. against SRV
> _ldap._tcp.pdc._msdcs.bob-dc.com dc1.bob-dc.com 389
> Looking for DNS entry SRV
> _ldap._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com
> 389 as _ldap._tcp.default-first-site-name._sites.bob-dc.com.
> Checking 0 100 389 dc1.bob-dc.com. against SRV
> _ldap._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 389
> Looking for DNS entry SRV
> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
> dc1.bob-dc.com 389 as
> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com.
> Checking 0 100 389 dc1.bob-dc.com. against SRV
> _ldap._tcp.default-first-site-name._sites.dc._msdcs.bob-dc.com
> dc1.bob-dc.com 389
> Looking for DNS entry SRV
> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com
> dc1.bob-dc.com 3268 as
> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com.
> Checking 0 100 3268 dc1.bob-dc.com. against SRV
> _ldap._tcp.default-first-site-name._sites.gc._msdcs.bob-dc.com
> dc1.bob-dc.com 3268
> Looking for DNS entry SRV
> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com
> dc1.bob-dc.com 389 as
> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com.
> Checking 0 100 389 dc1.bob-dc.com. against SRV
> _ldap._tcp.2d1290ec-d837-4f59-8730-9deb5078c8f0.domains._msdcs.bob-dc.com
> dc1.bob-dc.com 389
> Looking for DNS entry SRV _gc._tcp.bob-dc.com dc1.bob-dc.com 3268 as
> _gc._tcp.bob-dc.com.
> Checking 0 100 3268 dc1.bob-dc.com. against SRV _gc._tcp.bob-dc.com
> dc1.bob-dc.com 3268
> Looking for DNS entry SRV
> _gc._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 3268
> as _gc._tcp.default-first-site-name._sites.bob-dc.com.
> Checking 0 100 3268 dc1.bob-dc.com. against SRV
> _gc._tcp.default-first-site-name._sites.bob-dc.com dc1.bob-dc.com 3268
> Looking for DNS entry A bob-dc.com 192.168.30.1 as bob-dc.com.
> Failed to find matching DNS entry A bob-dc.com 192.168.30.1
> Looking for DNS entry A dc1.bob-dc.com 192.168.30.1 as dc1.bob-dc.com.
> Failed to find matching DNS entry A dc1.bob-dc.com 192.168.30.1
> Looking for DNS entry A gc._msdcs.bob-dc.com 192.168.30.1 as
> gc._msdcs.bob-dc.com.
> Failed to find matching DNS entry A gc._msdcs.bob-dc.com 192.168.30.1
> Calling nsupdate for AAAA bob-dc.com 2002:4b46:c8ad:0:a00:27ff:fe14:5491
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> bob-dc.com. 900 IN AAAA
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>
> update failed: REFUSED
> Failed nsupdate: 2
> Calling nsupdate for AAAA dc1.bob-dc.com
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> dc1.bob-dc.com. 900 IN AAAA
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>
> update failed: REFUSED
> Failed nsupdate: 2
> Calling nsupdate for AAAA gc._msdcs.bob-dc.com
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> gc._msdcs.bob-dc.com. 900 IN AAAA
> 2002:4b46:c8ad:0:a00:27ff:fe14:5491
>
> update failed: REFUSED
> Failed nsupdate: 2
> Calling nsupdate for A bob-dc.com 192.168.30.1
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> bob-dc.com. 900 IN A 192.168.30.1
>
> update failed: REFUSED
> Failed nsupdate: 2
> Calling nsupdate for A dc1.bob-dc.com 192.168.30.1
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> dc1.bob-dc.com. 900 IN A 192.168.30.1
>
> update failed: REFUSED
> Failed nsupdate: 2
> Calling nsupdate for A gc._msdcs.bob-dc.com 192.168.30.1
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> gc._msdcs.bob-dc.com. 900 IN A 192.168.30.1
>
> update failed: REFUSED
> Failed nsupdate: 2
> Failed update of 6 entries
>
>
> bind logs:
>
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on
> zone bob-dc.com
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#43717: updating
> zone 'bob-dc.com/NONE': update failed: rejected by secure update
> (REFUSED)
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on
> zone bob-dc.com
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on
> zone bob-dc.com
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#33042: updating
> zone 'bob-dc.com/NONE': update failed: rejected by secure update
> (REFUSED)
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on
> zone bob-dc.com
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on
> zone _msdcs.bob-dc.com
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#40855: updating
> zone '_msdcs.bob-dc.com/NONE': update failed: rejected by secure
> update (REFUSED)
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on
> zone _msdcs.bob-dc.com
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on
> zone bob-dc.com
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#38049: updating
> zone 'bob-dc.com/NONE': update failed: rejected by secure update
> (REFUSED)
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: cancelling transaction on
> zone bob-dc.com
> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on
> zone bob-dc.com
> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: spnego update failed
> Feb 22 22:51:44 dc1 named[2498]: client 192.168.30.1#34189: updating
> zone 'bob-dc.com/NONE': update failed: rejected by secure update
> (REFUSED)
> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: cancelling transaction on
> zone bob-dc.com
> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on
> zone _msdcs.bob-dc.com
> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: spnego update failed
> Feb 22 22:51:44 dc1 named[2498]: client 192.168.30.1#41075: updating
> zone '_msdcs.bob-dc.com/NONE': update failed: rejected by secure
> update (REFUSED)
> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: cancelling transaction on
> zone _msdcs.bob-dc.com
>
Forgot to copy the samba list on the latest logs. Also I just saw
Steve's email. I can say that samba is in the path as I used samba to
start the samba service. I also double checked that everything is in the
path. The above logs are the current logs that I am getting after adding
the -g option as requested by Amitay.
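
Added example, not part of the original message or of Samba/BIND: a small triage script for named logs like the ones quoted above. It rejoins mail-wrapped syslog entries and counts each "rejected by secure update (REFUSED)" by client and zone, noting whether samba_dlz logged "spnego update failed" in the same transaction. The function names and the 192.0.2.10 entry are assumptions made for the illustration.

```python
import re
from collections import Counter
STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
REFUSED = re.compile(r"client (?P<ip>[^#\s]+)#\d+: updating zone '(?P<zone>[^/']+)/[^']*': "
                     r"update failed: rejected by secure update \(REFUSED\)")

# Constructed sample in the style of the quoted named log; the 192.0.2.10 refusal is made up.
SAMPLE = """\
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: starting transaction on
> zone bob-dc.com
> Feb 22 22:51:43 dc1 named[2498]: samba_dlz: spnego update failed
> Feb 22 22:51:43 dc1 named[2498]: client 192.168.30.1#43717: updating
> zone 'bob-dc.com/NONE': update failed: rejected by secure update
> (REFUSED)
> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: starting transaction on
> zone _msdcs.bob-dc.com
> Feb 22 22:51:44 dc1 named[2498]: samba_dlz: spnego update failed
> Feb 22 22:51:44 dc1 named[2498]: client 192.168.30.1#41075: updating
> zone '_msdcs.bob-dc.com/NONE': update failed: rejected by secure
> update (REFUSED)
> Feb 22 22:51:45 dc1 named[2498]: client 192.0.2.10#5353: updating
> zone 'bob-dc.com/NONE': update failed: rejected by secure update (REFUSED)
"""

def unwrap(text):
    """Strip mail quote marks and rejoin log entries the mailer wrapped."""
    entries = []
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()
        if STAMP.match(line):
            entries.append(line)          # a syslog timestamp starts a new entry
        elif line and entries:
            entries[-1] += " " + line     # continuation of the previous entry
    return entries

def triage(text):
    """Count refused updates per (client, zone, cause)."""
    counts, spnego_failed = Counter(), False
    for entry in unwrap(text):
        if "samba_dlz: starting transaction" in entry:
            spnego_failed = False
        elif "samba_dlz: spnego update failed" in entry:
            spnego_failed = True
        m = REFUSED.search(entry)
        if m:
            cause = "spnego_failed" if spnego_failed else "no_spnego_failure_logged"
            counts[(m["ip"], m["zone"], cause)] += 1
            spnego_failed = False         # the flag belongs to one transaction only
    return counts
```

Calling `triage()` on the full quoted log groups the refusals by zone, which shows whether every rejection is preceded by an SPNEGO (Kerberos) negotiation failure.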