Norbert Hanke
2016-Jul-18 09:45 UTC
[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
On 18.07.2016 01:52, Achim Gottinger wrote:
>
> On 18.07.2016 at 01:02, Norbert Hanke wrote:
>> Hello,
>>
>> I'm trying to join a samba 4 DC to an already existing samba 4 DC,
>> both with BIND9_DLZ. Samba is at version 4.4.5, bind is version
>> 9.10.4-P1, all brand new.
>>
>> The existing DC runs fine, but the added DC refuses to update its
>> local bind database: every attempt to update the local DNS results in
>> "update failed: NOTAUTH". AD replication works perfectly.
>>
>> Both systems are set up identically except for the
>> provisioning/joining command. On the first I did
>>
>> samba-tool domain provision --use-rfc2307 --domain=$domain \
>>     --server-role=dc --dns-backend=BIND9_DLZ \
>>     --realm=$realm --adminpass=Wonttell
>>
>> and on the second I do
>>
>> samba-tool domain join $domain DC -Uadministrator --realm=$realm \
>>     --dns-backend=BIND9_DLZ
>>
>> Versions are the same, bind config is the same, I tried to follow every
>> rule I could find.
>>
>> # samba_dnsupdate --verbose -d 9
>> INFO: Current debug levels:
>>   all: 9
>>   (... more such levels ...)
>> lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
>> Processing section "[global]"
>> Processing section "[netlogon]"
>> Processing section "[sysvol]"
>> pm_process() returned Yes
>> added interface eth0 ip=192.168.1.9 bcast=192.168.1.255 netmask=255.255.255.0
>> IPs: ['192.168.1.9']
>> Module 'tombstone_reanimate' is disabled. Skip registration.
>> lpcfg_servicenumber: couldn't find ldb
>> schema_fsmo_init: we are master[no] updates allowed[no]
>> schema_fsmo_init: we are master[no] updates allowed[no]
>> Looking for DNS entry A dc2.ad.domain.ch 192.168.1.9 as dc2.ad.domain.ch.
>> Looking for DNS entry A ad.domain.ch 192.168.1.9 as ad.domain.ch.
>> Failed to find matching DNS entry A ad.domain.ch 192.168.1.9
>> need update: A ad.domain.ch 192.168.1.9
>> (... many more such Looking...need update blocks)
>> 24 DNS updates and 0 DNS deletes needed
>> ldb_wrap open of secrets.ldb
>> Received smb_krb5 packet of length 298
>> Received smb_krb5 packet of length 1311
>> update(nsupdate): A ad.domain.tld 192.168.1.9
>> Calling nsupdate for A ad.domain.tld 192.168.1.9 (add)
>> Outgoing update query:
>> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
>> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
>> ;; UPDATE SECTION:
>> ad.domain.tld.   900   IN   A   192.168.1.9
>>
>> update failed: NOTAUTH
>> Failed nsupdate: 2
>> (... many more such failed updates ...)
>> Failed update of 24 entries
>> # 22:37:30 root@dc2:/root/
>>
>> In /var/log/syslog there are these equivalent 24 error messages every
>> 10 minutes:
>>
>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.742592, 0] ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>> Jul 17 22:52:06 dc2 samba[3960]: /usr/local/samba/sbin/samba_dnsupdate: update failed: NOTAUTH
>>
>> and the last of the 24 entries is always followed by
>>
>> Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.866877, 0] ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
>> Jul 17 22:52:06 dc2 samba[3960]: ../source4/dsdb/dns/dns_update.c:295: Failed DNS update - NT_STATUS_TOO_MANY_OPENED_FILES
>>
>> smb.conf is minimalistic:
>>
>> # Global parameters
>> [global]
>>         netbios name = DC2
>>         realm = AD.DOMAIN.TLD
>>         server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
>>         workgroup = DOMAIN
>>         server role = active directory domain controller
>>
>> [netlogon]
>>         path = /usr/local/samba/var/locks/sysvol/ad.domain.tld/scripts
>>         read only = No
>>
>> [sysvol]
>>         path = /usr/local/samba/var/locks/sysvol
>>         read only = No
>>
>> Maybe somebody has an idea what I did wrong?
>>
> resolv.conf on dc2 should point to dc1 during join. Is that the case?
> Does kinit work on dc2?
>

Yes, I did

cat <<EOF >/etc/resolv.conf
domain $domain
nameserver $otherip
nameserver $ip
EOF

($ip is the local system, $otherip is the existing DC)

resulting in

# cat /etc/resolv.conf
domain ad.domain.ch
nameserver 192.168.1.8
nameserver 192.168.1.9

Before joining I did

klist -e | grep administrator@$realm || kinit administrator

and looking at it right now half a day later I get

# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@AD.DOMAIN.CH

Valid starting     Expires            Service principal
17/07/16 21:56:59  18/07/16 07:56:59  krbtgt/AD.DOMAIN.CH@AD.DOMAIN.CH
        renew until 18/07/16 21:56:55, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

So it is expired right now, another kinit gets me a new tgt:

# kinit -R
kinit: Ticket expired while renewing credentials
# kinit
Password for administrator@AD.DOMAIN.CH:
Warning: Your password will expire in 32 days on Sat 20 Aug 2016 08:27:10 UTC
# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@AD.DOMAIN.CH

Valid starting     Expires            Service principal
18/07/16 09:35:01  18/07/16 19:35:01  krbtgt/AD.DOMAIN.CH@AD.DOMAIN.CH
        renew until 19/07/16 09:34:58, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

samba_dnsupdate still fails.
Achim Gottinger
2016-Jul-18 20:48 UTC
[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
On 18.07.2016 at 11:45, Norbert Hanke wrote:
> On 18.07.2016 01:52, Achim Gottinger wrote:
>> resolv.conf on dc2 should point to dc1 during join. Is that the case?
>> Does kinit work on dc2?
>>
> Yes, I did
> [...]
> samba_dnsupdate still fails.
>

You can try to run

root@dc2:~# samba_upgradedns --dns-backend=BIND9_DLZ

and verify that bind has read rights on the dns.keytab

root@dc2:~# ls -l /var/lib/samba/private/dns.keytab
-rw-r----- 1 root bind 732 Jun 28 16:08 /var/lib/samba/private/dns.keytab

Also check that the keytab contains such keys.

root@dc2:~# klist -Kek /var/lib/samba/private/dns.keytab
Keytab name: FILE:/var/lib/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc2.domain.local@DOMAIN.LOCAL (des-cbc-crc) (...)
   1 dns-dc2@DOMAIN.LOCAL (des-cbc-crc) (...)
   1 DNS/dc2.domain.local@DOMAIN.LOCAL (des-cbc-md5) (...)
   1 dns-dc2@DOMAIN.LOCAL (des-cbc-md5) (...)
   1 DNS/dc2.domain.local@DOMAIN.LOCAL (arcfour-hmac) (...)
   1 dns-dc2@DOMAIN.LOCAL (arcfour-hmac) (...)
   1 DNS/dc2.domain.local@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96) (...)
   1 dns-dc2@DOMAIN.LOCAL (aes128-cts-hmac-sha1-96) (...)
   1 DNS/dc2.domain.local@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96) (...)
   1 dns-dc2@DOMAIN.LOCAL (aes256-cts-hmac-sha1-96) (...)
Norbert Hanke
2016-Jul-18 21:31 UTC
[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
On 18.07.2016 22:48, Achim Gottinger wrote:
> On 18.07.2016 at 11:45, Norbert Hanke wrote:
>> [...]
>> samba_dnsupdate still fails.
>>
> You can try to run
>
> root@dc2:~# samba_upgradedns --dns-backend=BIND9_DLZ
>
> and verify that bind has read rights on the dns.keytab
>
> root@dc2:~# ls -l /var/lib/samba/private/dns.keytab
> -rw-r----- 1 root bind 732 Jun 28 16:08 /var/lib/samba/private/dns.keytab
>
> Also check that the keytab contains such keys.
>
> root@dc2:~# klist -Kek /var/lib/samba/private/dns.keytab
> [...]
>

dns.keytab already exists:

# ls -l /usr/local/samba/private/dns.keytab
-rw-r----- 1 root bind 777 Jul 17 21:59 /usr/local/samba/private/dns.keytab

running the upgrade does not do too much:

# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /usr/local/samba/private/dns/AD.DOMAIN.CH.zone
DNS records will be automatically created
DNS partitions already exist
dns-dc2 account already exists
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

and the keytab file is unchanged. Contents look fine:

# klist -Kek /usr/local/samba/private/dns.keytab
Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (des-cbc-crc) (...)
   1 dns-DC2@AD.DOMAIN.CH (des-cbc-crc) (...)
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (des-cbc-md5) (...)
   1 dns-DC2@AD.DOMAIN.CH (des-cbc-md5) (...)
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (arcfour-hmac) (...)
   1 dns-DC2@AD.DOMAIN.CH (arcfour-hmac) (...)
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (aes128-cts-hmac-sha1-96) (...)
   1 dns-DC2@AD.DOMAIN.CH (aes128-cts-hmac-sha1-96) (...)
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96) (...)
   1 dns-DC2@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96) (...)

The missing zone file is also not present on the working dc1 system.
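The checks Achim lists in his reply (keytab mode and group, the DNS/ principal and its key types) and the manual re-run Norbert describes, packaged as one script. This is an added example, not code from the thread or from the Samba project. The offline part works on a constructed `klist -Kek` listing modelled on the one above; the live part only runs when a dns.keytab is present. Assumptions that are not from the thread: Samba lives under /usr/local/samba as in Norbert's setup, named runs as group `bind`, `hostname -f` and `hostname -d` return the DC's FQDN and its AD DNS domain, and a usable Kerberos ticket (for example the administrator TGT from `kinit`) is in the default credential cache. The function and variable names are this example's own. The live probe sends a GSS-TSIG update through `nsupdate -g` with the zone and server named explicitly, which isolates the one thing samba_dnsupdate's output cannot tell you: NOTAUTH is RFC 2136 rcode 9, "server not authoritative for zone", so it reports what the local named thinks about the zone, whereas a policy or credential problem would come back as REFUSED. The single-DES and RC4 keys the listing shows are weak types and are reported as a caveat.

```shell
#!/bin/sh
# Added example (not from the thread or Samba): checks on a BIND9_DLZ
# dns.keytab plus an optional live GSS-TSIG probe against the local named.
# Assumptions: /usr/local/samba layout as in the thread, named runs as group
# "bind", `hostname -f`/`hostname -d` give the DC FQDN and AD DNS domain, and a
# valid Kerberos ticket sits in the default credential cache for the probe.

# Constructed sample of `klist -Kek` output, modelled on the thread's listing
# (key bytes elided as 0x...). Used by the offline checks below.
SAMPLE_KLIST='Keytab name: FILE:/usr/local/samba/private/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (des-cbc-crc) (0x...)
   1 dns-DC2@AD.DOMAIN.CH (des-cbc-crc) (0x...)
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (des-cbc-md5) (0x...)
   1 dns-DC2@AD.DOMAIN.CH (des-cbc-md5) (0x...)
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (arcfour-hmac) (0x...)
   1 dns-DC2@AD.DOMAIN.CH (arcfour-hmac) (0x...)
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (aes128-cts-hmac-sha1-96) (0x...)
   1 dns-DC2@AD.DOMAIN.CH (aes128-cts-hmac-sha1-96) (0x...)
   1 DNS/dc2.ad.domain.ch@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96) (0x...)
   1 dns-DC2@AD.DOMAIN.CH (aes256-cts-hmac-sha1-96) (0x...)'

# keytab_has_principal LISTING PRINCIPAL ETYPE
# Exit 0 if the klist listing carries PRINCIPAL with a key of type ETYPE.
keytab_has_principal() {
    printf '%s\n' "$1" | grep -qF "$2 ($3)"
}

# keytab_weak_etypes LISTING
# Print, one per line and deduplicated, the single-DES and RC4 key types
# present. These are weak; a keytab that only needs AES should not carry them.
keytab_weak_etypes() {
    printf '%s\n' "$1" \
        | grep -oE '\((des-cbc-(crc|md5)|arcfour-hmac[^)]*)\)' \
        | tr -d '()' | sort -u
}

# keytab_mode_ok LS_LINE GROUP
# Exit 0 if the `ls -l` line grants nothing to "other" and the file's group is
# GROUP, i.e. the 0640 root:GROUP layout Achim shows (named reads it as GROUP).
keytab_mode_ok() {
    local perms group
    perms=$(printf '%s\n' "$1" | awk '{print $1}')
    group=$(printf '%s\n' "$1" | awk '{print $4}')
    [ "$(printf '%s\n' "$perms" | cut -c8-10)" = "---" ] && [ "$group" = "$2" ]
}

# Live checks; meaningful only on a DC. Paths and group are the assumptions above.
DNS_KEYTAB=${DNS_KEYTAB:-/usr/local/samba/private/dns.keytab}
BIND_GROUP=${BIND_GROUP:-bind}

live_checks() {
    local fqdn zone realm listing weak
    fqdn=$(hostname -f)
    zone=${ZONE:-$(hostname -d)}
    realm=$(printf '%s\n' "$zone" | tr '[:lower:]' '[:upper:]')

    keytab_mode_ok "$(ls -l "$DNS_KEYTAB")" "$BIND_GROUP" \
        || echo "WARN: $DNS_KEYTAB should be mode 0640 with group $BIND_GROUP"

    listing=$(klist -Kek "$DNS_KEYTAB")
    keytab_has_principal "$listing" "DNS/$fqdn@$realm" aes256-cts-hmac-sha1-96 \
        || echo "WARN: no AES256 key for DNS/$fqdn@$realm in $DNS_KEYTAB"
    weak=$(keytab_weak_etypes "$listing")
    [ -z "$weak" ] || echo "NOTE: weak key types in keytab: $(printf '%s' "$weak" | tr '\n' ' ')"

    # Manual GSS-TSIG update using the ticket in the default cache. Naming the
    # zone and the server explicitly makes the answer unambiguous: NOTAUTH
    # (RFC 2136 rcode 9) means the named at 127.0.0.1 does not consider itself
    # authoritative for $zone; REFUSED points at the update policy or the
    # credentials instead. The probe adds and then deletes one TXT record, so
    # it does write to the zone when it succeeds.
    nsupdate -g -d <<EOF
server 127.0.0.1
zone $zone
update add _gsstsig-probe.$zone 60 TXT "probe"
send
update delete _gsstsig-probe.$zone TXT
send
EOF
}

# Run the live part only where a dns.keytab actually exists (i.e. on a DC).
if [ -r "$DNS_KEYTAB" ]; then
    live_checks
fi
```

Run it as root on the joined DC (dc2 in the thread); set `DNS_KEYTAB`, `BIND_GROUP` or `ZONE` in the environment if the layout differs. The keytab functions accept any `klist -Kek` and `ls -l` output, so they can be pointed at the listing from the working DC for a side-by-side comparison.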