samba - Apr 2017 - Dynamic updates of windows clients

Hello

We have installed 4 Sernet AD controllers on Debian 8.7 with bind9. If 
we run ipconfig /registerdns on a windowsclient , an
error message is in the logfiles:

31-Mar-2017 11:08:49.270 client 192.168.99.6#50357 
(client006.my.domain.de): query: client006.my.domain.de IN SOA + 
(192.168.99.8)
31-Mar-2017 11:08:49.274 client 192.168.99.6#51046 
(client008.my.domain.de): query: client008.my.domain.de IN A + 
(192.168.99.8)
31-Mar-2017 11:08:49.279 samba_dlz: starting transaction on zone 
my.domain.de
31-Mar-2017 11:08:49.280 client 192.168.99.6#63377: update 
'my.domain.de/IN' denied
31-Mar-2017 11:08:49.280 samba_dlz: cancelling transaction on zone 
my.domain.de
31-Mar-2017 11:08:49.282 client 192.168.99.6#58242 
(196-ms-7.22-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb): query: 
196-ms-7.22-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb IN TKEY -T 
(192.168.99.8)
31-Mar-2017 11:08:49.285 client 192.168.99.6#51560 
(6.99.30.172.in-addr.arpa): query: 6.99.30.172.in-addr.arpa IN SOA + 
(192.168.99.8)
31-Mar-2017 11:08:49.288 client 192.168.99.6#58260 
(client008.my.domain.de): query: client008.my.domain.de IN A + 
(192.168.99.8)
31-Mar-2017 11:08:49.294 samba_dlz: starting transaction on zone 
99.30.172.in-addr.arpa
31-Mar-2017 11:08:49.294 client 192.168.99.6#49428: update 
'99.30.172.in-addr.arpa/IN' denied
31-Mar-2017 11:08:49.295 samba_dlz: cancelling transaction on zone 
99.30.172.in-addr.arpa
31-Mar-2017 11:08:49.297 client 192.168.99.6#60163 
(196-ms-7.23-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb): query: 
196-ms-7.23-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb IN TKEY -T 
(192.168.99.8)
31-Mar-2017 11:08:49.270 client 192.168.99.6#50357 
(client006.my.domain.de): query: client006.my.domain.de IN SOA + 
(192.168.99.8)
31-Mar-2017 11:08:49.274 client 192.168.99.6#51046 
(client008.my.domain.de): query: client008.my.domain.de IN A + 
(192.168.99.8)
31-Mar-2017 11:08:49.279 samba_dlz: starting transaction on zone 
my.domain.de
31-Mar-2017 11:08:49.280 client 192.168.99.6#63377: update 
'my.domain.de/IN' denied
31-Mar-2017 11:08:49.280 samba_dlz: cancelling transaction on zone 
my.domain.de
31-Mar-2017 11:08:49.282 client 192.168.99.6#58242 
(196-ms-7.22-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb): query: 
196-ms-7.22-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb IN TKEY -T 
(192.168.99.8)
31-Mar-2017 11:08:49.285 client 192.168.99.6#51560 
(6.99.30.172.in-addr.arpa): query: 6.99.30.172.in-addr.arpa IN SOA + 
(192.168.99.8)
31-Mar-2017 11:08:49.288 client 192.168.99.6#58260 
(client008.my.domain.de): query: client008.my.domain.de IN A + 
(192.168.99.8)
31-Mar-2017 11:08:49.294 samba_dlz: starting transaction on zone 
99.30.172.in-addr.arpa
31-Mar-2017 11:08:49.294 client 192.168.99.6#49428: update 
'99.30.172.in-addr.arpa/IN' denied
31-Mar-2017 11:08:49.295 samba_dlz: cancelling transaction on zone 
99.30.172.in-addr.arpa
31-Mar-2017 11:08:49.297 client 192.168.99.6#60163 
(196-ms-7.23-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb): query: 
196-ms-7.23-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb IN TKEY -T 
(192.168.99.8)

If we executed
samba_dnsupdate --verbose --all-names
no errors are displayed.

The rights of /var/lib/samba/private/dns/sam.ldb.d/*
are 660.

relevated content of /etc/bind/named.conf.options
-------------------------------------------------
allow-update { any;};
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
dnssec-validation no;
dnssec-enable no;

We run
------
samba_upgradedns --dns-backend=BIND9_DLZ

/etc/samba/smb.conf
-------------------
server services = -dns

named -V
--------
BIND 9.9.5-9+deb8u10-Debian (Extended Support Version) <id:f9b8a50e> 
built by make with '--prefix=/usr' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info'
'--sysconfdir=/etc/bind' '--localstatedir=/var'
'--enable-threads'
'--enable-largefile' '--with-libtool' '--enable-shared'
'--enable-static'
'--with-openssl=/usr' '--with-gssapi=/usr'
'--with-gnu-ld'
'--with-geoip=/usr' '--with-atf=no' '--enable-ipv6'
'--enable-rrl'
'--enable-filter-aaaa'
'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks 
-DDIG_SIGCHASE -O2'
compiled by GCC 4.9.2
using OpenSSL version: OpenSSL 1.0.1t  3 May 2016
using libxml2 version: 2.9.1

Timesync
---------
correct time

In the named.config.local we have not create an zone for
"my.domain.de".
I think this is not nessesary.

dpkg -l | grep sernet
----------------------
ii  libwbclient0:amd64               99:4.5.7-16 
amd64        Glue package for sernet-samba-libs.
ii  sernet-samba                     99:4.5.7-16 
amd64        SMB/CIFS file, print, and login server for Unix
ii  sernet-samba-ad                  99:4.5.7-16 
amd64        Samba Active Directory Domain Controller
ii  sernet-samba-client              99:4.5.7-16 
amd64        a LanManager-like simple client for Unix
ii  sernet-samba-common              99:4.5.7-16 
all          Samba common files used by both the server and the client
ii  sernet-samba-keyring             1.5 
all          GnuPG archive keys of the SerNet Samba archive
ii  sernet-samba-libs:amd64          99:4.5.7-16 
amd64        Samba common library files used by both the server and the 
client
ii  sernet-samba-libsmbclient0:amd64 99:4.5.7-16 
amd64        Shared library that allows applications to talk to SMB servers
ii  sernet-samba-winbind             99:4.5.7-16 
amd64        Samba nameservice integration server

Can anybody help me?

On Sat, 1 Apr 2017 16:44:38 +0200
Karl Heinz Wichmann via samba <samba at lists.samba.org> wrote:

> The rights of /var/lib/samba/private/dns/sam.ldb.d/*
> are 660.
> 
Just in case you don't know, do not touch the files inside
private/dns/sam.ldb.d or private/sam.ldb.d

Right having got that out of the way, who
owns /var/lib/samba/private/sam.ldb ?

It should be root:bind with 660 permissions.

Rowland