L.P.H. van Belle via samba wrote:

> > c) seems to use some ''random'' AD DNS, not the one in the site, for
> > example.
> Yes that is correct. ( The DC Locator Process does that )
> If you don't want that, you can assign by GPO a preferred server.
> You can set it as preferred server per site in the GPO. ( note, a pc needs 2 reboots )
> Set the variable logon server in a GPO.
> That's one of the options.

I've looked at the options (and the link you posted) but I'm a bit puzzled.

Reading the (un)meaningful explanation, it seems to me that by default the DC locator has to prefer the local DC (which has cost 0) instead of remote ones (which have cost 100 or more).

I've enabled 'try next closest site' but it seems to me it is not the solution...

> And try this setting.
> include "/etc/bind/rndc.key";
> controls {
>     inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
> };

Still, it's not clear to me what this stanza has to do with DNS and Windows clients, but... I'll add it. ;-)

-- 
dott. Marco Gaiarin                                 GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

        Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
    (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On Wed, 13 Jun 2018 18:41:02 +0200
Marco Gaiarin via samba <samba at lists.samba.org> wrote:

> L.P.H. van Belle via samba wrote:
>
> > > c) seems to use some ''random'' AD DNS, not the one in the site,
> > > for example.
> > Yes that is correct. ( The DC Locator Process does that )
> > If you don't want that, you can assign by GPO a preferred server.
> > You can set it as preferred server per site in the GPO. ( note, a
> > pc needs 2 reboots ) Set the variable logon server in a GPO.
> > That's one of the options.
>
> I've looked at the options (and the link you posted) but I'm a bit
> puzzled.
>
> Reading the (un)meaningful explanation, it seems to me that by default
> the DC locator has to prefer the local DC (which has cost 0) instead of
> remote ones (which have cost 100 or more).
>
> I've enabled 'try next closest site' but it seems to me it is not the
> solution...
>
> > And try this setting.
> > include "/etc/bind/rndc.key";
> > controls {
> >     inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
> > };
>
> Still, it's not clear to me what this stanza has to do with DNS and
> Windows clients, but... I'll add it. ;-)
>

I don't understand it either, the rndc.key is absolutely not used by Samba or Bind9 in an AD domain.

Rowland
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Rowland Penny via samba
> Sent: Wednesday 13 June 2018 18:50
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba, AD, 'short' name resolving...
>
> > I've enabled 'try next closest site' but it seems to me it is not the
> > solution...
> >
> > > And try this setting.
> > > include "/etc/bind/rndc.key";
> > > controls {
> > >     inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
> > > };
> >
> > Still, it's not clear to me what this stanza has to do with DNS and
> > Windows clients, but... I'll add it. ;-)
> >
>
> I don't understand it either, the rndc.key is absolutely not used by
> Samba or Bind9 in an AD domain.
>
> Rowland
>

Then great to hear I'm not alone. :-/

But by adding that part, my TSIG error message was gone from my logs.
I think the internal GSS-TSIG is used/passed, but in this case I don't know exactly. For now, it works and it did no harm.
I did find that when searching for GSS-TSIG; can't find the link atm.

So try it and see if the error goes away in the logs. If that's the case, then we need someone who can explain this.

Greetz,

Louis
L.P.H. van Belle via samba wrote:

> > I don't understand it either, the rndc.key is absolutely not used by
> > Samba or Bind9 in an AD domain.
> Then great to hear I'm not alone. :-/
> But by adding that part, my TSIG error message was gone from my logs.

Added, but caught that:

Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#50403: update 'ad.fvg.lnf.it/IN' denied
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: cancelling transaction on zone ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing update of signer=ALBERT\$\@AD.FVG.LNF.IT name=ALBERT.ad.fvg.lnf.it tcpaddr= type=AAAA key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing update of signer=ALBERT\$\@AD.FVG.LNF.IT name=ALBERT.ad.fvg.lnf.it tcpaddr= type=A key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing update of signer=ALBERT\$\@AD.FVG.LNF.IT name=ALBERT.ad.fvg.lnf.it tcpaddr= type=A key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#61734/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'ALBERT.ad.fvg.lnf.it' AAAA
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#61734/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'ALBERT.ad.fvg.lnf.it' A
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: subtracted rdataset ALBERT.ad.fvg.lnf.it 'ALBERT.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.64'
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#61734/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'ALBERT.ad.fvg.lnf.it' A
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: added rdataset ALBERT.ad.fvg.lnf.it 'ALBERT.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.64'
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: committed transaction on zone ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#57791: update 'ad.fvg.lnf.it/IN' denied
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: cancelling transaction on zone ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing update of signer=ALBERT\$\@AD.FVG.LNF.IT name=ALBERT.ad.fvg.lnf.it tcpaddr= type=AAAA key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing update of signer=ALBERT\$\@AD.FVG.LNF.IT name=ALBERT.ad.fvg.lnf.it tcpaddr= type=A key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing update of signer=ALBERT\$\@AD.FVG.LNF.IT name=ALBERT.ad.fvg.lnf.it tcpaddr= type=A key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#50303/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'ALBERT.ad.fvg.lnf.it' AAAA
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#50303/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'ALBERT.ad.fvg.lnf.it' A
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: subtracted rdataset ALBERT.ad.fvg.lnf.it 'ALBERT.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.64'
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#50303/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'ALBERT.ad.fvg.lnf.it' A
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: added rdataset ALBERT.ad.fvg.lnf.it 'ALBERT.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.64'
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: committed transaction on zone ad.fvg.lnf.it
Jun 15 05:48:45 vdcsv2 named[6494]: client 10.5.2.64#50303: request has invalid signature: TSIG 1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49 (ALBERT\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)

Looking at:

  https://wiki.debian.org/Bind9#File_.2Fetc.2Fbind.2Fnamed.conf

the note:

  // Configure the communication channel for Administrative BIND9 with rndc
  // By default, the key is in the rndc.key file and is used by rndc and bind9
  // on the localhost

it seems to me that inclusion of rndc.conf and access on localhost is the default, and so it is not needed.

-- 
dott. Marco Gaiarin
I'm wondering why your log below shows this order, I just noticed.

Why is the computer trying to set the A records 2x?

Lines 1-13 show a successful commit of the A/AAAA records. ( TSIG key ok )

If you count the lines below, after line 13, my logs show:

samba_dlz: starting transaction on zone 1.168.192.in-addr.arpa

Yours is trying again to update:

samba_dlz: starting transaction on zone ad.fvg.lnf.it

So the only thing I can think of is:
1- you get the update for your zone: ad.fvg.lnf.it
2- it gets in successfully.
3- it does it again, but bind changed the key.

client 10.5.2.64#61734/key  ( first attempt, ok )
client 10.5.2.64#50303/key  ( second attempt, fail )

Where is the reverse zone?

I don't know if this is the fix, but it's the only thing I can find for now.
But I do think this is the problem. ( since everything happened at exactly: Jun 15 05:48:40 )

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Marco Gaiarin via samba
> Sent: Friday 15 June 2018 10:57
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba, AD, 'short' name resolving...
>
> L.P.H. van Belle via samba wrote:
>
> > > I don't understand it either, the rndc.key is absolutely not used by
> > > Samba or Bind9 in an AD domain.
> > Then great to hear I'm not alone. :-/
> > But by adding that part, my TSIG error message was gone from my logs.
>
> Added, but caught that:
>
> Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
> Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#50403: update 'ad.fvg.lnf.it/IN' denied
> Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: cancelling transaction on zone ad.fvg.lnf.it
> Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
> Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing update of signer=ALBERT\$\@AD.FVG.LNF.IT name=ALBERT.ad.fvg.lnf.it tcpaddr= type=AAAA key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
> Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing update of signer=ALBERT\$\@AD.FVG.LNF.IT name=ALBERT.ad.fvg.lnf.it tcpaddr= type=A key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
> Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing update of signer=ALBERT\$\@AD.FVG.LNF.IT name=ALBERT.ad.fvg.lnf.it tcpaddr= type=A key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
> Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#61734/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'ALBERT.ad.fvg.lnf.it' AAAA
> Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#61734/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'ALBERT.ad.fvg.lnf.it' A
> Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: subtracted rdataset ALBERT.ad.fvg.lnf.it 'ALBERT.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.64'
> Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#61734/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'ALBERT.ad.fvg.lnf.it' A
> Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: added rdataset ALBERT.ad.fvg.lnf.it 'ALBERT.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.64'
> Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: committed transaction on zone ad.fvg.lnf.it
> Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
> Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#57791: update 'ad.fvg.lnf.it/IN' denied
> Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: cancelling transaction on zone ad.fvg.lnf.it
> Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
> Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing update of signer=ALBERT\$\@AD.FVG.LNF.IT name=ALBERT.ad.fvg.lnf.it tcpaddr= type=AAAA key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
> Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing update of signer=ALBERT\$\@AD.FVG.LNF.IT name=ALBERT.ad.fvg.lnf.it tcpaddr= type=A key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
> Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing update of signer=ALBERT\$\@AD.FVG.LNF.IT name=ALBERT.ad.fvg.lnf.it tcpaddr= type=A key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
> Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#50303/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'ALBERT.ad.fvg.lnf.it' AAAA
> Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#50303/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'ALBERT.ad.fvg.lnf.it' A
> Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: subtracted rdataset ALBERT.ad.fvg.lnf.it 'ALBERT.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.64'
> Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#50303/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'ALBERT.ad.fvg.lnf.it' A
> Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: added rdataset ALBERT.ad.fvg.lnf.it 'ALBERT.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.64'
> Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: committed transaction on zone ad.fvg.lnf.it
> Jun 15 05:48:45 vdcsv2 named[6494]: client 10.5.2.64#50303: request has invalid signature: TSIG 1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49 (ALBERT\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)
>
> Looking at:
>
>   https://wiki.debian.org/Bind9#File_.2Fetc.2Fbind.2Fnamed.conf
>
> the note:
>
>   // Configure the communication channel for Administrative BIND9 with rndc
>   // By default, the key is in the rndc.key file and is used by rndc and bind9
>   // on the localhost
>
> it seems to me that inclusion of rndc.conf and access on localhost is the
> default, and so it is not needed.
>
> -- 
> dott. Marco Gaiarin
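Louis' reading of the log above (first signed socket 61734 commits, second signed socket 50303 commits and then, five seconds later, fails TSIG verification with BADSIG) is the kind of correlation that is tedious to do by eye in a busy named log. The following is an added example, not code from the thread or from Samba/BIND: a small Python script that parses named's "client ip#port" lines, groups them per client socket, and gives each socket a verdict. The log lines embedded in it are copied from Marco's message above (trimmed to the A-record lines; the `\$\@` escapes are how the list archive rendered the signer name and are kept as-is). The unsigned "update denied" sockets (50403, 57791) are the normal first step of a Windows dynamic update: the client tries an unsecured update, a secure-only zone refuses it, and the client retries with GSS-TSIG, which is what the "/key ALBERT$@..." sockets are.

```python
"""Correlate BIND9 dynamic-update log lines from a Samba AD DC (samba_dlz
backend) per client socket, so a later TSIG BADSIG can be matched to the
update attempt it belongs to.  Added example, not part of the thread."""
import re
from datetime import datetime

# Log lines copied from the thread (A-record lines only); not synthetic,
# but shortened.  samba_dlz lines carry no client socket and are skipped.
LOG = r"""
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting transaction on zone ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#50403: update 'ad.fvg.lnf.it/IN' denied
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: cancelling transaction on zone ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing update of signer=ALBERT\$\@AD.FVG.LNF.IT name=ALBERT.ad.fvg.lnf.it tcpaddr= type=A key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#61734/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'ALBERT.ad.fvg.lnf.it' A
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#61734/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'ALBERT.ad.fvg.lnf.it' A
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: committed transaction on zone ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#57791: update 'ad.fvg.lnf.it/IN' denied
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#50303/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'ALBERT.ad.fvg.lnf.it' A
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#50303/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'ALBERT.ad.fvg.lnf.it' A
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: committed transaction on zone ad.fvg.lnf.it
Jun 15 05:48:45 vdcsv2 named[6494]: client 10.5.2.64#50303: request has invalid signature: TSIG 1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49 (ALBERT\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)
""".strip().splitlines()

# syslog prefix: "Mon dd HH:MM:SS host named[pid]: <message>"
RE_LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: (?P<msg>.*)$")
# "client ip#port[/key <tsig key name>]: <rest>"; the /key part is present
# only once named has verified the TSIG on that request.
RE_CLIENT = re.compile(r"^client (?P<ip>[\d.]+)#(?P<port>\d+)(?:/key (?P<key>\S+?))?: (?P<rest>.*)$")
# A failed verification still names the key and the signer in the message.
RE_BADSIG = re.compile(r"TSIG (?P<tkey>\S+) \((?P<signer>[^)]+)\): tsig verify failure \((?P<code>\w+)\)")


def parse_named_log(lines):
    """Return {(ip, port): {'signer', 'first', 'last', 'events'}} in log order."""
    sessions = {}
    for line in lines:
        m = RE_LINE.match(line)
        if not m:
            continue
        c = RE_CLIENT.match(m.group("msg"))
        if not c:
            continue  # samba_dlz transaction lines: no socket to correlate on
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        sock = (c.group("ip"), int(c.group("port")))
        s = sessions.setdefault(sock, {"signer": c.group("key"), "first": ts,
                                       "last": ts, "events": []})
        s["last"] = ts
        rest = c.group("rest")
        if rest.endswith(" denied"):
            s["events"].append("denied")
        elif rest.startswith("updating zone "):
            s["events"].append("update")
        else:
            b = RE_BADSIG.search(rest)
            if b:
                s["events"].append(b.group("code").lower())  # e.g. 'badsig'
                s["signer"] = s["signer"] or b.group("signer")
            else:
                s["events"].append("other")
    return sessions


def classify(sessions):
    """One verdict per socket: (ip, port, signer, verdict, seconds spanned)."""
    out = []
    for (ip, port), s in sessions.items():
        ev = s["events"]
        span = int((s["last"] - s["first"]).total_seconds())
        if "badsig" in ev:
            # BADSIG after an accepted update on the *same* socket is the
            # pattern Louis points at: the client kept the socket, but the
            # server no longer accepts its signature.
            verdict = "badsig-after-update" if "update" in ev[:ev.index("badsig")] else "badsig"
        elif s["signer"] is None and ev and all(e == "denied" for e in ev):
            verdict = "unsigned-probe"  # expected: refused before the GSS-TSIG retry
        elif s["signer"] and "update" in ev:
            verdict = "ok"
        else:
            verdict = "unclassified"
        out.append((ip, port, s["signer"], verdict, span))
    return out


if __name__ == "__main__":
    for ip, port, signer, verdict, span in classify(parse_named_log(LOG)):
        print(f"{ip}#{port:<6} {verdict:<20} span={span}s signer={signer}")
```

Run against a real /var/log/syslog (or `journalctl -u named`) the same two functions give one line per client socket, so a BADSIG can be read next to the update that preceded it instead of 30 lines further down; the socket-level grouping is the point, since the `/key` annotation disappears on the very line where verification fails.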