Elias Pereira
2018-Jul-02 13:27 UTC
[Samba] client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
Hello,

The error described in the email title happens in version 9.10 of the BIND that I have installed in our main DC. In view of that, I found the Samba wiki article that talks about this problem:
https://wiki.samba.org/index.php/Using_BIND_DLZ_backend_with_secured_/_signed_DNS_updates

I made a new installation via source with the suggested options:

root at dc3:~# fakeroot ./configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var --enable-threads --enable-largefile --with-libtool --enable-shared --enable-static --with-openssl=/usr --with-gssapi=/usr --with-gnu-ld --with-dlz-postgres=no --with-dlz-mysql=no --with-dlz-bdb=yes --with-dlz-filesystem=yes --with-dlz-ldap=yes --with-dlz-stub=yes --with-dlopen=yes --with-geoip=/usr --enable-ipv6 CFLAGS=-fno-strict-aliasing

root at dc3:~# named -v
BIND 9.12.1-P2 <id:14b0e01>

root at dc3:/etc/bind# named-checkconf
OK

samba_dnsupdate --verbose --all-names
OK

samba-tool dbcheck --cross-ncs --reset-well-known-acls --fix --yes
OK

named.conf.options:

options {
    directory "/var/cache/bind";
    version "non3";
    forwarders { xxx.xxx.xxx.xxx; }; #public IP
    allow-query { internal; };
    #dnssec-enable no;
    dnssec-validation no;
    #dnssec-lookaside auto;
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    auth-nxdomain no; # conform to RFC1035
    listen-on port 53 { 127.0.0.1; xxx.xxx.xxx.xxx; }; #public IP
    #listen-on-v6 { none; };
    zone-statistics yes;
    statistics-file "/var/log/named/stats/named_stats.log";
};

include "/etc/bind/rndc.key";
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

acl "internal" {
    172.16.0.0/16;
    10.10.4.0/24;
    10.10.5.0/26;
    xxx.xxx.xxx.xxx/26;
    10.59.0.0/16;
    10.41.0.0/22;
    10.42.2.0/24;
    10.50.0.0/22;
    10.51.0.0/23;
    10.52.0.0/24;
    10.40.0.0/16;
    10.10.1.0/26;
    xxx.xxx.xxx.xxx/26;
    10.10.10.0/26;
};

For example, if the 172.16.5.86 client is offline, can it cause the error?

Any idea?

-- 
Elias Pereira
Rowland Penny
2018-Jul-02 13:48 UTC
[Samba] client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
On Mon, 2 Jul 2018 10:27:58 -0300
Elias Pereira via samba <samba at lists.samba.org> wrote:

> Hello,
>
> The error described in the email title happens in version 9.10 of the
> bind that I have installed in our main DC. In face of that, I found
> the samba wiki article that talks about this problem.
> https://wiki.samba.org/index.php/Using_BIND_DLZ_backend_with_secured_/_signed_DNS_updates
>
> I made a new installation via source with the suggested options:
>
> root at dc3:~# fakeroot ./configure --prefix=/usr --mandir=/usr/share/man
> --infodir=/usr/share/info --sysconfdir=/etc/bind --localstatedir=/var
> --enable-threads --enable-largefile --with-libtool --enable-shared
> --enable-static --with-openssl=/usr --with-gssapi=/usr --with-gnu-ld
> --with-dlz-postgres=no --with-dlz-mysql=no --with-dlz-bdb=yes
> --with-dlz-filesystem=yes --with-dlz-ldap=yes --with-dlz-stub=yes
> --with-dlopen=yes --with-geoip=/usr --enable-ipv6
> CFLAGS=-fno-strict-aliasing
>
> root at dc3:~# named -v
> BIND 9.12.1-P2 <id:14b0e01>

Hmm, bind 9.12.x isn't supported yet.

> named.conf.options
> options {
>     directory "/var/cache/bind";
>     version "non3";
>     forwarders { xxx.xxx.xxx.xxx; }; #public IP
>     allow-query { internal; };
>     dnssec-validation no;
>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
>     auth-nxdomain no; # conform to RFC1035
>     listen-on port 53 { 127.0.0.1; xxx.xxx.xxx.xxx; }; #public IP
>     zone-statistics yes;
>     statistics-file "/var/log/named/stats/named_stats.log";
> };
>
> include "/etc/bind/rndc.key";
> controls {
>     inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
> };

You do not need the four lines above.

> acl "internal" {
>     172.16.0.0/16;
>     10.10.4.0/24;
>     10.10.5.0/26;
>     xxx.xxx.xxx.xxx/26;
>     10.59.0.0/16;
>     10.41.0.0/22;
>     10.42.2.0/24;
>     10.50.0.0/22;
>     10.51.0.0/23;
>     10.52.0.0/24;
>     10.40.0.0/16;
>     10.10.1.0/26;
>     xxx.xxx.xxx.xxx/26;
>     10.10.10.0/26;
> };
>
> For example, if the 172.16.5.86 client is offline, can it cause the
> error?

I wouldn't think so.

You mention '#public IP' twice, are they both the same IP and is it
the DC ipaddress and if so, why are you trying to forward the DC to
itself?

Rowland
Elias Pereira
2018-Jul-02 15:12 UTC
[Samba] client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
> Hmm, bind 9.12.x isn't supported yet.

It works with "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so" without problems, at first.

> > include "/etc/bind/rndc.key";
> > controls {
> >     inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
> > };
>
> You do not need the four lines above.

Ok, but if I leave it in, it does not cause problems either, I believe!?

> You mention '#public IP' twice, are they both the same IP and is it
> the DC ipaddress and if so, why are you trying to forward the DC to
> itself?

No, two different networks.

xxx.xxx.xxx.0/26
xxx.xxx.xxx.128/26

Sometimes "samba_dlz: spnego update failed" appears in the log. I found this link that talks about the problem:
https://bugzilla.redhat.com/show_bug.cgi?id=1528867

I added KRB5RCACHETYPE="none" to /etc/default/bind9, but the error message keeps appearing.

Any other idea? :)

-- 
Elias Pereira
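The thread never gets past eyeballing individual "update ... denied" lines, so here is an added triage script for that part of the problem. It is not from the thread, Samba or BIND; it is an example written for this page. It parses named log lines of the shape quoted in the subject, counts denials per client and zone, counts the "samba_dlz: spnego update failed" lines, and checks each denied client against the acl "internal" networks copied from the posted named.conf.options (the two masked xxx.xxx.xxx.xxx/26 ranges are left out because the post does not give them). The point of the acl check is the one the thread circles around: allow-query only governs queries, so a client that is inside the acl and still denied is failing the GSS-TSIG (Kerberos/SPNEGO) authorization step, not an address filter. The timestamp and category prefixes on the sample lines, and the extra clients, are constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Networks copied from the acl "internal" in the thread's named.conf.options.
# The two masked xxx.xxx.xxx.xxx/26 ranges are omitted (not given in the post).
INTERNAL_ACL = [
    "172.16.0.0/16", "10.10.4.0/24", "10.10.5.0/26", "10.59.0.0/16",
    "10.41.0.0/22", "10.42.2.0/24", "10.50.0.0/22", "10.51.0.0/23",
    "10.52.0.0/24", "10.40.0.0/16", "10.10.1.0/26", "10.10.10.0/26",
]

# Constructed sample log. The first line is the message from the thread subject;
# the timestamps, categories and the other clients are made up for illustration.
SAMPLE_LOG = """\
02-Jul-2018 10:20:01.123 update-security: info: client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
02-Jul-2018 10:20:01.125 general: error: samba_dlz: spnego update failed
02-Jul-2018 10:21:14.007 update-security: info: client @0x7f6ed801aa10 172.16.5.86#62590: update 'campus.company.intra/IN' denied
02-Jul-2018 10:22:30.440 update-security: info: client @0x7f6ed802bb30 192.0.2.77#40012: update 'campus.company.intra/IN' denied
02-Jul-2018 10:23:00.001 update: info: client @0x7f6ed803cc40 10.10.4.25#53011: updating zone 'campus.company.intra/IN': adding an RR at 'host25.campus.company.intra' A
"""

# "client @0x... IP#PORT: update 'ZONE' denied"; the @0x... handle is optional
# because older BIND builds log the line without it.
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^']+)' denied"
)
SPNEGO_RE = re.compile(r"samba_dlz: spnego update failed")


def in_acl(ip, acl=INTERNAL_ACL):
    """True if ip falls inside one of the acl networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in acl)


def triage(log_text, acl=INTERNAL_ACL):
    """Summarise denied dynamic updates in a named log.

    Returns a dict with:
      denied           {(client_ip, zone): count}
      outside_acl      denied clients that are not in the acl at all
      inside_acl       denied clients that are in the acl (so the denial is
                       the GSS-TSIG/Kerberos step, not an address filter)
      spnego_failures  number of 'samba_dlz: spnego update failed' lines
    """
    denied = Counter()
    spnego_failures = 0
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            denied[(m["ip"], m["zone"])] += 1
        elif SPNEGO_RE.search(line):
            spnego_failures += 1
    clients = {ip for ip, _zone in denied}
    return {
        "denied": dict(denied),
        "outside_acl": sorted(ip for ip in clients if not in_acl(ip, acl)),
        "inside_acl": sorted(ip for ip in clients if in_acl(ip, acl)),
        "spnego_failures": spnego_failures,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for (ip, zone), n in sorted(report["denied"].items()):
        where = "inside" if ip in report["inside_acl"] else "outside"
        print(f"{ip:16} {zone:28} denied {n}x ({where} acl)")
    print("spnego failures:", report["spnego_failures"])
```

Run it against a real named log with `triage(open("/var/log/named/named.log").read())`, after swapping INTERNAL_ACL for the full acl from your own named.conf.options. A client in "inside_acl" with a non-zero spnego count is the case this thread is about: the address filter is not the problem, so the next things to check are the tkey-gssapi-keytab path and the Kerberos side (the replay cache, which is what the KRB5RCACHETYPE setting mentioned above changes). The spnego line carries no client address, so it is only counted, not attributed to a client.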