Dario Lesca
2020-Mar-05 14:23 UTC
[Samba] Samba 4.12.0 on Fedora32: bind DNS still say "named: client @...: update 'fedora.loc/IN' denied"
Hi,

I'm doing some tests of samba DC 4.12.0 + MIT (experimental) Kerberos + Bind DNS + Dhcpd + Chronyd on Fedora 32 beta.

Everything works fine except this issue:

DHCP works, and the script for recording the names of clients into DNS is disabled (as Rowland suggested).
https://lists.samba.org/archive/samba-technical/2020-February/134875.html

If I join a new Windows client to the domain, everything works fine and I can log in with domain users or connect to other shared resources.

But in the syslog of the DC server, every few minutes I see this error:

    mar 05 14:45:43 addc1.fedora.loc dhcpd[773]: DHCPREQUEST for 192.168.122.102 from 52:54:00:7e:c7:bb (win10b) via ens3
    mar 05 14:45:43 addc1.fedora.loc dhcpd[773]: DHCPACK on 192.168.122.102 to 52:54:00:7e:c7:bb (win10b) via ens3
    mar 05 14:45:43 addc1.fedora.loc named[718]: samba_dlz: starting transaction on zone fedora.loc
    mar 05 14:45:43 addc1.fedora.loc named[718]: client @0x7f5ef03e5ed0 192.168.122.102#56448: update 'fedora.loc/IN' denied

and the client is not registered in the DNS zone.

What am I missing, or what is badly configured?

Is it possible, when the client is joined to the domain or after a DHCP request, to record the name of the Windows client into DNS, as (I imagine) happens when it is joined to an MS-DC server?

Many thanks

--
Dario Lesca
(sent from my Linux Fedora 31 Workstation)
Rowland penny
2020-Mar-05 15:07 UTC
[Samba] Samba 4.12.0 on Fedora32: bind DNS still say "named: client @...: update 'fedora.loc/IN' denied"
On 05/03/2020 14:23, Dario Lesca via samba wrote:
> Hi, I'm doing some tests of samba DC 4.12.0 + MIT (experimental)
> Kerberos + Bind DNS + Dhcpd + Chronyd on Fedora 32 beta.

I think I said use either the dhcp script or allow your clients to update their own records. The problem is, if you previously used the DHCP script, the clients' records no longer belong to the clients, so they will not be able to update them. Try deleting the records and allow the clients to recreate them.

Finally, do not use the Fedora Samba packages as a DC in production, only use them for testing, they are marked experimental for a reason.

Rowland
Dario Lesca
2020-Mar-05 15:51 UTC
[Samba] Samba 4.12.0 on Fedora32: bind DNS still say "named: client @...: update 'fedora.loc/IN' denied"
On Thu, 05/03/2020 at 15:07 +0000, Rowland penny via samba wrote:
> I think I said use either the dhcp script or allow your clients to
> update their own records. The problem is, if you previously used the
> DHCP script, the clients' records no longer belong to the clients, so
> they will not be able to update them. Try deleting the records and
> allow the clients to recreate them.

In DNS there is now no reference to these win10 clients or IP.

I removed the first win10 client (win10a) from DNS before joining it, and I have tried with another new win10 PC (win10b); before joining it to the domain, its IP/name did not exist in the domain or DNS.

This is the output of samba-tool dns query:

    cmd=[samba-tool dns query localhost fedora.loc @ ALL -Uadministrator]
      Name=, Records=3, Children=0
        SOA: serial=7, refresh=900, retry=600, expire=86400, minttl=3600, ns=addc1.fedora.loc., email=hostmaster.fedora.loc. (flags=600000f0, serial=7, ttl=3600)
        NS: addc1.fedora.loc. (flags=600000f0, serial=4, ttl=900)
        A: 192.168.122.100 (flags=600000f0, serial=4, ttl=900)
      Name=_msdcs, Records=0, Children=0
      Name=_sites, Records=0, Children=1
      Name=_tcp, Records=0, Children=4
      Name=_udp, Records=0, Children=2
      Name=addc1, Records=1, Children=0
        A: 192.168.122.100 (flags=f0, serial=1, ttl=900)
      Name=centos8, Records=1, Children=0
        A: 192.168.122.11 (flags=f0, serial=2, ttl=900)
      Name=DomainDnsZones, Records=0, Children=2
      Name=ForestDnsZones, Records=0, Children=2
      Name=test, Records=1, Children=0
        A: 192.168.122.33 (flags=f0, serial=5, ttl=3600)

What other checks can I do?

> Finally, do not use the Fedora Samba packages as a DC in production,
> only use them for testing, they are marked experimental for a reason.

Yes, I know, this is a test environment for testing the Fedora package and MIT Kerberos in order to make it, sooner or later, stop being experimental.

Thanks

--
Dario Lesca
(sent from my Linux Fedora 31 Workstation)
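Added example, not part of the thread and not Samba or BIND code: a small Python helper that pairs each named "update ... denied" line with the dhcpd DHCPACK for the same IP, so the hosts whose dynamic updates are being refused can be listed before checking or deleting their records. The first four sample lines are the ones quoted in the first post; the last two are constructed, and the function name `denied_updates` is hypothetical.

```python
import re
from collections import Counter

# First four lines are from the post above; the last two are constructed
# (a repeated denial and a client with no DHCPACK in the window).
SAMPLE_LOG = """\
mar 05 14:45:43 addc1.fedora.loc dhcpd[773]: DHCPREQUEST for 192.168.122.102 from 52:54:00:7e:c7:bb (win10b) via ens3
mar 05 14:45:43 addc1.fedora.loc dhcpd[773]: DHCPACK on 192.168.122.102 to 52:54:00:7e:c7:bb (win10b) via ens3
mar 05 14:45:43 addc1.fedora.loc named[718]: samba_dlz: starting transaction on zone fedora.loc
mar 05 14:45:43 addc1.fedora.loc named[718]: client @0x7f5ef03e5ed0 192.168.122.102#56448: update 'fedora.loc/IN' denied
mar 05 14:50:43 addc1.fedora.loc named[718]: client @0x7f5ef03e5ed0 192.168.122.102#56449: update 'fedora.loc/IN' denied
mar 05 14:51:02 addc1.fedora.loc named[718]: client @0x7f5ef03e6aa0 192.168.122.150#49152: update 'fedora.loc/IN' denied
"""

# dhcpd: "DHCPACK on <ip> to <mac> (<hostname>) via <iface>"; hostname is optional.
DHCPACK = re.compile(
    r"dhcpd\[\d+\]: DHCPACK on (?P<ip>\S+) to (?P<mac>\S+)(?: \((?P<host>[^)]+)\))? via")
# named: "client [@0x...] <ip>#<port>: update '<zone>/IN' denied"
DENIED = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+[^:]*: "
    r"update '(?P<zone>[^'/]+)/IN' denied")

def denied_updates(log_text):
    """Map (client_ip, zone) -> {"host", "mac", "count"} for denied updates."""
    leases = {}          # ip -> (hostname, mac) from the latest DHCPACK seen
    counts = Counter()   # (ip, zone) -> number of denied updates
    for line in log_text.splitlines():
        ack = DHCPACK.search(line)
        if ack:
            leases[ack["ip"]] = (ack["host"], ack["mac"])
            continue
        den = DENIED.search(line)
        if den:
            counts[(den["ip"], den["zone"])] += 1
    report = {}
    for (ip, zone), n in counts.items():
        host, mac = leases.get(ip, (None, None))  # None: no lease in this log
        report[(ip, zone)] = {"host": host, "mac": mac, "count": n}
    return report

if __name__ == "__main__":
    for (ip, zone), info in sorted(denied_updates(SAMPLE_LOG).items()):
        print(f"{ip} zone={zone} host={info['host']} mac={info['mac']} denied={info['count']}")
```

A client that appears with `host=None` sent an update without a matching DHCPACK in the log window, for example a statically addressed machine.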