Hi again,
dhcp configured as per the SAMBA wiki.
Workstations update automatically.
generally - almost everything works :)
sometimes errors occur:
May 20 14:08:37 ad named[8041]: samba_dlz: disallowing update of signer=TEST_LAP\$\@TEST.LAN name=Test_Lap.test.lan type=AAAA error=insufficient access rights
May 20 14:08:37 ad named[8041]: client @0x7f11fc021e30 10.10.10.101#50217/key TEST_LAP\$\@TEST.LAN: updating zone 'test.lan/NONE': update failed: rejected by secure update (REFUSED)
I added lines to smb.conf:
dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
allow dns updates = nonsecure and secure
unfortunately it doesn't work
Thanks,
Jan
Tue, 18 May 2021 at 10:28 Jan JMPBL <jmpblto at gmail.com> wrote:
> Thank you for your response.
> my named.conf.options file as below
>
> ipv6 - disabled
>
> options {
> directory "/var/cache/bind";
> recursion yes;
> allow-query { any; };
> forwarders { 8.8.8.8; 8.8.4.4; };
> dnssec-enable no;
> dnssec-validation no;
> dnssec-lookaside no;
> listen-on-v6 { none; };
> notify no;
> auth-nxdomain yes;
> empty-zones-enable no;
>
> // DNS dynamic updates via Kerberos
> //var/lib/samba/bind-dns/dns.keytab;
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> minimal-responses yes;
> };
>
> I have not read anywhere that the reverse zone is not updated
> automatically. It usually says it works :)
> I will try to configure the dhcp server to update DNS zones. Do you have
> any good "how to" how to configure it?
>
> Thanks,
>
> Jan
>
>
> Tue, 18 May 2021 at 10:02 L.P.H. van Belle via samba <samba at lists.samba.org> wrote:
>
>> AND.. Before I forget, does the ipv6 reverse zone exist?
>>
>> If you need a private IPv6 number.
>> Have a look at this.
>> wget https://sunknudsen.com/static/media/privacy-guides/how-to-self-host-hardened-strongswan-ikev2-ipsec-vpn-server-for-ios-and-macos/ulagen.py
>>
>> python3 ulagen.py | grep "First subnet" | awk '{print "IPV6_ULA="$3}'
>>
>> (ULA= see https://en.wikipedia.org/wiki/Unique_local_address )
>>
>> (original source of that script :
>> https://gist.github.com/andrewlkho/31341da4f5953b8d977aab368e6280a8 )
>> Can be handy.
>>
>> Last, if you are running on Debian Buster,
>>
>> minimal-responses yes; << add this in named.conf.options in the defaults.
>> (see also :
>> https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server )
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>> > -----Original message-----
>> > From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jan
>> > JMPBL via samba
>> > Sent: Monday 17 May 2021 23:19
>> > To: Rowland penny
>> > CC: sambalist
>> > Subject: Re: [Samba] once again reverse DNS - bind_dlz
>> >
>> > Hi,
>> > thank you,
>> > all changed as you suggested.
>> >
>> > still the reverse zone does not update automatically.
>> > doesn't recognize names. e.g. rsat.test.lan
>> >
>> > root@ad:~# host 10.10.10.160
>> > Host 160.10.10.10.in-addr.arpa. not found: 3 (NXDOMAIN)
>> >
>> > from windows
>> > C:\Users\administrator.TEST.001> nslookup 10.10.10.50
>> > Server: UnKnown
>> > Address: 10.10.10.50
>> >
>> > *** UnKnown can't find 10.10.10.50: Non-existent domain
>> >
>> > do you have any more ideas?
>> >
>> > Thanks,
>> >
>> > Jan
>> >
>> > Mon, 17 May 2021 at 22:27 Rowland penny via samba <samba at lists.samba.org> wrote:
>> >
>> > > On 17/05/2021 20:50, Jan JMPBL wrote:
>> > > > Hi,
>> > > > debug result below:
>> > > >
>> > >
>> > > Not much wrong, just a couple of dns problems, one that is your major
>> > > problem.
>> > >
>> > > Change your /etc/resolv.conf to this:
>> > >
>> > > nameserver 10.10.10.50
>> > > search test.lan
>> > >
>> > > Then change /etc/bind/named.conf.options to match this:
>> > >
>> > > options {
>> > > directory "/var/cache/bind";
>> > >
>> > > recursion yes;
>> > > allow-query { any; };
>> > >
>> > > forwarders { 8.8.8.8; 8.8.4.4; };
>> > >
>> > > dnssec-enable no;
>> > > dnssec-validation no;
>> > >
>> > > listen-on-v6 { none; };
>> > > notify no;
>> > > auth-nxdomain yes;
>> > > empty-zones-enable no;
>> > > // DNS dynamic updates via Kerberos
>> > > // /var/lib/samba/bind-dns/dns.keytab;
>> > > tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>> > > };
>> > >
>> > > You should also install the libkrb5-26-heimdal package
>> > >
>> > > Rowland
>> > >
>> > >
>> > >
>> > > --
>> > > To unsubscribe from this list go to the following URL and read the
>> > > instructions: https://lists.samba.org/mailman/options/samba
>> > >
>> >
>> >
>>
>>
>>
>
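
Added example, not part of the thread: a small Python triage script for the `samba_dlz: disallowing update` lines quoted at the top of this message, separating a machine account refused on a record carrying its own host name from one refused on another host's record. The function names and the `OTHERPC$` line are hypothetical; the sample log is constructed from the two lines in the post.

```python
import re
from collections import Counter

# Constructed sample: the first two lines are the post's log lines with the
# extraction spacing removed; the third line (OTHERPC$) is invented for contrast.
SAMPLE_LOG = r"""May 20 14:08:37 ad named[8041]: samba_dlz: disallowing update of signer=TEST_LAP\$\@TEST.LAN name=Test_Lap.test.lan type=AAAA error=insufficient access rights
May 20 14:08:37 ad named[8041]: client @0x7f11fc021e30 10.10.10.101#50217/key TEST_LAP\$\@TEST.LAN: updating zone 'test.lan/NONE': update failed: rejected by secure update (REFUSED)
May 20 14:09:02 ad named[8041]: samba_dlz: disallowing update of signer=OTHERPC\$\@TEST.LAN name=Test_Lap.test.lan type=A error=insufficient access rights
"""

# Tolerates optional spaces around '=' so lightly mangled copies still parse.
DENY = re.compile(
    r"samba_dlz: disallowing update of signer\s*=\s*(?P<signer>\S+)\s+"
    r"name\s*=\s*(?P<name>\S+)\s+type\s*=\s*(?P<rtype>\S+)\s+"
    r"error\s*=\s*(?P<error>.+)$"
)

def parse_denials(text):
    """Return one dict per samba_dlz denial line found in text."""
    out = []
    for line in text.splitlines():
        m = DENY.search(line)
        if not m:
            continue  # e.g. the paired named 'update failed ... (REFUSED)' line
        signer = m["signer"].replace("\\", "")  # the log escapes '$' and '@'
        account, _, realm = signer.partition("@")
        is_machine = account.endswith("$")
        rec_label = m["name"].split(".")[0].lower()
        out.append({
            "signer": signer,
            "realm": realm,
            "name": m["name"].lower(),
            "rtype": m["rtype"],
            "error": m["error"].strip(),
            # True: a machine account was refused on a record with its own host name
            "own_record": is_machine and account[:-1].lower() == rec_label,
        })
    return out

def summarize(denials):
    """Count denials per (signer, record name, record type, own_record)."""
    return Counter((d["signer"], d["name"], d["rtype"], d["own_record"]) for d in denials)

if __name__ == "__main__":
    for key, count in summarize(parse_denials(SAMPLE_LOG)).items():
        print(count, key)
```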