Michael Brown
2013-Nov-18 18:57 UTC
[Samba] Samba 4.1 acting as RODC, how to fix TSIG and configure DNS?
I've set up a lab for testing Samba 4.1 as an RODC emulating a satellite office setup, using the sernet packages on SLES11SP2.

## Problem 1

samba_dnsupdate is failing:

==> /var/log/samba/log.samba <=
[2013/11/18 13:22:37.416193,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
[2013/11/18 13:22:37.416396,  0] ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
  /usr/sbin/samba_dnsupdate: update failed: REFUSED

Complete output from samba_dnsupdate --verbose --all-names is here:
http://paste.ubuntu.com/6438840/

...
Calling nsupdate for A sles-bree.main.adlab.netdirect.ca 10.0.2.11
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
sles-bree.main.adlab.netdirect.ca. 900 IN A 10.0.2.11

Calling nsupdate for A gc._msdcs.main.adlab.netdirect.ca 10.0.2.11
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.main.adlab.netdirect.ca. 900 IN A 10.0.2.11

; TSIG error with server: tsig verify failure
update failed: REFUSED
Failed nsupdate: 2

I have no idea what to do to fix this. No apparmor complaints, the time is correct, not sure where to go next.

What should I do?

## Problem 2

The Samba server will also need to provide DHCP and DNS service for the local network.

It looks like the internal DNS server doesn't do any caching or recursion so I'm pondering about how to best (read: simplest that works) configure the environment.

(I saw this note: "# If recursive queries = yes is set, the following is also needed" but that option doesn't yet exist in samba: 'Unknown parameter encountered: "recursive queries"')

What I'm thinking is:

* configure samba4 to use the usual internal DNS server
* set up bind:
  * have it listen on a secondary IP
  * forward requests for anything under my root AD dns domain to samba
  * forward requests for reverse zones in AD to samba
  * recurse normally for other domains
  * advantage: caching

or:

* configure samba4 to use the usual internal DNS server
* set up bind:
  * have it listen on a secondary IP
* set in smb.conf: dns forwarder = <bind ip address>

Does one of these make more sense than the other? What are people doing?

M.
--
Michael Brown            | `One of the main causes of the fall of
Systems Consultant       | the Roman Empire was that, lacking zero,
Net Direct Inc.          | they had no way to indicate successful
?: +1 519 883 1172 x5106 | termination of their C programs.' - Firth
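A way to take samba_dnsupdate out of the loop for Problem 1, added here as an example and not part of the original post: replay one of the failing updates by hand with the same mechanism samba_dnsupdate uses (a machine-account ticket plus nsupdate -g). The "; TSIG error with server: ..." line in the output above is nsupdate reporting that it could not verify the TSIG on the server's reply, and "update failed: REFUSED" is that reply's rcode, so the two lines together point at the GSS-TSIG context between this host and the answering server rather than at a zone ACL. The script assumes (none of this is stated in the post) that the RODC's machine account is SLES-BREE$ in realm MAIN.ADLAB.NETDIRECT.CA, that its keys are in the sernet default secrets.keytab, that 10.0.2.11 is the server to send the update to, and that kinit is MIT's; all of it can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not from the thread): replay one GSS-TSIG dynamic update by
# hand, the same kind of update samba_dnsupdate sends, so a "tsig verify
# failure" can be pinned to a step (keytab/ticket, target server, or the
# update itself) without the samba_dnsupdate wrapper in the way.
#
# Assumptions, none of them stated in the original post: the RODC's machine
# account is SLES-BREE$ in realm MAIN.ADLAB.NETDIRECT.CA, its keys are in the
# secrets.keytab below, DC is the DNS server to send the update to, and kinit
# is MIT's (Heimdal's takes -t/-c without -k). Override from the environment.

REALM=${REALM:-MAIN.ADLAB.NETDIRECT.CA}
ZONE=${ZONE:-main.adlab.netdirect.ca}
DC=${DC:-10.0.2.11}
MACHINE=${MACHINE:-SLES-BREE\$}
KEYTAB=${KEYTAB:-/var/lib/samba/private/secrets.keytab}
CCACHE=${CCACHE:-/tmp/dnsupdate-test.cc}
LOG=${LOG:-/tmp/nsupdate-test.log}

# nsupdate batch for one A record. "server" and "zone" are given explicitly so
# the answer is known to come from $DC rather than whichever DC an SOA lookup
# would pick; delete-then-add leaves exactly the record given. TTL 900 matches
# the records in the samba_dnsupdate output above.
mk_update() {  # mk_update <fqdn> <ip> [ttl]
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$DC" "$ZONE" "$1" "$1" "${3:-900}" "$2"
}

# Reduce an nsupdate run to one line. "; TSIG error with server: ..." is
# nsupdate saying it could not verify the TSIG on the server's reply (a GSS
# context/key problem); "update failed: <RCODE>" alone is a plain refusal
# (policy or zone), which is a different investigation.
classify() {  # stdin: nsupdate -d output
    out=$(cat)
    case "$out" in
        *"TSIG error with server: "*)
            printf 'TSIG:%s\n' "$(printf '%s\n' "$out" | sed -n 's/.*TSIG error with server: //p' | head -n 1)" ;;
        *"update failed: "*)
            printf '%s\n' "$out" | sed -n 's/.*update failed: //p' | head -n 1 ;;
        *)
            echo OK ;;
    esac
}

# Step 1: a ticket for the machine account straight from the keytab. Failing
# here (wrong principal, stale keytab, clock skew) is a Kerberos problem and
# rules out DNS entirely; klist shows which realm actually issued it.
get_ticket() {
    kinit -k -t "$KEYTAB" -c "$CCACHE" "$MACHINE@$REALM" && KRB5CCNAME=$CCACHE klist
}

# Step 2: the update itself, GSS-TSIG (-g) with full debug (-d). The "Reply
# from update query" section in $LOG shows the rcode and the TSIG state.
run_update() {  # run_update <fqdn> <ip>
    mk_update "$1" "$2" | KRB5CCNAME=$CCACHE nsupdate -g -d 2>&1 | tee "$LOG" | classify
}

# Usage: sh dnsupdate-test.sh sles-bree.main.adlab.netdirect.ca 10.0.2.11
if [ "$#" -eq 2 ]; then
    get_ticket && run_update "$1" "$2"
fi
```

Run it once against the RODC's own address and once with DC pointed at a writable DC at the head office: if the second succeeds and the first does not, the problem is on the answering server's side of the GSS context, not in the RODC's ticket. Keep the debug log from a failing run; the reply section is what a list post or bug report needs.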
Rowland Penny
2013-Nov-18 19:05 UTC
[Samba] Samba 4.1 acting as RODC, how to fix TSIG and configure DNS?
On 18/11/13 18:57, Michael Brown wrote:
> I've set up a lab for testing Samba 4.1 as an RODC emulating a
> satellite office setup, using the sernet packages on SLES11SP2.
>
> ## Problem 1
> samba_dnsupdate is failing:
> ==> /var/log/samba/log.samba <=
> [2013/11/18 13:22:37.416193, 0]
> ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
> /usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
> [2013/11/18 13:22:37.416396, 0]
> ../lib/util/util_runcmd.c:317(samba_runcmd_io_handler)
> /usr/sbin/samba_dnsupdate: update failed: REFUSED
>
> Complete output from samba_dnsupdate --verbose --all-names is here:
> http://paste.ubuntu.com/6438840/
>
> ...
> Calling nsupdate for A sles-bree.main.adlab.netdirect.ca 10.0.2.11
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> sles-bree.main.adlab.netdirect.ca. 900 IN A 10.0.2.11
>
> Calling nsupdate for A gc._msdcs.main.adlab.netdirect.ca 10.0.2.11
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> gc._msdcs.main.adlab.netdirect.ca. 900 IN A 10.0.2.11
>
> ; TSIG error with server: tsig verify failure
> update failed: REFUSED
> Failed nsupdate: 2
>
> I have no idea what to do to fix this. No apparmor complaints, the
> time is correct, not sure where to go next.
>
> What should I do?
>
> ## Problem 2
> The Samba server will also need to provide DHCP and DNS service for
> the local network.
>
> It looks like the internal DNS server doesn't do any caching or
> recursion so I'm pondering about how to best (read: simplest that
> works) configure the environment.
>
> (I saw this note: "# If recursive queries = yes is set, the following
> is also needed" but that option doesn't yet exist in samba: 'Unknown
> parameter encountered: "recursive queries"')
>
> What I'm thinking is:
> * configure samba4 to use the usual internal DNS server
> * set up bind:
>   * have it listen on a secondary IP
>   * forward requests for anything under my root AD dns domain to samba
>   * forward requests for reverse zones in AD to samba
>   * recurse normally for other domains
>   * advantage: caching
>
> or:
>
> * configure samba4 to use the usual internal DNS server
> * set up bind:
>   * have it listen on a secondary IP
> * set in smb.conf: dns forwarder = <bind ip address>
>
> Does one of these make more sense than the other? What are people doing?
>
> M.
>
Hi, if you are going to set up bind, you might as well use it instead of the internal DNS, and you can then set up DHCP to work with it.

Rowland
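What Rowland's suggestion looks like in practice, added here as an example that is neither from the thread nor Samba project code: switch the DC from the internal DNS server to the BIND9_DLZ backend, so that one BIND instance serves the AD zones (GSS-TSIG updates included), recurses and caches for the LAN, and can later be paired with DHCP. This replaces both of the forwarding layouts sketched in the question, since there is no longer a second DNS server to forward to; the DHCP side is not covered here. Everything site-specific is an assumption: sernet paths under /var/lib/samba/private, LAN 10.0.2.0/24 with the DC on 10.0.2.11 and an upstream resolver at 10.0.2.1, BIND 9.8 or later (tkey-gssapi-keytab; BIND 9.6 and 9.7 use tkey-gssapi-credential and tkey-domain instead), and /var/lib/named as BIND's working directory as on SLES. All of it can be overridden from the environment.

```shell
#!/bin/sh
# Added example (not from the thread, not Samba project code): move the DC
# from the internal DNS server to the BIND9_DLZ backend, so one BIND instance
# serves the AD zones (GSS-TSIG updates included), recurses and caches for
# the LAN, and can later be paired with DHCP. It replaces both forwarding
# layouts sketched in the question; the DHCP side is not covered here.
#
# Assumptions, none from the post: sernet paths under /var/lib/samba/private,
# LAN 10.0.2.0/24 with the DC on 10.0.2.11 and an upstream resolver at
# 10.0.2.1, BIND 9.8 or later (tkey-gssapi-keytab; BIND 9.6/9.7 use
# tkey-gssapi-credential and tkey-domain instead), BIND's working directory
# /var/lib/named as on SLES. Override any of them from the environment.

PRIVATE=${PRIVATE:-/var/lib/samba/private}
SMBCONF=${SMBCONF:-/etc/samba/smb.conf}
DC_IP=${DC_IP:-10.0.2.11}
LAN=${LAN:-10.0.2.0/24}
UPSTREAM=${UPSTREAM:-10.0.2.1}
NAMED_DIR=${NAMED_DIR:-/var/lib/named}
OUT=${OUT:-/etc/named.conf.samba}

# Complete named.conf for a site resolver: answers only on the DC address,
# recurses only for the LAN (never an open resolver), sends non-AD names to
# the upstream, and takes its GSS-TSIG keys from the keytab samba_upgradedns
# writes. The AD zones come from the include Samba generates, not from here.
named_conf() {
    cat <<EOF
options {
    directory "$NAMED_DIR";
    listen-on { $DC_IP; };
    listen-on-v6 { none; };
    allow-query { localhost; $LAN; };
    recursion yes;
    allow-recursion { localhost; $LAN; };
    forwarders { $UPSTREAM; };
    tkey-gssapi-keytab "$PRIVATE/dns.keytab";
};
include "$PRIVATE/named.conf";
EOF
}

# smb.conf rewrite (stdin -> stdout): stop Samba's own DNS server and drop
# "dns forwarder", which only applies to the internal server. An existing
# "server services" line gets "-dns" appended; otherwise one is added to
# [global].
smb_conf_edit() {
    awk '
        /^[ \t]*\[global\]/ && !hdr { hdr = 1; print; next }
        /^[ \t]*server services[ \t]*=/ {
            if ($0 !~ /-dns/) $0 = $0 " -dns"
            svc = 1; print; next
        }
        /^[ \t]*dns forwarder[ \t]*=/ { next }
        /^[ \t]*\[/ && hdr && !svc && !inserted {
            print "\tserver services = -dns"; inserted = 1
        }
        { print }
        END { if (!svc && !inserted) print "\tserver services = -dns" }
    '
}

# The switch itself, in the order the pieces depend on each other.
apply() {
    cp -p "$SMBCONF" "$SMBCONF.bak"
    smb_conf_edit < "$SMBCONF.bak" > "$SMBCONF"
    # Creates $PRIVATE/named.conf (dlopen lines for the installed BIND), the
    # DNS-<host> account and $PRIVATE/dns.keytab; rerun after Samba upgrades.
    samba_upgradedns --dns-backend=BIND9_DLZ
    named_conf > "$OUT"
    named-checkconf "$OUT"    # parse errors stop here, before any restart
    echo "review $OUT, install it as /etc/named.conf, then restart samba and named"
}

# Usage: sh dlz-switch.sh apply   (no argument: only define the functions)
if [ "${1:-}" = apply ]; then
    apply
fi
```

Two things to check before restarting named on SLES: the named user must be able to read dns.keytab, the DLZ module and the generated named.conf (samba_upgradedns prints the ownership it set), and the AppArmor profile for named must allow those paths, otherwise the zones load but GSS-TSIG updates fail in a way that looks very much like the TSIG error in Problem 1. The recursion and query ACLs are deliberately limited to the LAN: a DC that also recurses for the world is an open resolver on the domain's name servers.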