Hi List!

I want to ask the community for help...

I've got a FreeBSD 9.2-RELEASE system with Samba 4.0.8 DC + AD, and BIND 9.9.4 as the DNS service. I am trying to set up dynamic DNS updating, but now I am at a deadlock.

------------------------------------------------------------------------
BIND starts correctly:

Dec 2 05:12:11 Dn named[33323]: samba_dlz: GENSEC backend 'gssapi_spnego' registered
Dec 2 05:12:11 Dn named[33323]: samba_dlz: GENSEC backend 'gssapi_krb5' registered
Dec 2 05:12:11 Dn named[33323]: samba_dlz: GENSEC backend 'gssapi_krb5_sasl' registered
Dec 2 05:12:11 Dn named[33323]: samba_dlz: GENSEC backend 'sasl-DIGEST-MD5' registered
Dec 2 05:12:11 Dn named[33323]: samba_dlz: GENSEC backend 'schannel' registered
Dec 2 05:12:11 Dn named[33323]: samba_dlz: GENSEC backend 'spnego' registered
Dec 2 05:12:11 Dn named[33323]: samba_dlz: GENSEC backend 'ntlmssp' registered
Dec 2 05:12:11 Dn named[33323]: samba_dlz: GENSEC backend 'krb5' registered
Dec 2 05:12:11 Dn named[33323]: samba_dlz: GENSEC backend 'fake_gssapi_krb5' registered
Dec 2 05:12:11 Dn named[33323]: command channel listening on 0.0.0.0#953

------------------------------------------------------------------------
But samba_dnsupdate --verbose --all-names gets errors:

02-Dec-2013 01:41:39.287 database: info: samba_dlz: starting transaction on zone smbdomain.local
02-Dec-2013 01:41:39.288 update-security: error: client 192.168.0.4#49344: update 'smbdomain.local/IN' denied
02-Dec-2013 01:41:39.289 database: info: samba_dlz: cancelling transaction on zone smbdomain.local
02-Dec-2013 01:41:39.309 database: info: samba_dlz: starting transaction on zone smbdomain.local
02-Dec-2013 01:41:39.309 update-security: error: client 192.168.0.4#37771: update 'smbdomain.local/IN' denied

------------------------------------------------------------------------
Probably the authenticity-check protocols are not available...
After that I checked the maintenance of zones:

# dig axfr smbdomain.local

; <<>> DiG 9.8.6-P1 <<>> axfr smbdomain.local
;; global options: +cmd
smbdomain.local. 3600 IN SOA dn.smbdomain.local. hostmaster.smbdomain.local. 1 900 600 86400 0
smbdomain.local. 900 IN NS dn.smbdomain.local.
smbdomain.local. 900 IN A 192.168.0.4
dn.smbdomain.local. 900 IN A 192.168.0.4
_msdcs.smbdomain.local. 900 IN NS dn.smbdomain.local.
_gc._tcp.smbdomain.local. 900 IN SRV 0 100 3268 dn.smbdomain.local.
_ldap._tcp.smbdomain.local. 900 IN SRV 0 100 389 dn.smbdomain.local.
_kpasswd._udp.smbdomain.local. 900 IN SRV 0 100 464 dn.smbdomain.local.
_kpasswd._tcp.smbdomain.local. 900 IN SRV 0 100 464 dn.smbdomain.local.
_kerberos._udp.smbdomain.local. 900 IN SRV 0 100 88 dn.smbdomain.local.
_kerberos._tcp.smbdomain.local. 900 IN SRV 0 100 88 dn.smbdomain.local.
ForestDnsZones.smbdomain.local. 900 IN A 192.168.0.4
DomainDnsZones.smbdomain.local. 900 IN A 192.168.0.4
_ldap._tcp.ForestDnsZones.smbdomain.local. 900 IN SRV 0 100 389 dn.smbdomain.local.
_ldap._tcp.DomainDnsZones.smbdomain.local. 900 IN SRV 0 100 389 dn.smbdomain.local.
_gc._tcp.Default-First-Site-Name._sites.smbdomain.local. 900 IN SRV 0 100 3268 dn.smbdomain.local.
_ldap._tcp.Default-First-Site-Name._sites.smbdomain.local. 900 IN SRV 0 100 389 dn.smbdomain.local.
_kerberos._tcp.Default-First-Site-Name._sites.smbdomain.local. 900 IN SRV 0 100 88 dn.smbdomain.local.
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.smbdomain.local. 900 IN SRV 0 100 389 dn.smbdomain.local.
_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.smbdomain.local. 900 IN SRV 0 100 389 dn.smbdomain.local.
smbdomain.local. 3600 IN SOA dn.smbdomain.local. hostmaster.smbdomain.local. 1 900 600 86400 0
;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Nov 26 23:16:03 OMST 2013
;; XFR size: 21 records (messages 1, bytes 962)

------------------------------------------------------------------------
I tried to check zone updating manually for a local zone:

nsupdate -k Ksmbdomain.local.+157+31840.key upd_file

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;smbdomain.local. IN SOA

;; UPDATE SECTION:
smbdomain.local. 0 ANY A
smbdomain.local. 86400 IN A 192.168.0.4

update failed: REFUSED

------------------------------------------------------------------------
.... REFUSED.....

The part of my named.conf:

.......................
key "rndc-key" {
    algorithm hmac-md5;
    secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
};

key "smbdomain.local" {
    algorithm hmac-md5;
    secret "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
};

controls {
    inet * allow { 192.168.0.0/28; 127.0.0.1; } keys { "smbdomain.local"; "rndc-key"; };
};

options {
    .......
    allow-update { key rndc-key; key smbdomain.local; };
    ......
    tkey-gssapi-keytab "/var/db/samba4/private/dns.keytab";
    tkey-gssapi-credential "DNS/dn.smbdomain.local@SMBDOMAIN.LOCAL";
    tkey-domain "SMBDOMAIN.LOCAL";
};

......zones......

dlz "AD DNS Zone" {
    database "dlopen /usr/local/lib/shared-modules/bind9/dlz_bind9_9.so -d 3";
};

-------------------------------------------------------------------------------
It is written that allow-update must be specified in zone sections, but in this case named-checkconf reports an unknown option. Obviously, this BIND version requires allow-update to be specified in the options section.

Maybe someone could point me to some information source about FreeBSD?

Thanks
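
Added example, not part of the original post: a small Python triage of the named log lines quoted above, counting denied dynamic updates per client and zone and noting any zone whose last samba_dlz transaction in the excerpt was started but not closed. The function name summarize and the regular expressions are this example's own; the sample lines are copied from the post.

```python
import re
from collections import Counter

# Log lines copied from the named log quoted in the post.
SAMPLE_LOG = """\
02-Dec-2013 01:41:39.287 database: info: samba_dlz: starting transaction on zone smbdomain.local
02-Dec-2013 01:41:39.288 update-security: error: client 192.168.0.4#49344: update 'smbdomain.local/IN' denied
02-Dec-2013 01:41:39.289 database: info: samba_dlz: cancelling transaction on zone smbdomain.local
02-Dec-2013 01:41:39.309 database: info: samba_dlz: starting transaction on zone smbdomain.local
02-Dec-2013 01:41:39.309 update-security: error: client 192.168.0.4#37771: update 'smbdomain.local/IN' denied
"""

# update-security denial: client address, source port, zone name, class.
DENIED = re.compile(r"client (\S+?)#\d+: update '([^'/]+)/\w+' denied")
# samba_dlz transaction marker: verb (e.g. starting, cancelling) and zone.
TXN = re.compile(r"samba_dlz: (\w+) transaction on zone (\S+)")


def summarize(log_text):
    """Return (denied, open_txn).

    denied   -- Counter keyed by (client IP, zone) of refused updates
    open_txn -- sorted zones whose most recent transaction line is 'starting'
    """
    denied = Counter()
    last_verb = {}
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            # Source ports change per request, so group by address only.
            denied[(m.group(1), m.group(2))] += 1
            continue
        m = TXN.search(line)
        if m:
            last_verb[m.group(2)] = m.group(1)
    open_txn = sorted(z for z, verb in last_verb.items() if verb == "starting")
    return denied, open_txn


if __name__ == "__main__":
    denied, open_txn = summarize(SAMPLE_LOG)
    for (client, zone), count in denied.most_common():
        print(f"{count} denied update(s) from {client} for zone {zone}")
    for zone in open_txn:
        print(f"excerpt ends inside a transaction on zone {zone}")
```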