On Tue, Sep 08, 2015 at 10:19:34AM +0100, Rowland Penny wrote:
> On 08/09/15 09:25, Aki Tuomi wrote:
> >Why would I do that? This is a *computer* not *user* adding the record.
> >It is supposed to match the "grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;" rule
> >but it does not. For some mystical reason.
> >
> >Aki
> >
> >On Tue, Sep 08, 2015 at 10:18:03AM +0200, L.P.H. van Belle wrote:
> >>Did you add the user that adds the dns setting in the dnsadmins group in the ad?
> >>
> >>
> >>
> >>>-----Original message-----
> >>>From: Aki Tuomi [mailto:cmouse at cmouse.fi]
> >>>Sent: Tuesday 8 September 2015 10:08
> >>>To: L.P.H. van Belle
> >>>CC: samba at lists.samba.org
> >>>Subject: Re: [Samba] Problem with dynamic DNS
> >>>
> >>>Yeah. I have that setting, but for some reason samba refuses to accept the
> >>>AAAA *deletion* request (probably because it does not exist).
> >>>
> >>>It differs from Win7 which only sends A delete + add. And as I said, the
> >>>Windows 7 workstation has no issues with this.
> >>>
> >>>Aki
> >>>
> >>>On Tue, Sep 08, 2015 at 10:03:56AM +0200, L.P.H. van Belle wrote:
> >>>>(please reply to the list)
> >>>>
> >>>>If the record does not exist, then you have another problem.
> >>>>
> >>>>Because samba does support this:
> >>>>
> >>>>cat /var/lib/samba/private/named.conf.update
> >>>>/* this file is auto-generated - do not edit */
> >>>>update-policy {
> >>>> grant INTERNAL.DOMAIN.TLD ms-self * A AAAA;
> >>>> grant Administrator@INTERNAL.DOMAIN.TLD wildcard * A AAAA SRV CNAME;
> >>>> grant DC1$@internal.domain.tld wildcard * A AAAA SRV CNAME;
> >>>> grant DC2$@internal.domain.tld wildcard * A AAAA SRV CNAME;
> >>>>};
> >>>>
> >>
> >>
>
> You could try adding 'allow dns updates = nonsecure and secure' to
> smb.conf and restarting samba
>
> Rowland
>
Unfortunately that did not help either, as the clients are using TSIG signatures.
This seems to be some kind of Windows 10 specific issue, as it is working
differently to previous Windows versions.

Aki