thr3ads.net - samba - [Samba] Bind DNS Issues [Oct 2015]

If this information is useful, please help other people find it:
Share via:

David Minard

2015-Oct-27 03:57 UTC

[Samba] Bind DNS Issues

G'day All,

     I'm running up Samba4.2.3 with 4 DCs on Centos7.  There are no 
changes to the default smb.conf file that gets created at provision/DC 
join.  "samba-tool drs showrepl" show all DC replicating in and out.  
"samba-tool dbcheck" shows no errors.

     See below for named.conf.

     I'm having two issues.

     1)  After bind first starts up (systemctl restart/start bind), and 
I watch it's log, I start getting these messages:

27-Oct-2015 10:12:39.820 update-security: error: client IP1#62177: 
update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:21:11.541 update-security: error: client IP2#54301: 
update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:29:03.733 update-security: error: client IP3#64620: 
update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:29:03.955 update-security: error: client IP3#64354: 
update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:32:40.810 update-security: error: client IP4#58684: 
update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:41:29.432 update-security: error: client IP5#54505: 
update 'samba4.scem.westernsydney.edu.au/IN' denied
27-Oct-2015 10:44:12.265 update-security: error: client IP1#56374: 
update 'samba4.scem.westernsydney.edu.au/IN' denied

     If I reload bind (systemctl reload bind), the messages stop.

     Any idea why this might be?  Are these messages an issue?


     2)  When a new windows client joins the domain, sometimes it's DNS 
entry takes a day to appear.  Other times an hour or so, and other times 
near to immediately.  The AD in question is only under extremely light 
load, as it is only y being testedat the moment in the hope that it will 
replace our existing AD next year.

     What could be causing the DNS entry to not be added immediately all 
the time?  Is it related to question 1?


Named.conf: - with minor sanitising to remove IP addresses;

acl "SCEM"    { KWD_Internal_Nets; PTA_Internal_Nets;
CTN_Internal_Nets;
KWD_Private_Labs_Nets; PTA_Private_Labs_Nets; KWD_Private_Staff_Nets; 
KWD_Private_Solarcar_Nets; IC2_Internal_Nets; IC2_Private_Nets; };

#acl "Server_ADM_Network" { server_adm; };

options {
     directory "/local/etc/named";
     allow-transfer { none; };
     notify yes;
     forward only;
     allow-query { SCEM; };
# Samba4
         tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";

     forwarders {
         IP.of.non-ad.dns1;
         IP.of.non-ad.dns2;
         IP.of.non-ad.dns3;
         IP.of.non-ad.dns4;
     };
};

logging{
   channel simple_log {
     file "/var/log/named.log" versions 3 size 5m;
     severity warning;
     print-time yes;
     print-severity yes;
     print-category yes;
   };
   category default{
     simple_log;
   };
};


# Master Zones

#  Samba4
     include "/usr/local/samba/private/named.conf";

     zone "." in {
         type hint;
         file "var/named.cache";
     };

     zone "0.0.127.in-addr.arpa" in {
         type master;
         allow-update { none; };
         notify no;
         file "master/localhost.rev";
     };

-- 

Cheers,
David Minard.
Ph:    0247 360 155
Fax:    0247 360 770

School of Computing, Engineering, and Mathematics
Western Sydney University
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC
NSW 1797

[Sometimes waking up just isn't worth the insult of the day to come.]


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

David Minard

2015-Oct-27 05:55 UTC

head link

[Samba] Bind DNS Issues

Another comment to my original e-mail:

When I "systemctl restart named samba" on each of the DCs, the missing
DNS entries appear.  Why would I need to do this?

On 27/10/15 14:57, David Minard wrote:> G'day All,
>
>     I'm running up Samba4.2.3 with 4 DCs on Centos7.  There are no 
> changes to the default smb.conf file that gets created at provision/DC 
> join.  "samba-tool drs showrepl" show all DC replicating in and
out.
> "samba-tool dbcheck" shows no errors.
>
>     See below for named.conf.
>
>     I'm having two issues.
>
>     1)  After bind first starts up (systemctl restart/start bind), and 
> I watch it's log, I start getting these messages:
>
> 27-Oct-2015 10:12:39.820 update-security: error: client IP1#62177: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:21:11.541 update-security: error: client IP2#54301: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:29:03.733 update-security: error: client IP3#64620: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:29:03.955 update-security: error: client IP3#64354: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:32:40.810 update-security: error: client IP4#58684: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:41:29.432 update-security: error: client IP5#54505: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:44:12.265 update-security: error: client IP1#56374: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
>
>     If I reload bind (systemctl reload bind), the messages stop.
>
>     Any idea why this might be?  Are these messages an issue?
>
>
>     2)  When a new windows client joins the domain, sometimes it's DNS 
> entry takes a day to appear.  Other times an hour or so, and other 
> times near to immediately.  The AD in question is only under extremely 
> light load, as it is only y being testedat the moment in the hope that 
> it will replace our existing AD next year.
>
>     What could be causing the DNS entry to not be added immediately 
> all the time?  Is it related to question 1?
>
>
> Named.conf: - with minor sanitising to remove IP addresses;
>
> acl "SCEM"    { KWD_Internal_Nets; PTA_Internal_Nets; 
> CTN_Internal_Nets; KWD_Private_Labs_Nets; PTA_Private_Labs_Nets; 
> KWD_Private_Staff_Nets; KWD_Private_Solarcar_Nets; IC2_Internal_Nets; 
> IC2_Private_Nets; };
>
> #acl "Server_ADM_Network" { server_adm; };
>
> options {
>     directory "/local/etc/named";
>     allow-transfer { none; };
>     notify yes;
>     forward only;
>     allow-query { SCEM; };
> # Samba4
>         tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>
>     forwarders {
>         IP.of.non-ad.dns1;
>         IP.of.non-ad.dns2;
>         IP.of.non-ad.dns3;
>         IP.of.non-ad.dns4;
>     };
> };
>
> logging{
>   channel simple_log {
>     file "/var/log/named.log" versions 3 size 5m;
>     severity warning;
>     print-time yes;
>     print-severity yes;
>     print-category yes;
>   };
>   category default{
>     simple_log;
>   };
> };
>
>
> # Master Zones
>
> #  Samba4
>     include "/usr/local/samba/private/named.conf";
>
>     zone "." in {
>         type hint;
>         file "var/named.cache";
>     };
>
>     zone "0.0.127.in-addr.arpa" in {
>         type master;
>         allow-update { none; };
>         notify no;
>         file "master/localhost.rev";
>     };
>
-- 

Cheers,
David Minard.
Ph:    0247 360 155
Fax:    0247 360 770

School of Computing, Engineering, and Mathematics
Western Sydney University
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC
NSW 1797

[Sometimes waking up just isn't worth the insult of the day to come.]


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Rowland Penny

2015-Oct-27 08:22 UTC

head link

[Samba] Bind DNS Issues

On 27/10/15 03:57, David Minard wrote:> G'day All,
>
>     I'm running up Samba4.2.3 with 4 DCs on Centos7.  There are no 
> changes to the default smb.conf file that gets created at provision/DC 
> join.  "samba-tool drs showrepl" show all DC replicating in and
out.
> "samba-tool dbcheck" shows no errors.
>
>     See below for named.conf.
>
>     I'm having two issues.
>
>     1)  After bind first starts up (systemctl restart/start bind), and 
> I watch it's log, I start getting these messages:
>
> 27-Oct-2015 10:12:39.820 update-security: error: client IP1#62177: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:21:11.541 update-security: error: client IP2#54301: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:29:03.733 update-security: error: client IP3#64620: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:29:03.955 update-security: error: client IP3#64354: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:32:40.810 update-security: error: client IP4#58684: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:41:29.432 update-security: error: client IP5#54505: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:44:12.265 update-security: error: client IP1#56374: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
>
>     If I reload bind (systemctl reload bind), the messages stop.
>
>     Any idea why this might be?  Are these messages an issue?
>
>
>     2)  When a new windows client joins the domain, sometimes it's DNS 
> entry takes a day to appear.  Other times an hour or so, and other 
> times near to immediately.  The AD in question is only under extremely 
> light load, as it is only y being testedat the moment in the hope that 
> it will replace our existing AD next year.
>
>     What could be causing the DNS entry to not be added immediately 
> all the time?  Is it related to question 1?
>
>
> Named.conf: - with minor sanitising to remove IP addresses;
>
> acl "SCEM"    { KWD_Internal_Nets; PTA_Internal_Nets; 
> CTN_Internal_Nets; KWD_Private_Labs_Nets; PTA_Private_Labs_Nets; 
> KWD_Private_Staff_Nets; KWD_Private_Solarcar_Nets; IC2_Internal_Nets; 
> IC2_Private_Nets; };
>
> #acl "Server_ADM_Network" { server_adm; };
>
> options {
>     directory "/local/etc/named";
>     allow-transfer { none; };
>     notify yes;
>     forward only;
>     allow-query { SCEM; };
> # Samba4
>         tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>
>     forwarders {
>         IP.of.non-ad.dns1;
>         IP.of.non-ad.dns2;
>         IP.of.non-ad.dns3;
>         IP.of.non-ad.dns4;
>     };
> };
>
> logging{
>   channel simple_log {
>     file "/var/log/named.log" versions 3 size 5m;
>     severity warning;
>     print-time yes;
>     print-severity yes;
>     print-category yes;
>   };
>   category default{
>     simple_log;
>   };
> };
>
>
> # Master Zones
>
> #  Samba4
>     include "/usr/local/samba/private/named.conf";
>
>     zone "." in {
>         type hint;
>         file "var/named.cache";
>     };
>
>     zone "0.0.127.in-addr.arpa" in {
>         type master;
>         allow-update { none; };
>         notify no;
>         file "master/localhost.rev";
>     };
>
> -- 
>
> Cheers,
> David Minard.
> Ph:    0247 360 155
> Fax:    0247 360 770
>
> School of Computing, Engineering, and Mathematics
> Western Sydney University
> Building Y - Penrith Campus (Kingswood)
> Locked bag 1797
> Penrith South DC
> NSW 1797
>
> [Sometimes waking up just isn't worth the insult of the day to come.]
>
>
> -- 
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
>
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

OK, I would change 'notify yes;' to 'notify no;' , you
haven't got any
slaves. I would also remove 'forward only;' , you do not want to do 
this, you want your named server to be authoritive for your AD zone.

Rowland

Rowland Penny

2015-Oct-27 08:27 UTC

head link

[Samba] Bind DNS Issues

On 27/10/15 03:57, David Minard wrote:> G'day All,
>
>     I'm running up Samba4.2.3 with 4 DCs on Centos7.  There are no 
> changes to the default smb.conf file that gets created at provision/DC 
> join.  "samba-tool drs showrepl" show all DC replicating in and
out.
> "samba-tool dbcheck" shows no errors.
>
>     See below for named.conf.
>
>     I'm having two issues.
>
>     1)  After bind first starts up (systemctl restart/start bind), and 
> I watch it's log, I start getting these messages:
>
> 27-Oct-2015 10:12:39.820 update-security: error: client IP1#62177: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:21:11.541 update-security: error: client IP2#54301: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:29:03.733 update-security: error: client IP3#64620: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:29:03.955 update-security: error: client IP3#64354: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:32:40.810 update-security: error: client IP4#58684: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:41:29.432 update-security: error: client IP5#54505: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:44:12.265 update-security: error: client IP1#56374: 
> update 'samba4.scem.westernsydney.edu.au/IN' denied
>
>     If I reload bind (systemctl reload bind), the messages stop.
>
>     Any idea why this might be?  Are these messages an issue?
>
>
>     2)  When a new windows client joins the domain, sometimes it's DNS 
> entry takes a day to appear.  Other times an hour or so, and other 
> times near to immediately.  The AD in question is only under extremely 
> light load, as it is only y being testedat the moment in the hope that 
> it will replace our existing AD next year.
>
>     What could be causing the DNS entry to not be added immediately 
> all the time?  Is it related to question 1?
>
>
> Named.conf: - with minor sanitising to remove IP addresses;
>
> acl "SCEM"    { KWD_Internal_Nets; PTA_Internal_Nets; 
> CTN_Internal_Nets; KWD_Private_Labs_Nets; PTA_Private_Labs_Nets; 
> KWD_Private_Staff_Nets; KWD_Private_Solarcar_Nets; IC2_Internal_Nets; 
> IC2_Private_Nets; };
>
> #acl "Server_ADM_Network" { server_adm; };
>
> options {
>     directory "/local/etc/named";
>     allow-transfer { none; };
>     notify yes;
>     forward only;
>     allow-query { SCEM; };
> # Samba4
>         tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
>
>     forwarders {
>         IP.of.non-ad.dns1;
>         IP.of.non-ad.dns2;
>         IP.of.non-ad.dns3;
>         IP.of.non-ad.dns4;
>     };
> };
>
> logging{
>   channel simple_log {
>     file "/var/log/named.log" versions 3 size 5m;
>     severity warning;
>     print-time yes;
>     print-severity yes;
>     print-category yes;
>   };
>   category default{
>     simple_log;
>   };
> };
>
>
> # Master Zones
>
> #  Samba4
>     include "/usr/local/samba/private/named.conf";
>
>     zone "." in {
>         type hint;
>         file "var/named.cache";
>     };
>
>     zone "0.0.127.in-addr.arpa" in {
>         type master;
>         allow-update { none; };
>         notify no;
>         file "master/localhost.rev";
>     };
>
One thing I missed, you have 'allow-query { SCEM; };' , unless
'SCEM'
includes 127.0.0.1, it should be ' allow-query { SCEM;  127.0.0.1/32; };

Rowland

Reindl Harald

2015-Oct-27 11:58 UTC

head link

[Samba] Bind DNS Issues

Am 27.10.2015 um 04:57 schrieb David Minard:> 1)  After bind first starts up (systemctl restart/start bind), and
> I watch it's log, I start getting these messages:
>
> 27-Oct-2015 10:12:39.820 update-security: error: client IP1#62177:
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:21:11.541 update-security: error: client IP2#54301:
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:29:03.733 update-security: error: client IP3#64620:
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:29:03.955 update-security: error: client IP3#64354:
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:32:40.810 update-security: error: client IP4#58684:
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:41:29.432 update-security: error: client IP5#54505:
> update 'samba4.scem.westernsydney.edu.au/IN' denied
> 27-Oct-2015 10:44:12.265 update-security: error: client IP1#56374:
> update 'samba4.scem.westernsydney.edu.au/IN' denied
>
>  If I reload bind (systemctl reload bind), the messages stop
the messages have nothing to do with bind start, hence the IP triggering 
them is logged, they are trying to do ddns updates and you likely have 
something as below in your config

allow-update           {none;};

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20151027/d7ab4b1f/signature.sig>

David Minard

2015-Oct-27 22:44 UTC

head link

[Samba] Bind DNS Issues

> On 27/10/15 03:57, David Minard wrote:
> >/  G'day All,
> />/
> />/      I'm running up Samba4.2.3 with 4 DCs on Centos7.  There are
no
> />/  changes to the default smb.conf file that gets created at
provision/DC
> />/  join.  "samba-tool drs showrepl" show all DC replicating
in and out.
> />/  "samba-tool dbcheck" shows no errors.
> />/
> />/      See below for named.conf.
> />/
> />/      I'm having two issues.
> />/
> />/      1)  After bind first starts up (systemctl restart/start bind),
and
> />/  I watch it's log, I start getting these messages:
> />/
> />/  27-Oct-2015 10:12:39.820 update-security: error: client IP1#62177:
> />/  update 'samba4.scem.westernsydney.edu.au/IN' denied
> />/  27-Oct-2015 10:21:11.541 update-security: error: client IP2#54301:
> />/  update 'samba4.scem.westernsydney.edu.au/IN' denied
> />/  27-Oct-2015 10:29:03.733 update-security: error: client IP3#64620:
> />/  update 'samba4.scem.westernsydney.edu.au/IN' denied
> />/  27-Oct-2015 10:29:03.955 update-security: error: client IP3#64354:
> />/  update 'samba4.scem.westernsydney.edu.au/IN' denied
> />/  27-Oct-2015 10:32:40.810 update-security: error: client IP4#58684:
> />/  update 'samba4.scem.westernsydney.edu.au/IN' denied
> />/  27-Oct-2015 10:41:29.432 update-security: error: client IP5#54505:
> />/  update 'samba4.scem.westernsydney.edu.au/IN' denied
> />/  27-Oct-2015 10:44:12.265 update-security: error: client IP1#56374:
> />/  update 'samba4.scem.westernsydney.edu.au/IN' denied
> />/
> />/      If I reload bind (systemctl reload bind), the messages stop.
> />/
> />/      Any idea why this might be?  Are these messages an issue?
> />/
> />/
> />/      2)  When a new windows client joins the domain, sometimes
it's DNS
> />/  entry takes a day to appear.  Other times an hour or so, and other
> />/  times near to immediately.  The AD in question is only under
extremely
> />/  light load, as it is only y being testedat the moment in the hope
that
> />/  it will replace our existing AD next year.
> />/
> />/      What could be causing the DNS entry to not be added immediately
> />/  all the time?  Is it related to question 1?
> />/
> />/
> />/  Named.conf: - with minor sanitising to remove IP addresses;
> />/
> />/  acl "SCEM"    { KWD_Internal_Nets; PTA_Internal_Nets;
> />/  CTN_Internal_Nets; KWD_Private_Labs_Nets; PTA_Private_Labs_Nets;
> />/  KWD_Private_Staff_Nets; KWD_Private_Solarcar_Nets;
IC2_Internal_Nets;
> />/  IC2_Private_Nets; };
> />/
> />/  #acl "Server_ADM_Network" { server_adm; };
> />/
> />/  options {
> />/      directory "/local/etc/named";
> />/      allow-transfer { none; };
> />/      notify yes;
> />/      forward only;
> />/      allow-query { SCEM; };
> />/  # Samba4
> />/          tkey-gssapi-keytab
"/usr/local/samba/private/dns.keytab";
> />/
> />/      forwarders {
> />/          IP.of.non-ad.dns1;
> />/          IP.of.non-ad.dns2;
> />/          IP.of.non-ad.dns3;
> />/          IP.of.non-ad.dns4;
> />/      };
> />/  };
> />/
> />/  logging{
> />/    channel simple_log {
> />/      file "/var/log/named.log" versions 3 size 5m;
> />/      severity warning;
> />/      print-time yes;
> />/      print-severity yes;
> />/      print-category yes;
> />/    };
> />/    category default{
> />/      simple_log;
> />/    };
> />/  };
> />/
> />/
> />/  # Master Zones
> />/
> />/  #  Samba4
> />/      include "/usr/local/samba/private/named.conf";
> />/
> />/      zone "." in {
> />/          type hint;
> />/          file "var/named.cache";
> />/      };
> />/
> />/      zone "0.0.127.in-addr.arpa" in {
> />/          type master;
> />/          allow-update { none; };
> />/          notify no;
> />/          file "master/localhost.rev";
> />/      };
> />/
> /
> One thing I missed, you have 'allow-query { SCEM; };' , unless
'SCEM'
> includes 127.0.0.1, it should be ' allow-query { SCEM;  127.0.0.1/32;
};
>
> Rowland
     SCEM has { localhost; other.ips; }; so that should be the same as 
127.0.0.1 - I think??

-- 

Cheers,
David Minard.
Ph:    0247 360 155
Fax:    0247 360 770

School of Computing, Engineering, and Mathematics
Western Sydney University
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC
NSW 1797

[Sometimes waking up just isn't worth the insult of the day to come.]


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

David Minard

2015-Oct-27 22:52 UTC

head link

[Samba] Bind DNS Issues

> On 27/10/15 03:57, David Minard wrote:
> >/  G'day All,
> />/
> />/      I'm running up Samba4.2.3 with 4 DCs on Centos7.  There are
no
> />/  changes to the default smb.conf file that gets created at
provision/DC
> />/  join.  "samba-tool drs showrepl" show all DC replicating
in and out.
> />/  "samba-tool dbcheck" shows no errors.
> />/
> />/      See below for named.conf.
> />/
> />/      I'm having two issues.
> />/
> />/      1)  After bind first starts up (systemctl restart/start bind),
and
> />/  I watch it's log, I start getting these messages:
> />/
> />/  27-Oct-2015 10:12:39.820 update-security: error: client IP1#62177:
> />/  update 'samba4.scem.westernsydney.edu.au/IN' denied
> />/  27-Oct-2015 10:21:11.541 update-security: error: client IP2#54301:
> />/  update 'samba4.scem.westernsydney.edu.au/IN' denied
> />/  27-Oct-2015 10:29:03.733 update-security: error: client IP3#64620:
> />/  update 'samba4.scem.westernsydney.edu.au/IN' denied
> />/  27-Oct-2015 10:29:03.955 update-security: error: client IP3#64354:
> />/  update 'samba4.scem.westernsydney.edu.au/IN' denied
> />/  27-Oct-2015 10:32:40.810 update-security: error: client IP4#58684:
> />/  update 'samba4.scem.westernsydney.edu.au/IN' denied
> />/  27-Oct-2015 10:41:29.432 update-security: error: client IP5#54505:
> />/  update 'samba4.scem.westernsydney.edu.au/IN' denied
> />/  27-Oct-2015 10:44:12.265 update-security: error: client IP1#56374:
> />/  update 'samba4.scem.westernsydney.edu.au/IN' denied
> />/
> />/      If I reload bind (systemctl reload bind), the messages stop.
> />/
> />/      Any idea why this might be?  Are these messages an issue?
> />/
> />/
> />/      2)  When a new windows client joins the domain, sometimes
it's DNS
> />/  entry takes a day to appear.  Other times an hour or so, and other
> />/  times near to immediately.  The AD in question is only under
extremely
> />/  light load, as it is only y being testedat the moment in the hope
that
> />/  it will replace our existing AD next year.
> />/
> />/      What could be causing the DNS entry to not be added immediately
> />/  all the time?  Is it related to question 1?
> />/
> />/
> />/  Named.conf: - with minor sanitising to remove IP addresses;
> />/
> />/  acl "SCEM"    { KWD_Internal_Nets; PTA_Internal_Nets;
> />/  CTN_Internal_Nets; KWD_Private_Labs_Nets; PTA_Private_Labs_Nets;
> />/  KWD_Private_Staff_Nets; KWD_Private_Solarcar_Nets;
IC2_Internal_Nets;
> />/  IC2_Private_Nets; };
> />/
> />/  #acl "Server_ADM_Network" { server_adm; };
> />/
> />/  options {
> />/      directory "/local/etc/named";
> />/      allow-transfer { none; };
> />/      notify yes;
> />/      forward only;
> />/      allow-query { SCEM; };
> />/  # Samba4
> />/          tkey-gssapi-keytab
"/usr/local/samba/private/dns.keytab";
> />/
> />/      forwarders {
> />/          IP.of.non-ad.dns1;
> />/          IP.of.non-ad.dns2;
> />/          IP.of.non-ad.dns3;
> />/          IP.of.non-ad.dns4;
> />/      };
> />/  };
> />/
> />/  logging{
> />/    channel simple_log {
> />/      file "/var/log/named.log" versions 3 size 5m;
> />/      severity warning;
> />/      print-time yes;
> />/      print-severity yes;
> />/      print-category yes;
> />/    };
> />/    category default{
> />/      simple_log;
> />/    };
> />/  };
> />/
> />/
> />/  # Master Zones
> />/
> />/  #  Samba4
> />/      include "/usr/local/samba/private/named.conf";
> />/
> />/      zone "." in {
> />/          type hint;
> />/          file "var/named.cache";
> />/      };
> />/
> />/      zone "0.0.127.in-addr.arpa" in {
> />/          type master;
> />/          allow-update { none; };
> />/          notify no;
> />/          file "master/localhost.rev";
> />/      };
> />/
> />/  --
> />/
> />/  Cheers,
> />/  David Minard.
> />/  Ph:    0247 360 155
> />/  Fax:    0247 360 770
> />/
> />/  School of Computing, Engineering, and Mathematics
> />/  Western Sydney University
> />/  Building Y - Penrith Campus (Kingswood)
> />/  Locked bag 1797
> />/  Penrith South DC
> />/  NSW 1797
> />/
> />/  [Sometimes waking up just isn't worth the insult of the day to
come.]
> />/
> />/
> />/  --
> />/  This message has been scanned for viruses and
> />/  dangerous content by MailScanner, and is
> />/  believed to be clean.
> />/
> />/
> />/  --
> />/  To unsubscribe from this list go to the following URL and read the
> />/  instructions:https://lists.samba.org/mailman/options/samba
> /
>
> OK, I would change 'notify yes;' to 'notify no;' , you
haven't got any
> slaves. I would also remove 'forward only;' , you do not want to do
> this, you want your named server to be authoritive for your AD zone.
>
> Rowland
     Okay.  I've made the changes.  I'll see if this helps.  Thank you.

-- 

Cheers,
David Minard.
Ph:    0247 360 155
Fax:    0247 360 770

School of Computing, Engineering, and Mathematics
Western Sydney University
Building Y - Penrith Campus (Kingswood)
Locked bag 1797
Penrith South DC
NSW 1797

[Sometimes waking up just isn't worth the insult of the day to come.]


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Apparently Analagous Threads

Search for more apparently analagous threads

samba - Oct 2015 - Bind DNS Issues

[Samba] Bind DNS Issues

[Samba] Bind DNS Issues

[Samba] Bind DNS Issues

[Samba] Bind DNS Issues

[Samba] Bind DNS Issues

[Samba] Bind DNS Issues

[Samba] Bind DNS Issues

Apparently Analagous Threads