Thanks a lot. I'll take a read through it and see if I can get it working.

________________________________________
From: samba [samba-bounces at lists.samba.org] on behalf of Rowland Penny [rowlandpenny241155 at gmail.com]
Sent: Monday, November 09, 2015 5:02 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Samba_dlz: canceling trasaction on zone domain

On 09/11/15 21:28, Philip Banh wrote:
> Hey Rowland,
>
> Below is a cutdown version of my DHCP. As you can see, I haven't really set anything up for ddns-update. While using Samba4's internal DNS I had the setting 'ddns-update-style interim;' and it seemed to have worked fine. But with bind I'm not sure what else is needed.
>
> Thanks for taking a look at it.
> Philip
>
> #
> # DHCP Server Configuration file.
> # see /usr/share/doc/dhcp*/dhcpd.conf.sample
> # see 'man 5 dhcpd.conf'
> #
> # option definitions common to all supported networks...
> option domain-name "DOMAIN";
> option domain-name-servers 172.17.0.170, 172.17.0.171;
>
> filename "pxelinux.0";
> next-server 172.17.0.50;
>
> default-lease-time 600;
> max-lease-time 7200;
>
> # Use this to enable / disable dynamic dns updates globally.
> #ddns-updates on; # not really necessary, ddns-update-style is good enough
> ddns-update-style interim;
> deny client-updates;
> ignore-client-updates;
> #allow client-updates;
>
> #update-static-leases on;
> key DHCP_UPDATER {
> algorithm HMAC-MD5.SIG-ALG.REG.INT;
>
> #Paste in the generated key here. Should be in quotes
> secret "SECRET";
> };
> # If this DHCP server is the official DHCP server for the local
> # network, the authoritative directive should be uncommented.
> authoritative;
>
> class "Others" {
>
> .....
>
> }
>
> subnet 172.17.0.0 netmask 255.255.255.0 {
> option routers 172.17.0.1;
>
> pool {
> range 172.17.0.201 172.17.0.254;
> option broadcast-address 172.17.0.255;
> deny members of "Others";
> }
>
> .....The rest of vlans
>
> log-facility local6;
>
> ________________________________________
> From: samba [samba-bounces at lists.samba.org] on behalf of Rowland Penny [rowlandpenny241155 at gmail.com]
> Sent: Monday, November 09, 2015 4:15 PM
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba_dlz: canceling trasaction on zone domain
>
> On 09/11/15 20:48, Philip Banh wrote:
>> Hi there,
>>
>> I'm in the process of switching from using Samba4 internal DNS to using BIND as my backend DNS. However, I'm currently running into some issues with the transition.
>>
>> Here's an example of the messages I'm getting from /var/log/messages logs:
>>
>> Nov 9 15:34:26 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN
>> Nov 9 15:34:26 pho-dcpvl-01N named[27524]: client 172.17.0.30#59051: update 'DOMAIN/IN' denied
>> Nov 9 15:34:26 pho-dcpvl-01N named[27524]: samba_dlz: cancelling transaction on zone DOMAIN
>> Nov 9 15:35:24 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN
>> Nov 9 15:35:24 pho-dcpvl-01N named[27524]: client 172.17.0.30#42206: update 'DOMAIN/IN' denied
>> Nov 9 15:35:24 pho-dcpvl-01N named[27524]: samba_dlz: cancelling transaction on zone DOMAIN
>> Nov 9 15:35:26 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN
>> Nov 9 15:35:26 pho-dcpvl-01N named[27524]: client 172.17.0.30#51563: update 'DOMAIN/IN' denied
>> Nov 9 15:35:26 pho-dcpvl-01N named[27524]: samba_dlz: cancelling transaction on zone DOMAIN
>> Nov 9 15:35:32 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN
>>
>> * 172.17.0.30 being my DHCP server.
>>
>> Does anyone know what's causing the above messages? And how do you proceed in a setup with Samba4 AD / BIND with DDNS.
>>
>> My guess here is I'm having troubles with setting up the DHCP properly to communicate with BIND, so the DNS isn't being updated.
>>
>> Please let me know what other information I can provide.
>>
>> Thanks,
>> Philip
>>
> Can you post your dhcpd.conf ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

One thing I forgot to say is that my setup is based on what I found here:

http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/
Hi again,

While I've seen a lot of solutions use that script, I'm wondering to myself is there any other solution? I'm also curious still, does anyone know what these messages mean:

Nov 10 15:45:50 pho-dcpvl-01N named-sdb[9596]: samba_dlz: starting transaction on zone coreontario2.ca
Nov 10 15:45:50 pho-dcpvl-01N named-sdb[9596]: client 172.17.0.30*#33362: update 'coreontario2.ca/IN' denied
Nov 10 15:45:50 pho-dcpvl-01N named-sdb[9596]: samba_dlz: cancelling transaction on zone coreontario2.ca

*The client that is trying to do the update is the DHCP.

Again, my guess is my DHCP isn't sending secure updates for Samba_dlz (BIND) and it only wants to accept secure updates. If that's the case is there a way to make ISC DHCP do secure updates...but it seems like the workaround eventually leads back to that script. Anyway, it's worth a shot...

Also I know about smb.conf allow dns 'update = nonsecure and secure'...but I don't see it having any effect. Since I'm at it might as well post the smb.conf:

[global]
workgroup = DOMAIN
realm = DOMAIN
netbios name = NS01
server role = active directory domain controller
printing = bsd
allow dns updates = nonsecure and secure
nsupdate command = /usr/local/bin/nsupdate -g
server services = -dns
server services = dnsupdate

[netlogon]
path = /usr/local/samba/var/locks/sysvol/coreontario.ca/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

Any input is appreciated.

Thanks!
Philip

________________________________________
From: samba [samba-bounces at lists.samba.org] on behalf of Philip Banh [Philip.Banh at oahpp.ca]
Sent: Monday, November 09, 2015 5:51 PM
To: Rowland Penny; samba at lists.samba.org
Subject: Re: [Samba] Samba_dlz: canceling trasaction on zone domain

Thanks a lot. I'll take a read through it and see if I can get it working.
Rowland Penny
2015-Nov-10 21:10 UTC
[Samba] Samba_dlz: canceling trasaction on zone domain
>>> And how do you proceed in a setup with Samba4 AD / BIND with DDNS.
>>>
>>> My guess here is I'm having troubles with setting up the DHCP properly to communicate with BIND, so the DNS isn't being updated.
>>>
>>> Please let me know what other information I can provide.
>>>
>>> Thanks,
>>> Philip
>>>
>> Can you post your dhcpd.conf ?
>>
>> Rowland
>>
> One thing I forgot to say is that my setup is based on what I found here:
>
> http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynamic-dns-updates-against-secure-microsoft-dns/

I just set up bind & dhcp on my new DC today, using the info I posted earlier, I had just one problem, it didn't work :-D

Traced it to the fact that I am now using a self-compiled Samba and wbinfo wasn't in bash path, added this:

PATH=/usr/local/samba/sbin:/usr/local/samba/bin:$PATH

to the top of the script cured this and it is now working :-)

Nov 10 20:55:43 dc1 dhcpd: Commit: IP: 192.168.0.101 DHCID: 1:68:b5:99:2c:98:fa Name: HP-Printer
Nov 10 20:55:43 dc1 dhcpd: execute_statement argv[0] = /etc/dhcp/bin/dhcp-dyndns.sh
Nov 10 20:55:43 dc1 dhcpd: execute_statement argv[1] = add
Nov 10 20:55:43 dc1 dhcpd: execute_statement argv[2] = 192.168.0.101
Nov 10 20:55:43 dc1 dhcpd: execute_statement argv[3] = 1:68:b5:99:2c:98:fa
Nov 10 20:55:43 dc1 dhcpd: execute_statement argv[4] = HP-Printer
Nov 10 20:55:43 dc1 named[1461]: samba_dlz: starting transaction on zone samdom.example.com
Nov 10 20:55:43 dc1 named[1461]: samba_dlz: allowing update of signer=dhcpduser\@SAMDOM.EXAMPLE.COM name=HP-Printer.samdom.example.com tcpaddr=127.0.0.1 type=A key=2086870239.sig-dc1.samdom.example.com/160/0
............... .................
Nov 10 20:55:43 dc1 root: DHCP-DNS Update succeeded

Rowland
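
Added example, not part of the original thread and not Samba or BIND code: a short Python triage of named's log that separates the two outcomes quoted in this thread, updates rejected with "update ... denied" (counted per client address and zone) and updates accepted by samba_dlz with a signer= principal. The sample lines are constructed from the log formats quoted in the thread, and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input, using the two log formats quoted in this thread.
SAMPLE = [
    "Nov 9 15:34:26 pho-dcpvl-01N named[27524]: samba_dlz: starting transaction on zone DOMAIN",
    "Nov 9 15:34:26 pho-dcpvl-01N named[27524]: client 172.17.0.30#59051: update 'DOMAIN/IN' denied",
    "Nov 9 15:34:26 pho-dcpvl-01N named[27524]: samba_dlz: cancelling transaction on zone DOMAIN",
    "Nov 9 15:35:24 pho-dcpvl-01N named[27524]: client 172.17.0.30#42206: update 'DOMAIN/IN' denied",
    "Nov 10 20:55:43 dc1 named[1461]: samba_dlz: starting transaction on zone samdom.example.com",
    r"Nov 10 20:55:43 dc1 named[1461]: samba_dlz: allowing update of "
    r"signer=dhcpduser\@SAMDOM.EXAMPLE.COM name=HP-Printer.samdom.example.com "
    r"tcpaddr=127.0.0.1 type=A key=2086870239.sig-dc1.samdom.example.com/160/0",
]

# "named" or "named-sdb", then the client address, source port and zone.
DENIED = re.compile(r"named\S*\[\d+\]: client (?P<ip>[0-9a-fA-F.:]+)#\d+: "
                    r"update '(?P<zone>[^'/]+)/IN' denied")
# samba_dlz logs the Kerberos principal that signed an accepted update.
ALLOWED = re.compile(r"samba_dlz: allowing update of signer=(?P<signer>\S+) "
                     r"name=(?P<name>\S+) tcpaddr=(?P<addr>\S*) type=(?P<rtype>\S+)")


def triage(lines):
    """Split update attempts into rejected (per client/zone) and accepted (per signer)."""
    denied = Counter()
    allowed = defaultdict(set)
    for line in lines:
        m = DENIED.search(line)
        if m:
            denied[(m["ip"], m["zone"])] += 1
            continue
        m = ALLOWED.search(line)
        if m:
            # The log escapes the '@' of the principal as '\@'; undo that.
            signer = m["signer"].replace("\\@", "@")
            allowed[signer].add((m["name"], m["rtype"], m["addr"]))
    return denied, dict(allowed)


def report(lines):
    """Return one summary line per rejected client and per accepted record."""
    denied, allowed = triage(lines)
    out = [f"DENIED  {n}x from {ip} for zone {zone}"
           for (ip, zone), n in denied.most_common()]
    for signer, recs in sorted(allowed.items()):
        for name, rtype, addr in sorted(recs):
            out.append(f"ALLOWED {rtype} {name} signed by {signer} via {addr}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

A client that appears only under DENIED, as the DHCP server at 172.17.0.30 does in the sample, is the one whose updates are being refused; ALLOWED lines show which principal signed the updates that went through.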