On 17/11/15 15:31, Sam wrote:
> Another mistake: Louis's script ddns-kerberos-check.sh was not
> running in the hourly.cron directory (I did a chmod 770 to resolve that)
>
> To recall what I did:
> - I cloned the Windows 2000 AD servers on a private network and
> I migrated to samba4
> - Meanwhile, users have continued to use the Windows 2000 AD servers
> on the production network
> - I replaced the production servers with samba4 servers from the private
> network.
>
> In fact, the computers that were online when we deleted the Windows 2000
> AD servers are rejected.
> If I try a computer created and joined in the new samba4 AD, it's
> working too.
>
> Are there some things to set before replacing the old DCs? (like
> shortening the lease times on the actual DHCP?)
> Or must I restart the above migration procedure without leaving the
> Windows 2000 servers running for users during that time?
>
> Here is the last extract of syslog :
>
> *for a new linux client :*
> Nov 17 13:43:59 S4 dhcpd: data: host_decl_name: not available
> Nov 17 13:43:59 S4 dhcpd: execute_statement argv[0] =
> /etc/dhcp/bin/dhcp-dyndns-debian.sh
> Nov 17 13:43:59 S4 dhcpd: execute_statement argv[1] = add
> Nov 17 13:43:59 S4 dhcpd: execute_statement argv[2] = 172.20.4.28
> Nov 17 13:43:59 S4 dhcpd: execute_statement argv[3] = dhcp-172-20-4-28
> Nov 17 13:43:59 S4 dhcpd: execute_statement argv[4] = 0:50:56:8f:6:f4
> Nov 17 13:43:59 S4 dhcpd: DHCPREQUEST for 172.20.4.28 from
> 00:50:56:8f:06:f4 via eth0
> Nov 17 13:43:59 S4 dhcpd: DHCPACK on 172.20.4.28 to 00:50:56:8f:06:f4
> via eth0
> Nov 17 13:43:59 S4 named[2309]: samba_dlz: starting transaction on
> zone ariane.intra
> Nov 17 13:43:59 S4 named[2309]: samba_dlz: allowing update of
> signer=dhcpd-user\@ARIANE.INTRA name=dhcp-172-20-4-28.ariane.intra
> tcpaddr=172.20.2.2 type=A key=1292405312.sig-s4.ariane.intra/160/0
> Nov 17 13:43:59 S4 named[2309]: samba_dlz: allowing update of
> signer=dhcpd-user\@ARIANE.INTRA name=dhcp-172-20-4-28.ariane.intra
> tcpaddr=172.20.2.2 type=A key=1292405312.sig-s4.ariane.intra/160/0
> Nov 17 13:43:59 S4 named[2309]: client 172.20.2.2#48911: updating zone
> 'ariane.intra/NONE': deleting rrset at
> 'dhcp-172-20-4-28.ariane.intra' A
> Nov 17 13:43:59 S4 named[2309]: samba_dlz: subtracted rdataset
> dhcp-172-20-4-28.ariane.intra
> 'dhcp-172-20-4-28.ariane.intra.#0113600#011IN#011A#011172.20.4.28'
> Nov 17 13:43:59 S4 named[2309]: client 172.20.2.2#48911: updating zone
> 'ariane.intra/NONE': adding an RR at
> 'dhcp-172-20-4-28.ariane.intra' A
> Nov 17 13:43:59 S4 named[2309]: samba_dlz: added rdataset
> dhcp-172-20-4-28.ariane.intra
> 'dhcp-172-20-4-28.ariane.intra.#0113600#011IN#011A#011172.20.4.28'
> Nov 17 13:43:59 S4 named[2309]: samba_dlz: committed transaction on
> zone ariane.intra
> Nov 17 13:43:59 S4 named[2309]: samba_dlz: starting transaction on
> zone 4.20.172.in-addr.arpa
> Nov 17 13:43:59 S4 named[2309]: samba_dlz: allowing update of
> signer=dhcpd-user\@ARIANE.INTRA name=28.4.20.172.in-addr.arpa
> tcpaddr=172.20.2.2 type=PTR key=2742923346.sig-s4.ariane.intra/160/0
> Nov 17 13:43:59 S4 named[2309]: samba_dlz: allowing update of
> signer=dhcpd-user\@ARIANE.INTRA name=28.4.20.172.in-addr.arpa
> tcpaddr=172.20.2.2 type=PTR key=2742923346.sig-s4.ariane.intra/160/0
> Nov 17 13:43:59 S4 named[2309]: client 172.20.2.2#55304: updating zone
> '4.20.172.in-addr.arpa/NONE': deleting rrset at
> '28.4.20.172.in-addr.arpa' PTR
> Nov 17 13:43:59 S4 named[2309]: samba_dlz: subtracted rdataset
> 28.4.20.172.in-addr.arpa
> '28.4.20.172.in-addr.arpa.#0113600#011IN#011PTR#011dhcp-172-20-4-28.ariane.intra.'
> Nov 17 13:43:59 S4 named[2309]: client 172.20.2.2#55304: updating zone
> '4.20.172.in-addr.arpa/NONE': adding an RR at
> '28.4.20.172.in-addr.arpa' PTR
> Nov 17 13:43:59 S4 named[2309]: samba_dlz: added rdataset
> 28.4.20.172.in-addr.arpa
> '28.4.20.172.in-addr.arpa.#0113600#011IN#011PTR#011dhcp-172-20-4-28.ariane.intra.'
> Nov 17 13:43:59 S4 named[2309]: samba_dlz: committed transaction on
> zone 4.20.172.in-addr.arpa
> Nov 17 13:43:59 S4 dhcpd: DDNS: adding records for 172.20.4.28
> (dhcp-172-20-4-28.ariane.intra) succeeded
>
> *For a new win7 client:*
> Nov 17 14:10:38 S4 dhcpd: execute_statement argv[0] =
> /etc/dhcp/bin/dhcp-dyndns-debian.sh
> Nov 17 14:10:38 S4 dhcpd: execute_statement argv[1] = add
> Nov 17 14:10:38 S4 dhcpd: execute_statement argv[2] = 172.20.4.1
> Nov 17 14:10:38 S4 dhcpd: execute_statement argv[3] = client7-PC
> Nov 17 14:10:38 S4 dhcpd: execute_statement argv[4] = 0:50:56:8f:18:c0
> Nov 17 14:10:38 S4 dhcpd: DHCPREQUEST for 172.20.4.1 from
> 00:50:56:8f:18:c0 (client7-PC) via eth0
> Nov 17 14:10:38 S4 dhcpd: DHCPACK on 172.20.4.1 to 00:50:56:8f:18:c0
> (client7-PC) via eth0
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: starting transaction on
> zone ariane.intra
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: disallowing update of
> signer=dhcpd-user\@ARIANE.INTRA name=client7-PC.ariane.intra type=A
> error=insufficient access rights
> Nov 17 14:10:38 S4 named[2309]: client 172.20.2.2#49326: updating zone
> 'ariane.intra/NONE': update failed: rejected by secure update
> (REFUSED)
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: cancelling transaction on
> zone ariane.intra
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: starting transaction on
> zone ariane.intra
> Nov 17 14:10:38 S4 named[2309]: client 172.20.4.1#60306: update
> 'ariane.intra/IN' denied
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: cancelling transaction on
> zone ariane.intra
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: starting transaction on
> zone 4.20.172.in-addr.arpa
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: allowing update of
> signer=dhcpd-user\@ARIANE.INTRA name=1.4.20.172.in-addr.arpa
> tcpaddr=172.20.2.2 type=PTR key=3681185047.sig-s4.ariane.intra/160/0
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: allowing update of
> signer=dhcpd-user\@ARIANE.INTRA name=1.4.20.172.in-addr.arpa
> tcpaddr=172.20.2.2 type=PTR key=3681185047.sig-s4.ariane.intra/160/0
> Nov 17 14:10:38 S4 named[2309]: client 172.20.2.2#35232: updating zone
> '4.20.172.in-addr.arpa/NONE': deleting rrset at
> '1.4.20.172.in-addr.arpa' PTR
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: subtracted rdataset
> 1.4.20.172.in-addr.arpa
> '1.4.20.172.in-addr.arpa.#0113600#011IN#011PTR#011client7-PC.ariane.intra.'
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: starting transaction on
> zone ariane.intra
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: transaction already started
> for zone ariane.intra
> Nov 17 14:10:38 S4 named[2309]: sdlz newversion on origin ariane.intra
> failed : failure
> Nov 17 14:10:38 S4 named[2309]: client 172.20.2.2#35232: updating zone
> '4.20.172.in-addr.arpa/NONE': adding an RR at
> '1.4.20.172.in-addr.arpa' PTR
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: added rdataset
> 1.4.20.172.in-addr.arpa
> '1.4.20.172.in-addr.arpa.#0113600#011IN#011PTR#011client7-PC.ariane.intra.'
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: committed transaction on
> zone 4.20.172.in-addr.arpa
> Nov 17 14:10:38 S4 dhcpd: DDNS: adding records for 172.20.4.1
> (client7-PC.ariane.intra) FAILED: nsupdate status 2
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: starting transaction on
> zone ariane.intra
> Nov 17 14:10:38 S4 named[2309]: client 172.20.4.1#51087: update
> 'ariane.intra/IN' denied
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: cancelling transaction on
> zone ariane.intra
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: starting transaction on
> zone ariane.intra
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: allowing update of
> signer=client7-pc\$\@ARIANE.INTRA name=client7-PC.ariane.intra
> tcpaddr= type=AAAA
> key=260-ms-7.2-1bcc44.6c4f03db-8d28-11e5-ab9f-0050568f18c0/160/0
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: allowing update of
> signer=client7-pc\$\@ARIANE.INTRA name=client7-PC.ariane.intra
> tcpaddr= type=A
> key=260-ms-7.2-1bcc44.6c4f03db-8d28-11e5-ab9f-0050568f18c0/160/0
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: allowing update of
> signer=client7-pc\$\@ARIANE.INTRA name=client7-PC.ariane.intra
> tcpaddr= type=A
> key=260-ms-7.2-1bcc44.6c4f03db-8d28-11e5-ab9f-0050568f18c0/160/0
> Nov 17 14:10:38 S4 named[2309]: client 172.20.4.1#60224: updating zone
> 'ariane.intra/NONE': deleting rrset at
> 'client7-PC.ariane.intra' AAAA
> Nov 17 14:10:38 S4 named[2309]: client 172.20.4.1#60224: updating zone
> 'ariane.intra/NONE': deleting rrset at
> 'client7-PC.ariane.intra' A
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: subtracted rdataset
> client7-PC.ariane.intra
> 'client7-PC.ariane.intra.#0111200#011IN#011A#011172.20.4.1'
> Nov 17 14:10:38 S4 named[2309]: client 172.20.4.1#60224: updating zone
> 'ariane.intra/NONE': adding an RR at
> 'client7-PC.ariane.intra' A
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: added rdataset
> client7-PC.ariane.intra
> 'client7-PC.ariane.intra.#0111200#011IN#011A#011172.20.4.1'
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: committed transaction on
> zone ariane.intra
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: starting transaction on
> zone ariane.intra
> Nov 17 14:10:38 S4 named[2309]: client 172.20.4.1#51226: update
> 'ariane.intra/IN' denied
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: cancelling transaction on
> zone ariane.intra
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: starting transaction on
> zone ariane.intra
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: allowing update of
> signer=client7-pc\$\@ARIANE.INTRA name=client7-PC.ariane.intra
> tcpaddr= type=AAAA
> key=260-ms-7.2-1bcc44.6c4f03db-8d28-11e5-ab9f-0050568f18c0/160/0
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: allowing update of
> signer=client7-pc\$\@ARIANE.INTRA name=client7-PC.ariane.intra
> tcpaddr= type=A
> key=260-ms-7.2-1bcc44.6c4f03db-8d28-11e5-ab9f-0050568f18c0/160/0
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: allowing update of
> signer=client7-pc\$\@ARIANE.INTRA name=client7-PC.ariane.intra
> tcpaddr= type=A
> key=260-ms-7.2-1bcc44.6c4f03db-8d28-11e5-ab9f-0050568f18c0/160/0
> Nov 17 14:10:38 S4 named[2309]: client 172.20.4.1#58165: updating zone
> 'ariane.intra/NONE': deleting rrset at
> 'client7-PC.ariane.intra' AAAA
> Nov 17 14:10:38 S4 named[2309]: client 172.20.4.1#58165: updating zone
> 'ariane.intra/NONE': deleting rrset at
> 'client7-PC.ariane.intra' A
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: subtracted rdataset
> client7-PC.ariane.intra
> 'client7-PC.ariane.intra.#0111200#011IN#011A#011172.20.4.1'
> Nov 17 14:10:38 S4 named[2309]: client 172.20.4.1#58165: updating zone
> 'ariane.intra/NONE': adding an RR at
> 'client7-PC.ariane.intra' A
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: added rdataset
> client7-PC.ariane.intra
> 'client7-PC.ariane.intra.#0111200#011IN#011A#011172.20.4.1'
> Nov 17 14:10:38 S4 named[2309]: samba_dlz: committed transaction on
> zone ariane.intra
>
> Thanks all!
> Sam
>
> On 16/11/2015 19:12, Rowland Penny wrote:
>> On 16/11/15 17:12, Sam wrote:
>>> Hello all,
>>>
>>> I have two new samba4 servers, with isc-dhcp and Bind. (Thanks to
>>> Louis's scripts)
>>> The AD was migrated from 2 Windows 2000 servers last Friday, with a
>>> copy of them in a private lan.
>>> Today we have shut down the old Windows 2000 server and put the 2 new
>>> samba4 in place of them.
>>> The problem is that the DHCP does not update the DNS systematically...
>>> That works with laptops (which have not been connected to the lan
>>> last week), but without reverse ptr too...
>>>
>>> I can see some errors in the syslog file:
>>> Nov 16 17:19:39 S4 named[2269]: samba_dlz b9_format: unhandled
>>> record type 0
>>> Nov 16 17:19:53 S4 named[2269]: samba_dlz: starting transaction on
>>> zone ariane.intra
>>> Nov 16 17:19:53 S4 named[2269]: client 172.21.37.104#51400: update
>>> 'ariane.intra/IN' denied
>>> Nov 16 17:19:53 S4 named[2269]: samba_dlz: cancelling transaction on
>>> zone ariane.intra
>>> Nov 16 17:19:53 S4 named[2269]: samba_dlz: starting transaction on
>>> zone ariane.intra
>>> Nov 16 17:19:53 S4 named[2269]: samba_dlz: disallowing update of
>>> signer=l-s4gt963\$\@ARIANE.INTRA name=L-S4GT963.ariane.intra type=A
>>> error=insufficient access rights
>>> Nov 16 17:19:53 S4 named[2269]: client 172.21.37.104#50486: updating
>>> zone 'ariane.intra/NONE': update failed: rejected by secure update
>>> (REFUSED)
>>> Nov 16 17:19:53 S4 named[2269]: samba_dlz: cancelling transaction on
>>> zone ariane.intra
>>>
>>> I identified these potential mistakes and tried to resolve them without
>>> better results:
>>> - I was trying to update dns in server1 from the server2 dhcp
>>> - In smb.conf I set allow dns updates = secure (and not nonsecure
>>> and secure like in the samba wiki)
>>>
>>> Thanks for helping!
>>> Best regards.
>>>
>>> Sam
>>
>> It looks to me as if your windows clients are trying to update their
>> own records, there is a GPO to stop this.
>> You should run dhcp and bind on the same DC. You do not need to
>> change anything in smb.conf if your setup is correct.
>>
>> Rowland
>>
>
OK, provided that:
A) you are running the DHCP server on the DC
B) you are also running Bind9 on the same DC
C) you have created the user in AD that the script uses.
it should work.

You may be better using the scripts I posted the link to earlier; it
doesn't use the cron script and you don't need to modify the bash
script. This is also the setup I am running, so I can assure you that
it does work.

Rowland
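
Added example, not part of the original thread or of the scripts it mentions: a small Python parser for the samba_dlz decision lines quoted above. It reports every DNS name and record type where one signer is refused while a different signer is accepted, which is the pattern in the win7 extract (dhcpd-user refused for a record the machine account can update). The sample lines are constructed in the thread's log format, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: decision lines in the format of the syslog extract
# quoted in the thread, one event per line (key= values are placeholders).
SAMPLE_LOG = r"""
Nov 17 13:43:59 S4 named[2309]: samba_dlz: allowing update of signer=dhcpd-user\@ARIANE.INTRA name=dhcp-172-20-4-28.ariane.intra tcpaddr=172.20.2.2 type=A key=PLACEHOLDER/160/0
Nov 17 14:10:38 S4 named[2309]: samba_dlz: disallowing update of signer=dhcpd-user\@ARIANE.INTRA name=client7-PC.ariane.intra type=A error=insufficient access rights
Nov 17 14:10:38 S4 named[2309]: samba_dlz: allowing update of signer=client7-pc\$\@ARIANE.INTRA name=client7-PC.ariane.intra tcpaddr= type=AAAA key=PLACEHOLDER/160/0
Nov 17 14:10:38 S4 named[2309]: samba_dlz: allowing update of signer=client7-pc\$\@ARIANE.INTRA name=client7-PC.ariane.intra tcpaddr= type=A key=PLACEHOLDER/160/0
"""

# Allow/deny decisions logged by the samba_dlz BIND module.
EVENT = re.compile(
    r"samba_dlz: (allowing|disallowing) update of "
    r"signer=(\S+) name=(\S+)(?: tcpaddr=\S*)? type=(\S+)"
)


def parse_events(log_text):
    """Yield (verdict, signer, fqdn, rrtype) for each decision line."""
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if m:
            verdict, signer, name, rrtype = m.groups()
            # syslog escapes '$' and '@' with backslashes; compare case-insensitively
            yield verdict, signer.replace("\\", "").lower(), name.lower(), rrtype


def ownership_conflicts(log_text):
    """Return records where one signer is refused and another is accepted."""
    seen = defaultdict(lambda: {"allowing": set(), "disallowing": set()})
    for verdict, signer, name, rrtype in parse_events(log_text):
        seen[(name, rrtype)][verdict].add(signer)
    conflicts = {}
    for key, v in seen.items():
        accepted = v["allowing"] - v["disallowing"]
        if v["disallowing"] and accepted:
            conflicts[key] = {"refused": sorted(v["disallowing"]),
                              "accepted": sorted(accepted)}
    return conflicts


if __name__ == "__main__":
    for (name, rrtype), who in ownership_conflicts(SAMPLE_LOG).items():
        print(f"{name} {rrtype}: refused {who['refused']}, accepted {who['accepted']}")
```

Real syslog wraps nothing, so the parser expects one event per line; the extract in the thread was wrapped by the mail client and would need unwrapping first.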