Norbert Hanke
2016-Jul-17 23:02 UTC
[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
Hello,
I'm trying to join a samba 4 DC to an already existing samba 4 DC, both
with BIND9_DLZ. Samba is at version 4.4.5, bind is version 9.10.4-P1,
all brand new.
The existing DC runs fine, but the added DC refuses to update its local
bind database: every attempt to update the local DNS results in "update
failed: NOTAUTH". AD replication works perfectly.
Both systems are set up identically except for the provisioning/joining
command. On the first I did
samba-tool domain provision --use-rfc2307 --domain=$domain \
    --server-role=dc --dns-backend=BIND9_DLZ \
    --realm=$realm --adminpass=Wonttell
and on the second I do
samba-tool domain join $domain DC -Uadministrator --realm=$realm \
    --dns-backend=BIND9_DLZ
Versions are the same, bind config is the same, I tried to follow every
rule I could find.
# samba_dnsupdate --verbose -d 9
INFO: Current debug levels:
all: 9
(... more such levels ...)
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
added interface eth0 ip=192.168.1.9 bcast=192.168.1.255
netmask=255.255.255.0
IPs: ['192.168.1.9']
Module 'tombstone_reanimate' is disabled. Skip registration.
lpcfg_servicenumber: couldn't find ldb
schema_fsmo_init: we are master[no] updates allowed[no]
schema_fsmo_init: we are master[no] updates allowed[no]
Looking for DNS entry A dc2.ad.domain.ch 192.168.1.9 as dc2.ad.domain.ch.
Looking for DNS entry A ad.domain.ch 192.168.1.9 as ad.domain.ch.
Failed to find matching DNS entry A ad.domain.ch 192.168.1.9
need update: A ad.domain.ch 192.168.1.9
(... many more such Looking...need update blocks)
24 DNS updates and 0 DNS deletes needed
ldb_wrap open of secrets.ldb
Received smb_krb5 packet of length 298
Received smb_krb5 packet of length 1311
update(nsupdate): A ad.domain.tld 192.168.1.9
Calling nsupdate for A ad.domain.tld 192.168.1.9 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ad.domain.tld. 900 IN A 192.168.1.9
update failed: NOTAUTH
Failed nsupdate: 2
(... many more such failed updates ...)
Failed update of 24 entries
# 22:37:30 root@dc2:/root/
In /var/log/syslog these 24 equivalent error messages appear every 10
minutes:
Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.742592, 0]
../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
Jul 17 22:52:06 dc2 samba[3960]: /usr/local/samba/sbin/samba_dnsupdate:
update failed: NOTAUTH
and the last of the 24 entries is always followed by
Jul 17 22:52:06 dc2 samba[3960]: [2016/07/17 22:52:06.866877, 0]
../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
Jul 17 22:52:06 dc2 samba[3960]: ../source4/dsdb/dns/dns_update.c:295:
Failed DNS update - NT_STATUS_TOO_MANY_OPENED_FILES
smb.conf is minimalistic:
# Global parameters
[global]
netbios name = DC2
realm = AD.DOMAIN.TLD
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
workgroup = DOMAIN
server role = active directory domain controller
[netlogon]
path = /usr/local/samba/var/locks/sysvol/ad.domain.tld/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
Maybe somebody has an idea what I did wrong?
Achim Gottinger
2016-Jul-17 23:52 UTC
[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
On 18.07.2016 01:02, Norbert Hanke wrote:
> [...]

resolv.conf on dc2 should point to dc1 during join. Is that the case?
Does kinit work on dc2?
Norbert Hanke
2016-Jul-18 09:45 UTC
[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
On 18.07.2016 01:52, Achim Gottinger wrote:
> On 18.07.2016 01:02, Norbert Hanke wrote:
>> [...]
>
> resolv.conf on dc2 should point to dc1 during join. Is that the case?
> Does kinit work on dc2?

Yes, I did

cat <<EOF >/etc/resolv.conf
domain $domain
nameserver $otherip
nameserver $ip
EOF

($ip is the local system, $otherip is the existing DC) resulting in

# cat /etc/resolv.conf
domain ad.domain.ch
nameserver 192.168.1.8
nameserver 192.168.1.9

Before joining I did

klist -e | grep administrator@$realm || kinit administrator

and looking at it right now half a day later I get

# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@AD.DOMAIN.CH

Valid starting     Expires            Service principal
17/07/16 21:56:59  18/07/16 07:56:59  krbtgt/AD.DOMAIN.CH@AD.DOMAIN.CH
        renew until 18/07/16 21:56:55, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

So it is expired right now, another kinit gets me a new tgt:

# kinit -R
kinit: Ticket expired while renewing credentials
# kinit
Password for administrator@AD.DOMAIN.CH:
Warning: Your password will expire in 32 days on Sat 20 Aug 2016 08:27:10 UTC
# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@AD.DOMAIN.CH

Valid starting     Expires            Service principal
18/07/16 09:35:01  18/07/16 19:35:01  krbtgt/AD.DOMAIN.CH@AD.DOMAIN.CH
        renew until 19/07/16 09:34:58, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

samba_dnsupdate still fails.
Tim
2016-Jul-18 17:15 UTC
[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
Hi Norbert,

I have never used Bind as a Samba DNS backend, but this sounds like a permission problem, so that your Samba process isn't allowed to update Bind. Possibly you should take a look at the permissions.

Regards
Tim

On 18 July 2016 01:02:32 CEST, Norbert Hanke <norbert.hanke at gmx.ch> wrote:
> [...]
Rowland penny
2016-Jul-18 18:10 UTC
[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
On 18/07/16 00:02, Norbert Hanke wrote:
> [...]

Try reading this wiki page, it may help:

https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins

Rowland
Norbert Hanke
2016-Jul-18 20:31 UTC
[Samba] samba 4.4.5 DC with bind9: DNS update failing with NOTAUTH
On 18.07.2016 20:10, Rowland penny wrote:
> On 18/07/16 00:02, Norbert Hanke wrote:
>> [...]
>
> Try reading this wiki page, it may help:
>
> https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins
>
> Rowland

Yes, I did that from the beginning. The entries were indeed missing and I added them. I also tried adding with a lower-case dc2 instead of DC2. It did not make a difference.

But now it surprises me that adding worked at all. Isn't a "samba-tool dns add ..." about the same as what samba_dnsupdate does when adding entries? And I just checked: the two added entries are still there and are resolvable through both DNS servers.

It's a mystery to me.
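The question in the last message, whether "samba-tool dns add" does the same thing as samba_dnsupdate, is where the diagnosis should start, because the two take different paths. samba-tool dns add talks to the Samba process over the DNS server management RPC and writes the record into the directory; samba_dnsupdate, as its own trace shows ("Calling nsupdate for ..."), drives nsupdate to send an RFC 2136 dynamic update signed with GSS-TSIG to the nameserver, and the "ldb_wrap open of secrets.ldb" followed by the smb_krb5 packets shows it fetching the DC's own Kerberos credentials rather than using the administrator ticket in root's cache. So a working kinit as administrator and a working samba-tool dns add do not exercise the failing path. The rcode itself is ambiguous: RFC 2136 section 2.2 defines NOTAUTH (rcode 9) as "server not authoritative for zone", while RFC 2845 section 4 returns the same rcode when a TSIG or GSS-TSIG signature is rejected (BADSIG, BADKEY, BADTIME), so "update failed: NOTAUTH" alone cannot tell a zone problem from a Kerberos problem. The script below is an added example for this thread, not code from Samba or BIND; the zone, host names, addresses and the sample dig/nsupdate outputs are constructed to match the thread, and live use assumes dig(1) and nsupdate(1) from BIND on PATH. It checks which of the resolv.conf nameservers answers the zone's SOA authoritatively (the "aa" flag, which the update target must set), builds an nsupdate script that mirrors the record samba_dnsupdate sends but with an explicit server and zone, and maps nsupdate's result line to what to look at next.

```python
#!/usr/bin/env python3
"""Pin down what an nsupdate 'update failed: NOTAUTH' against an AD zone means.

Added example for this thread, not code from Samba or BIND.  Zone, host
names, IPs and the sample tool outputs are constructed to match the thread.
Live use needs dig(1) and nsupdate(1) from BIND on PATH.
"""
import re
import subprocess

ZONE = "ad.domain.tld"            # constructed, as in the thread
NEW_DC = "dc2.ad.domain.tld"
NEW_DC_IP = "192.168.1.9"

# Constructed sample: resolv.conf as posted in the thread.
SAMPLE_RESOLV = "domain ad.domain.tld\nnameserver 192.168.1.8\nnameserver 192.168.1.9\n"

# Constructed sample: a DC answering its own zone's SOA authoritatively (aa set).
SAMPLE_DIG_AUTH = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
# Constructed sample: a server that only forwards for the zone (no aa flag).
SAMPLE_DIG_FORWARDED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""
# Constructed sample: the nsupdate error line seen in the thread.
SAMPLE_NSUPDATE_STDERR = "update failed: NOTAUTH\n"

# rcode 9 is "not authoritative for zone" in RFC 2136 s.2.2, but RFC 2845 s.4
# returns the same rcode when a TSIG/GSS-TSIG signature fails, so the word
# NOTAUTH alone does not separate a zone problem from a Kerberos problem.
RCODE_HINTS = {
    "NOERROR": "update accepted",
    "NOTAUTH": "server is not authoritative for the zone (RFC 2136), or the "
               "GSS-TSIG signature was rejected (RFC 2845 BADSIG/BADKEY/BADTIME); "
               "compare with the SOA aa check and read named's log",
    "REFUSED": "update-policy/allow-update denied it (named logs the reason)",
    "NOTZONE": "a name in the update is outside the zone in the Zone section",
    "SERVFAIL": "server-side failure while applying the update; read named's log",
}


def parse_resolv_conf(text):
    """Nameserver IPs in the order the resolver tries them (the first one matters during a join)."""
    return re.findall(r"^\s*nameserver\s+(\S+)", text, re.M)


def parse_dig_header(text):
    """Extract status and flags from dig's ';; ->>HEADER<<-' and ';; flags:' lines."""
    status = re.search(r"status:\s*([A-Z]+)", text)
    flags = re.search(r"^;; flags:\s*([a-z ]*);", text, re.M)
    return {"status": status.group(1) if status else None,
            "flags": set(flags.group(1).split()) if flags else set()}


def is_authoritative(dig_output):
    """A server that can take RFC 2136 updates for the zone answers its SOA with aa set."""
    hdr = parse_dig_header(dig_output)
    return hdr["status"] == "NOERROR" and "aa" in hdr["flags"]


def classify_nsupdate_result(output_text):
    """Turn nsupdate's 'update failed: <RCODE>' line into (rcode, hint); NOERROR if absent."""
    m = re.search(r"update failed:\s*([A-Z]+)", output_text)
    rcode = m.group(1) if m else "NOERROR"
    return rcode, RCODE_HINTS.get(rcode, "unexpected rcode; read named's log")


def build_nsupdate_script(server, name, ip, zone=ZONE, ttl=900):
    """nsupdate input mirroring the record samba_dnsupdate sends (no prereqs, TTL 900),
    with explicit 'server' and 'zone' lines so the target is not left to nsupdate's
    SOA MNAME lookup.  'gsstsig' signs with the ticket in the caller's credential
    cache, so this exercises root's ticket, not the DC's own credentials."""
    return "\n".join(["gsstsig", f"server {server}", f"zone {zone}.",
                      f"update add {name}. {ttl} IN A {ip}", "send", ""])


def dig_soa(server, zone=ZONE):
    """Live query (needs dig on PATH); +norecurse exposes a server that merely forwards."""
    return subprocess.run(["dig", "+norecurse", f"@{server}", zone, "SOA"],
                          capture_output=True, text=True, timeout=5).stdout


def run_nsupdate(script):
    """Live update (needs nsupdate and a valid TGT); returns (rcode, hint)."""
    proc = subprocess.run(["nsupdate", "-d"], input=script, capture_output=True, text=True)
    return classify_nsupdate_result(proc.stderr + proc.stdout)


if __name__ == "__main__":
    # Offline demonstration on the constructed samples; swap in dig_soa()/run_nsupdate() live.
    for ns, out in zip(parse_resolv_conf(SAMPLE_RESOLV), (SAMPLE_DIG_AUTH, SAMPLE_DIG_FORWARDED)):
        print(f"{ns}: authoritative for {ZONE} = {is_authoritative(out)}")
    print(classify_nsupdate_result(SAMPLE_NSUPDATE_STDERR))
    print(build_nsupdate_script("192.168.1.9", NEW_DC, NEW_DC_IP))
```

Run it on the joining DC once with server set to itself and once with server set to the existing DC: if the manual update with root's administrator ticket succeeds against the peer but fails against the local BIND, the zone is not being served authoritatively by the local DLZ instance; if both fail while dig shows aa on both, the signature side (the credentials samba_dnsupdate pulls from secrets.ldb, or named's GSS-TSIG keytab) is where to read named's log.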