Michael A Weber
2016-Sep-30 18:27 UTC
[Samba] Workstation AD members failing DNS updates - and worse!
Greetings, everyone.

I have Samba 4.4.5, built from source on CentOS 6.8 using Bind 9.8.2 and configured in the last couple months. It’s in place and functioning, but I’m having a few issues I’m trying to iron out.

First, the workstations added to the AD domain are not able to make DNS updates if the IP address changes after the domain join. However, at the time of the AD join, the DNS entries were created successfully.

This, however, is now a secondary problem as I have a new, potentially larger issue that I cannot identify its cause and I believe needs to be addressed before we get workstations updating DNS entries.

When I was configuring everything, I tested the DNS configuration and managed to iron out all the SELinux problems with samba_dnsupdate --verbose --all-names, and that did function correctly…

…but now if I run it, it is failing.

27 updates it wants to perform, and all 27 fail with similar (this is sanitized):

27 DNS updates and 0 DNS deletes needed
update(nsupdate): A addc.domain2.domain1.tld 192.168.237.21
Calling nsupdate for A addc.domain2.domain1.tld 192.168.237.21 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
addc.domain2.domain1.tld. 900 IN A 192.168.237.21

update failed: NOTAUTH
Failed nsupdate: 2

I’ve googled the NOTAUTH errors but cannot find anything particular to my system which may be the cause, I’ve gone back and verified all my configuration information is seemingly correct per the wiki pages, checked permissions on needed .keytab and .conf files, checked logs for any SELinux errors, and nothing. I can’t figure out what I may have changed which made my working configuration stop working.

So, I’d like to get this working first and then try to get the workstation DNS updates functioning, too.

Any ideas? I’m completely lost (or, looking at things for so many hours have glossed over my poor eyes and I just can’t see what is the problem).

Best,
Mike
Mark Nienberg
2016-Oct-05 17:21 UTC
[Samba] Workstation AD members failing DNS updates - and worse!
On Fri, Sep 30, 2016 at 11:27 AM, Michael A Weber via samba <samba at lists.samba.org> wrote:

> I have Samba 4.4.5, built from source on CentOS 6.8 using Bind 9.8.2 and
> configured in the last couple months. It’s in place and functioning, but
> I’m having a few issues I’m trying to iron out.
>
> First, the workstations added to the AD domain are not able to make DNS
> updates if the IP address changes after the domain join. However, at the
> time of the AD join, the DNS entries were created successfully.
>
> This, however, is now a secondary problem as I have a new, potentially
> larger issue that I cannot identify its cause and I believe needs to be
> addressed before we get workstations updating DNS entries.
>
> When I was configuring everything, I tested the DNS configuration and
> managed to iron out all the SELinux problems with samba_dnsupdate --verbose
> --all-names, and that did function correctly…
>
> …but now if I run it, it is failing.
>
> 27 updates it wants to perform, and all 27 fail with similar (this is
> sanitized):
>
> 27 DNS updates and 0 DNS deletes needed
> update(nsupdate): A addc.domain2.domain1.tld 192.168.237.21
> Calling nsupdate for A addc.domain2.domain1.tld 192.168.237.21 (add)
> Outgoing update query:
> ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
> ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
> ;; UPDATE SECTION:
> addc.domain2.domain1.tld. 900 IN A 192.168.237.21
>
> update failed: NOTAUTH
> Failed nsupdate: 2
>
> I’ve googled the NOTAUTH errors but cannot find anything particular to my
> system which may be the cause, I’ve gone back and verified all my
> configuration information is seemingly correct per the wiki pages, checked
> permissions on needed .keytab and .conf files, checked logs for any SELinux
> errors, and nothing. I can’t figure out what I may have changed which made
> my working configuration stop working.
>
> So, I’d like to get this working first and then try to get the workstation
> DNS updates functioning, too.
>
> Any ideas? I’m completely lost (or, looking at things for so many hours
> have glossed over my poor eyes and I just can’t see what is the problem).
>

You might try adding this to smb.conf at least for debugging. If it works again then you can focus on the auth issues.

allow dns updates = nonsecure
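
Added example, not part of the original thread: a small Python parser for the samba_dnsupdate --verbose output quoted above that tallies failed updates by DNS response code, which makes it easy to compare a run before and after a configuration change. The function names, the hint table and the second sample record are assumptions made for illustration, as is treating an update with no "update failed:" line as successful.

```python
import re
from collections import Counter

# Constructed sample in the shape of the output quoted in the thread; the
# second record (name and address) is invented for illustration.
SAMPLE = """\
2 DNS updates and 0 DNS deletes needed
update(nsupdate): A addc.domain2.domain1.tld 192.168.237.21
Calling nsupdate for A addc.domain2.domain1.tld 192.168.237.21 (add)
update failed: NOTAUTH
Failed nsupdate: 2
update(nsupdate): A host2.domain2.domain1.tld 192.168.237.22
Calling nsupdate for A host2.domain2.domain1.tld 192.168.237.22 (add)
"""

# Response code meanings per RFC 2136 (dynamic update) and RFC 2845 (TSIG).
HINTS = {
    "NOTAUTH": "server not authoritative for the zone, or a TSIG check failed",
    "REFUSED": "server policy refused the update",
    "SERVFAIL": "server failed while processing the update",
}

CALL = re.compile(r"^Calling nsupdate for (\S+) (\S+) (.*) \((add|delete)\)\s*$")
FAIL = re.compile(r"^update failed: (\S+)")

def parse(text):
    """One dict per attempted update; rcode stays None if no failure follows
    (assumption: no 'update failed:' line means the update succeeded)."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        m = CALL.match(line)
        if m:
            results.append({"type": m[1], "name": m[2], "data": m[3],
                            "op": m[4], "rcode": None})
            continue
        m = FAIL.match(line)
        if m and results:
            results[-1]["rcode"] = m[1]  # failure belongs to the latest call
    return results

def summarize(results):
    """Count failed updates per response code."""
    return Counter(r["rcode"] for r in results if r["rcode"])

if __name__ == "__main__":
    res = parse(SAMPLE)
    for rcode, n in summarize(res).items():
        print(f"{n} of {len(res)} failed with {rcode}: {HINTS.get(rcode, 'unknown')}")
```
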