samba - Oct 2016 - Error update ddnc with static ips and samba 4.4.5

Hi,

With samba 4.4.5 with bind DLZ we have detected an error message with
machines that has static ip

Oct  8 16:52:47 server named[4247]: samba_dlz: starting transaction on zone
domain.com
Oct  8 16:52:47 server named[4247]: client 172.22.187.193#55746: update '
domain.com/IN' denied
Oct  8 16:52:47 server named[4247]: samba_dlz: cancelling transaction on
zone domain.com
Oct  8 16:52:47 server named[4247]: samba_dlz: starting transaction on zone
domain.com
Oct  8 16:52:47 server named[4247]: samba_dlz: disallowing update of
signer=SERVER\$\@domain.com name=SERVER.domain.com type=AAAA
error=insufficient access rights
Oct  8 16:52:47 server named[4247]: client 172.22.187.193#54706/key
SERVER\$\@domain.com: updating zone 'domain.com/NONE': update failed:
rejected by secure update (REFUSED)
Oct  8 16:52:47 server named[4247]: samba_dlz: cancelling transaction on
zone domain.com

We have detected that machines with dhcp (It was configured as is described
in samba wiki dhcp and samba 4) are updating correclty and any message with
error is reported, only with static ips

I have found some messages win samba list  describing this error after a
samba upgrade, and suggest recreate inverse zone, but our environment is a
new environment with 4.4.5, migrated from samba 3

Where is the problem?

On Mon, 10 Oct 2016 19:18:17 +0200
Trenta sis via samba <samba at lists.samba.org> wrote:
> Hi,
> 
> With samba 4.4.5 with bind DLZ we have detected an error message with
> machines that has static ip
> 
> Oct  8 16:52:47 server named[4247]: samba_dlz: starting transaction
> on zone domain.com
> Oct  8 16:52:47 server named[4247]: client 172.22.187.193#55746:
> update ' domain.com/IN' denied
> Oct  8 16:52:47 server named[4247]: samba_dlz: cancelling transaction
> on zone domain.com
> Oct  8 16:52:47 server named[4247]: samba_dlz: starting transaction
> on zone domain.com
> Oct  8 16:52:47 server named[4247]: samba_dlz: disallowing update of
> signer=SERVER\$\@domain.com name=SERVER.domain.com type=AAAA
> error=insufficient access rights
> Oct  8 16:52:47 server named[4247]: client 172.22.187.193#54706/key
> SERVER\$\@domain.com: updating zone 'domain.com/NONE': update
failed:
> rejected by secure update (REFUSED)
> Oct  8 16:52:47 server named[4247]: samba_dlz: cancelling transaction
> on zone domain.com
> 
> We have detected that machines with dhcp (It was configured as is
> described in samba wiki dhcp and samba 4) are updating correclty and
> any message with error is reported, only with static ips
> 
> I have found some messages win samba list  describing this error
> after a samba upgrade, and suggest recreate inverse zone, but our
> environment is a new environment with 4.4.5, migrated from samba 3
> 
> Where is the problem?
Are these windows clients, if so, you need to stop any windows clients
from trying to update their own dns records. You can do this on a
machine by machine basis, or there is a GPO.

Rowland

hi,

thanks for your information, we have dhcp (configured as wiki samba
example) and is working perfect only fails with machines with static ip.
I have tried to disable option update dns record and then this errors is
not showed but seems that with pure active directory this doesn't fail...
It is normal?


thanks> Hi,
>
> With samba 4.4.5 with bind DLZ we have detected an error message with
> machines that has static ip
>
> Oct  8 16:52:47 server named[4247]: samba_dlz: starting transaction
> on zone domain.com
> Oct  8 16:52:47 server named[4247]: client 172.22.187.193#55746:
> update ' domain.com/IN' denied
> Oct  8 16:52:47 server named[4247]: samba_dlz: cancelling transaction
> on zone domain.com
> Oct  8 16:52:47 server named[4247]: samba_dlz: starting transaction
> on zone domain.com
> Oct  8 16:52:47 server named[4247]: samba_dlz: disallowing update of
> signer=SERVER\$\@domain.com name=SERVER.domain.com type=AAAA
> error=insufficient access rights
> Oct  8 16:52:47 server named[4247]: client 172.22.187.193#54706/key
> SERVER\$\@domain.com: updating zone 'domain.com/NONE': update
failed:
> rejected by secure update (REFUSED)
> Oct  8 16:52:47 server named[4247]: samba_dlz: cancelling transaction
> on zone domain.com
>
> We have detected that machines with dhcp (It was configured as is
> described in samba wiki dhcp and samba 4) are updating correclty and
> any message with error is reported, only with static ips
>
> I have found some messages win samba list  describing this error
> after a samba upgrade, and suggest recreate inverse zone, but our
> environment is a new environment with 4.4.5, migrated from samba 3
>
> Where is the problem?
Are these windows clients, if so, you need to stop any windows clients
from trying to update their own dns records. You can do this on a
machine by machine basis, or there is a GPO.

Rowland



2016-10-10 19:18 GMT+02:00 Trenta sis <trenta.sis at gmail.com>:
>
> Hi,
>
> With samba 4.4.5 with bind DLZ we have detected an error message with
> machines that has static ip
>
> Oct  8 16:52:47 server named[4247]: samba_dlz: starting transaction on
> zone domain.com
> Oct  8 16:52:47 server named[4247]: client 172.22.187.193#55746: update
'
> domain.com/IN' denied
> Oct  8 16:52:47 server named[4247]: samba_dlz: cancelling transaction on
> zone domain.com
> Oct  8 16:52:47 server named[4247]: samba_dlz: starting transaction on
> zone domain.com
> Oct  8 16:52:47 server named[4247]: samba_dlz: disallowing update of
> signer=SERVER\$\@domain.com name=SERVER.domain.com type=AAAA
> error=insufficient access rights
> Oct  8 16:52:47 server named[4247]: client 172.22.187.193#54706/key
> SERVER\$\@domain.com: updating zone 'domain.com/NONE': update
failed:
> rejected by secure update (REFUSED)
> Oct  8 16:52:47 server named[4247]: samba_dlz: cancelling transaction on
> zone domain.com
>
> We have detected that machines with dhcp (It was configured as is
> described in samba wiki dhcp and samba 4) are updating correclty and any
> message with error is reported, only with static ips
>
> I have found some messages win samba list  describing this error after a
> samba upgrade, and suggest recreate inverse zone, but our environment is a
> new environment with 4.4.5, migrated from samba 3
>
> Where is the problem?
>
>

On Sun, 16 Oct 2016 21:55:12 +0200
Trenta sis via samba <samba at lists.samba.org> wrote:
> hi,
> 
> thanks for your information, we have dhcp (configured as wiki samba
> example) and is working perfect only fails with machines with static
> ip. I have tried to disable option update dns record and then this
> errors is not showed but seems that with pure active directory this
> doesn't fail... It is normal?
> 
> 
> thanks> Hi,
> >
> > With samba 4.4.5 with bind DLZ we have detected an error message
> > with machines that has static ip
> >
> > Oct  8 16:52:47 server named[4247]: samba_dlz: starting transaction
> > on zone domain.com
> > Oct  8 16:52:47 server named[4247]: client 172.22.187.193#55746:
> > update ' domain.com/IN' denied
> > Oct  8 16:52:47 server named[4247]: samba_dlz: cancelling
> > transaction on zone domain.com
> > Oct  8 16:52:47 server named[4247]: samba_dlz: starting transaction
> > on zone domain.com
> > Oct  8 16:52:47 server named[4247]: samba_dlz: disallowing update of
> > signer=SERVER\$\@domain.com name=SERVER.domain.com type=AAAA
> > error=insufficient access rights
> > Oct  8 16:52:47 server named[4247]: client 172.22.187.193#54706/key
> > SERVER\$\@domain.com: updating zone 'domain.com/NONE': update
> > failed: rejected by secure update (REFUSED)
> > Oct  8 16:52:47 server named[4247]: samba_dlz: cancelling
> > transaction on zone domain.com
> >
> > We have detected that machines with dhcp (It was configured as is
> > described in samba wiki dhcp and samba 4) are updating correclty and
> > any message with error is reported, only with static ips
> >
> > I have found some messages win samba list  describing this error
> > after a samba upgrade, and suggest recreate inverse zone, but our
> > environment is a new environment with 4.4.5, migrated from samba 3
> >
> > Where is the problem?
> 
> Are these windows clients, if so, you need to stop any windows clients
> from trying to update their own dns records. You can do this on a
> machine by machine basis, or there is a GPO.
> 
> Rowland
> 
> 
> 
> 2016-10-10 19:18 GMT+02:00 Trenta sis <trenta.sis at gmail.com>:
> 
> >
> > Hi,
> >
> > With samba 4.4.5 with bind DLZ we have detected an error message
> > with machines that has static ip
> >
> > Oct  8 16:52:47 server named[4247]: samba_dlz: starting transaction
> > on zone domain.com
> > Oct  8 16:52:47 server named[4247]: client 172.22.187.193#55746:
> > update ' domain.com/IN' denied
> > Oct  8 16:52:47 server named[4247]: samba_dlz: cancelling
> > transaction on zone domain.com
> > Oct  8 16:52:47 server named[4247]: samba_dlz: starting transaction
> > on zone domain.com
> > Oct  8 16:52:47 server named[4247]: samba_dlz: disallowing update of
> > signer=SERVER\$\@domain.com name=SERVER.domain.com type=AAAA
> > error=insufficient access rights
> > Oct  8 16:52:47 server named[4247]: client 172.22.187.193#54706/key
> > SERVER\$\@domain.com: updating zone 'domain.com/NONE': update
> > failed: rejected by secure update (REFUSED)
> > Oct  8 16:52:47 server named[4247]: samba_dlz: cancelling
> > transaction on zone domain.com
> >
> > We have detected that machines with dhcp (It was configured as is
> > described in samba wiki dhcp and samba 4) are updating correclty
> > and any message with error is reported, only with static ips
> >
> > I have found some messages win samba list  describing this error
> > after a samba upgrade, and suggest recreate inverse zone, but our
> > environment is a new environment with 4.4.5, migrated from samba 3
> >
> > Where is the problem?
> >
> >
It is trying to update an ipv6 address, do you use these ?
and have you stopped windows trying to update ipv6 records ?

Rowland

On Mon, Oct 10, 2016 at 10:18 AM, Trenta sis via samba <
samba at lists.samba.org> wrote:
> We have detected that machines with dhcp (It was configured as is described
> in samba wiki dhcp and samba 4) are updating correclty and any message with
> error is reported, only with static ips
>
I see the same error message for two of my machines that have fixed
addresses that I manually added to DNS using the DNS Manager. I don't know
if it matters, but both of these machines are running Windows Server 2008.
All of my Win 7 workstations use dhcp and they update correctly without any
error messages.

I don't think this is a problem, everything works. Someday I may try
removing the DNS entries to see if the machines will then add themselves
back in. I had to add the DNS entries for these two servers manually before
the machines were actually part of the domain as part of my migration to AD.

On Mon, Oct 17, 2016 at 10:24 AM, Mark Nienberg <
mnlists at tippingstructural.com> wrote:
>
> On Mon, Oct 10, 2016 at 10:18 AM, Trenta sis via samba <
> samba at lists.samba.org> wrote:
>
>> We have detected that machines with dhcp (It was configured as is
>> described
>> in samba wiki dhcp and samba 4) are updating correclty and any message
>> with
>> error is reported, only with static ips
>>
>
> I see the same error message for two of my machines that have fixed
> addresses that I manually added to DNS using the DNS Manager. I don't
know
> if it matters, but both of these machines are running Windows Server 2008.
> All of my Win 7 workstations use dhcp and they update correctly without any
> error messages.
>
> I don't think this is a problem, everything works. Someday I may try
> removing the DNS entries to see if the machines will then add themselves
> back in. I had to add the DNS entries for these two servers manually before
> the machines were actually part of the domain as part of my migration to
AD.
>

I removed the entry that I had manually created in DNS for one of the
windows machines with a static IP. Then I rebooted the windows machine. The
DNS entry was re-created in DNS and the samba_dlz error no longer occurs. I
guess there must be some difference between a DNS entry that is manually
configured and one that is dynamically configured by AD even though they
look the same in DNS Manager.

Mark