Hello,

I'm using Samba 4.5.1 as an ADDC and the internal DNS. If I use 'allow dns updates = secure' in my smb.conf, only A records update. The applicable reverse zone fails to update. If I switch to using non-secure updates, both the A and the PTR records are updated. Is someone else able to confirm this behavior? Thanks.

--
- James

Hai James,

What is the connection's DNS suffix of the PC?
And did you set up TLS in your Samba?

Look here, in the advanced TCP settings of the PC (or ipconfig /all).

And is it ticked "Use this connection's DNS suffix in DNS registration"
(In DHCP option 81.)

Or use Group Policy editors.
- Computer Configuration\Administrative Templates\Network\DNS Client
-Connection Specific DNS Suffix: enabled, and set to your.domain.tld
-Register DNS records with connection-specific DNS suffix: enabled
-Register PTR Records: enabled
-Dynamic Update: enabled

Or use static IPs, then A and PTR are registered by the computer.

Key is to remember, Windows uses the connection-specific DNS suffix to register DNS records.

Greetz,

Louis

Sorry, you're missing a screen dump..

This part,
> And is it ticked "Use this connection's DNS suffix in DNS registration"
> (In DHCP option 81.)
Found in Windows, network interface, TCP settings, tab DNS, at the bottom.

Hi Louis,

Comments inline

On 11/22/2016 3:38 AM, L.P.H. van Belle via samba wrote:
> Hai James,
>
> What is the connection's DNS suffix of the PC?
domain.local
> And did you set up TLS in your Samba?
No. How?
> Look here, in the advanced TCP settings of the PC (or ipconfig /all).
>
> And is it ticked "Use this connection's DNS suffix in DNS registration"
> (In DHCP option 81.)
Our routers handle DHCP.
> Or use Group Policy editors.
> - Computer Configuration\Administrative Templates\Network\DNS Client
> -Connection Specific DNS Suffix: enabled, and set to your.domain.tld
> -Register DNS records with connection-specific DNS suffix: enabled
> -Register PTR Records: enabled
> -Dynamic Update: enabled
I tried this method as well.
> Or use static IPs, then A and PTR are registered by the computer.
Static IPs only register if I disable secure updates.
> Key is to remember, Windows uses the connection-specific DNS suffix to register DNS records.
>
> Greetz,
>
> Louis

--
- James

On 11/22/2016 3:43 AM, L.P.H. van Belle via samba wrote:
> Sorry, you're missing a screen dump..
>
> This part,
>> And is it ticked "Use this connection's DNS suffix in DNS registration"
>> (In DHCP option 81.)
> Found in Windows, network interface, TCP settings, tab DNS, at the bottom.

I'll point out what I have set in my smb.conf

samba-tool testparm -v | grep tls
    ldap ssl = start tls
    tls cafile = tls/ca.pem
    tls certfile = tls/cert.pem
    tls crlfile
    tls dh params file
    tls enabled = Yes
    tls keyfile = tls/key.pem
    tls priority = NORMAL:-VERS-SSL3.0
    tls verify peer = ca_and_name

--
- James

Comments inline

> -----Original message-----
> From: lingpanda101 [mailto:lingpanda101 at gmail.com]
> Sent: Tuesday 22 November 2016 15:32
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Reverse zones fail with secure updates
>
> Hi Louis,
>
> Comments inline
>
> On 11/22/2016 3:38 AM, L.P.H. van Belle via samba wrote:
> > Hai James,
> >
> > What is the connection's DNS suffix of the PC?
> domain.local
Uhm.., if you are in production don't change it, but .local (and .lan) are reserved by Apple's mDNS (zeroconf/avahi).
> > And did you set up TLS in your Samba?
> No. How?
https://wiki.samba.org/index.php/Configuring_LDAP_over_SSL_(LDAPS)_on_a_Samba_AD_DC
> > Look here, in the advanced TCP settings of the PC (or ipconfig /all).
> >
> > And is it ticked "Use this connection's DNS suffix in DNS registration"
> > (In DHCP option 81.)
> Our routers handle DHCP.
OK, then do your routers send option 81, of the DNS suffix? If not possible, then the Group Policy is your last option.
> > Or use Group Policy editors.
> > - Computer Configuration\Administrative Templates\Network\DNS Client
> > -Connection Specific DNS Suffix: enabled, and set to your.domain.tld
> > -Register DNS records with connection-specific DNS suffix: enabled
> > -Register PTR Records: enabled
> > -Dynamic Update: enabled
> I tried this method as well.
This works, I use a setup like this. ! Must be a computer policy, and you must reboot 2x to see if it works.
> > Or use static IPs, then A and PTR are registered by the computer.
> Static IPs only register if I disable secure updates.
Due to no TLS/SSL
> > Key is to remember, Windows uses the connection-specific DNS suffix to register DNS records.
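
Added example, not written by anyone in this thread: one way to reproduce the symptom James describes without a Windows client is to send a GSS-TSIG signed update (nsupdate -g, which is how a secure dynamic update is authenticated) for an A record and for the matching PTR record, and compare the two results. The DC name, zone names, host name and address are constructed placeholders, and a Kerberos ticket from kinit is assumed.

```shell
#!/bin/sh
# Added diagnostic sketch; every name and address below is a constructed placeholder.
DC="dc1.samdom.example.com"        # assumed Samba AD DC running the internal DNS
FWD_ZONE="samdom.example.com"      # assumed forward zone
REV_ZONE="2.0.192.in-addr.arpa"    # assumed reverse zone for 192.0.2.0/24
HOST="client1.samdom.example.com"  # assumed client name
IP="192.0.2.50"                    # assumed client address

# ptr_name IPV4: print the PTR owner name, e.g. 50.2.0.192.in-addr.arpa
ptr_name() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# in_zone NAME ZONE: succeed when NAME is ZONE itself or a name below it
in_zone() {
    case "$1" in
        "$2"|*."$2") return 0 ;;
        *) return 1 ;;
    esac
}

# update_script ZONE NAME TYPE DATA: print the nsupdate commands for one record
update_script() {
    printf 'server %s\nzone %s\nupdate delete %s %s\nupdate add %s 900 %s %s\nsend\n' \
        "$DC" "$1" "$2" "$3" "$2" "$3" "$4"
}

# try_update LABEL ZONE NAME TYPE DATA: send one signed update and report the result
try_update() {
    label=$1; shift
    if update_script "$@" | nsupdate -g; then
        echo "$label update accepted"
    else
        echo "$label update REFUSED"; return 1
    fi
}

# Contacts the DC only when invoked with the argument "run".
if [ "${1:-}" = "run" ]; then
    PTR=$(ptr_name "$IP") || exit 2
    in_zone "$PTR" "$REV_ZONE" || { echo "$PTR is not inside $REV_ZONE"; exit 2; }
    try_update "A" "$FWD_ZONE" "$HOST" A "$IP"
    try_update "PTR" "$REV_ZONE" "$PTR" PTR "$HOST."
fi
```

If the A update is accepted and the PTR update is refused with the same ticket, the difference lies with the reverse zone on the server rather than with the client's registration settings.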