I'm always seeing that.
Feb 8 11:42:20 dc1 named[457]: samba_dlz: starting transaction on zone internal.domain.tld
Feb 8 11:42:20 dc1 named[457]: client 192.168.0.123#56729: update 'internal.domain.tld/IN' denied
Feb 8 11:42:20 dc1 named[457]: samba_dlz: cancelling transaction on zone internal.domain.tld
Feb 8 11:42:20 dc1 named[457]: samba_dlz: starting transaction on zone internal.domain.tld
Feb 8 11:42:20 dc1 named[457]: samba_dlz: allowing update of signer=PCNAME-001\$\@REALM ... etc.
Feb 8 11:42:20 dc1 named[457]: samba_dlz: starting transaction on zone 0.168.192.in-addr.arpa
Feb 8 11:42:20 dc1 named[457]: client 192.168.0.123#59836: update 0.168.192.in-addr.arpa/IN' denied
Feb 8 11:42:20 dc1 named[457]: samba_dlz: cancelling transaction on zone 0.168.192.in-addr.arpa
Feb 8 11:42:20 dc1 named[457]: samba_dlz: starting transaction on zone 0.168.192.in-addr.arpa
Feb 8 11:42:20 dc1 named[457]: samba_dlz: allowing update of signer=PCNAME-001\$\@REALM ... etc.
But all my PCs register fine in the domain and reverse zones (static IPs and DHCP IPs),
where the DHCP server is not in my Samba AD DC domain/LAN.
> > named[27869]: client 192.168.122.84#59657: update 'foo/IN' denied
> > named[27869]: samba_dlz: cancelling transaction on zone foo
But for basti the samba_dlz is canceled...
So Basti, read this link again and do all checks..
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
For the dns.keytab file, make sure you have the correct user here.
The example shows root:named, but for example in Debian that's root:bind.
I didn't catch your OS.
If you have apparmor running:
https://wiki.samba.org/index.php/BIND9_DLZ_AppArmor_and_SELinux_Integration
Last parts you can try.
Check if you have: empty-zones-enable no; in your named config.
And optionally add:
globally:
(this part outside! above your options {)
acl all-networks {
192.168.0.0/24; 10.249.0.0/16;
};
(this part inside your options {)
// Add any subnets or hosts you want to allow to use this DNS server
allow-query { "all-networks"; 127.0.0.1/32; };
// Add any subnets or hosts you want to allow to use recursive queries
allow-recursion { "all-networks"; 127.0.0.1/32; };
I suggest focusing on the keytab first, since your samba_DLZ is canceled.
Greetz,
Louis
> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Wednesday 8 February 2017 12:02
> To: samba at lists.samba.org
> Subject: Re: [Samba] gpupdate use wrong url
>
> On Wed, 8 Feb 2017 11:20:13 +0100
> basti via samba <samba at lists.samba.org> wrote:
>
> > I have done the bind config like Rowland's post.
> > The problem is still the same.
> >
> > windows:
> > nslookup foo -> nxdomain
> > nslookup foo. -> ip of DC
> >
> > in Linux both return an IP
> >
> > What about the file named.conf.update in samba/private?
> >
> > I have tried to include it in named.conf or in
> >
> > dlz "AD DNS Zone"{
> > ...
> > include ../named.conf.update
> > }
> > without success.
> >
> > My bind log errors like
> > named[27869]: samba_dlz: starting transaction on zone foo
> > named[27869]: client 192.168.122.84#59657: update 'foo/IN' denied
> > named[27869]: samba_dlz: cancelling transaction on zone foo
> >
> >
> >
> >
> >
>
> Apart from the files I posted, my bind setup is the same as yours,
> except I also run a dhcp server on the DC.
>
> I have just tried 'nslookup' on a windows 7 machine, a Samba DC and a
> Linux domain member, they all return the same results.
>
> This line:
>
> named[27869]: client 192.168.122.84#59657: update 'foo/IN' denied
>
> Shows that your clients are being denied permission to update their own
> records. You need to investigate this, or add 'allow dns updates
> nonsecure' to the smb.conf on the Samba AD DC
>
> I think your 'nslookup' problems are being caused by having your dns
> domain set to 'foo', which is also the same as your workgroup name
> 'foo'.
>
> Rowland
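
An added example (not part of the original messages and not Samba or BIND code): a Python sketch that separates the two log patterns seen in this thread, a denied update that is followed by an allowed signed update versus a denied update with no signed retry. The sample log is constructed from the lines quoted above; the function name, the status labels and the match-by-zone simplification are assumptions.

```python
import re

# Patterns for the three named/samba_dlz messages quoted in this thread.
START = re.compile(r"named\[\d+\]: samba_dlz: starting transaction on zone (\S+)")
DENIED = re.compile(r"named\[\d+\]: client ([\d.]+)#\d+: update '([^'/]+)/IN' denied")
ALLOW = re.compile(r"named\[\d+\]: samba_dlz: allowing update of signer=(\S+)")

# Constructed sample: the first five lines follow the dc1 pattern,
# the last three follow the pattern reported for zone foo.
SAMPLE_LOG = """\
Feb 8 11:42:20 dc1 named[457]: samba_dlz: starting transaction on zone internal.domain.tld
Feb 8 11:42:20 dc1 named[457]: client 192.168.0.123#56729: update 'internal.domain.tld/IN' denied
Feb 8 11:42:20 dc1 named[457]: samba_dlz: cancelling transaction on zone internal.domain.tld
Feb 8 11:42:20 dc1 named[457]: samba_dlz: starting transaction on zone internal.domain.tld
Feb 8 11:42:20 dc1 named[457]: samba_dlz: allowing update of signer=PCNAME-001$@REALM
named[27869]: samba_dlz: starting transaction on zone foo
named[27869]: client 192.168.122.84#59657: update 'foo/IN' denied
named[27869]: samba_dlz: cancelling transaction on zone foo
"""

def classify_updates(log_text):
    """Return {zone: (status, detail)} for every zone with update activity.

    status is 'signed-update-allowed' (detail = signer) when a denial was
    followed by an allowed signed update in the same zone, and
    'denied-no-signed-retry' (detail = client IP) when it was not.
    """
    pending = {}         # zone -> client IP of the last unresolved denial
    result = {}
    current_zone = None  # zone of the most recent 'starting transaction'
    for line in log_text.splitlines():
        if m := START.search(line):
            current_zone = m.group(1)
        elif m := DENIED.search(line):
            pending[m.group(2)] = m.group(1)
        elif (m := ALLOW.search(line)) and current_zone is not None:
            pending.pop(current_zone, None)  # the denial was superseded
            result[current_zone] = ("signed-update-allowed", m.group(1))
    for zone, client in pending.items():
        result[zone] = ("denied-no-signed-retry", client)
    return result

if __name__ == "__main__":
    for zone, (status, detail) in classify_updates(SAMPLE_LOG).items():
        print(f"{zone}: {status} ({detail})")
```

Zones reported as denied-no-signed-retry are the ones where the dns.keytab ownership and AppArmor checks mentioned above are worth doing first.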