Hi,

On 23 Nov 2017 17:35 Rowland Penny via samba wrote:
> On Thu, 23 Nov 2017 17:05:00 +0100
> Martin Renner via samba <samba at lists.samba.org> wrote:
>
>> Hi Rowland,
>>
>> my problem is, how to get the non-AD members into the DNS?
>> Especially, if they are servers and have dynamic IPs from a DHCP
>> server?
>>
>> As far as I understand, only AD members will update the DNS inside of
>> the AD. So do I have to deliver fixed IP addresses via DHCP to
>> servers and put a manual entry into the AD DNS?
>>
> You run the DHCP server on a DC, see here:
>
> https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
>
> Rowland
>

thank you for this link.

I configured everything according to the howto and disabled DNS updates in the group policy (Default Domain Policy / Computer Configuration / Policies / Administrative Templates / Network / DNS Client / Dynamic Updates). But it looks as if the Windows clients still try to update their DNS entries (even after "gpupdate /force" and reboot).

When a Windows client is booting, I can see entries in /var/log/syslog which are definitely from the DHCP shell script:

samba_dlz: allowing update of signer=dhcpduser\@AD.COMPANY.COM name=test-pc.ad.company.com tcpaddr=... type=A key=...."

both for the forward and reverse zone.

But shortly after these messages, I can see messages which seem to come from the client:

samba_dlz: starting transaction on zone ad.company.com
client 192.168.105.101#59890: update 'ad.company.com/IN' denied
samba_dlz: cancelling transaction on zone ad.company.com
samba_dlz: starting transaction on zone ad.company.com
samba_dlz: disallowing update of signer=TEST-PC\$\@AD.COMPANY.COM name=test-PC.ad.company.com type=A error=insufficient access rights
client 192.168.105.101#63148/key TEST-PC\$\@AD.COMPANY.COM: updating zone 'ad.company.com/NONE': update failed: rejected by secure update (REFUSED)

This looks to me as if the client is still trying to update its DNS entry.

Did I miss anything in the client configuration?

Regards,
Martin
On Tue, 2017-11-28 at 10:46 +0100, Martin Renner via samba wrote:
> But shortly after these messages, I can see messages which seem to come from the client:
>
> samba_dlz: starting transaction on zone ad.company.com
> client 192.168.105.101#59890: update 'ad.company.com/IN' denied
> samba_dlz: cancelling transaction on zone ad.company.com
> samba_dlz: starting transaction on zone ad.company.com
> samba_dlz: disallowing update of signer=TEST-PC\$\@AD.COMPANY.COM name=test-PC.ad.company.com
> type=A error=insufficient access rights
> client 192.168.105.101#63148/key TEST-PC\$\@AD.COMPANY.COM: updating zone 'ad.company.com/NONE':
> update failed: rejected by secure update (REFUSED)
>
> This looks to me like if the client is still trying to update its DNS entry. Did I miss anything in
> the client configuration?

DNS entries are owned on a first-to-claim basis by the account that creates them, so if DHCP creates it, the PC will be denied.

Long ago I remember a dhcp option to hint to the client that the server was doing the DNS updates, perhaps that might help.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
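The log lines Martin posted, read together with Andrew's point about first-to-claim ownership, can be turned into a small triage check: pair each "allowing update" line with the "disallowing update" lines for the same record and report any machine account that is still being refused on a record the DHCP principal created. The script below is an added example for this thread, not code from the Samba project or from any poster; the sample log is constructed from the lines in the thread (the names, IP and ports are the thread's own placeholders, and the `tcpaddr` and `key` values are filled in with made-up ones), and the `$` suffix test for machine accounts is a heuristic assumed here.

```python
"""Triage samba_dlz update log lines: who owns each record, and which
principals are still being refused on it (added example, not Samba code)."""
import re
from collections import defaultdict

# Constructed sample modelled on the syslog excerpts posted in the thread.
# The two "allowing" lines are what the DHCP hook produces for the forward
# and reverse zone; the rest is what the Windows client's own attempt leaves.
SAMPLE_LOG = """\
samba_dlz: allowing update of signer=dhcpduser\\@AD.COMPANY.COM name=test-pc.ad.company.com tcpaddr=192.168.105.101 type=A key=dhcp-key-placeholder
samba_dlz: allowing update of signer=dhcpduser\\@AD.COMPANY.COM name=101.105.168.192.in-addr.arpa tcpaddr=192.168.105.101 type=PTR key=dhcp-key-placeholder
samba_dlz: starting transaction on zone ad.company.com
client 192.168.105.101#59890: update 'ad.company.com/IN' denied
samba_dlz: cancelling transaction on zone ad.company.com
samba_dlz: starting transaction on zone ad.company.com
samba_dlz: disallowing update of signer=TEST-PC\\$\\@AD.COMPANY.COM name=test-PC.ad.company.com type=A error=insufficient access rights
client 192.168.105.101#63148/key TEST-PC\\$\\@AD.COMPANY.COM: updating zone 'ad.company.com/NONE': update failed: rejected by secure update (REFUSED)
"""

# Only the verdict lines carry signer and record name; the transaction and
# "client ... denied" lines are noise for this purpose.
LINE_RE = re.compile(r"samba_dlz: (allowing|disallowing) update of signer=(\S+) name=(\S+)")


def parse_updates(log_text):
    """Yield (verdict, signer, name). samba_dlz escapes '$' and '@' with a
    backslash, so strip those; DNS names are case-insensitive, so lowercase them."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            verdict, signer, name = m.groups()
            yield verdict, signer.replace("\\", ""), name.lower()


def record_ownership(log_text):
    """Map record name -> (owner, set of refused signers).
    The first principal whose update is allowed is treated as the owner,
    matching the first-to-claim behaviour described in the thread."""
    owners = {}
    refused = defaultdict(set)
    for verdict, signer, name in parse_updates(log_text):
        if verdict == "allowing":
            owners.setdefault(name, signer)
        else:
            refused[name].add(signer)
    names = set(owners) | set(refused)
    return {n: (owners.get(n), refused.get(n, set())) for n in names}


def self_registering_clients(log_text):
    """Return sorted (name, refused_signer, owner) for records owned by one
    principal that a machine account (assumed here: name part ends in '$')
    keeps trying to update. A non-empty result means the client-side
    dynamic-update policy is not actually in effect on that client."""
    hits = []
    for name, (owner, refusers) in record_ownership(log_text).items():
        for signer in refusers:
            if signer != owner and signer.split("@")[0].endswith("$"):
                hits.append((name, signer, owner))
    return sorted(hits)


if __name__ == "__main__":
    for name, signer, owner in self_registering_clients(SAMPLE_LOG):
        print(f"{signer} refused on {name} (owned by {owner}); check its DNS client policy")
```

Run it against a real `/var/log/syslog` by reading the file into `self_registering_clients()`; one line of output per client that still registers itself is a quick way to confirm, from the DC side, that the "Dynamic Update" policy has not applied on that host.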
On Tue, 28 Nov 2017 10:46:43 +0100
Martin Renner via samba <samba at lists.samba.org> wrote:
> Hi,
>
> On 23 Nov 2017 17:35 Rowland Penny via samba wrote:
> > On Thu, 23 Nov 2017 17:05:00 +0100
> > Martin Renner via samba <samba at lists.samba.org> wrote:
> >
> >> Hi Rowland,
> >>
> >> my problem is, how to get the non-AD members into the DNS?
> >> Especially, if they are servers and have dynamic IPs from a DHCP
> >> server?
> >>
> >> As far as I understand, only AD members will update the DNS inside
> >> of the AD. So do I have to deliver fixed IP addresses via DHCP to
> >> servers and put a manual entry into the AD DNS?
> >>
> > You run the DHCP server on a DC, see here:
> >
> > https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
> >
> > Rowland
> >
>
> thank you for this link.
>
> I configured everything according to the howto and disabled DNS
> updates in the group policy (Default Domain Policy / Computer
> Configuration / Policies / Administrative Templates / Network / DNS
> Client / Dynamic Updates). But it looks like if the Windows clients
> still try to update their DNS entries (even after "gpupdate /force"
> and reboot).
>
> When a Windows client is booting, I can see entries
> in /var/log/syslog which are definitively from the DHCP shell script:
>
> samba_dlz: allowing update of signer=dhcpduser\@AD.COMPANY.COM
> name=test-pc.ad.company.com tcpaddr=... type=A key=...."
>
> both for the forward end reverse zone.
>
> But shortly after these messages, I can see messages which seem to
> come from the client:
>
> samba_dlz: starting transaction on zone ad.company.com
> client 192.168.105.101#59890: update 'ad.company.com/IN' denied
> samba_dlz: cancelling transaction on zone ad.company.com
> samba_dlz: starting transaction on zone ad.company.com
> samba_dlz: disallowing update of signer=TEST-PC\$\@AD.COMPANY.COM
> name=test-PC.ad.company.com type=A error=insufficient access rights
> client 192.168.105.101#63148/key TEST-PC\$\@AD.COMPANY.COM:
> updating zone 'ad.company.com/NONE': update failed: rejected by
> secure update (REFUSED)
>
> This looks to me like if the client is still trying to update its DNS
> entry. Did I miss anything in the client configuration?
>

It certainly looks like your Windows clients are trying to update their own records and this will not work because they don't own them now ;-)

You need to find out why the GPO isn't being used. This has nothing to do with the DHCP script.

Rowland
On Tue, 28 Nov 2017 22:54:57 +1300
Andrew Bartlett via samba <samba at lists.samba.org> wrote:
> On Tue, 2017-11-28 at 10:46 +0100, Martin Renner via samba wrote:
> > But shortly after these messages, I can see messages which seem to
> > come from the client:
> >
> > samba_dlz: starting transaction on zone ad.company.com
> > client 192.168.105.101#59890: update 'ad.company.com/IN' denied
> > samba_dlz: cancelling transaction on zone ad.company.com
> > samba_dlz: starting transaction on zone ad.company.com
> > samba_dlz: disallowing update of
> > signer=TEST-PC\$\@AD.COMPANY.COM name=test-PC.ad.company.com type=A
> > error=insufficient access rights client 192.168.105.101#63148/key
> > TEST-PC\$\@AD.COMPANY.COM: updating zone 'ad.company.com/NONE':
> > update failed: rejected by secure update (REFUSED)
> >
> > This looks to me like if the client is still trying to update its
> > DNS entry. Did I miss anything in the client configuration?
>
> DNS entries are owned on a first-to-claim basis by the account that
> creates it, so if DHCP creates it, the PC will be denied.

Correct ;-)

> Long ago I remember a dhcp option to hint to the client that the
> server was doing the DNS updates, perhaps that might help.

No, you just need to stop the Windows clients trying to update their own records, this has nothing to do with DHCP.

Rowland
Hi,

> It certainly looks like your windows clients are trying to update their
> own records and this will not work because they don't own them now ;-)
>
> You need to find out why the GPO isn't being used. This has nothing to
> do with the DHCP script.
>
> Rowland
>

indeed, the Group Policy was not working. On the tab "Details" of the "Default Domain Policy" the object state was set to "all settings deactivated". After changing this to "activated", the client no longer updated the DNS entries.

Thanks,
Martin