Hello there.

So, I have a Samba AD setup, with DHCP and samba_dlz setup as described in the wiki.

However, I find that after a while, dynamic DHCPD updates stop working. The fix is for me to restart the named server.

When in this state, I get log messages like:

DHCPREQUEST for 192.168.52.232 (192.168.60.2) from 8c:be:be:0d:cf:3c (RedmiNote4-Gj?gur) via 192.168.52.253
Dec 18 15:39:44 dc02 dhcpd: DHCPACK on 192.168.52.232 to 8c:be:be:0d:cf:3c (RedmiNote4-Gj?gur) via 192.168.52.253
Dec 18 15:39:46 dc02 dhcpd: domain is rvx.is
Dec 18 15:39:46 dc02 dhcpd: doing add
Dec 18 15:39:46 dc02 dhcpd: update failed: NOTAUTH
Dec 18 15:39:47 dc02 dhcpd: update failed: NOTAUTH
Dec 18 15:39:47 dc02 logger: DHCP-DNS Update failed: 22

In this state, clearing the /tmp/dhcpd-dyndns.cc and/or regenerating the /etc/dhcpduser.keytab will not fix things.
Only restarting the "named" server does, after which I get stuff like:

Dec 18 15:41:38 dc02 dhcpd: domain is rvx.is
Dec 18 15:41:38 dc02 dhcpd: doing add
Dec 18 15:41:39 dc02 named[17215]: samba_dlz: starting transaction on zone rvx.is
Dec 18 15:41:39 dc02 named[17215]: samba_dlz: allowing update of signer=dhcpduser\@RVX.IS name=RedmiNote4-Gj?gur.rvx.is tcpaddr=127.0.0.1 type=A key=17359283 17.sig-dc02.rvx.is/160/0
etc...

I am running CentOS 7, bind 9.9.4, Samba 4.7.3 compiled from sources.

From what I can gather, /usr/local/bin/dhcpd-dyndns.sh is talking to the local samba daemon. Samba AD maintains the actual DNS entries.
Why does the AD need confirmation with the bind daemon to update its internal database? Shouldn't the bind daemon, using samba_dlz, just contain the local DC when serving queries?

Does anybody else have this problem?

Cheers!

-- 
Kv,
Kristján Valur Jónsson, RVX
On Mon, 18 Dec 2017 15:55:10 +0000
Kristján Valur Jónsson via samba <samba at lists.samba.org> wrote:

> Hello there.
> So, I have a Samba AD setup, with DHCP and samba_dlz setup as
> described in the wiki.
>
> However, I find that after a while, dynamic DHCPD updates stop
> working. The fix is for me to restart the named server.
>
> When in this state, I get log messages like:
>
> DHCPREQUEST for 192.168.52.232 (192.168.60.2) from 8c:be:be:0d:cf:3c
> (RedmiNote4-Gj?gur) via 192.168.52.253
> Dec 18 15:39:44 dc02 dhcpd: DHCPACK on 192.168.52.232 to
> 8c:be:be:0d:cf:3c (RedmiNote4-Gj?gur) via 192.168.52.253
> Dec 18 15:39:46 dc02 dhcpd: domain is rvx.is
> Dec 18 15:39:46 dc02 dhcpd: doing add
> Dec 18 15:39:46 dc02 dhcpd: update failed: NOTAUTH
> Dec 18 15:39:47 dc02 dhcpd: update failed: NOTAUTH
> Dec 18 15:39:47 dc02 logger: DHCP-DNS Update failed: 22
>
>
> In this state, clearing the /tmp/dhcpd-dyndns.cc and/or regenerating
> the /etc/dhcpduser.keytab will not fix things.
> Only restarting the "named" server does, after which I get stuff like:
> Dec 18 15:41:38 dc02 dhcpd: domain is rvx.is
> Dec 18 15:41:38 dc02 dhcpd: doing add
> Dec 18 15:41:39 dc02 named[17215]: samba_dlz: starting transaction on
> zone rvx.is

Even this looks wrong, I would expect something like this:

Dec 18 07:43:59 dc3 dhcpd: DHCPREQUEST for 192.168.0.111 from cc:4e:ec:e9:c8:d3 via eth0
Dec 18 07:43:59 dc3 dhcpd: DHCPACK on 192.168.0.111 to cc:4e:ec:e9:c8:d3 via eth0
Dec 18 07:47:33 dc3 dhcpd: Commit: IP: 192.168.0.88 DHCID: 1:ec:8:6b:c:cb:c2 Name: devstation
Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[1] = add
Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[2] = 192.168.0.88
Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[3] = 1:ec:8:6b:c:cb:c2
Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[4] = devstation
Dec 18 07:47:33 dc3 named[22890]: samba_dlz: starting transaction on zone samdom.example.com

You don't seem to have the lines that contain the required info.

> Dec 18 15:41:39 dc02 named[17215]: samba_dlz: allowing update of
> signer=dhcpduser\@RVX.IS name=RedmiNote4-Gj?gur.rvx.is
> tcpaddr=127.0.0.1 type=A key=17359283
> 17.sig-dc02.rvx.is/160/0
> etc...
>
> I am running CentOS 7, bind 9.9.4,
> Samba 4.7.3 compiled from sources.
>
>
> From what I can gather, /usr/local/bin/dhcpd-dyndns.sh is talking to
> the local samba daemon.

No, the script uses nsupdate to update the records in AD.

> Samba AD maintains the actual DNS entries.
> Why does the AD need confirmation with the bind daemon to update its
> internal database? Shouldn't the bind daemon, using samba_dlz, just
> contain the local DC when serving queries?
>
> Does anybody else have this problem?
>

Not that I am aware.

Can you post (or send them to me direct) the script you are using (yes, I know it is the one on the wiki, but I want to check yours), your dhcpd.conf file and your named.conf file(s).

Rowland
On 18 December 2017 at 16:20, Rowland Penny via samba <samba at lists.samba.org> wrote:

>
> Even this looks wrong, I would expect something like this:
>
> Dec 18 07:43:59 dc3 dhcpd: DHCPREQUEST for 192.168.0.111 from
> cc:4e:ec:e9:c8:d3 via eth0
> Dec 18 07:43:59 dc3 dhcpd: DHCPACK on 192.168.0.111 to cc:4e:ec:e9:c8:d3
> via eth0
> Dec 18 07:47:33 dc3 dhcpd: Commit: IP: 192.168.0.88 DHCID:
> 1:ec:8:6b:c:cb:c2 Name: devstation
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[0]
> /usr/local/bin/dhcp-dyndns.sh
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[1] = add
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[2] = 192.168.0.88
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[3] = 1:ec:8:6b:c:cb:c2
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[4] = devstation
> Dec 18 07:47:33 dc3 named[22890]: samba_dlz: starting transaction on
> zone samdom.example.com
>
> You don't seem to have the lines that contain the required info.
>

Yes, funny it doesn't show up in /var/log/messages, but journalctl shows it.

Here is an equivalent output:

Dec 18 14:45:20 dc02.rv
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: Commit: IP: 192.168.62.107 DHCID: 1:a0:ce:c8:e:35:7c Name: Dadis-MBP
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[0] /usr/local/bin/dhcp-dyndns.sh
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[1] = add
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[2] 192.168.62.107
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[3] 1:a0:ce:c8:e:35:7c
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[4] Dadis-MBP
Dec 18 14:45:29 dc02.rvx.is dhcpd[318]: domain is rvx.is
Dec 18 14:45:29 dc02.rvx.is dhcpd[318]: doing add
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
Dec 18 14:45:30 dc02.rvx.is logger[15729]: DHCP-DNS Update failed: 22
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 5632
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: DHCPREQUEST for 192.168.62.107 from a0:ce:c8:0e:35:7c (Dadis-MBP) via 192.168.62.254
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: DHCPACK on 192.168.62.107 to a0:ce:c8:0e:35:7c (Dadis-MBP) via 192.168.62.254
Dec 18 14:45:48 dc02.rvx.is named[332]: validating @0x6dbff148: paypal.adtag.where.com A: no valid signature found
Dec 18 14:46:46 dc02.rvx.is named[332]: validating @0x6dc25158: crl.pki.goog A: no valid signature found
Dec 18 14:47:54 dc02.rvx.is samba[449]: [2017/12/18 14:47:54.504700, 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
Dec 18 14:47:54 dc02.rvx.is samba[449]: ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: Commit: IP: 192.168.62.107 DHCID: 1:a0:ce:c8:e:35:7c Name: Dadis-MBP
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[0] /usr/local/bin/dhcp-dyndns.sh
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[1] = add
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[2] 192.168.62.107
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[3] 1:a0:ce:c8:e:35:7c
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[4] Dadis-MBP
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: domain is rvx.is
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: doing add
Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
Dec 18 14:49:02 dc02.rvx.is named[332]: validating @0x6e5e4528: www.perforce.com A: no valid signature found
Dec 18 14:49:02 dc02.rvx.is named[332]: validating @0x6dc28378: perforce.com A: no valid signature found
Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
Dec 18 14:49:02 dc02.rvx.is logger[15810]: DHCP-DNS Update failed: 22
Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 5632

>
> No, the script uses nsupdate to update the records in AD.
>

Aha, ok, then it makes sense that restarting named will fix it.
It would appear that named goes into some sort of huff.

>
> Can you post (or send them to me direct) the script you are using
> (yes, I know it is the one on the wiki, but I want to check yours), your
> dhcpd.conf file and your named.conf file(s).
>

Sure. This is a two-weeks-old setup, and like I said, it works initially, then gets into trouble.
I'll send you the config.

-- 
Kv,
Kristján Valur Jónsson, RVX
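A small log-correlation check for the symptom discussed in this thread, added here as an example and not code from the thread or from the Samba wiki script: it pairs each dhcp-dyndns.sh run that dhcpd logs (the Commit: line through the exit status line) with whether samba_dlz logged "allowing update" or nsupdate got NOTAUTH, decodes dhcpd's raw wait status (5632 is 22 << 8, matching the script's "DHCP-DNS Update failed: 22"), and counts how many recent attempts failed in a row so a monitor can flag the stuck state instead of someone noticing it by hand. The sample log is constructed from the lines posted above; the RedmiNote4 success block and its "exit status 0" line are assumed.

```python
import re
from collections import namedtuple
from itertools import takewhile

# Constructed sample modelled on the journal lines in the thread; the RedmiNote4
# block and its "exit status 0" line are made up to show what success looks like.
SAMPLE_LOG = """\
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: Commit: IP: 192.168.62.107 DHCID: 1:a0:ce:c8:e:35:7c Name: Dadis-MBP
Dec 18 14:45:29 dc02.rvx.is dhcpd[318]: doing add
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
Dec 18 14:45:30 dc02.rvx.is logger[15729]: DHCP-DNS Update failed: 22
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 5632
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: Commit: IP: 192.168.62.107 DHCID: 1:a0:ce:c8:e:35:7c Name: Dadis-MBP
Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 5632
Dec 18 15:41:38 dc02.rvx.is dhcpd[318]: Commit: IP: 192.168.52.232 DHCID: 1:8c:be:be:d:cf:3c Name: RedmiNote4
Dec 18 15:41:39 dc02.rvx.is named[17215]: samba_dlz: allowing update of signer=dhcpduser\\@RVX.IS name=RedmiNote4.rvx.is tcpaddr=127.0.0.1 type=A
Dec 18 15:41:39 dc02.rvx.is dhcpd[318]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 0
"""
COMMIT_RE = re.compile(r"dhcpd\[\d+\]: Commit: IP: (\S+) DHCID: (\S+) Name: (\S+)")
ALLOWED_RE = re.compile(r"samba_dlz: allowing update of signer=(\S+) name=(\S+)")
EXIT_RE = re.compile(r"dhcp-dyndns\.sh exit status (\d+)")
Attempt = namedtuple("Attempt", "ip name outcome exit_code signer")

def parse_attempts(log_text):
    """Correlate each dhcp-dyndns.sh run (Commit ... exit status) with its outcome."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        m = COMMIT_RE.search(line)
        if m:  # dhcpd starts a new update attempt for this lease
            cur = dict(ip=m.group(1), name=m.group(3), outcome="unknown", exit_code=None, signer=None)
        elif cur is None:
            continue
        elif "update failed: NOTAUTH" in line:  # nsupdate's GSS-TSIG update was refused by named
            cur["outcome"] = "NOTAUTH"
        elif (m := ALLOWED_RE.search(line)):  # samba_dlz accepted the signed update
            cur["outcome"], cur["signer"] = "accepted", m.group(1)
        elif (m := EXIT_RE.search(line)):
            # dhcpd logs the raw wait status; the script's own exit code is its high byte
            cur["exit_code"] = int(m.group(1)) >> 8
            attempts.append(Attempt(**cur))
            cur = None
    return attempts

def trailing_notauth(attempts):
    """Count the most recent attempts that failed with NOTAUTH in a row; a growing
    run with no 'allowing update' in between is the stuck-named symptom to alert on."""
    return len(list(takewhile(lambda a: a.outcome == "NOTAUTH", reversed(attempts))))
```

Feed it the output of `journalctl -u dhcpd -u named`, which is where the original poster found the Commit and execute_statement lines that /var/log/messages lacked.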