On 18 December 2017 at 16:20, Rowland Penny via samba <samba at lists.samba.org> wrote:

> Even this looks wrong, I would expect something like this:
>
> Dec 18 07:43:59 dc3 dhcpd: DHCPREQUEST for 192.168.0.111 from cc:4e:ec:e9:c8:d3 via eth0
> Dec 18 07:43:59 dc3 dhcpd: DHCPACK on 192.168.0.111 to cc:4e:ec:e9:c8:d3 via eth0
> Dec 18 07:47:33 dc3 dhcpd: Commit: IP: 192.168.0.88 DHCID: 1:ec:8:6b:c:cb:c2 Name: devstation
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[1] = add
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[2] = 192.168.0.88
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[3] = 1:ec:8:6b:c:cb:c2
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[4] = devstation
> Dec 18 07:47:33 dc3 named[22890]: samba_dlz: starting transaction on zone samdom.example.com
>
> You don't seem to have the lines that contain the required info.

Yes, funny it doesn't show up in /var/log/messages, but journalctl shows it.
Here is an equivalent output:

Dec 18 14:45:20 dc02.rv

Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: Commit: IP: 192.168.62.107 DHCID: 1:a0:ce:c8:e:35:7c Name: Dadis-MBP
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[1] = add
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[2] = 192.168.62.107
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[3] = 1:a0:ce:c8:e:35:7c
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[4] = Dadis-MBP
Dec 18 14:45:29 dc02.rvx.is dhcpd[318]: domain is rvx.is
Dec 18 14:45:29 dc02.rvx.is dhcpd[318]: doing add
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
Dec 18 14:45:30 dc02.rvx.is logger[15729]: DHCP-DNS Update failed: 22
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 5632
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: DHCPREQUEST for 192.168.62.107 from a0:ce:c8:0e:35:7c (Dadis-MBP) via 192.168.62.254
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: DHCPACK on 192.168.62.107 to a0:ce:c8:0e:35:7c (Dadis-MBP) via 192.168.62.254
Dec 18 14:45:48 dc02.rvx.is named[332]: validating @0x6dbff148: paypal.adtag.where.com A: no valid signature found
Dec 18 14:46:46 dc02.rvx.is named[332]: validating @0x6dc25158: crl.pki.goog A: no valid signature found
Dec 18 14:47:54 dc02.rvx.is samba[449]: [2017/12/18 14:47:54.504700, 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
Dec 18 14:47:54 dc02.rvx.is samba[449]: ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: Commit: IP: 192.168.62.107 DHCID: 1:a0:ce:c8:e:35:7c Name: Dadis-MBP
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[1] = add
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[2] = 192.168.62.107
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[3] = 1:a0:ce:c8:e:35:7c
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[4] = Dadis-MBP
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: domain is rvx.is
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: doing add
Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
Dec 18 14:49:02 dc02.rvx.is named[332]: validating @0x6e5e4528: www.perforce.com A: no valid signature found
Dec 18 14:49:02 dc02.rvx.is named[332]: validating @0x6dc28378: perforce.com A: no valid signature found
Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
Dec 18 14:49:02 dc02.rvx.is logger[15810]: DHCP-DNS Update failed: 22
Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 5632

> No, the script uses nsupdate to update the records in AD.

Aha, ok, then it makes sense that restarting named will fix it. It would appear that named goes into some sort of huff.

> Can you post (or send them to me direct), the script you are using
> (yes, I know it is the one on the wiki, but I want to check yours), your
> dhcpd.conf file and your named.conf file(s)

Sure. This is a two-weeks-old setup, and like I said, it works initially, then gets into trouble. I'll send you the config.

-- 
Kv, Kristján Valur Jónsson, RVX
On Mon, 18 Dec 2017 17:24:18 +0000
Kristján Valur Jónsson via samba <samba at lists.samba.org> wrote:

> On 18 December 2017 at 16:20, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>
> > Even this looks wrong, I would expect something like this:
> >
> > Dec 18 07:43:59 dc3 dhcpd: DHCPREQUEST for 192.168.0.111 from cc:4e:ec:e9:c8:d3 via eth0
> > Dec 18 07:43:59 dc3 dhcpd: DHCPACK on 192.168.0.111 to cc:4e:ec:e9:c8:d3 via eth0
> > Dec 18 07:47:33 dc3 dhcpd: Commit: IP: 192.168.0.88 DHCID: 1:ec:8:6b:c:cb:c2 Name: devstation
> > Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
> > Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[1] = add
> > Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[2] = 192.168.0.88
> > Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[3] = 1:ec:8:6b:c:cb:c2
> > Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[4] = devstation
> > Dec 18 07:47:33 dc3 named[22890]: samba_dlz: starting transaction on zone samdom.example.com
> >
> > You don't seem to have the lines that contain the required info.
>
> Yes, funny it doesn't show up in /var/log/messages, but journalctl
> shows it.

If that is the case, then I will not fix the logging, it works on my computer.

> Here is an equivalent output:
> Dec 18 14:45:20 dc02.rv
>
> Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: Commit: IP: 192.168.62.107 DHCID: 1:a0:ce:c8:e:35:7c Name: Dadis-MBP
> Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
> Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[1] = add
> Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[2] = 192.168.62.107
> Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[3] = 1:a0:ce:c8:e:35:7c
> Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[4] = Dadis-MBP
> Dec 18 14:45:29 dc02.rvx.is dhcpd[318]: domain is rvx.is
> Dec 18 14:45:29 dc02.rvx.is dhcpd[318]: doing add
> Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
> Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
> Dec 18 14:45:30 dc02.rvx.is logger[15729]: DHCP-DNS Update failed: 22
> Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 5632
> Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: DHCPREQUEST for 192.168.62.107 from a0:ce:c8:0e:35:7c (Dadis-MBP) via 192.168.62.254
> Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: DHCPACK on 192.168.62.107 to a0:ce:c8:0e:35:7c (Dadis-MBP) via 192.168.62.254
> Dec 18 14:45:48 dc02.rvx.is named[332]: validating @0x6dbff148: paypal.adtag.where.com A: no valid signature found
> Dec 18 14:46:46 dc02.rvx.is named[332]: validating @0x6dc25158: crl.pki.goog A: no valid signature found
> Dec 18 14:47:54 dc02.rvx.is samba[449]: [2017/12/18 14:47:54.504700, 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
> Dec 18 14:47:54 dc02.rvx.is samba[449]: ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 110
> Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: Commit: IP: 192.168.62.107 DHCID: 1:a0:ce:c8:e:35:7c Name: Dadis-MBP
> Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
> Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[1] = add
> Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[2] = 192.168.62.107
> Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[3] = 1:a0:ce:c8:e:35:7c
> Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[4] = Dadis-MBP
> Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: domain is rvx.is
> Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: doing add
> Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
> Dec 18 14:49:02 dc02.rvx.is named[332]: validating @0x6e5e4528: www.perforce.com A: no valid signature found
> Dec 18 14:49:02 dc02.rvx.is named[332]: validating @0x6dc28378: perforce.com A: no valid signature found
> Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
> Dec 18 14:49:02 dc02.rvx.is logger[15810]: DHCP-DNS Update failed: 22
> Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: execute: /usr/local/bin/dhcp-dyndns.sh exit status 5632
>
> > No, the script uses nsupdate to update the records in AD.
>
> Aha, ok, then it makes sense that restarting named will fix it. It
> would appear that named goes into some sort of huff.
>
> > Can you post (or send them to me direct), the script you are using
> > (yes, I know it is the one on the wiki, but I want to check yours), your
> > dhcpd.conf file and your named.conf file(s)
>
> Sure. This is a two-weeks-old setup, and like I said, it works
> initially, then gets into trouble. I'll send you the config.

Mine has worked for over 5 years ;-)

I will await the files.

Rowland
On Tue, 2 Jan 2018 15:11:59 +0000
Kristján Valur Jónsson <kristjan at rvx.is> wrote:

> Here are log files from my two DCs that are set up in redundant DHCP
> mode. One of them is running with the -v flag in dhcp-dyndns, hence
> is much more verbose.
> dc02 is the primary, dc03 is secondary
> log_dc02, log_dc03 show a failed dyndns session from Fridriks_iphone.
>
> After restarting named (systemctl restart bind), there is a
> successful dhcp from my Redmi phone, in log2_dc02, log2_dc03
>
> See anything?
>
> On 18 December 2017 at 17:42, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>
> > On Mon, 18 Dec 2017 17:24:18 +0000
> > Kristján Valur Jónsson via samba <samba at lists.samba.org> wrote:
> >
> > > On 18 December 2017 at 16:20, Rowland Penny via samba
> > > <samba at lists.samba.org> wrote:
> > >
> > > > Even this looks wrong, I would expect something like this:
> > > >
> > > > Dec 18 07:43:59 dc3 dhcpd: DHCPREQUEST for 192.168.0.111 from cc:4e:ec:e9:c8:d3 via eth0
> > > > Dec 18 07:43:59 dc3 dhcpd: DHCPACK on 192.168.0.111 to cc:4e:ec:e9:c8:d3 via eth0
> > > > Dec 18 07:47:33 dc3 dhcpd: Commit: IP: 192.168.0.88 DHCID: 1:ec:8:6b:c:cb:c2 Name: devstation
> > > > Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[0] = /usr/local/bin/dhcp-dyndns.sh
> > > > Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[1] = add
> > > > Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[2] = 192.168.0.88
> > > > Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[3] = 1:ec:8:6b:c:cb:c2
> > > > Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[4] = devstation
> > > > Dec 18 07:47:33 dc3 named[22890]: samba_dlz: starting transaction on zone samdom.example.com
> > > >
> > > > You don't seem to have the lines that contain the required info.
> > >
> > > Yes, funny it doesn't show up in /var/log/messages, but journalctl
> > > shows it.
> > Rowland

OK, I have looked at the logs you sent me, it looks like you have a kerberos problem, can you post your /etc/hosts, /etc/hostname, /etc/krb5.conf, /etc/dhcp/dhcpd.conf, your named files and smb.conf file.

Rowland
On Tue, 2 Jan 2018 16:15:14 +0000
Kristján Valur Jónsson <kristjan at rvx.is> wrote:

> Sure, here it is.
> However, notice that named appears to enter a state where it refuses
> the updates, and restarting *only* named fixes it. Unsure how to
> explain that. I also tried removing the cached samba credentials
> from /tmp and recreating them, etc, but no luck. The credentials as
> used by dhcp-dyndns appear to be ok, only named won't accept them....
> Anyway, see the attached archive.

Not a lot wrong there, apart from:

/etc/hostname should only contain the short hostname, e.g. dc02

I would change /etc/hosts on dc02 to this:

127.0.0.1 localhost
::1 localhost
<dc02 ipaddress> dc02.rvx.is dc02

Repeat for the other DCs.

smb.conf seems to be missing 'idmap_ldb:use rfc2307 = yes'

'named.conf' has this line:

recursion yes;

nine lines above it is this:

- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.

All AD DCs running a dns server are 'AUTHORITATIVE'

You seem to be running dhcp in ways I never thought of, but it should work. I think that for some reason the kerberos ticket is expiring and not being renewed.

Try making the changes I suggested above and see how you go on. If it fails again, check if '/tmp/dhcp-dyndns.cc' exists and if it has expired. If it doesn't exist or has expired, try running this as root:

kinit -F -k -t /etc/dhcpduser.keytab -c /tmp/dhcp-dyndns.cc dhcpduser@XXX.XX

Where 'XXX.XX' is your uppercase realm name.

Rowland
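The ticket check, the kinit from the keytab and the nsupdate step discussed above, written out as an added example. This is not the wiki's dhcp-dyndns.sh and not Kristján's copy of it; it only shows the shape of what such a script has to do. The keytab path, the principal name dhcpduser, the realm RVX.IS, a named listening on 127.0.0.1, the 3600 s TTL and the DOMAIN variable are all assumptions to adjust. It refreshes the cache in /tmp/dhcp-dyndns.cc only when klist -s reports it missing or expired, builds the A and PTR update for nsupdate -g (GSS-TSIG, the mechanism the thread says the script uses), retries once with a freshly obtained TGT when named refuses the update, and decodes the wait status dhcpd logs (5632 is the script's exit code 22 in the high byte).

```shell
#!/bin/sh
# Added example, not the Samba wiki's dhcp-dyndns.sh. All paths and names
# below are assumptions; adjust them to your own DC.
KEYTAB=/etc/dhcpduser.keytab      # keytab for the update account (assumption)
CCACHE=/tmp/dhcp-dyndns.cc        # credential cache named in the thread
PRINCIPAL=dhcpduser               # AD account used for updates (assumption)
REALM=RVX.IS                      # uppercase realm (assumption)
DNS_SERVER=127.0.0.1              # the DC's own named (assumption)
TTL=3600                          # record TTL in seconds (assumption)

export KRB5CCNAME="$CCACHE"       # nsupdate -g picks up the TGT from here

# 0 if the cache holds a non-expired ticket, non-zero otherwise.
# klist -s is silent and fails when the cache is missing or expired.
ticket_valid() {
    klist -s -c "$CCACHE" 2>/dev/null
}

# Get a fresh TGT from the keytab only when the cached one is gone or expired.
ensure_ticket() {
    if ! ticket_valid; then
        kinit -F -k -t "$KEYTAB" -c "$CCACHE" "$PRINCIPAL@$REALM" || return 1
    fi
    return 0
}

# Map a dotted-quad IPv4 address to its in-addr.arpa owner name for the PTR.
ptr_name() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa", $4, $3, $2, $1 }'
}

# Print the nsupdate batch for add|delete of host/ip in domain.
# The old A/PTR are deleted first so a lease that moves leaves no stale record;
# forward and reverse zones are different zones, hence two "send" blocks.
nsupdate_script() {
    local action="$1" ip="$2" host="$3" domain="$4"
    local fqdn="$host.$domain" rev
    rev=$(ptr_name "$ip")
    case "$action" in
      add)
        printf 'server %s\nupdate delete %s A\nupdate add %s %d A %s\nsend\n' \
            "$DNS_SERVER" "$fqdn" "$fqdn" "$TTL" "$ip"
        printf 'update delete %s PTR\nupdate add %s %d PTR %s.\nsend\n' \
            "$rev" "$rev" "$TTL" "$fqdn"
        ;;
      delete)
        printf 'server %s\nupdate delete %s A\nsend\nupdate delete %s PTR\nsend\n' \
            "$DNS_SERVER" "$fqdn" "$rev"
        ;;
      *)
        return 2
        ;;
    esac
}

# Run the update over GSS-TSIG. If named answers NOTAUTH although klist still
# calls the ticket valid, throw the cache away, kinit again and retry once.
do_update() {
    ensure_ticket || { logger "DHCP-DNS: kinit failed"; return 1; }
    if ! nsupdate_script "$@" | nsupdate -g; then
        kdestroy -c "$CCACHE" 2>/dev/null
        ensure_ticket || return 1
        nsupdate_script "$@" | nsupdate -g
    fi
}

# dhcpd logs the raw wait status ("exit status 5632"); the script's own exit
# code is the high byte, so 5632 / 256 = 22, matching "Update failed: 22".
script_exit_code() {
    echo $(( $1 / 256 ))
}

# Entry point as dhcpd calls it: $1=add|delete $2=ip $3=DHCID $4=hostname.
# The DHCID in $3 is not needed for the update itself.
main() {
    do_update "$1" "$2" "$4" "${DOMAIN:-rvx.is}"
}

if [ $# -ge 4 ]; then
    main "$@"
fi
```

Hook it up from dhcpd.conf exactly as the wiki does, with an execute() statement in the on commit and on release/expiry blocks, and keep the script readable only by root since it can reach the keytab. Running kinit from the keytab only when klist -s fails avoids hammering the KDC on every lease, which is the trade-off Rowland's manual kinit suggestion is making for you.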
On Wed, 3 Jan 2018 10:49:36 +0000
Kristján Valur Jónsson <kristjan at rvx.is> wrote:

> Thanks for your comments. The settings are as they are since I used
> the default Centos settings as much as possible, adopting the
> functional difference from the wiki.

I understand this, it is just that when I try out red-hat distros, I have to make the changes I suggested, or it doesn't work for me ;-)

> Interesting bit about recursion, will fix. Actually this explains one
> funny bit: These DCs are servicing our internal domain, rvx.is, in
> the 192.168.x.x range. However, we also do have an external
> (internet visible) domain server outside, for such external stuff
> as www.rvx.is. Choosing the same dns name for the internal and
> external net was not my idea.

Your AD domain should have been a subdomain of your main domain, but saying this will not help you now, unless you can start again, because you cannot change a Samba AD domain name.

> and making dns lookups inside, things
> not found will also recurse to the external ones.

It is 'forward' not 'recurse' ;-)

Your AD dns server should be authoritative for the AD domain and should forward anything unknown to a dns server outside the AD dns domain.

> I'm not sure how
> that is a bad thing, but it is actually not needed so I will switch
> it off.
>
> As for the kerberos ticket: I already explained that I tried
> removing and refreshing the ticket in the /tmp folder. None of this
> has any effect. Only restarting Bind will cause things to start
> working.
> To me, it looks rather that bind is suddenly having trouble
> accepting kerberos authentication.

Is it that Bind is having problems, or is the ticket expiring and not getting renewed ?

> Is it possible that named is caching the authentication, comparing the
> incoming ticket with something it has already verified, and if the
> ticket changes (because /tmp/dhcp-dyndns.cc was regenerated) that
> named will refuse the connection?

Not that I am aware of (unless it is something to do with systemd ?)

When the ticket is renewed, it just gets replaced.

> Is this authentication part of
> named itself or dlz_bind9_9.so? (I'm running "BIND
> 9.9.4-RedHat-9.9.4-51.el7_4.1 (Extended Support Version)"), and SMB
> 4.7.4 compiled from sources.

The script uses 'nsupdate' (a part of Bind) to carry out the updates and uses kerberos for the authentication. Unless the red-hat version of 9.9.4 is different from the 9.9.4 version that comes with ubuntu 14.04, it should just work.

> Things are running smoothly now, once they start failing again, I'll
> scour the logs for clues. Thanks.

Hopefully it will work, but I am not holding my breath ;-)

Rowland
On Mon, 8 Jan 2018 17:14:57 +0000
Kristján Valur Jónsson <kristjan at rvx.is> wrote:

> On 2 January 2018 at 17:03, Rowland Penny via samba
> <samba at lists.samba.org> wrote:
>
> > smb.conf seems to be missing 'idmap_ldb:use rfc2307 = yes'
>
> Is this necessary? The recent windows remote tools lack the ability to
> easily edit these fields.
> Also, see this from the wiki,
> https://wiki.samba.org/index.php/Setting_up_RFC2307_in_AD
>
> "It is recommended not to use those mappings on the DCs. The default
> idmap ldb mechanism is fine for domain controllers and less error
> prone."

You can add 'idmap_ldb:use rfc2307 = yes' to DCs, the main problem is that a DC can only obtain the users uidNumber and primarygroupid from AD.

If you use the default idmap ldb on DCs, this also has problems, you are very likely to get different ID numbers on different DCs unless you sync idmap.ldb from the first DC to all others. You will also get yet another ID on Unix domain members if you use the winbind 'rid' backend.

The only way to get consistent IDs everywhere is to use the winbind 'ad' backend.

Rowland