samba - Jun 2018 - Samba, AD, 'short' name resolving...

Im wondering why your log below shows this order, i just noticed. 

Why is the computer tring to set the A records 2 x. 
Lines 1-13, show a successfull commit of the A/AAAA records. 
( TSIG key ok ) 

If you count the below lines, after line 13, my logs shows. 
samba_dlz: starting transaction on zone 1.168.192.in-addr.arpa 
Yours is trying again to update 
samba_dlz: starting transaction on zone ad.fvg.lnf.it 

So the only thing i can think of is. 
1- you get the update for your zone : ad.fvg.lnf.it  
2- the gets in sucessfully. 
3- it does it again, but bind changed the key. 
client 10.5.2.64#61734/key ( first attempt, ok ) 
client 10.5.2.64#50303/key ( second attempt, fail ) 

Where is the reverse zone? 

I dont know it this is the fix, but its the only thing i can find for now. 
But i do think this is the problem. ( since every thing happend at exact : Jun
15 05:48:40)

Greetz, 

Louis




> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Marco Gaiarin via samba
> Verzonden: vrijdag 15 juni 2018 10:57
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Samba, AD, 'short' name resolving...
> 
> Mandi! L.P.H. van Belle via samba
>   In chel di` si favelave...
> 
> > > I don't understand it either, the rndc.key is absolutely 
> not used by
> > > Samba or Bind9 in an AD domain.
> > Then great to hear im not alone.  :-/ 
> > But by adding that part, my TSIG error message was gone 
> from my logs. 
> 
> Added, but catched that:
> 
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting 
> transaction on zone ad.fvg.lnf.it
>  Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#50403: 
> update 'ad.fvg.lnf.it/IN' denied
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: cancelling 
> transaction on zone ad.fvg.lnf.it
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting 
> transaction on zone ad.fvg.lnf.it
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing 
> update of signer=ALBERT\$\@AD.FVG.LNF.IT 
> name=ALBERT.ad.fvg.lnf.it tcpaddr= type=AAAA 
> key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing 
> update of signer=ALBERT\$\@AD.FVG.LNF.IT 
> name=ALBERT.ad.fvg.lnf.it tcpaddr= type=A 
> key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing 
> update of signer=ALBERT\$\@AD.FVG.LNF.IT 
> name=ALBERT.ad.fvg.lnf.it tcpaddr= type=A 
> key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
>  Jun 15 05:48:40 vdcsv2 named[6494]: client 
> 10.5.2.64#61734/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 
> 'ad.fvg.lnf.it/NONE': deleting rrset at
'ALBERT.ad.fvg.lnf.it' AAAA
>  Jun 15 05:48:40 vdcsv2 named[6494]: client 
> 10.5.2.64#61734/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 
> 'ad.fvg.lnf.it/NONE': deleting rrset at
'ALBERT.ad.fvg.lnf.it' A
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: subtracted 
> rdataset ALBERT.ad.fvg.lnf.it 
> 'ALBERT.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.64'
>  Jun 15 05:48:40 vdcsv2 named[6494]: client 
> 10.5.2.64#61734/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 
> 'ad.fvg.lnf.it/NONE': adding an RR at
'ALBERT.ad.fvg.lnf.it' A
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: added 
> rdataset ALBERT.ad.fvg.lnf.it 
> 'ALBERT.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.64'
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: committed 
> transaction on zone ad.fvg.lnf.it
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting 
> transaction on zone ad.fvg.lnf.it
>  Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#57791: 
> update 'ad.fvg.lnf.it/IN' denied
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: cancelling 
> transaction on zone ad.fvg.lnf.it
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting 
> transaction on zone ad.fvg.lnf.it
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing 
> update of signer=ALBERT\$\@AD.FVG.LNF.IT 
> name=ALBERT.ad.fvg.lnf.it tcpaddr= type=AAAA 
> key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing 
> update of signer=ALBERT\$\@AD.FVG.LNF.IT 
> name=ALBERT.ad.fvg.lnf.it tcpaddr= type=A 
> key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing 
> update of signer=ALBERT\$\@AD.FVG.LNF.IT 
> name=ALBERT.ad.fvg.lnf.it tcpaddr= type=A 
> key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
>  Jun 15 05:48:40 vdcsv2 named[6494]: client 
> 10.5.2.64#50303/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 
> 'ad.fvg.lnf.it/NONE': deleting rrset at
'ALBERT.ad.fvg.lnf.it' AAAA
>  Jun 15 05:48:40 vdcsv2 named[6494]: client 
> 10.5.2.64#50303/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 
> 'ad.fvg.lnf.it/NONE': deleting rrset at
'ALBERT.ad.fvg.lnf.it' A
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: subtracted 
> rdataset ALBERT.ad.fvg.lnf.it 
> 'ALBERT.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.64'
>  Jun 15 05:48:40 vdcsv2 named[6494]: client 
> 10.5.2.64#50303/key ALBERT\$\@AD.FVG.LNF.IT: updating zone 
> 'ad.fvg.lnf.it/NONE': adding an RR at
'ALBERT.ad.fvg.lnf.it' A
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: added 
> rdataset ALBERT.ad.fvg.lnf.it 
> 'ALBERT.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.64'
>  Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: committed 
> transaction on zone ad.fvg.lnf.it
>  Jun 15 05:48:45 vdcsv2 named[6494]: client 10.5.2.64#50303: 
> request has invalid signature: TSIG 
> 1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49 
> (ALBERT\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)
> 
> 
> Looking at:
> 
> 	https://wiki.debian.org/Bind9#File_.2Fetc.2Fbind.2Fnamed.conf
> 
> the note:
> 
> 	// Configure the communication channel for 
> Administrative BIND9 with rndc
> 	// By default, they key is in the rndc.key file and is 
> used by rndc and bind9 
> 	// on the localhost
> 
> seems to me that inclusion of rndc.conf and access on localhost is the
> default, and so it is not needed.
> 
> -- 
> dott. Marco Gaiarin				        GNUPG 
> Key ID: 240A3D66
>   Associazione ``La Nostra Famiglia''          
> http://www.lanostrafamiglia.it/
>   Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al 
> Tagliamento (PN)
>   marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   
> f +39-0434-842797
> 
> 		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
>       http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
> 	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

On Fri, 15 Jun 2018 11:47:22 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Im wondering why your log below shows this order, i just noticed. 
> 
> Why is the computer tring to set the A records 2 x. 
> Lines 1-13, show a successfull commit of the A/AAAA records. 
> ( TSIG key ok ) 
It is a bit more than that, if you look closely, everything is
duplicated except the last line. Why it is doing this, I have no idea.

If you split up the last portion, you get this:

Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting transaction on zone
ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: cancelling transaction on zone
ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: starting transaction on zone
ad.fvg.lnf.it
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing update of
signer=ALBERT\$\@AD.FVG.LNF.IT name=ALBERT.ad.fvg.lnf.it tcpaddr= type=AAAA
key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing update of
signer=ALBERT\$\@AD.FVG.LNF.IT name=ALBERT.ad.fvg.lnf.it tcpaddr= type=A
key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: allowing update of
signer=ALBERT\$\@AD.FVG.LNF.IT name=ALBERT.ad.fvg.lnf.it tcpaddr= type=A
key=1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49/160/0
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: subtracted rdataset
ALBERT.ad.fvg.lnf.it
'ALBERT.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.64'
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: added rdataset
ALBERT.ad.fvg.lnf.it
'ALBERT.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.64'
Jun 15 05:48:40 vdcsv2 named[6494]: samba_dlz: committed transaction on zone
ad.fvg.lnf.it

######

Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#57791: update
'ad.fvg.lnf.it/IN' denied
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#50303/key
ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting
rrset at 'ALBERT.ad.fvg.lnf.it' AAAA
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#50303/key
ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting
rrset at 'ALBERT.ad.fvg.lnf.it' A
Jun 15 05:48:40 vdcsv2 named[6494]: client 10.5.2.64#50303/key
ALBERT\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an
RR at 'ALBERT.ad.fvg.lnf.it' A
Jun 15 05:48:45 vdcsv2 named[6494]: client 10.5.2.64#50303: request has invalid
signature: TSIG 1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49
(ALBERT\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)

I think the first part is dnsupdate doing the update and the second
part is the client trying to update its own record and failing.
Just what is telling 'dnsupdate' to update the records ??
> 
> Where is the reverse zone? 
> 
There doesn't seem to be one.

Rowland

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: vrijdag 15 juni 2018 12:12
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Samba, AD, 'short' name resolving...
> 
> On Fri, 15 Jun 2018 11:47:22 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org>
wrote:
> 
> > Im wondering why your log below shows this order, i just noticed. 
> > 
> > Why is the computer tring to set the A records 2 x. 
> > Lines 1-13, show a successfull commit of the A/AAAA records. 
> > ( TSIG key ok ) 
> 
> It is a bit more than that, if you look closely, everything is
> duplicated except the last line. Why it is doing this, I have no idea.
You mean as of line 13?  
The first 13 lines in my logs are exact the same, but after 13, i update my
reverse zone.
Imo, we need a full config also of bind to get a better idea of this. 
> ..... 
> 'ad.fvg.lnf.it/NONE': adding an RR at
'ALBERT.ad.fvg.lnf.it' A
> Jun 15 05:48:45 vdcsv2 named[6494]: client 10.5.2.64#50303: 
> request has invalid signature: TSIG 
> 1628-ms-7.213-4064bc3.c1816194-6fb1-11e8-5eb7-3464a91c1e49 
> (ALBERT\$\@AD.FVG.LNF.IT): tsig verify failure (BADSIG)
> 
> I think the first part is dnsupdate doing the update and the second
> part is the client trying to update its own record and failing.
> Just what is telling 'dnsupdate' to update the records ??
> 
> > 
> > Where is the reverse zone? 
> > 
> 
> There doesn't seem to be one.
> 
> Rowland
>  
Greetz, 

Louis

On Fri, 15 Jun 2018 12:17:55 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> You mean as of line 13?  
Yes
> The first 13 lines in my logs are exact the same, but after 13, i
> update my reverse zone. Imo, we need a full config also of bind to
> get a better idea of this. 
Probably a good idea, but we also need to know if the OP is using DHCP.

Rowland

It does not matter if you use static or DHCP. 
If its setup correct it works fine, at least it works fine here.

I use dhcp and static ips, within 4 ranges, all work fine. 
All my pcs register as they should. 

And yes, Marco uses a dhcp server outside the AD. 
And i do the same atm, to thats should not matter also. 

Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> Rowland Penny via samba
> Verzonden: vrijdag 15 juni 2018 12:24
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Samba, AD, 'short' name resolving...
> 
> On Fri, 15 Jun 2018 12:17:55 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org>
wrote:
> 
> > You mean as of line 13?  
> 
> Yes
> 
> > The first 13 lines in my logs are exact the same, but after 13, i
> > update my reverse zone. Imo, we need a full config also of bind to
> > get a better idea of this. 
> 
> Probably a good idea, but we also need to know if the OP is 
> using DHCP.
> 
> Rowland
>  
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>