Elias Pereira
2018-Jul-02 17:22 UTC
[Samba] client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
> > I repeat, Bind 9.12.x is unsupported at this time, just because it > worked once is no reason to use it. It may have nothing to do with your > problem, but using a supported Bind version will rule it out.Ok. :) I'll reinstall using supported version 9.11.3-2 OK, your server, but I think you should be aware that I have been using> Bind9 with Samba since December 2012 and I have never used the rndc.keyWithout these entries, the error below always appears in the logs. Jul 2 12:37:23 dc3 named[20416]: configuring command channel from '/etc/bind/rndc.key' Jul 2 12:37:23 dc3 named[20416]: couldn't add command channel ::1#953: address not available That is if you are using the MIT kerberos with Samba, instead of the> default HEIMDAL.ok. I remove it. I use HEIMDAL. Client update denied error still remains in the logs. Does this error interfere with client updates with ADDC or is this something with bind? On Mon, Jul 2, 2018 at 12:31 PM Rowland Penny via samba < samba at lists.samba.org> wrote:> On Mon, 2 Jul 2018 12:12:07 -0300 > Elias Pereira via samba <samba at lists.samba.org> wrote: > > > > > > > Hmm, bind 9.12.x isn't supported yet. > > > > > > He works with "dlopen > > /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so" without > > problems, at first. > > I repeat, Bind 9.12.x is unsupported at this time, just because it > worked once is no reason to use it. It may have nothing to do with your > problem, but using a supported Bind version will rule it out. > > > > > include "/etc/bind/rndc.key"; > > > controls { > > > inet 127.0.0.1 allow { localhost; } keys { rndc-key;}; > > > }; > > > You do not need the four lines above > > > > > > Ok, but if I leave it, does not have problems either, I believe!? > > OK, your server, but I think you should be aware that I have been using > Bind9 with Samba since December 2012 and I have never used the rndc.key > > > > > You mention '#public IP' twice, are they both the same IP and is it > > > the DC ipaddress and if so, why are you trying to forward the DC to > > > itself ? > > > > > > No, two different networks. > > xxx.xxx.xxx.0/26 > > xxx.xxx.xxx.128/26 > > > > Sometimes the "samba_dlz: spnego update failed" appears in the log. I > > found this link talks about the problem. > > https://bugzilla.redhat.com/show_bug.cgi?id=1528867 > > > > I added the "KRB5RCACHETYPE="none"" on the /etc/default/bind9, but the > > error message keeps. > > > > That is if you are using the MIT kerberos with Samba, instead of the > default HEIMDAL. > > Rowland > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >-- Elias Pereira
Rowland Penny
2018-Jul-02 17:49 UTC
[Samba] client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
On Mon, 2 Jul 2018 14:22:36 -0300 Elias Pereira via samba <samba at lists.samba.org> wrote:> > > > I repeat, Bind 9.12.x is unsupported at this time, just because it > > worked once is no reason to use it. It may have nothing to do with > > your problem, but using a supported Bind version will rule it out. > > > Ok. :) > > I'll reinstall using supported version 9.11.3-2 > > OK, your server, but I think you should be aware that I have been > using > > Bind9 with Samba since December 2012 and I have never used the > > rndc.key > > > Without these entries, the error below always appears in the logs. > > Jul 2 12:37:23 dc3 named[20416]: configuring command channel from > '/etc/bind/rndc.key' > Jul 2 12:37:23 dc3 named[20416]: couldn't add command > channel ::1#953: address not available >okay, perhaps I should have said that I have never had any mention of rndc.key in the bind conf files. I use Devuan and this splits the named conf files into separate parts, I only alter two of these: /etc/bind/named.conf.options options { directory "/var/cache/bind"; version "0.0.7"; forwarders { 8.8.8.8; 8.8.4.4; }; dnssec-validation no; auth-nxdomain yes; # conform to RFC1035 =no listen-on-v6 { none; }; listen-on port 53 { 192.168.0.6; 127.0.0.1; }; notify no; empty-zones-enable no; // Add any subnets or hosts you want to allow to use this DNS server allow-query { 192.168.0.0/24; 127.0.0.1/32; }; // Add any subnets or hosts you want to allow to use recursive queries allow-recursion { 192.168.0.0/24; 127.0.0.1/32; }; tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; }; /etc/bind/named.conf.local include "/var/lib/samba/private/named.conf"; When I restart Bind9, I get (amongst the other lines) these lines in /var/log/syslog Jul 2 18:32:57 dc4 named[3133]: set up managed keys zone for view _default, file 'managed-keys.bind' Jul 2 18:32:57 dc4 named[3133]: configuring command channel from '/etc/bind/rndc.key' Jul 2 18:32:57 dc4 named[3133]: command channel listening on 127.0.0.1#953 Jul 2 18:32:57 dc4 named[3133]: configuring command channel from '/etc/bind/rndc.key' Jul 2 18:32:57 dc4 named[3133]: command channel listening on ::1#953 So I don't have the lines in the named conf files but it is still used, you need to find out why it doesn't work for you.> > Client update denied error still remains in the logs.I don't know what error you are getting, even if you have posted it, can you post the full error. Can you please post all the lines from syslog around the error and not just the error.> > Does this error interfere with client updates with ADDC or is this > something with bind?No, the rndc error is for the command channel and I am sure this isn't affecting updates. Rowland
Elias Pereira
2018-Jul-03 01:56 UTC
[Samba] client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
> > I don't know what error you are getting, even if you have posted it, > can you post the full error. Can you please post all the lines from > syslog around the error and not just the error.The only logs that show is below. ./daemon.log.1:33430:Jul 2 06:16:28 dc3 named[9754]: client 10.10.4.3#52074: update 'campus.company.intra/IN' denied ./daemon.log.1:33432:Jul 2 06:17:03 dc3 named[9754]: client 10.10.1.2#58780: update 'campus. company.intra /IN' denied ./daemon.log.1:33433:Jul 2 06:17:03 dc3 named[9754]: client 10.10.1.2#56611: update 'campus. company.intra /IN' denied ./daemon.log.1:33436:Jul 2 06:18:53 dc3 named[9754]: client 10.10.5.12#60664: update 'campus. company.intra /IN' denied ./daemon.log.1:33442:Jul 2 06:24:43 dc3 named[9754]: client 10.10.5.12#55716: update 'campus. company.intra /IN' denied Maybe execute dlz_bind9_11.so in *debug* <https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Debugging_the_BIND9_DLZ_Module>mode for more information? On Mon, Jul 2, 2018 at 2:50 PM Rowland Penny via samba < samba at lists.samba.org> wrote:> On Mon, 2 Jul 2018 14:22:36 -0300 > Elias Pereira via samba <samba at lists.samba.org> wrote: > > > > > > > I repeat, Bind 9.12.x is unsupported at this time, just because it > > > worked once is no reason to use it. It may have nothing to do with > > > your problem, but using a supported Bind version will rule it out. > > > > > > Ok. :) > > > > I'll reinstall using supported version 9.11.3-2 > > > > OK, your server, but I think you should be aware that I have been > > using > > > Bind9 with Samba since December 2012 and I have never used the > > > rndc.key > > > > > > Without these entries, the error below always appears in the logs. > > > > Jul 2 12:37:23 dc3 named[20416]: configuring command channel from > > '/etc/bind/rndc.key' > > Jul 2 12:37:23 dc3 named[20416]: couldn't add command > > channel ::1#953: address not available > > > > okay, perhaps I should have said that I have never had any mention of > rndc.key in the bind conf files. I use Devuan and this splits the named > conf files into separate parts, I only alter two of these: > > /etc/bind/named.conf.options > > options { > directory "/var/cache/bind"; > version "0.0.7"; > > forwarders { 8.8.8.8; 8.8.4.4; }; > > dnssec-validation no; > > auth-nxdomain yes; # conform to RFC1035 =no > listen-on-v6 { none; }; > listen-on port 53 { 192.168.0.6; 127.0.0.1; }; > notify no; > empty-zones-enable no; > > // Add any subnets or hosts you want to allow to use this DNS > server > allow-query { 192.168.0.0/24; 127.0.0.1/32; }; > // Add any subnets or hosts you want to allow to use recursive > queries > allow-recursion { 192.168.0.0/24; 127.0.0.1/32; }; > > tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; > }; > > > /etc/bind/named.conf.local > > include "/var/lib/samba/private/named.conf"; > > When I restart Bind9, I get (amongst the other lines) these lines > in /var/log/syslog > > Jul 2 18:32:57 dc4 named[3133]: set up managed keys zone for view > _default, file 'managed-keys.bind' > Jul 2 18:32:57 dc4 named[3133]: configuring command channel from > '/etc/bind/rndc.key' > Jul 2 18:32:57 dc4 named[3133]: command channel listening on 127.0.0.1#953 > Jul 2 18:32:57 dc4 named[3133]: configuring command channel from > '/etc/bind/rndc.key' > Jul 2 18:32:57 dc4 named[3133]: command channel listening on ::1#953 > > So I don't have the lines in the named conf files but it is still used, > you need to find out why it doesn't work for you. > > > > > Client update denied error still remains in the logs. > > I don't know what error you are getting, even if you have posted it, > can you post the full error. Can you please post all the lines from > syslog around the error and not just the error. > > > > > Does this error interfere with client updates with ADDC or is this > > something with bind? > > No, the rndc error is for the command channel and I am sure this isn't > affecting updates. > > Rowland > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >-- Elias Pereira
Maybe Matching Threads
- client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
- client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
- client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
- client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
- client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied