Elias Pereira
2018-Jul-03 01:56 UTC
[Samba] client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
> I don't know what error you are getting, even if you have posted it,
> can you post the full error. Can you please post all the lines from
> syslog around the error and not just the error.

The only logs that show are below.

./daemon.log.1:33430:Jul 2 06:16:28 dc3 named[9754]: client 10.10.4.3#52074: update 'campus.company.intra/IN' denied
./daemon.log.1:33432:Jul 2 06:17:03 dc3 named[9754]: client 10.10.1.2#58780: update 'campus. company.intra /IN' denied
./daemon.log.1:33433:Jul 2 06:17:03 dc3 named[9754]: client 10.10.1.2#56611: update 'campus. company.intra /IN' denied
./daemon.log.1:33436:Jul 2 06:18:53 dc3 named[9754]: client 10.10.5.12#60664: update 'campus. company.intra /IN' denied
./daemon.log.1:33442:Jul 2 06:24:43 dc3 named[9754]: client 10.10.5.12#55716: update 'campus. company.intra /IN' denied

Maybe execute dlz_bind9_11.so in *debug* <https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Debugging_the_BIND9_DLZ_Module> mode for more information?

On Mon, Jul 2, 2018 at 2:50 PM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 2 Jul 2018 14:22:36 -0300
> Elias Pereira via samba <samba at lists.samba.org> wrote:
>
> > > I repeat, Bind 9.12.x is unsupported at this time, just because it
> > > worked once is no reason to use it. It may have nothing to do with
> > > your problem, but using a supported Bind version will rule it out.
> >
> > Ok. :)
> >
> > I'll reinstall using supported version 9.11.3-2
> >
> > > OK, your server, but I think you should be aware that I have been
> > > using Bind9 with Samba since December 2012 and I have never used the
> > > rndc.key
> >
> > Without these entries, the error below always appears in the logs.
> >
> > Jul 2 12:37:23 dc3 named[20416]: configuring command channel from '/etc/bind/rndc.key'
> > Jul 2 12:37:23 dc3 named[20416]: couldn't add command channel ::1#953: address not available
>
> okay, perhaps I should have said that I have never had any mention of
> rndc.key in the bind conf files. I use Devuan and this splits the named
> conf files into separate parts, I only alter two of these:
>
> /etc/bind/named.conf.options
>
> options {
>     directory "/var/cache/bind";
>     version "0.0.7";
>
>     forwarders { 8.8.8.8; 8.8.4.4; };
>
>     dnssec-validation no;
>
>     auth-nxdomain yes; # conform to RFC1035 =no
>     listen-on-v6 { none; };
>     listen-on port 53 { 192.168.0.6; 127.0.0.1; };
>     notify no;
>     empty-zones-enable no;
>
>     // Add any subnets or hosts you want to allow to use this DNS server
>     allow-query { 192.168.0.0/24; 127.0.0.1/32; };
>     // Add any subnets or hosts you want to allow to use recursive queries
>     allow-recursion { 192.168.0.0/24; 127.0.0.1/32; };
>
>     tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> };
>
> /etc/bind/named.conf.local
>
> include "/var/lib/samba/private/named.conf";
>
> When I restart Bind9, I get (amongst the other lines) these lines
> in /var/log/syslog
>
> Jul 2 18:32:57 dc4 named[3133]: set up managed keys zone for view _default, file 'managed-keys.bind'
> Jul 2 18:32:57 dc4 named[3133]: configuring command channel from '/etc/bind/rndc.key'
> Jul 2 18:32:57 dc4 named[3133]: command channel listening on 127.0.0.1#953
> Jul 2 18:32:57 dc4 named[3133]: configuring command channel from '/etc/bind/rndc.key'
> Jul 2 18:32:57 dc4 named[3133]: command channel listening on ::1#953
>
> So I don't have the lines in the named conf files but it is still used,
> you need to find out why it doesn't work for you.
>
> > Client update denied error still remains in the logs.
>
> I don't know what error you are getting, even if you have posted it,
> can you post the full error. Can you please post all the lines from
> syslog around the error and not just the error.
>
> > Does this error interfere with client updates with ADDC or is this
> > something with bind?
>
> No, the rndc error is for the command channel and I am sure this isn't
> affecting updates.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Elias Pereira
Rowland Penny
2018-Jul-03 07:50 UTC
[Samba] client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
On Mon, 2 Jul 2018 22:56:39 -0300
Elias Pereira via samba <samba at lists.samba.org> wrote:

> > I don't know what error you are getting, even if you have posted it,
> > can you post the full error. Can you please post all the lines from
> > syslog around the error and not just the error.
>
> The only logs that show are below.
>
> ./daemon.log.1:33430:Jul 2 06:16:28 dc3 named[9754]: client 10.10.4.3#52074: update 'campus.company.intra/IN' denied
> ./daemon.log.1:33432:Jul 2 06:17:03 dc3 named[9754]: client 10.10.1.2#58780: update 'campus. company.intra /IN' denied
> ./daemon.log.1:33433:Jul 2 06:17:03 dc3 named[9754]: client 10.10.1.2#56611: update 'campus. company.intra /IN' denied
> ./daemon.log.1:33436:Jul 2 06:18:53 dc3 named[9754]: client 10.10.5.12#60664: update 'campus. company.intra /IN' denied
> ./daemon.log.1:33442:Jul 2 06:24:43 dc3 named[9754]: client 10.10.5.12#55716: update 'campus. company.intra /IN' denied
>
> Maybe execute dlz_bind9_11.so in *debug*
> <https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Debugging_the_BIND9_DLZ_Module> mode
> for more information?

You could try that, but that log fragment looks a bit different from mine. Okay, I do not have any lines similar to yours, but if I did, I feel they would look like this:

Jul 2 06:16:28 dc3 named[9754]: client 10.10.4.3#52074: update 'campus.company.intra/IN' denied
Jul 2 06:17:03 dc3 named[9754]: client 10.10.1.2#58780: update 'campus. company.intra /IN' denied
Jul 2 06:17:03 dc3 named[9754]: client 10.10.1.2#56611: update 'campus. company.intra /IN' denied
Jul 2 06:18:53 dc3 named[9754]: client 10.10.5.12#60664: update 'campus. company.intra /IN' denied
Jul 2 06:24:43 dc3 named[9754]: client 10.10.5.12#55716: update 'campus. company.intra /IN' denied

Note the lack of './daemon.log.1:33430:'. I have '/var/log/deamon.log' and it contains lines in the format above, they all start with the date.

The lines show that various clients are being denied updating a record, this may be perfectly okay, they may not own the record. Do you have anything else updating the records, DHCP for instance? If so, the problem does not lie on the DC, it lies on the clients and they need to be told to stop trying to update their own records.

Rowland
Elias Pereira
2018-Jul-03 13:37 UTC
[Samba] client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied
> auth-nxdomain yes; # conform to RFC1035 =no

Why do you use this variable as "yes"? :)

> Note the lack of './daemon.log.1:33430:'. I have '/var/log/deamon.log'
> and it contains lines in the format above, they all start with the date.

I used a grep to find the lines with "denied" and posted. If I get the logs directly from syslog, it usually appears with the date at startup.

Jul 3 10:07:45 dc3 named[31128]: client @0x7fd9a0059800 172.16.4.252#51989: update 'campus.company.intra/IN' denied
Jul 3 10:07:45 dc3 named[31128]: client @0x7fd9a0059800 10.10.4.119#63432: update 'campus.company.intra/IN' denied
Jul 3 10:07:45 dc3 named[31128]: client @0x7fd9a0059800 172.16.4.252#62280: update 'campus.company.intra/IN' denied
Jul 3 10:07:52 dc3 named[31128]: client @0x7fd9a4070a90 10.10.4.50#58891: update

> The lines show that various clients are being denied updating a record,
> this may be perfectly okay, they may not own the record. Do you have
> anything else updating the records, DHCP for instance. If so, the
> problem does not lie on the DC, it lies on the clients and they need to
> be told to stop trying to update their own records.

Our DHCP is a pfsense and the settings are basic. Any other thing that I can do for test?

On Tue, Jul 3, 2018 at 4:51 AM Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 2 Jul 2018 22:56:39 -0300
> Elias Pereira via samba <samba at lists.samba.org> wrote:
>
> > > I don't know what error you are getting, even if you have posted it,
> > > can you post the full error. Can you please post all the lines from
> > > syslog around the error and not just the error.
> >
> > The only logs that show are below.
> >
> > ./daemon.log.1:33430:Jul 2 06:16:28 dc3 named[9754]: client 10.10.4.3#52074: update 'campus.company.intra/IN' denied
> > ./daemon.log.1:33432:Jul 2 06:17:03 dc3 named[9754]: client 10.10.1.2#58780: update 'campus. company.intra /IN' denied
> > ./daemon.log.1:33433:Jul 2 06:17:03 dc3 named[9754]: client 10.10.1.2#56611: update 'campus. company.intra /IN' denied
> > ./daemon.log.1:33436:Jul 2 06:18:53 dc3 named[9754]: client 10.10.5.12#60664: update 'campus. company.intra /IN' denied
> > ./daemon.log.1:33442:Jul 2 06:24:43 dc3 named[9754]: client 10.10.5.12#55716: update 'campus. company.intra /IN' denied
> >
> > Maybe execute dlz_bind9_11.so in *debug*
> > <https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Debugging_the_BIND9_DLZ_Module> mode
> > for more information?
>
> You could try that, but that log fragment looks a bit different from
> mine. Okay, I do not have any lines similar to yours, but if I did, I
> feel they would look like this:
>
> Jul 2 06:16:28 dc3 named[9754]: client 10.10.4.3#52074: update 'campus.company.intra/IN' denied
> Jul 2 06:17:03 dc3 named[9754]: client 10.10.1.2#58780: update 'campus. company.intra /IN' denied
> Jul 2 06:17:03 dc3 named[9754]: client 10.10.1.2#56611: update 'campus. company.intra /IN' denied
> Jul 2 06:18:53 dc3 named[9754]: client 10.10.5.12#60664: update 'campus. company.intra /IN' denied
> Jul 2 06:24:43 dc3 named[9754]: client 10.10.5.12#55716: update 'campus. company.intra /IN' denied
>
> Note the lack of './daemon.log.1:33430:'. I have '/var/log/deamon.log'
> and it contains lines in the format above, they all start with the date.
>
> The lines show that various clients are being denied updating a record,
> this may be perfectly okay, they may not own the record. Do you have
> anything else updating the records, DHCP for instance. If so, the
> problem does not lie on the DC, it lies on the clients and they need to
> be told to stop trying to update their own records.
>
> Rowland

--
Elias Pereira
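
A triage sketch for the "update ... denied" lines discussed in this thread, added here as an example and not part of any poster's message or of Samba/BIND: it groups denials per client address so the sources can be compared with DHCP leases, and accepts the grep-prefixed, plain and `client @0x...` line shapes quoted above. The function names, the embedded sample and the choice to drop spaces inside the quoted zone name are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the line shapes quoted in this thread
# (grep-prefixed, with a "client @0x..." pointer, and one truncated line).
SAMPLE = """\
./daemon.log.1:33430:Jul 2 06:16:28 dc3 named[9754]: client 10.10.4.3#52074: update 'campus.company.intra/IN' denied
./daemon.log.1:33432:Jul 2 06:17:03 dc3 named[9754]: client 10.10.1.2#58780: update 'campus. company.intra /IN' denied
./daemon.log.1:33433:Jul 2 06:17:03 dc3 named[9754]: client 10.10.1.2#56611: update 'campus. company.intra /IN' denied
Jul 3 10:07:45 dc3 named[31128]: client @0x7fd9a0059800 172.16.4.252#51989: update 'campus.company.intra/IN' denied
Jul 3 10:07:45 dc3 named[31128]: client @0x7fd9a0059800 172.16.4.252#62280: update 'campus.company.intra/IN' denied
Jul 3 10:07:52 dc3 named[31128]: client @0x7fd9a4070a90 10.10.4.50#58891: update
"""

# "(?:^|:)" tolerates a "file:lineno:" prefix left by grep -n over several files.
DENIED = re.compile(
    r"(?:^|:)(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"update '(?P<zone>[^']+)' denied\s*$"
)

def parse_denied(line):
    """Return a dict for one denied-update line, or None if it does not match."""
    m = DENIED.search(line)
    if not m:
        return None
    # Assumption: spaces inside the quoted zone are paste artefacts, so drop them.
    zone = re.sub(r"\s+", "", m["zone"])
    return {"ts": m["ts"], "ip": m["ip"], "port": int(m["port"]), "zone": zone}

def summarise(text):
    """Group denials by client IP; also return lines that could not be parsed."""
    clients = defaultdict(lambda: {"count": 0, "zones": set(), "first": None, "last": None})
    skipped = []
    for line in filter(str.strip, text.splitlines()):
        rec = parse_denied(line)
        if rec is None:
            skipped.append(line)  # e.g. a line cut off after "update"
            continue
        c = clients[rec["ip"]]
        c["count"] += 1
        c["zones"].add(rec["zone"])
        c["first"] = c["first"] or rec["ts"]
        c["last"] = rec["ts"]
    return dict(clients), skipped

if __name__ == "__main__":
    clients, skipped = summarise(SAMPLE)
    for ip, c in sorted(clients.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip:15} {c['count']:3} {c['first']} .. {c['last']} {sorted(c['zones'])}")
    print(f"{len(skipped)} unparsed line(s)")
```
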