samba - Jul 2018 - client @0x7f6ed800bc20 172.16.5.86#62582: update 'campus.company.intra/IN' denied

>
> To be honest, I cannot remember just why I set it, I can just tell you
> that I have used it that way for nearly six years now, but if you
> insist in knowing, I will search my old notes to find the reason.

If it's not much work for you, I'd like to know why. :)

Is the above block in syslog as posted, or is it another 'grep'
block.
> If the lines are not together, please post all the lines around them.

No. Direct from syslog and they are grouped in this way that I posted. I
just did not post all, because there are several lines.

If your pfsense thing is just providing dhcp info to clients and
they
> are supposed to update their own records, then it isn't a dhcp problem.

ok.


On Tue, Jul 3, 2018 at 11:02 AM Rowland Penny via samba <
samba at lists.samba.org> wrote:
> On Tue, 3 Jul 2018 10:37:29 -0300
> Elias Pereira via samba <samba at lists.samba.org> wrote:
>
> > >
> > > auth-nxdomain yes;    # conform to RFC1035 =no
> >
> >
> > Why do you use this variable as "yes"? :)
>
> To be honest, I cannot remember just why I set it, I can just tell you
> that I have used it that way for nearly six years now, but if you
> insist in knowing, I will search my old notes to find the reason.
>
> >
> > Note the lack of './daemon.log.1:33430:'. I have
'/var/log/deamon.log'
> > > and it contains lines in the format above, they all start with
the
> > > date.
> >
> >
> > I used a grep
>
> NEVER grep for lines in a logfile, you break the context.
>
> > to find the lines with "denied" and posted. If I get
> > the logs directly from syslog, it usually appears with the date at
> > startup.
> >
> > Jul  3 10:07:45 dc3 named[31128]: client @0x7fd9a0059800
> > 172.16.4.252#51989: update 'campus.company.intra/IN' denied
> > Jul  3 10:07:45 dc3 named[31128]: client @0x7fd9a0059800
> > 10.10.4.119#63432: update 'campus.company.intra/IN' denied
> > Jul  3 10:07:45 dc3 named[31128]: client @0x7fd9a0059800
> > 172.16.4.252#62280: update 'campus.company.intra/IN' denied
> > Jul  3 10:07:52 dc3 named[31128]: client @0x7fd9a4070a90
> > 10.10.4.50#58891: update
>
> Is the above block in syslog as posted, or is it another 'grep'
block.
> If the lines are not together, please post all the lines around them.
>
> >
> > The lines show that various clients are being denied updating a
> > record,
> > > this may be perfectly okay, they may not own the record. Do you
have
> > > anything else updating the records, DHCP for instance. If so, the
> > > problem does not lie on the DC, it lies on the clients and they
> > > need to be told to stop trying to update their own records.
> >
> >
> > Our dchp is a pfsense and the settings are basic.
>
> If your pfsense thing is just providing dhcp info to clients and they
> are supposed to update their own records, then it isn't a dhcp problem.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

-- 
Elias Pereira

@Rowland Penny <rpenny at samba.org>

The link below indicates that the error message may come from windows

"In the default configuration a Windows client will try to register its
name with A record in the DNS domain it thinks it belongs to."
https://docs.menandmice.com/pages/viewpage.action?pageId=6360958

Tomorrow I'll create a GPO to disable this option. Do you think it is safe
to disable this option in windows?
https://dougrathbone.com/blog/2010/02/23/stopping-windows-from-updating-dynamic-dns

On Tue, Jul 3, 2018 at 1:28 PM Elias Pereira <empbilly at gmail.com>
wrote:
> To be honest, I cannot remember just why I set it, I can just tell you
>> that I have used it that way for nearly six years now, but if you
>> insist in knowing, I will search my old notes to find the reason.
>
>
> If it's not much work for you, I'd like to know why. :)
>
> Is the above block in syslog as posted, or is it another 'grep'
block.
>> If the lines are not together, please post all the lines around them.
>
>
> No. Direct from syslog and they are grouped in this way that I posted. I
> just did not post all, because there are several lines.
>
> If your pfsense thing is just providing dhcp info to clients and they
>> are supposed to update their own records, then it isn't a dhcp
problem.
>
>
> ok.
>
>
> On Tue, Jul 3, 2018 at 11:02 AM Rowland Penny via samba <
> samba at lists.samba.org> wrote:
>
>> On Tue, 3 Jul 2018 10:37:29 -0300
>> Elias Pereira via samba <samba at lists.samba.org> wrote:
>>
>> > >
>> > > auth-nxdomain yes;    # conform to RFC1035 =no
>> >
>> >
>> > Why do you use this variable as "yes"? :)
>>
>> To be honest, I cannot remember just why I set it, I can just tell you
>> that I have used it that way for nearly six years now, but if you
>> insist in knowing, I will search my old notes to find the reason.
>>
>> >
>> > Note the lack of './daemon.log.1:33430:'. I have
'/var/log/deamon.log'
>> > > and it contains lines in the format above, they all start
with the
>> > > date.
>> >
>> >
>> > I used a grep
>>
>> NEVER grep for lines in a logfile, you break the context.
>>
>> > to find the lines with "denied" and posted. If I get
>> > the logs directly from syslog, it usually appears with the date at
>> > startup.
>> >
>> > Jul  3 10:07:45 dc3 named[31128]: client @0x7fd9a0059800
>> > 172.16.4.252#51989: update 'campus.company.intra/IN'
denied
>> > Jul  3 10:07:45 dc3 named[31128]: client @0x7fd9a0059800
>> > 10.10.4.119#63432: update 'campus.company.intra/IN' denied
>> > Jul  3 10:07:45 dc3 named[31128]: client @0x7fd9a0059800
>> > 172.16.4.252#62280: update 'campus.company.intra/IN'
denied
>> > Jul  3 10:07:52 dc3 named[31128]: client @0x7fd9a4070a90
>> > 10.10.4.50#58891: update
>>
>> Is the above block in syslog as posted, or is it another 'grep'
block.
>> If the lines are not together, please post all the lines around them.
>>
>> >
>> > The lines show that various clients are being denied updating a
>> > record,
>> > > this may be perfectly okay, they may not own the record. Do
you have
>> > > anything else updating the records, DHCP for instance. If so,
the
>> > > problem does not lie on the DC, it lies on the clients and
they
>> > > need to be told to stop trying to update their own records.
>> >
>> >
>> > Our dchp is a pfsense and the settings are basic.
>>
>> If your pfsense thing is just providing dhcp info to clients and they
>> are supposed to update their own records, then it isn't a dhcp
problem.
>>
>> Rowland
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>
>
> --
> Elias Pereira
>

-- 
Elias Pereira

On Tue, 3 Jul 2018 21:53:35 -0300
Elias Pereira <empbilly at gmail.com> wrote:
> @Rowland Penny <rpenny at samba.org>
> 
> The link below indicates that the error message may come from windows
> 
> "In the default configuration a Windows client will try to register
> its name with A record in the DNS domain it thinks it belongs to."
> https://docs.menandmice.com/pages/viewpage.action?pageId=6360958
> 
> Tomorrow I'll create a GPO to disable this option. Do you think it is
> safe to disable this option in windows?
>
https://dougrathbone.com/blog/2010/02/23/stopping-windows-from-updating-dynamic-dns
> 
Which is sort of what I have been trying to tell you, but I wasn't 100%
certain, mainly because of the way you posted 'snippets' of logs. I
think if you examine the logs correctly, you we see that the records
are being updated by something and then being denied (because they have
already been updated) from the clients (or it could be the opposite way
round), I don't know because I haven't seen all your logs.

Rowland