Jiří Černý
2018-Aug-21 07:30 UTC
[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
Hello everyone.

In our company we have used Samba 4 for about 3 years (classic upgrade from Samba 3.5 + LDAP to Sernet Samba 4.2). We used CentOS 6 for domain controllers, and with the Bind bundled in this distro it was impossible to use dynamic DNS updates. And because I don't like using compiled SW on production servers, we used Samba internal DNS, which worked well (dynamic updates), with one non-default setting: allow dns updates = nonsecure.

That is because there is something wrong with our computers: some of them can securely update their A record, but some of them cannot. If I rejoin an affected computer to the domain (unjoin, delete computer account, join again), secure update works. It's also strange, because the affected computers are Windows 7 and also Windows 10, only a few months old. They were joined to the domain in one IP subnet and then sent to another company unit with its own IP subnet. I have no ability to rejoin all affected computers, so I set smb.conf "allow dns updates = nonsecure" - testparm shows "allow dns updates nonsecure and secure". It works well, and some insecurity isn't a problem in our environment.

Now we have upgraded to Sernet Samba 4.8.4 on CentOS 7.5, which has Bind built with capabilities to drive dynamic DNS updates. So after years on internal DNS I tried to switch to Bind. But it looks like "allow dns updates = nonsecure" doesn't work with BIND_DLZ (which is logical, because Samba is no longer acting as the DNS server). And, as I have described above, because Bind looks like it is accepting only secure updates, many of our computers can't update their records.

Also very interesting behavior: a notebook with Windows 10 connects to wifi (a different IP subnet than the subnets where the domain controllers are), and dynamic DNS update works. But if that notebook connects to VPN (with yet another IP subnet), dynamic DNS update fails.

So is there a possibility to force Bind to accept nonsecure updates?
Yours sincerely Jiří Černý System administrator +420 775 860 300 cerny at svmetal.cz helpdesk at svmetal.cz SV metal spol. s r.o. Divec 99 500 03 Hradec Králové Czech republic www.svmetal.cz
Rowland Penny
2018-Aug-21 08:11 UTC
[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
On Tue, 21 Aug 2018 09:30:25 +0200 Jiří Černý via samba <samba at lists.samba.org> wrote:

> So is there possibility to force Bind to accept nonsecure updates?

It should work ;-)

Can you post your smb.conf and /etc/named.conf files?

Rowland