Jiří Černý
2018-Aug-21 14:30 UTC
[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
> So you never read this:
> https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC
> Which means that you probably never ran the aptly named
> 'samba_upgradedns'

Of course I ran this. Many times. I'm not stupid, Rowland. At least I can read :D
When I saw that Bind didn't work, I had to change the backend to internal DNS.

I carefully read and did everything from the wiki:
https://wiki.samba.org/index.php/Joining_a_Samba_DC_to_an_Existing_Active_Directory
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End
https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates
https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End#Troubleshooting

And tried everything possible. Writing to the mailing list is the last resort for me...

On every one of our DCs:

samba_dnsupdate --verbose
IPs: ['192.168.45.1']
Looking for DNS entry A dc03x.samdom.svmetal.cz 192.168.45.1 as dc03x.samdom.svmetal.cz.
Looking for DNS entry NS samdom.svmetal.cz dc03x.samdom.svmetal.cz as samdom.svmetal.cz.
Looking for DNS entry NS _msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz as _msdcs.samdom.svmetal.cz.
Looking for DNS entry A samdom.svmetal.cz 192.168.45.1 as samdom.svmetal.cz.
Looking for DNS entry SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 as _ldap._tcp.samdom.svmetal.cz.
Checking 0 100 389 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Checking 0 100 389 dc02x.samdom.svmetal.cz. against SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Checking 0 100 389 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Looking for DNS entry SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 as _ldap._tcp.dc._msdcs.samdom.svmetal.cz.
Checking 0 100 389 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Checking 0 100 389 dc02x.samdom.svmetal.cz.
against SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Checking 0 100 389 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Looking for DNS entry SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 as _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz. Checking 0 100 389 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Checking 0 100 389 dc02x.samdom.svmetal.cz. against SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Checking 0 100 389 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Looking for DNS entry SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 as _kerberos._tcp.samdom.svmetal.cz. Checking 0 100 88 dc01.samdom.svmetal.cz. against SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 Checking 0 100 88 dc02x.samdom.svmetal.cz. against SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 Checking 0 100 88 dc03x.samdom.svmetal.cz. against SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 Looking for DNS entry SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 as _kerberos._udp.samdom.svmetal.cz. Checking 0 100 88 dc01.samdom.svmetal.cz. against SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 Checking 0 100 88 dc02x.samdom.svmetal.cz. against SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 Checking 0 100 88 dc03x.samdom.svmetal.cz. against SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 Looking for DNS entry SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 as _kerberos._tcp.dc._msdcs.samdom.svmetal.cz. 
Checking 0 100 88 dc01.samdom.svmetal.cz. against SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 Checking 0 100 88 dc02x.samdom.svmetal.cz. against SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 Checking 0 100 88 dc03x.samdom.svmetal.cz. against SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 Looking for DNS entry SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 as _kpasswd._tcp.samdom.svmetal.cz. Checking 0 100 464 dc01.samdom.svmetal.cz. against SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 Checking 0 100 464 dc02x.samdom.svmetal.cz. against SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 Checking 0 100 464 dc03x.samdom.svmetal.cz. against SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 Looking for DNS entry SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 as _kpasswd._udp.samdom.svmetal.cz. Checking 0 100 464 dc01.samdom.svmetal.cz. against SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 Checking 0 100 464 dc02x.samdom.svmetal.cz. against SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 Checking 0 100 464 dc03x.samdom.svmetal.cz. against SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 Looking for DNS entry CNAME a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz as a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz. Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 as _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz. Checking 0 100 389 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Checking 0 100 389 dc03x.samdom.svmetal.cz. 
against SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 as _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz. Checking 0 100 389 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Checking 0 100 389 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 as _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz. Checking 0 100 88 dc01.samdom.svmetal.cz. against SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 Checking 0 100 88 dc03x.samdom.svmetal.cz. against SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 Looking for DNS entry SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 as _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz. Checking 0 100 88 dc01.samdom.svmetal.cz. against SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 Checking 0 100 88 dc03x.samdom.svmetal.cz. against SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 Looking for DNS entry A gc._msdcs.samdom.svmetal.cz 192.168.45.1 as gc._msdcs.samdom.svmetal.cz. Looking for DNS entry SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 as _gc._tcp.samdom.svmetal.cz. Checking 0 100 3268 dc01.samdom.svmetal.cz. against SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 Checking 0 100 3268 dc02x.samdom.svmetal.cz. 
against SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 Checking 0 100 3268 dc03x.samdom.svmetal.cz. against SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 Looking for DNS entry SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 as _ldap._tcp.gc._msdcs.samdom.svmetal.cz. Checking 0 100 3268 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 Checking 0 100 3268 dc02x.samdom.svmetal.cz. against SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 Checking 0 100 3268 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 Looking for DNS entry SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 as _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz. Checking 0 100 3268 dc01.samdom.svmetal.cz. against SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 Checking 0 100 3268 dc03x.samdom.svmetal.cz. against SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 as _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz. Checking 0 100 3268 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 Checking 0 100 3268 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 Looking for DNS entry A DomainDnsZones.samdom.svmetal.cz 192.168.45.1 as DomainDnsZones.samdom.svmetal.cz. Looking for DNS entry SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 as _ldap._tcp.DomainDnsZones.samdom.svmetal.cz. Checking 0 100 389 dc01.samdom.svmetal.cz. 
against SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Checking 0 100 389 dc02x.samdom.svmetal.cz. against SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Checking 0 100 389 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 as _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz. Checking 0 100 389 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Checking 0 100 389 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Looking for DNS entry A ForestDnsZones.samdom.svmetal.cz 192.168.45.1 as ForestDnsZones.samdom.svmetal.cz. Looking for DNS entry SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 as _ldap._tcp.ForestDnsZones.samdom.svmetal.cz. Checking 0 100 389 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Checking 0 100 389 dc02x.samdom.svmetal.cz. against SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Checking 0 100 389 dc03x.samdom.svmetal.cz. against SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Looking for DNS entry SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 as _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz. Checking 0 100 389 dc01.samdom.svmetal.cz. against SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Checking 0 100 389 dc03x.samdom.svmetal.cz. 
against SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
No DNS updates needed

But:

samba_dnsupdate --verbose --all-names
IPs: ['192.168.45.1']
force update: A dc03x.samdom.svmetal.cz 192.168.45.1
force update: NS samdom.svmetal.cz dc03x.samdom.svmetal.cz
force update: NS _msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz
force update: A samdom.svmetal.cz 192.168.45.1
force update: SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
force update: SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464
force update: CNAME a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88
force update: A gc._msdcs.samdom.svmetal.cz 192.168.45.1
force update: SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
force update: SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
force update: SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268
force update: A DomainDnsZones.samdom.svmetal.cz 192.168.45.1
force update: SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: A ForestDnsZones.samdom.svmetal.cz 192.168.45.1
force update: SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
28 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
update(nsupdate): A dc03x.samdom.svmetal.cz 192.168.45.1
Calling nsupdate for A dc03x.samdom.svmetal.cz 192.168.45.1 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
dc03x.samdom.svmetal.cz. 900 IN A 192.168.45.1

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): NS samdom.svmetal.cz dc03x.samdom.svmetal.cz
Calling nsupdate for NS samdom.svmetal.cz dc03x.samdom.svmetal.cz (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
samdom.svmetal.cz. 900 IN NS dc03x.samdom.svmetal.cz.
; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): NS _msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz Calling nsupdate for NS _msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _msdcs.samdom.svmetal.cz. 900 IN NS dc03x.samdom.svmetal.cz. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): A samdom.svmetal.cz 192.168.45.1 Calling nsupdate for A samdom.svmetal.cz 192.168.45.1 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: samdom.svmetal.cz. 900 IN A 192.168.45.1 ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Calling nsupdate for SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _ldap._tcp.samdom.svmetal.cz. 900 IN SRV 0 100 389 dc03x.samdom.svmetal.cz. 
; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Calling nsupdate for SRV _ldap._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _ldap._tcp.dc._msdcs.samdom.svmetal.cz. 900 IN SRV 0 100 389 dc03x.samdom.svmetal.cz. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Calling nsupdate for SRV _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _ldap._tcp.991e4476-399a-4712-a64f-a2019ed40e7b.domains._msdcs.samdom.svmetal.cz. 900 IN SRV 0 100 389 dc03x.samdom.svmetal.cz. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 Calling nsupdate for SRV _kerberos._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _kerberos._tcp.samdom.svmetal.cz. 900 IN SRV 0 100 88 dc03x.samdom.svmetal.cz. 
; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 Calling nsupdate for SRV _kerberos._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _kerberos._udp.samdom.svmetal.cz. 900 IN SRV 0 100 88 dc03x.samdom.svmetal.cz. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _kerberos._tcp.dc._msdcs.samdom.svmetal.cz. 900 IN SRV 0 100 88 dc03x.samdom.svmetal.cz. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 Calling nsupdate for SRV _kpasswd._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _kpasswd._tcp.samdom.svmetal.cz. 900 IN SRV 0 100 464 dc03x.samdom.svmetal.cz. 
; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 Calling nsupdate for SRV _kpasswd._udp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 464 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _kpasswd._udp.samdom.svmetal.cz. 900 IN SRV 0 100 464 dc03x.samdom.svmetal.cz. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): CNAME a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz Calling nsupdate for CNAME a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: a0fcd1d9-a5e2-428c-a271-ab17103bb4d0._msdcs.samdom.svmetal.cz. 900 IN CNAME dc03x.samdom.svmetal.cz. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _ldap._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz. 900 IN SRV 0 100 389 dc03x.samdom.svmetal.cz. 
; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz. 900 IN SRV 0 100 389 dc03x.samdom.svmetal.cz. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _kerberos._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz. 900 IN SRV 0 100 88 dc03x.samdom.svmetal.cz. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 Calling nsupdate for SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 88 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.samdom.svmetal.cz. 900 IN SRV 0 100 88 dc03x.samdom.svmetal.cz. 
; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): A gc._msdcs.samdom.svmetal.cz 192.168.45.1 Calling nsupdate for A gc._msdcs.samdom.svmetal.cz 192.168.45.1 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: gc._msdcs.samdom.svmetal.cz. 900 IN A 192.168.45.1 ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 Calling nsupdate for SRV _gc._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _gc._tcp.samdom.svmetal.cz. 900 IN SRV 0 100 3268 dc03x.samdom.svmetal.cz. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 Calling nsupdate for SRV _ldap._tcp.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _ldap._tcp.gc._msdcs.samdom.svmetal.cz. 900 IN SRV 0 100 3268 dc03x.samdom.svmetal.cz. 
; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 Calling nsupdate for SRV _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _gc._tcp.Default-First-Site-Name._sites.samdom.svmetal.cz. 900 IN SRV 0 100 3268 dc03x.samdom.svmetal.cz. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz dc03x.samdom.svmetal.cz 3268 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.samdom.svmetal.cz. 900 IN SRV 0 100 3268 dc03x.samdom.svmetal.cz. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): A DomainDnsZones.samdom.svmetal.cz 192.168.45.1 Calling nsupdate for A DomainDnsZones.samdom.svmetal.cz 192.168.45.1 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: DomainDnsZones.samdom.svmetal.cz. 
900 IN A 192.168.45.1 ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Calling nsupdate for SRV _ldap._tcp.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _ldap._tcp.DomainDnsZones.samdom.svmetal.cz. 900 IN SRV 0 100 389 dc03x.samdom.svmetal.cz. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.samdom.svmetal.cz. 900 IN SRV 0 100 389 dc03x.samdom.svmetal.cz. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): A ForestDnsZones.samdom.svmetal.cz 192.168.45.1 Calling nsupdate for A ForestDnsZones.samdom.svmetal.cz 192.168.45.1 (add) Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: ForestDnsZones.samdom.svmetal.cz. 
900 IN A 192.168.45.1

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.samdom.svmetal.cz. 900 IN SRV 0 100 389 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.svmetal.cz. 900 IN SRV 0 100 389 dc03x.samdom.svmetal.cz.

; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 28 entries

But it's nothing new; I've seen those errors from 4.2 until now.

> It shouldn't have been 'painful' to upgrade, you could have done an in
> place dist-upgrade. If this is not possible, you should have demoted
> the old one and then joined a new DC with the same IP but a new name.
> There is another flaw in your thinking, all DC's running a dns
> nameserver are SOA masters.

No, you cannot upgrade CentOS 6 to 7 in place.

And I'm sorry for the misunderstanding with SOA. Only one DC should be the primary server in the SOA (the very first provisioned DC), but that DC and all the other DCs are NS for the domain zones. But if you demote that first DC (primary in SOA), the record for that DC will remain in the SOA. I tested it in a lab environment and Bind threw errors because of that. Moreover, samba-tool domain demote leaves many things in DNS and you have to run samba-tool domain demote --remove-other-dead-server= as well. And manually delete the rest, for sure. That's a pain. And I don't know about others, but I tested FSMO transfer on 4.7 (both DCs) and also 4.8 (both DCs) and it also didn't perform well. I hit some kind of timeouts during the transfer and I had to run it 7 times to transfer all roles.

It was really painful in our environment. But it's quite old (from Samba 4.2) and classicupgraded, so quite different from a default provisioned one.

Actually, I'm really glad our domain works at least with nonsecure internal DNS ;)

> That is where I expected them to be ;-)
> The only thing that can change the dns records is whatever owns them,
> it looks like whatever is trying to change the records is being refused
> because it doesn't own them.

Ok. But is there some insecure workaround? How does the internal server do that with the "nonsecure" option? As I wrote in the first mail, I have no problem with forcing Bind to do things insecurely.

Jiri
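All 28 nsupdate attempts in the transcript above fail the same way against the same server. As an added example (not from the thread), this Python triage script parses `samba_dnsupdate --verbose` output in exactly the shape quoted above, groups failures by target server and error, and separates a signature failure (`; TSIG error with server: ...`) from a policy refusal (nsupdate's `update failed: REFUSED`), which is what a record the caller does not own would produce. The two sample transcripts are constructed; the REFUSED case is an assumed contrast, not something the thread shows.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Line shapes as printed by samba_dnsupdate --verbose (it drives nsupdate -g).
CALLING = re.compile(r"^Calling nsupdate for (\S+) (\S+) (.*?)\s*\((add|delete)\)$")
TICKET = re.compile(r"^Successfully obtained Kerberos ticket to (\S+) as (\S+)$")
TSIG_ERR = re.compile(r"^; TSIG error with server: (.+)$")
RCODE_ERR = re.compile(r"^update failed: (\S+)$")   # nsupdate's wording for a server RCODE
FAILED = re.compile(r"^Failed nsupdate: (\d+)$")


@dataclass
class Attempt:
    rtype: str
    name: str
    rdata: str
    action: str
    server_spn: str = ""   # DNS/<server> principal the ticket was obtained for
    account: str = ""      # machine account doing the update (DC03X$ above)
    error: str = ""        # "tsig: ..." or "rcode: ..." when the server rejected it
    rc: int = 0            # nsupdate exit status reported by samba_dnsupdate


def parse(text: str) -> list:
    """Split a samba_dnsupdate transcript into one Attempt per nsupdate call."""
    attempts, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := CALLING.match(line)):
            cur = Attempt(*m.groups())
            attempts.append(cur)
        elif cur is None:
            continue                      # header lines before the first attempt
        elif (m := TICKET.match(line)):
            cur.server_spn, cur.account = m.groups()
        elif (m := TSIG_ERR.match(line)):
            cur.error = "tsig: " + m.group(1)
        elif (m := RCODE_ERR.match(line)):
            cur.error = "rcode: " + m.group(1)
        elif (m := FAILED.match(line)):
            cur.rc = int(m.group(1))
    return attempts


def summarize(attempts: list) -> dict:
    failed = [a for a in attempts if a.rc or a.error]
    return {
        "attempted": len(attempts),
        "failed": len(failed),
        "by_server": dict(Counter(a.server_spn for a in failed)),
        "by_error": dict(Counter(a.error for a in failed)),
    }


def diagnose(summary: dict) -> str:
    # Uniform failures point at the server side of the exchange, mixed ones at records.
    if summary["failed"] == 0:
        return "ok: every update was applied"
    servers, errors = summary["by_server"], summary["by_error"]
    if len(servers) == 1 and len(errors) == 1:
        server, error = next(iter(servers)), next(iter(errors))
        if error.startswith("tsig:"):
            return (f"signature check failing on {server} for all {summary['failed']} "
                    "records: the Kerberos ticket was issued, so look at how that server "
                    "verifies GSS-TSIG, not at per-record ownership")
        if error == "rcode: REFUSED":
            return (f"{server} verified the requests but refused all of them: "
                    "an update-policy/ownership decision, not a signature problem")
        return f"uniform failure on {server}: {error}"
    return "mixed failures, inspect attempts individually: " + ", ".join(sorted(errors))


# Constructed sample in the shape quoted in the thread (two records, both TSIG failures).
SAMPLE_TSIG = """\
2 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
update(nsupdate): A dc03x.samdom.svmetal.cz 192.168.45.1
Calling nsupdate for A dc03x.samdom.svmetal.cz 192.168.45.1 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
Outgoing update query:
;; UPDATE SECTION:
dc03x.samdom.svmetal.cz. 900 IN A 192.168.45.1
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389
Calling nsupdate for SRV _ldap._tcp.samdom.svmetal.cz dc03x.samdom.svmetal.cz 389 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
; TSIG error with server: tsig verify failure
Failed nsupdate: 2
Failed update of 2 entries
"""

# Constructed contrast case (assumed, not from the thread): signature accepted, policy refused.
SAMPLE_REFUSED = """\
update(nsupdate): A dc03x.samdom.svmetal.cz 192.168.45.1
Calling nsupdate for A dc03x.samdom.svmetal.cz 192.168.45.1 (add)
Successfully obtained Kerberos ticket to DNS/dc01.samdom.svmetal.cz as DC03X$
update failed: REFUSED
Failed nsupdate: 2
"""

if __name__ == "__main__":
    for sample in (SAMPLE_TSIG, SAMPLE_REFUSED):
        s = summarize(parse(sample))
        print(s["failed"], "/", s["attempted"], "failed ->", diagnose(s))
```

The records being updated here (the _ldap, _kerberos and _gc SRV entries) are how every client in the domain locates a DC, so a server policy that accepts unsigned updates as a workaround lets any host that can reach it rewrite them.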
L.P.H. van Belle
2018-Aug-21 14:50 UTC
[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
; TSIG error with server: tsig verify failure

Maybe update/setup your TSIG key.
https://access.redhat.com/documentation/en-us/openshift_enterprise/2/html/puppet_deployment_guide/generating_a_bind_tsig_key

I'm also wondering why RH is using: '--disable-isc-spnego'

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Jiří Černý via samba
> Sent: Tuesday, 21 August 2018 16:31
> To: samba at lists.samba.org
> Subject: Re: [Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
>
> [...]
Rowland Penny
2018-Aug-21 14:57 UTC
[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
On Tue, 21 Aug 2018 16:30:42 +0200 Jiří Černý via samba <samba at lists.samba.org> wrote:

> > So you never read this:
> > https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC
> > Which means that you probably never ran the aptly named 'samba_upgradedns'
> Of course I ran this. Many times. I'm not stupid, Rowland. At least I can read :D

I never said you were stupid, but I asked how you upgraded to Bind9 and you never mentioned 'samba_upgradedns'

> If I've seen that Bind doesn't work,

Where ?? It has worked faithfully for me for the last 5 1/2 years.

> But it's nothing new, those errors I've seen from 4.2 until now.

OK, try this:

samba_dnsupdate --verbose --all-names --use-samba-tool

> > It shouldn't have been 'painful' to upgrade, you could have done an in place dist-upgrade. If this is not possible, you should have demoted the old one and then joined a new DC with the same IP but a new name. There is another flaw in your thinking, all DC's running a dns nameserver are SOA masters.
> No, you cannot upgrade CentOS 6 to 7 in place.
> And I'm sorry for the misunderstanding with SOA. Only one DC should be the primary server in the SOA (the very first provisioned DC), but that DC and all other DCs are NS for the domain zones. But if you demote that first DC (primary in the SOA), the record for that DC will remain in the SOA. I tested it in a lab environment and Bind threw errors because of that.

Yes that is a pain, you need to manually remove it with samba-tool. Not sure, but I think the latest Samba removes it when a DC is demoted.

> Moreover, samba-tool domain demote leaves many things in DNS and you have to run samba-tool domain demote --remove-other-dead-server= as well. And manually delete the rest for sure. That's pain. And I don't know how it is for others, but I tested FSMO transfer on 4.7 (both DCs) and also 4.8 (both DCs) and it also didn't perform well. I hit some kind of timeouts during the transfer and I had to run it 7 times to transfer all roles. It was really painful in our environment. But it's quite old (from Samba 4.2) and classicupgraded, so quite different from a default provisioned one. Actually, I'm really glad our domain works at least with nonsecure internal DNS ;)

As I said, a lot of the above has been fixed in the latest Samba versions.

> > That is where I expected them to be ;-)
> > The only thing that can change the dns records is whatever owns them, it looks like whatever is trying to change the records is being refused because it doesn't own them.
> Ok. But is there some insecure workaround? How does the internal server do that with "nonsecure" options? As I wrote in the first mail, I have no problem with forcing Bind to do things insecurely.
> Jiri

Not sure about that, do your DC's point to themselves as their first nameserver or another DC ?

Rowland
Rowland Penny
2018-Aug-21 15:05 UTC
[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
On Tue, 21 Aug 2018 16:50:19 +0200 "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> > ; TSIG error with server: tsig verify failure
>
> Maybe update/setup your TSIG key.
> https://access.redhat.com/documentation/en-us/openshift_enterprise/2/html/puppet_deployment_guide/generating_a_bind_tsig_key
>
> I'm also wondering why RH is using : '--disable-isc-spnego'

Good catch Louis, that rang a bell and the answer is because you cannot run a Samba AD DC on red-hat with distro packages, so they stop updates (Don't ask why, I don't know). See here:

https://wiki.samba.org/index.php/Using_BIND_DLZ_backend_with_secured_/_signed_DNS_updates

So in answer to the OP, sorry, but I missed/forgot this and the answer to your problem is, you will have to rebuild the Bind9 rpm.

Rowland
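The diagnosis in the thread is that the Kerberos side is fine ("Successfully obtained Kerberos ticket to DNS/dc01... as DC03X$") and the failure is on the BIND side, where a build configured with '--disable-isc-spnego' cannot verify the GSS-TSIG signature on the update. The script below is an added example, not code from the thread or from Samba or BIND: it classifies the configure line that `named -V` prints, so you can tell a rebuilt package from the distro one before running samba_dnsupdate again, and it emits the nsupdate -g input for a hand-made secure update against one DC, as a manual counterpart to samba_dnsupdate. The two `named -V` samples are constructed approximations of the real output, and the test record name `testhost.samdom.svmetal.cz` with address 192.168.45.250 is an assumption; the DC and zone names are the ones from the thread.

```shell
#!/bin/sh
# Added example: classify a BIND build for GSS-TSIG (Kerberos-signed DNS updates)
# and print an nsupdate -g script for a manual secure update. Not part of the
# mailing-list thread, Samba, or BIND.

# Constructed samples of `named -V` output (approximations, not captured output).
# Red Hat-style build as discussed in the thread: GSSAPI present, SPNEGO disabled.
SAMPLE_RH_NAMED_V="BIND 9.9.4-RedHat-9.9.4-61.el7 (Extended Support Version)
built by make with '--build=x86_64-redhat-linux-gnu' '--with-gssapi=yes' '--disable-isc-spnego' '--with-dlz-ldap=yes'"

# A rebuilt package: GSSAPI present, SPNEGO left enabled.
SAMPLE_OK_NAMED_V="BIND 9.9.4 (Extended Support Version)
built by make with '--with-gssapi=yes' '--with-dlz-ldap=yes'"

# bind_gss_tsig_status: read `named -V` text on stdin, print a verdict and return
#   0  gss-tsig-ok          GSSAPI compiled in, SPNEGO not disabled
#   1  isc-spnego-disabled  built with --disable-isc-spnego (the case in the thread)
#   2  no-gssapi            no usable GSSAPI in the configure line
bind_gss_tsig_status() {
    v=$(cat)
    case "$v" in
        *--disable-isc-spnego*) echo "isc-spnego-disabled"; return 1 ;;
    esac
    case "$v" in
        *--with-gssapi=no*|*--without-gssapi*) echo "no-gssapi"; return 2 ;;
        *--with-gssapi*)                       echo "gss-tsig-ok"; return 0 ;;
    esac
    echo "no-gssapi"
    return 2
}

# gss_update_script SERVER ZONE FQDN IP: print nsupdate commands that add one A
# record. Feed the output to `nsupdate -g` after `kinit` so the update is signed
# with GSS-TSIG, which is what samba_dnsupdate does for every record it pushes.
gss_update_script() {
    printf 'server %s\n' "$1"
    printf 'zone %s\n' "$2"
    printf 'update add %s 900 A %s\n' "$3" "$4"
    printf 'send\n'
}

# Live run (only when invoked with --check, so sourcing the file stays side-effect free):
#   sh bind_gss_check.sh --check
if [ "${1:-}" = "--check" ]; then
    verdict=$(named -V 2>/dev/null | bind_gss_tsig_status) || true
    echo "named build: $verdict"
    if [ "$verdict" = "gss-tsig-ok" ]; then
        # Assumed test record; kinit as a user allowed to update the zone first.
        gss_update_script dc01.samdom.svmetal.cz samdom.svmetal.cz \
            testhost.samdom.svmetal.cz 192.168.45.250 | nsupdate -g
    fi
fi
```

If the verdict is "isc-spnego-disabled", no TSIG key or named.conf change will help: the build simply cannot complete the GSS-TSIG exchange, and the fix Rowland gives, rebuilding the BIND package without that option, is the one that applies. Once the rebuilt named is in place, `samba_dnsupdate --verbose --all-names --use-samba-tool` from the earlier reply is the sensible full re-check, since it walks all 28 records that failed above.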