Jiří Černý
2018-Aug-22 14:26 UTC
[Samba] Samba 4.8.4 + BIND 9.9.4 - possibility of nonsecure DNS updates
I just tested samba_dnsupdate --verbose --all-names on our test domain. Samba 4.8.2 from Tranquil IT on CentOS 7 and its Bind 9.9.4. And it just works. But with Internal DNS it threw "; TSIG error with server: tsig verify failure" and "Failed nsupdate: 2", same as in the production domain. So you are right, Rowland, it's a problem with Bind - Samba communication. But I don't know why it's OK in the test environment. But it's a practically empty domain, 2 DCs, 3 client machines. So many differences.

>>> Jiří Černý 22.8.2018 15:47 >>>

> Yes, it is a failure, but a failure of the script, it shouldn't print
> all those Python errors, it should print something like 'No update
> required' for each attempted update and then 'No updates required'

Yes, I understand. samba_dnsupdate --verbose --all-names --use-samba-tool gave reasonable output. But samba_dnsupdate --verbose --all-names only just throws

    ; TSIG error with server: tsig verify failure
    Failed nsupdate: 2

which looks more serious.

> What it does show is that it isn't a Samba problem, but something to do
> with the interaction of Bind9 and Samba AD.

I get the same errors with Samba internal DNS, so I don't think it is Bind related. Or maybe I can't understand you, sorry.

> It is your decision, but I wouldn't allow anything to
> change /etc/resolv.conf on a DC.
>
> I can only speak about my experience with the order of
> nameservers in /etc/resolv.conf. All my DC's have their ipaddress as
> the first nameserver, followed by the other DC's. I never add any
> nameservers outside the domain, this is what 'forwarders' is for. I
> also never add a 'domain' line.
> With a DC based on the above, I have never experienced 'islanding'

All DCs have static IP configuration, but it's done by nmtui. I never had a problem with this on the many CentOS 7 servers I manage. I changed all DCs to point to themselves first, then to the others. And I also deleted the domain search line, as you recommend.

Jiri