Hi,
I recently noticed that when doing "samba_dns --all-names --verbose"
against Bind-9.12, I can't update dns records. I'm getting these error
messages for each record to update:
.
.
.
update failed: REFUSED
Failed nsupdate: 2
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.com
alpine.samdom.com 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.com
alpine.samdom.com 389 (add)
Successfully obtained Kerberos ticket to DNS/alpine.samdom.com as ALPINE$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.com. 900 IN SRV
0 100 389 alpine.samdom.com.
update failed: REFUSED
Failed nsupdate: 2
Failed update of 34 entrier
-----
This is Bind-9.12 log during operation:
daemon.err [6942]: samba_dlz: spnego update failed
daemon.info [6942]: client @0x562790c4cc40 127.0.0.1#53705/key
ALPINE\$\@samdom.com: updating zone 'samdom.com/NONE': update failed:
rejected by secure update (REFUSED)
daemon.info [6942]: samba_dlz: cancelling transaction on zone samdom.com
daemon.info [6942]: samba_dlz: starting transaction on zone samdom.com
daemon.err [6942]: samba_dlz: spnego update failed
daemon.info [6942]: client @0x562790c45d20 127.0.0.1#43211/key
ALPINE\$\@samdom.com: updating zone 'samdom.com/NONE': update failed:
rejected by secure update (REFUSED)
daemon.info [6942]: samba_dlz: cancelling transaction on zone samdom.com
-----
The same setup works on Bind-9.11. I didn't encounter this problem
earlier because "samba_dnsupdate" runs fine, but since it doesn't force
an update, its behaviour has misled me. When the bind service first launches,
the dlz module loads fine:
daemon.info named[7317]: Loading 'AD DNS Zone' using driver dlopen
daemon.info [7317]: samba_dlz: started for DN DC=samdom,DC=som
daemon.info [7317]: samba_dlz: starting configure
daemon.info [7317]: samba_dlz: configured writeable zone 'samdom.com'
daemon.info [7317]: samba_dlz: configured writeable zone '_msdcs.samdom.com'
daemon.info [7317]: none:103: 'max-cache-size 90%' - setting to 7185MB
(out of 7984MB) alpine
daemon.info [7317]: set up managed keys zone for view _default, file
'managed-keys.bind'
-----
I'm trying to find the cause of the problem. Maybe it is related to this:
"Previously, update-policy local; accepted updates from any source so
long as they were signed by the locally-generated session key. This has
been further restricted; updates are now only accepted from locally
configured addresses. [RT #45492]"
https://kb.isc.org/article/AA-01554/0/BIND-9.12.0-Release-Notes.html
---
Taner Tas
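As an added example (not part of the post above, and not Samba or BIND code), here is a small Python script that correlates the two logs quoted in the post: it tallies which records "samba_dnsupdate --verbose" failed to apply and with which RCODE, and pulls the client, signing key, zone and refusal reason out of the matching named log lines. The sample input is constructed from the shapes quoted above (record names and the second and third records are made up). It assumes that in the verbose output a record's outcome is the first "update failed: ..." line after its "Calling nsupdate for ..." line, and that a record with no such line was applied; the backslashes before "$" and "@" in the key name are treated as syslog/mail escaping and stripped.

```python
import re
from collections import Counter

# Constructed sample of "samba_dnsupdate --verbose" output, modelled on the
# lines quoted in the post (not a real capture). Only the first record is
# taken from the post; the A and CNAME records are invented.
SAMBA_DNSUPDATE_OUTPUT = r"""
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.samdom.com alpine.samdom.com 389 (add)
Successfully obtained Kerberos ticket to DNS/alpine.samdom.com as ALPINE$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A alpine.samdom.com 192.0.2.10 (add)
Successfully obtained Kerberos ticket to DNS/alpine.samdom.com as ALPINE$
Outgoing update query:
update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for CNAME 00000000-0000-0000-0000-000000000000._msdcs.samdom.com alpine.samdom.com (add)
Successfully obtained Kerberos ticket to DNS/alpine.samdom.com as ALPINE$
Outgoing update query:
Failed update of 2 entries
"""

# Constructed named syslog lines in the same shape as the BIND 9.12 log in the post.
NAMED_LOG = r"""
daemon.err [6942]: samba_dlz: spnego update failed
daemon.info [6942]: client @0x562790c4cc40 127.0.0.1#53705/key ALPINE\$\@samdom.com: updating zone 'samdom.com/NONE': update failed: rejected by secure update (REFUSED)
daemon.info [6942]: samba_dlz: cancelling transaction on zone samdom.com
daemon.err [6942]: samba_dlz: spnego update failed
daemon.info [6942]: client @0x562790c45d20 127.0.0.1#43211/key ALPINE\$\@samdom.com: updating zone 'samdom.com/NONE': update failed: rejected by secure update (REFUSED)
daemon.info [6942]: samba_dlz: cancelling transaction on zone samdom.com
"""

# "Calling nsupdate for <TYPE> <name> ... (<op>)"
CALL_RE = re.compile(r"^Calling nsupdate for (?P<rtype>\S+) (?P<name>\S+) .*\((?P<op>\w+)\)$")
# "update failed: <RCODE>"
FAIL_RE = re.compile(r"^update failed: (?P<rcode>\S+)$")
# named's refusal line: client address/port, TSIG/GSS key name, zone and reason
NAMED_RE = re.compile(
    r"client @0x[0-9a-f]+ (?P<addr>[\d.:]+)#(?P<port>\d+)/key (?P<key>\S+): "
    r"updating zone '(?P<zone>[^']+)': update failed: (?P<reason>.+)$"
)


def parse_nsupdate_output(text):
    """Return one dict per attempted record: type, name, op and outcome.

    Assumption: the outcome is the first 'update failed: ...' line after the
    record's 'Calling nsupdate' line; no such line means the update was applied.
    """
    records = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            records.append({"rtype": m["rtype"], "name": m["name"],
                            "op": m["op"], "result": "applied"})
            continue
        m = FAIL_RE.match(line)
        if m and records and records[-1]["result"] == "applied":
            records[-1]["result"] = m["rcode"]
    return records


def parse_named_refusals(text):
    """Return (client, signing key, zone, reason) for each refused update in the named log."""
    refusals = []
    for line in text.splitlines():
        m = NAMED_RE.search(line)
        if m:
            key = m["key"].replace("\\", "")  # strip syslog/mail escaping of '$' and '@'
            refusals.append((f'{m["addr"]}#{m["port"]}', key, m["zone"], m["reason"]))
    return refusals


def summarize(nsupdate_text, named_text):
    """Tally client-side failures by record type and RCODE, and server-side
    refusals by (zone, key, reason), so both logs can be compared at a glance."""
    records = parse_nsupdate_output(nsupdate_text)
    failed = [r for r in records if r["result"] != "applied"]
    refusals = parse_named_refusals(named_text)
    return {
        "attempted": len(records),
        "failed": len(failed),
        "failed_by_type": Counter(r["rtype"] for r in failed),
        "rcodes": Counter(r["result"] for r in failed),
        "server_refusals": Counter((zone, key, reason) for _, key, zone, reason in refusals),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMBA_DNSUPDATE_OUTPUT, NAMED_LOG).items():
        print(f"{k}: {dict(v) if isinstance(v, Counter) else v}")
```

Run against real captures by replacing the two constants with the saved "samba_dnsupdate --verbose" output and the named log; a mismatch between the number of client-side REFUSED records and the number of server-side "rejected by secure update" lines, or a key name other than the DC's machine account, narrows down which side of the GSS-TSIG exchange is rejecting the update.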