Dear list, one more problem. I've setup my host running a samba addc controller. Samba version is samba-4.11.6-r2. I've joined two win10 clients to my domain. One client has a static ip, the other one was configured to ask my dhcpd-daemon for an ip. Following the book from stefan kania, I modified my dhcpd.conf to execute some scripts I've found on ArchWiki to add my win10-dynip-client to the internal dns server (A,PTR,...) of my samba-addc. It took quite a while but it works. My win10-static-client-name is resolved by the internal dns server, verified with nslookup SOMENAME. Unfortunately the win10-static-client did not add an entry to the reverse lookup zone, when I added it to the domain. Is there a reason why ? I guess it should not be like this. I've followed https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates for testing and samba_dnsupdate --verbose --all-names gives: ############################################# ; TSIG error with server: tsig verify failure Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.lfa.ls. 900 IN SRV 0 100 389 plfa1.lfa.ls. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): A ForestDnsZones.lfa.ls 10.20.30.1 Calling nsupdate for A ForestDnsZones.lfa.ls 10.20.30.1 (add) Successfully obtained Kerberos ticket to DNS/plfa1.lfa.ls as PLFA1$ Failed nsupdate: 2 update(nsupdate): SRV _ldap._tcp.ForestDnsZones.lfa.ls plfa1.lfa.ls 389 Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.lfa.ls plfa1.lfa.ls 389 (add) Successfully obtained Kerberos ticket to DNS/plfa1.lfa.ls as PLFA1$ Failed nsupdate: 2 update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.lfa.ls plfa1.lfa.ls 389 Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.lfa.ls plfa1.lfa.ls 389 (add) Successfully obtained Kerberos ticket to DNS/plfa1.lfa.ls as PLFA1$ Failed nsupdate: 2 Failed update of 29 entries ########################################################## The wiki (https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End) says that the internal dns of samba does not support shared-key transaction signature (TSIG) To be honest, I don't know if TSIG is related to my problem. Would be really happy about an answer .... and .... many thanks, blubberbaer
On 16/02/2020 18:25, kaffeesurrogat via samba wrote:> Dear list, > > one more problem. > > > I've setup my host running a samba addc controller. Samba version is > samba-4.11.6-r2. I've joined two win10 clients to my domain. One client > has a static ip, the other one was configured to ask my dhcpd-daemon for > an ip. Following the book from stefan kania, I modified my dhcpd.conf to > execute some scripts I've found on ArchWiki to add my win10-dynip-client > to the internal dns server (A,PTR,...) of my samba-addc. It took quite a > while but it works. > > My win10-static-client-name is resolved by the internal dns server, > verified with nslookup SOMENAME. Unfortunately the win10-static-client > did not add an entry to the reverse lookup zone, when I added it to the > domain. > > Is there a reason why ? I guess it should not be like this. > > > I've followed > > https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates > > for testing and > > samba_dnsupdate --verbose --all-names > > gives: > > ############################################# > ; TSIG error with server: tsig verify failure > Outgoing update query: > ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 > ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 > ;; UPDATE SECTION: > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.lfa.ls. 900 IN > SRV 0 100 389 plfa1.lfa.ls. > > ; TSIG error with server: tsig verify failure > > Failed nsupdate: 2 > update(nsupdate): A ForestDnsZones.lfa.ls 10.20.30.1 > Calling nsupdate for A ForestDnsZones.lfa.ls 10.20.30.1 (add) > Successfully obtained Kerberos ticket to DNS/plfa1.lfa.ls as PLFA1$ > Failed nsupdate: 2 > update(nsupdate): SRV _ldap._tcp.ForestDnsZones.lfa.ls plfa1.lfa.ls 389 > Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.lfa.ls plfa1.lfa.ls > 389 (add) > Successfully obtained Kerberos ticket to DNS/plfa1.lfa.ls as PLFA1$ > Failed nsupdate: 2 > update(nsupdate): SRV > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.lfa.ls > plfa1.lfa.ls 389 > Calling nsupdate for SRV > _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.lfa.ls > plfa1.lfa.ls 389 (add) > Successfully obtained Kerberos ticket to DNS/plfa1.lfa.ls as PLFA1$ > Failed nsupdate: 2 > Failed update of 29 entries > ########################################################## > > The wiki (https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End) > says that the internal dns of samba does not support shared-key > transaction signature (TSIG) > > To be honest, I don't know if TSIG is related to my problem. > > > Would be really happy about an answer .... and .... > > many thanks, > > blubberbaer >Have you tried reading our documentation ? https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9 You will also need to read this: https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End Rowland
On 17/02/2020 08:42, kaffeesurrogat wrote:> Dear Rowland, > > Yes, I did. I'm reading a lot. Docs, books, ... Updates of the > dns-server via DHCP is up and running, both for the reverse lookup zone > and the forward lookup mechanism. I've set the lease time to a very low > value to make shure the dhcp-script has something to do and I can see > entries changing. > I've tested the entries with nslookup HOSTNAME and nslookup IP. This is > working for IPse managed by dhcp. If i give a static ip to my client, > nslookup HOSTNAMESTATIC is working. nslookup IPSTATIC does not. > > That is the thing which is a bit confusing. I'm not using BIND9, i'm > using the internal dns of samba. > > Have fun, > > blubberbaerSorry, concentrated on the dhcp and missed 'static' :-( Yes, this is how it is supposed to be, you are supposed to create the static dns records in AD yourself. Also, if you are using dhcp to update records, you need to stop your Windows trying to update their own records. Rowland
On 17/02/2020 10:24, Rowland penny via samba wrote:> On 17/02/2020 08:42, kaffeesurrogat wrote: >> Dear Rowland, >> >> Yes, I did. I'm reading a lot. Docs, books, ... Updates of the >> dns-server via DHCP is up and running, both for the reverse lookup zone >> and the forward lookup mechanism. I've set the lease time to a very low >> value to make shure the dhcp-script has something to do and I can see >> entries changing. >> I've tested the entries with nslookup HOSTNAME and nslookup IP. This is >> working for IPse managed by dhcp. If i give a static ip to my client, >> nslookup HOSTNAMESTATIC is working. nslookup IPSTATIC does not. >> >> That is the thing which is a bit confusing. I'm not using BIND9, i'm >> using the internal dns of samba. >> >> Have fun, >> >> blubberbaer > > Sorry, concentrated on the dhcp and missed 'static' :-( > > Yes, this is how it is supposed to be, you are supposed to create the > static dns records in AD yourself. Also, if you are using dhcp to update > records, you need to stop your Windows trying to update their own records. > > Rowland > >Many thanks Rowland, you know I'm quite a newbie to samba and i'm working hard on getting it up and running .... ;-) Can I savely ignore that samba_dnsupdate --verbose --all-names fails with ; TSIG error with server: tsig verify failure Failed nsupdate: 2 update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.lfa.ls plfa1.lfa.ls 389 Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.lfa.ls plfa1.lfa.ls 389 (add) Successfully obtained Kerberos ticket to DNS/plfa1.lfa.ls as PLFA1$ Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.lfa.ls. 900 IN SRV 0 100 389 plfa1.lfa.ls. ; TSIG error with server: tsig verify failure Failed nsupdate: 2 Failed update of 29 entries ???? It looks strange for me, since I'm using INTERNAL SAMBA DNS. Why are there errors about TSIG ? TSIG is not supported, thus I believed samba_dnsupdate would not use it in the first place . Using samba_upgradedns -s /smbaddc/etc/smb.conf --verbose --dns-backend=SAMBA_INTERNAL to fix the error doesn't help. It answers with: lpcfg_load: refreshing parameters from /smbaddc/etc/smb.conf Reading domain information lpcfg_load: refreshing parameters from /smbaddc/etc/smb.conf DNS accounts already exist No zone file /smbaddc/bind-dns/dns/LFA.LS.zone DNS records will be automatically created DNS partitions already exist Could not remove /smbaddc/bind-dns/dns.keytab: No such file or directory Could not remove /smbaddc/bind-dns/named.conf: No such file or directory Could not remove /smbaddc/bind-dns/named.txt: No such file or directory Could not delete dir /smbaddc/bind-dns/dns: No such file or directory Finished upgrading DNS Because it still looking for bind-dns, I believe the command silently ignores --dns-backend=SAMBA_INTERNAL. I guess, this is not the way it supposed to be ..... Awfully sorry for all this questions. Have fun, blubberbaer
Possibly Parallel Threads
- Internal DNS, update of reverse zone fails
- Internal DNS, update of reverse zone fails
- Default Group Policies and Default Domain Controller Policy are empty
- Default Group Policies and Default Domain Controller Policy are empty
- AD DC and file server on a virtual machine