I have a dc configured to use the samba internal dns service. The version of
samba I am using is 4.10.15 packaged for FreeBSD. Its build options state
this:

BIND911 : off
BIND916 : off
. . .
GSSAPI_BUILTIN : on
GSSAPI_MIT : off
LDAP : on
. . .
NSUPDATE : off

My smb4.conf file contains this:

[global]
bind interfaces only = Yes
dns forwarder = 192.168.18.161 216.185.71.33
interfaces = lo0 localhost smb4-1
netbios name = SMB4-1
realm = BROCKLEY.HARTE-LYNE.CA
server role = active directory domain controller
workgroup = BROCKLEY
idmap_ldb:use rfc2307 = yes
vfs objects = dfs_samba4 zfsacl
server services = -nbt
rndc command = /usr/bin/true
log level = 1
log file = /var/log/samba4/smbd.log
max log size = 10000
debug timestamp = yes

# Disable printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

When I run samba_dnsupdate I see this:

samba_dnsupdate --verbose -d4 --all-names
. . .
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca
SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca
SMB4-1.brockley.harte-lyne.ca 389 (add)
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as
SMB4-1$
Failed nsupdate: SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca
SMB4-1.brockley.harte-lyne.ca 389 : [Errno 2] No such file or directory:
'/usr/bin/nsupdate': '/usr/bin/nsupdate'
Failed update of 29 entries

Why is nsupdate required to update the internal dns service of samba?

If I install bind-tools (which provides the nsupdate program) and add 'dns
update command = /usr/local/sbin/nsupdate' to smb4.conf then when I run
samba_dnsupdate I get this:

samba_dnsupdate --verbose -d4 --all-names
. . .
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca
SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca
SMB4-1.brockley.harte-lyne.ca 389 (add)
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as
SMB4-1$
Failed nsupdate: SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca
SMB4-1.brockley.harte-lyne.ca 389 : [Errno 2] No such file or directory:
'/usr/bin/nsupdate': '/usr/bin/nsupdate'
Failed update of 29 entries

What am I doing wrong?

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
On 30/06/2020 16:46, James B. Byrne via samba wrote:
> I have a dc configured to use the samba internal dns service. The version of
> samba I am using is 4.10.15 packaged for FreeBSD.
> [...]
> Failed update of 29 entries
>
> Why is nsupdate required to update the internal dns service of samba?

I wasn't privy to that decision, but it just is ;-)

> If I install bind-tools (which provides the nsupdate program) and add 'dns
> update command = /usr/local/sbin/nsupdate' to smb4.conf then when I run
> samba_dnsupdate I get this:
>
> samba_dnsupdate --verbose -d4 --all-names
> . . .

Could be because you added the wrong line to your smb4.conf (why does
freebsd call it smb4.conf ?), try:

nsupdate command = /usr/local/sbin/nsupdate -g

Rowland
> Could be because you added the wrong line to your smb4.conf (why does
> freebsd call it smb4.conf ?),

Why does freebsd put these things in /usr/local/etc/? Some questions have
answers that are not worth the effort to know.

> try:
> nsupdate command = /usr/local/sbin/nsupdate -g

I did catch that error earlier. But it makes no difference. samba_dnsupdate
does not give any evidence of using any value set by 'dns update command = '.
It always reports that it cannot find '/usr/bin/nsupdate'.

[root at smb4-1 ~ (master)]# which nsupdate
/usr/local/bin/nsupdate

[root at smb4-1 ~ (master)]# grep nsupdate /usr/local/etc/smb4.conf
dns update command = /usr/local/bin/nsupdate -g

samba_dnsupdate --verbose -d4 --all-names
. . .
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca
SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca
SMB4-1.brockley.harte-lyne.ca 389 (add)
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as
SMB4-1$
Failed nsupdate: SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca
SMB4-1.brockley.harte-lyne.ca 389 : [Errno 2] No such file or directory:
'/usr/bin/nsupdate': '/usr/bin/nsupdate'
Failed update of 29 entries

I experienced this on samba 4.4.3 and the work-around was to create a logical
link /usr/bin/nsupdate pointing at /usr/local/bin/nsupdate. However, nsupdate
on FreeBSD does not handle the option -g very well.

[root at smb4-1 ~ (master)]# samba_dnsupdate --verbose -d4 --all-names
. . .
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca
SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca
SMB4-1.brockley.harte-lyne.ca 389 (add)
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as
SMB4-1$
/usr/bin/nsupdate: cannot specify -g or -o, program not linked with GSS API Library
Failed nsupdate: 1
Failed update of 29 entries

Without the -g option in smb4.conf samba_dnsupdate gives the same result. I
presume that is because -g and -o are both part of the default call to nsupdate
that it uses. There does not appear to be any way to unset this.

[root at smb4-1 ~ (master)]# grep nsupdate /usr/local/etc/smb4.conf
dns update command = /usr/local/bin/nsupdate

. . .
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca
SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca
SMB4-1.brockley.harte-lyne.ca 389 (add)
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as
SMB4-1$
/usr/bin/nsupdate: cannot specify -g or -o, program not linked with GSS API Library
Failed nsupdate: 1
Failed update of 29 entries

Where do I go from here?
On 30/06/2020 21:15, James B. Byrne via samba wrote:
>> Could be because you added the wrong line to your smb4.conf (why does
>> freebsd call it smb4.conf ?),
> Why does freebsd put these things in /usr/local/etc/? Some questions have
> answers that are not worth the effort to know.
>
>> try:
>> nsupdate command = /usr/local/sbin/nsupdate -g
> I did catch that error earlier. But it makes no difference. samba_dnsupdate
> does not give any evidence of using any value set by 'dns update command = '.
> It always reports that it cannot find '/usr/bin/nsupdate'.
>
> [root at smb4-1 ~ (master)]# which nsupdate
> /usr/local/bin/nsupdate
>
> [root at smb4-1 ~ (master)]# grep nsupdate /usr/local/etc/smb4.conf
> dns update command = /usr/local/bin/nsupdate -g

From 'man smb.conf':

nsupdate command (G)
    This option sets the path to the nsupdate command which is used for
    GSS-TSIG dynamic DNS updates.
    Default: nsupdate command = /usr/bin/nsupdate -g

dns update command (G)
    This option sets the command that is called when there are DNS updates.
    It should update the local machines DNS names using TSIG-GSS.
    Default: dns update command = ${prefix}/sbin/samba_dnsupdate
    Example: dns update command = /usr/local/sbin/dnsupdate

You probably need both.

Rowland
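A check for the option mix-up this thread settles on, added here as an example and not part of the thread or of Samba's own tooling: it reads the [global] section of an smb.conf, works out the effective nsupdate path against the man-page defaults quoted above, flags a 'dns update command' that names nsupdate instead of samba_dnsupdate, and recognises the "not linked with GSS API Library" error in nsupdate's output. SAMPLE_CONF and the path_exists hook are constructed so it runs offline.

```python
import os
import re
import shlex
# Defaults as quoted from 'man smb.conf' in the thread
DEFAULT_NSUPDATE_COMMAND = "/usr/bin/nsupdate -g"
DEFAULT_DNS_UPDATE_COMMAND = "${prefix}/sbin/samba_dnsupdate"

# Constructed sample reproducing the mix-up from the thread: the nsupdate
# path was placed in 'dns update command' instead of 'nsupdate command'.
SAMPLE_CONF = """[global]
    dns update command = /usr/local/bin/nsupdate -g
"""

def parse_global(conf_text):
    """Return the key/value pairs of [global]; keys are lower-cased with
    whitespace collapsed, since smb.conf parameter names are case-insensitive."""
    section, values = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, val = line.partition("=")
            values[" ".join(key.lower().split())] = val.strip()
    return values

def check_dns_update_config(conf_text, path_exists=os.path.exists):
    """Return findings about the nsupdate / dns update settings. path_exists is
    injectable so a conf copied from another host can be checked offline."""
    g = parse_global(conf_text)
    findings = []
    nsupdate_bin = shlex.split(g.get("nsupdate command", DEFAULT_NSUPDATE_COMMAND))[0]
    dns_update_bin = shlex.split(g.get("dns update command", DEFAULT_DNS_UPDATE_COMMAND))[0]
    if os.path.basename(dns_update_bin) == "nsupdate":
        findings.append("'dns update command' names nsupdate; it should name "
                        "samba_dnsupdate. Put the nsupdate path in 'nsupdate command'.")
    if not path_exists(nsupdate_bin):
        origin = "configured" if "nsupdate command" in g else "default"
        findings.append(f"{origin} nsupdate binary {nsupdate_bin} does not exist")
    return findings

def nsupdate_lacks_gssapi(stderr_text):
    """True when nsupdate's stderr carries the error from the thread: a build
    without GSS-API cannot do the GSS-TSIG updates that samba_dnsupdate needs."""
    return "program not linked with GSS API Library" in stderr_text
```

Running check_dns_update_config on the real /usr/local/etc/smb4.conf with the default path_exists reports whether the DC would fail before nsupdate is even executed; a binary that exists but is built without GSS-API still has to be caught from its stderr with nsupdate_lacks_gssapi.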