Thank you for your patience.
On Tue, June 30, 2020 16:48, Rowland penny wrote:
> From 'man smb.conf':
>
> nsupdate command (G)
>
> This option sets the path to the nsupdate command which is used for
> GSS-TSIG dynamic DNS updates.
>
> Default: nsupdate command = /usr/bin/nsupdate -g
>
> dns update command (G)
>
> This option sets the command that is called when there are DNS
> updates. It should update the local machines DNS names using TSIG-GSS.
>
> Default: dns update command = ${prefix}/sbin/samba_dnsupdate
>
> Example: dns update command = /usr/local/sbin/dnsupdate
>
> You probably need both.
>
> Rowland

If I use the -g option to nsupdate then I see this:

update(nsupdate): A ForestDnsZones.brockley.harte-lyne.ca 192.168.18.161
Calling nsupdate for A ForestDnsZones.brockley.harte-lyne.ca 192.168.18.161
(add)
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as
SMB4-1$
/usr/local/bin/nsupdate: cannot specify -g or -o, program not linked with GSS
API Library
Failed nsupdate: 1

When I remove the -g option then I get this:

[root at smb4-1 ~ (master)]# grep nsupdate /usr/local/etc/smb4.conf
dns update command = /usr/local/bin/nsupdate
nsupdate command = /usr/local/bin/nsupdate

And the error changes to this:

update failed: REFUSED
Failed nsupdate: 2
update(nsupdate): SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca
SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca
SMB4-1.brockley.harte-lyne.ca 389 (add)
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as
SMB4-1$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca.
900 IN SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.
update failed: REFUSED
Failed nsupdate: 2
Failed update of 29 entries

I have checked that resolv.conf is properly set for this host:

[root at smb4-1 ~ (master)]# cat /etc/resolv.conf
search brockley.harte-lyne.ca hamilton.harte-lyne.ca harte-lyne.ca
nameserver 192.168.18.161
nameserver 216.185.71.33
nameserver 216.185.71.34
options edns0 timeout:5 attempts:3

and that /etc/hosts is likewise set up to use the jail's assigned lo0
address:

[root at smb4-1 ~ (master)]# grep 'local\|smb4' /etc/hosts
127.0.161.1 localhost localhost.brockley.harte-lyne.ca
192.168.18.161 smb4-1.brockley.harte-lyne.ca smb4-1
192.168.18.162 smb4-2.brockley.harte-lyne.ca smb4-2

We are getting closer to the answer, I think.

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
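
Added example, not part of the original message or of Samba: a shell triage of the two samba_dnsupdate failures shown above, telling an nsupdate built without GSS-API apart from a server refusing the update. The function names and verdict strings are assumptions made for this illustration; the sample log lines are copied from the message.

```shell
#!/bin/sh
# Added example (hypothetical helper names): triage samba_dnsupdate output.

# Count the markers seen in a log read from stdin.
summarize_dnsupdate_log() {
    awk '
        /Successfully obtained Kerberos ticket/ { ticket++ }
        # Partial match so the check survives the mail-wrapped line.
        /program not linked with GSS/           { no_gss++ }
        /^update failed: REFUSED/               { refused++ }
        /^Failed update of [0-9]+ entries/      { entries = $4 }
        END { printf "ticket=%d no_gss=%d refused=%d failed_entries=%d\n",
                     ticket, no_gss, refused, entries }'
}

# Reduce the counts to a single verdict.
#   NSUPDATE_LACKS_GSSAPI : binary cannot do GSS-TSIG, so -g fails before any update is sent
#   SERVER_REFUSED_UPDATE : update reached the server and was rejected; nsupdate run
#                           without -g sends it unsigned
diagnose_dnsupdate_log() {
    summary=$(summarize_dnsupdate_log)
    case "$summary" in
        *" no_gss=0 refused=0 "*) echo "NO_KNOWN_FAILURE" ;;
        *" no_gss=0 "*)           echo "SERVER_REFUSED_UPDATE" ;;
        *)                        echo "NSUPDATE_LACKS_GSSAPI" ;;
    esac
}

# Log excerpts copied from the message above (wrapped lines kept as posted).
sample_with_g() {
    cat <<'EOF'
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as
SMB4-1$
/usr/local/bin/nsupdate: cannot specify -g or -o, program not linked with GSS
API Library
Failed nsupdate: 1
EOF
}
sample_without_g() {
    cat <<'EOF'
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as
SMB4-1$
update failed: REFUSED
Failed nsupdate: 2
Failed update of 29 entries
EOF
}

echo "with -g:    $(sample_with_g | diagnose_dnsupdate_log)"
echo "without -g: $(sample_without_g | diagnose_dnsupdate_log)"
```

In both runs the Kerberos ticket is obtained, so the verdict separates a client-side build problem from a server-side rejection rather than a credential failure.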