On Mon, 2023-11-06 at 10:02 -0800, Aaron C. de Bruyn via samba wrote:
> DNS is suddenly not working properly for some machines.
>
> We had a bunch of machines that were joined to the domain, but the
> computer name was wrong.
>
> To fix this, we unjoined the machines and deleted the computer
> accounts out of Samba (because renames while joined will leave LDAP
> attributes with the previous machine name and there will be
> connectivity problems for some reason), and we deleted them out of
> DNS (dnsmgmt.msc) so there were no mismatched SIDs.
>
> Then we renamed and restarted the machines (All Windows 11 Pro), then
> we joined them back to the domain.

The unsigned packet is a red herring, all first DNS updates are
unsigned, then a signed one comes after the DC disallows it.

The issue is that you deleted accounts, but did not clean out DNS, so
the old name is still owned by the old account (now gone), so the update
fails due to simple permissions (DNS is secured on a first-to-claim basis).

Clean out your DNS records and it should work.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
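The sequence described in the reply above, as a simplified model added for illustration. It is not Samba's code and not from either poster; the Zone class, the SIDs, the host name and the addresses are constructed, and real ownership is enforced through directory ACLs rather than a dictionary.

```python
from dataclasses import dataclass, field

REFUSED, NOERROR = "REFUSED", "NOERROR"


@dataclass
class Zone:
    """Simplified secure-only zone: a name belongs to the SID that first claimed it."""
    owners: dict = field(default_factory=dict)   # fqdn -> owner SID
    records: dict = field(default_factory=dict)  # fqdn -> address

    def update(self, name, addr, signer_sid=None):
        name = name.lower()
        if signer_sid is None:
            # The log line from the subject: expected on every first attempt.
            return REFUSED, "unsigned packet"
        owner = self.owners.get(name)
        if owner is None:
            self.owners[name] = signer_sid       # first to claim becomes owner
        elif owner != signer_sid:
            return REFUSED, f"name owned by {owner}"
        self.records[name] = addr
        return NOERROR, "name claimed" if owner is None else "record updated"

    def delete(self, name):
        """Administrator cleanup: drop the record together with its ownership."""
        name = name.lower()
        self.records.pop(name, None)
        return self.owners.pop(name, None) is not None


def client_register(zone, name, addr, machine_sid):
    """Client behaviour: unsigned update first, signed retry after the refusal."""
    attempts = [zone.update(name, addr)]
    if attempts[0][0] == REFUSED:
        attempts.append(zone.update(name, addr, signer_sid=machine_sid))
    return attempts


def demo():
    zone = Zone()
    old_sid, new_sid = "S-1-5-21-EXAMPLE-1105", "S-1-5-21-EXAMPLE-1291"  # constructed
    host, addr = "pc01.example.test", "192.0.2.10"                       # constructed
    first = client_register(zone, host, addr, old_sid)   # original join
    stale = client_register(zone, host, addr, new_sid)   # rejoined, record left behind
    zone.delete(host)                                     # records cleaned out
    clean = client_register(zone, host, addr, new_sid)
    return first, stale, clean


if __name__ == "__main__":
    for label, attempts in zip(("first join", "stale record", "after cleanup"), demo()):
        print(label, attempts)
```

In all three runs the unsigned attempt is refused; only the outcome of the signed retry distinguishes a healthy registration from one blocked by a leftover record.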
Aaron C. de Bruyn
2023-Nov-06 19:35 UTC
[Samba] DNS: Update not allowed for unsigned packet
Thanks Andrew, but we checked for that. Firing up dnsmgmt.msc shows no
entries with those computer names.

-A

On Mon, Nov 6, 2023 at 11:34 AM Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2023-11-06 at 10:02 -0800, Aaron C. de Bruyn via samba wrote:
> > DNS is suddenly not working properly for some machines.
> >
> > We had a bunch of machines that were joined to the domain, but the
> > computer name was wrong.
> >
> > To fix this, we unjoined the machines and deleted the computer
> > accounts out of Samba (because renames while joined will leave LDAP
> > attributes with the previous machine name and there will be
> > connectivity problems for some reason), and we deleted them out of
> > DNS (dnsmgmt.msc) so there were no mismatched SIDs.
> >
> > Then we renamed and restarted the machines (All Windows 11 Pro), then
> > we joined them back to the domain.
>
> The unsigned packet is a red herring, all first DNS updates are
> unsigned, then a signed one comes after the DC disallows it.
>
> The issue is that you deleted accounts, but did not clean out DNS, so
> the old name is still owned by the old account (now gone), so the update
> fails due to simple permissions (DNS is secured on a first-to-claim basis).
>
> Clean out your DNS records and it should work.
>
> Andrew Bartlett