LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices


Reply
  Search this Thread
Old 08-03-2014, 11:09 AM   #1
chillkroetle
LQ Newbie
 
Registered: Aug 2014
Posts: 3

Rep: Reputation: Disabled
samba 4.1.9 with bind 9.9.4 and ddns update denied messages


Hi everybody,

i've successfully installed an samba4 AD with Version 4.1.9 and bind 9.9.4. On the client side i've a windows7 sp1 machine. The only trouble i have is an ddns update denied message in /var/log/messages. But after the denied message the forward and reverse lookup zone will be aktualized successfully.
Could it be that windows 7 first try to do an unsecure ddns update and if this is not possible it would try a secure update? A Win 8.1 client seems to update only on the system start...

above my current configuration from my test-configuration:

/etc/named.conf

Code:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
	tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
	listen-on port 53 { 127.0.0.1;192.168.178.130; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query     { localhost; 192.168.178.0/24; };
	forwarders	{ 192.168.178.254; };

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/usr/local/samba/private/named.conf";
/usr/local/samba/private/named.conf

Code:
# This file should be included in your main BIND configuration file
#
# For example with
# include "/usr/local/samba/private/named.conf";

zone "winnet.local." IN {
	type master;
	file "/usr/local/samba/private/dns/winnet.local.zone";
	/*
	 * the list of principals and what they can change is created
	 * dynamically by Samba, based on the membership of the domain controllers
	 * group. The provision just creates this file as an empty file.
	 */
	include "/usr/local/samba/private/named.conf.update";

	/* we need to use check-names ignore so _msdcs A records can be created */
	check-names ignore;
};

# The reverse zone configuration is optional.  The following example assumes a
# subnet of 192.168.123.0/24:


zone "178.168.192.in-addr.arpa" in {
	type master;
	file "/usr/local/samba/private/dns/192.168.178.rev";
	update-policy {
		grant *.LOCAL wildcard *.178.168.192.in-addr.arpa. PTR;
	};
};


# Note that the reverse zone file is not created during the provision process.

# The most recent BIND versions (9.8 or later) support secure GSS-TSIG
# updates.  If you are running an earlier version of BIND, or if you do not wish
# to use secure GSS-TSIG updates, you may remove the update-policy sections in
# both examples above.
/usr/local/samba/private/named.conf.update

Code:
/* this file is auto-generated - do not edit */
update-policy {
	grant WINNET.LOCAL ms-self * A AAAA;
	grant Administrator@WINNET.LOCAL wildcard * A AAAA SRV CNAME;
	grant SERVER1$@winnet.local wildcard * A AAAA SRV CNAME;
};
winnet.local.zone

Code:
$ORIGIN .
$TTL 604800	; 1 week
winnet.local		IN SOA	Server1.winnet.local. hostmaster.winnet.local. (
				2014080222 ; serial
				172800     ; refresh (2 days)
				14400      ; retry (4 hours)
				3628800    ; expire (6 weeks)
				604800     ; minimum (1 week)
				)
			NS	Server1.winnet.local.
			A	192.168.178.130
$ORIGIN winnet.local.
_kerberos		TXT	"WINNET.LOCAL"
$ORIGIN _msdcs.winnet.local.
d0ceae4f-5e5a-4970-a16e-0fec149712ea CNAME Server1.winnet.local.
$ORIGIN _tcp.Default-First-Site-Name._sites.dc._msdcs.winnet.local.
_kerberos		SRV	0 100 88 Server1.winnet.local.
_ldap			SRV	0 100 389 Server1.winnet.local.
$ORIGIN _tcp.dc._msdcs.winnet.local.
_kerberos		SRV	0 100 88 Server1.winnet.local.
_ldap			SRV	0 100 389 Server1.winnet.local.
$ORIGIN _msdcs.winnet.local.
_ldap._tcp.e8d61e3f-b9d2-4516-9cde-c96ca1059b11.domains	SRV 0 100 389 Server1.winnet.local.
gc			A	192.168.178.130
$ORIGIN gc._msdcs.winnet.local.
_ldap._tcp.Default-First-Site-Name._sites SRV 0 100 3268 Server1.winnet.local.
_ldap._tcp		SRV	0 100 3268 Server1.winnet.local.
$ORIGIN _msdcs.winnet.local.
_ldap._tcp.pdc		SRV	0 100 389 Server1.winnet.local.
$ORIGIN _tcp.Default-First-Site-Name._sites.winnet.local.
_gc			SRV	0 100 3268 Server1.winnet.local.
_kerberos		SRV	0 100 88 Server1.winnet.local.
_ldap			SRV	0 100 389 Server1.winnet.local.
$ORIGIN _tcp.winnet.local.
_gc			SRV	0 100 3268 Server1.winnet.local.
_kerberos		SRV	0 100 88 Server1.winnet.local.
_kerberos-master	SRV	0 100 88 Server1.winnet.local.
_kpasswd		SRV	0 100 464 Server1.winnet.local.
_ldap			SRV	0 100 389 Server1.winnet.local.
$ORIGIN _udp.winnet.local.
_kerberos		SRV	0 100 88 Server1.winnet.local.
_kerberos-master	SRV	0 100 88 Server1.winnet.local.
_kpasswd		SRV	0 100 464 Server1.winnet.local.
$ORIGIN winnet.local.
$TTL 1200	; 20 minutes
client1			A	192.168.178.200
client2			A	192.168.178.203
$TTL 604800	; 1 week
Server1			A	192.168.178.130
192.168.178.rev

Code:
$ORIGIN .
$TTL 38400	; 10 hours 40 minutes
178.168.192.in-addr.arpa IN SOA	Server1.winnet.local. hostmaster.178.168.192.in-addr.arpa. (
				1406996332 ; serial
				10800      ; refresh (3 hours)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				38400      ; minimum (10 hours 40 minutes)
				)
			NS	Server1.winnet.local.
$ORIGIN 178.168.192.in-addr.arpa.
130			PTR	Server1.winnet.local.
$TTL 1200	; 20 minutes
200			PTR	client1.winnet.local.
201			PTR	client2.winnet.local.
202			PTR	client2.winnet.local.
203			PTR	client2.winnet.local.
 
Old 08-04-2014, 05:49 PM   #2
chillkroetle
LQ Newbie
 
Registered: Aug 2014
Posts: 3

Original Poster
Rep: Reputation: Disabled
Hi everybody,

I've found a bug report from samba4 where they analysed the ddns problem. Sorry for the german link, but i only found this one http://forge.univention.org/bugzilla...g.cgi?id=23161

On this site a person gets exact the same message. First a client denied and then a correct ddns update. So could it be that i've no problem?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
DHCP/BIND and ddns to update two subnets gudlyf Linux - Software 3 05-25-2012 03:33 PM
Bind - view external update denied noir911 Linux - Server 1 09-04-2008 01:28 AM
bind and DHCP - DDNS kudos Linux - Networking 7 06-15-2008 05:12 AM
DDNS with BIND pcmilhouse Linux - Networking 5 09-20-2007 12:03 AM
Bind/DDNS problem locutus233 Linux - Networking 12 04-26-2004 11:06 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 01:39 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration