Failed nsupdate: 1
update(nsupdate): A gc._msdcs.domenfo.local 192.168.10.10
Calling nsupdate for A gc._msdcs.domenfo.local 192.168.10.10 (add)
Successfully obtained Kerberos ticket to DNS/dc1.domenfo.local as DC1$
Usage: samba_dnsupdate [options]
Failed nsupdate: 1
update(nsupdate): A DomainDnsZones.domenfo.local 192.168.10.10
Calling nsupdate for A DomainDnsZones.domenfo.local 192.168.10.10 (add)
Successfully obtained Kerberos ticket to DNS/dc1.domenfo.local as DC1$
Usage: samba_dnsupdate [options]
Failed nsupdate: 1
update(nsupdate): A ForestDnsZones.domenfo.local 192.168.10.10
Calling nsupdate for A ForestDnsZones.domenfo.local 192.168.10.10 (add)
Successfully obtained Kerberos ticket to DNS/dc1.domenfo.local as DC1$
Usage: samba_dnsupdate [options]
Failed nsupdate: 1
Failed update of 34 entries
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A ${HOSTNAME} $IP
AAAA ${HOSTNAME} $IP
${IF_DC}CNAME ${NTDSGUID}._msdcs.${DNSFOREST} ${HOSTNAME}
${IF_RWDNS_DOMAIN}NS ${DNSDOMAIN} ${HOSTNAME}
${IF_RWDNS_FOREST}NS ${DNSFOREST} ${HOSTNAME}
${IF_RWDNS_FOREST}NS _msdcs.${DNSFOREST} ${HOSTNAME}
# Stub entries in the parent zone
${IF_RWDNS_DOMAIN}RPC ${DNSFOREST} NS ${DNSDOMAIN} ${HOSTNAME}
${IF_RWDNS_FOREST}RPC ${DNSFOREST} NS _msdcs.${DNSFOREST} ${HOSTNAME}
# RW domain controller
${IF_RWDC}A ${DNSDOMAIN} $IP
${IF_RWDC}AAAA ${DNSDOMAIN} $IP
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_RWDC}SRV _kerberos._tcp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._udp.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kerberos._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
${IF_RWDC}SRV _kpasswd._tcp.${DNSDOMAIN} ${HOSTNAME} 464
${IF_RWDC}SRV _kpasswd._udp.${DNSDOMAIN} ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 88
${IF_DC}SRV _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 88
# The PDC emulator
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
# RW GC servers
${IF_RWGC}A gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}AAAA gc._msdcs.${DNSFOREST} $IP
${IF_RWGC}SRV _gc._tcp.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV _gc._tcp.${SITE}._sites.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
# RW DNS servers
${IF_RWDNS_DOMAIN}A DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN} $IP
${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
# RW DNS servers
${IF_RWDNS_FOREST}A ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST} $IP
${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
root@DC1:~ # service named start
/var/db/samba4/bind-dns/named.conf:11: unknown option 'dlz'
/usr/local/etc/rc.d/named: ERROR: named-checkconf for /usr/local/etc/namedb/named.conf failed
root@DC1:~ #
I did everything from the beginning
I use the article you have indicated
I don't have access to these files, how would I know?
I see a new problem ...
Code:
root@DC1:~ # service named start
/var/db/samba4/bind-dns/named.conf:11: unknown option 'dlz'
/usr/local/etc/rc.d/named: ERROR: named-checkconf for /usr/local/etc/namedb/named.conf failed
root@DC1:~ #
Why could this be?
nsupdate in bind-tools is not linked to any GSSAPI library, so it cannot be used with samba (I cannot see it working with bind either). The GSSAPI that samba-nsupdate is linked to is the one in the BASE system. If another package replaces the BASE system OpenSSL then the packaged samba-nsupdate will not find the GSSAPI library. If samba-nsupdate cannot find the GSSAPI library then errors similar to:
/usr/local/bin/samba-nsupdate: cannot specify -g or -o, program not linked with GSSAPI Library
The /usr/local/etc/smb4.conf file created when samba-tool is used to provision a DC on FreeBSD must be configured to find /usr/local/bin/samba-nsupdate as the default location that samba-dnsupdate looks for is /usr/bin/nsupdate:
dns update command = /usr/local/bin/samba-nsupdate
nsupdate command = /usr/local/bin/samba-nsupdate -g
The -g option to samba-nsupdate is required to invoke GSSAPI.
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for SMB4-1$@BROCKLEY.HARTE-LYNE.CA will expire in 35998 secs
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as SMB4-1$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca. 900 IN SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
Failed nsupdate: 2
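
Added example (not part of the thread, and not Samba's own code): a POSIX sh check for the points made in the post above, namely that `nsupdate command` in smb4.conf names an existing binary, carries `-g`, and that the binary links a GSSAPI library. The fallback value `/usr/bin/nsupdate -g` and the `ldd` match on "gssapi" are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: verify the smb4.conf nsupdate settings discussed in the post above.

# Print the "nsupdate command" value from an smb.conf-style file.
# Parameter names ignore case and embedded spaces; comment lines are skipped.
# Assumption: when the key is absent, Samba falls back to "/usr/bin/nsupdate -g".
nsupdate_command() {
    awk -F= '
        /^[[:space:]]*[#;]/ { next }
        /=/ {
            key = tolower($1); gsub(/[[:space:]]/, "", key)
            if (key == "nsupdatecommand") {
                val = substr($0, index($0, "=") + 1)
                sub(/^[[:space:]]+/, "", val); sub(/[[:space:]]+$/, "", val)
                found = val
            }
        }
        END { print (found != "" ? found : "/usr/bin/nsupdate -g") }
    ' "$1"
}

# Classify a command string. Prints one verdict and returns non-zero on a problem:
#   missing-g  no -g flag, so GSSAPI is never requested
#   no-binary  first word is not an executable path
#   no-gssapi  ldd lists no library whose name contains "gssapi"
#              (heuristic; a statically linked binary would also land here)
check_nsupdate() {
    cmd=$1
    bin=${cmd%% *}
    case " $cmd " in
        *" -g "*) ;;
        *) echo "missing-g"; return 1 ;;
    esac
    [ -x "$bin" ] || { echo "no-binary"; return 1; }
    if ldd "$bin" 2>/dev/null | grep -qi gssapi; then
        echo "ok"
    else
        echo "no-gssapi"; return 1
    fi
}

# Usage: sh check.sh /usr/local/etc/smb4.conf
if [ "$#" -gt 0 ]; then
    cmd=$(nsupdate_command "$1")
    echo "nsupdate command: $cmd"
    check_nsupdate "$cmd"
fi
```

A verdict of `ok` only confirms the binary and flag; it says nothing about the NOTAUTH(BADSIG) result in the log above, which comes from the server side of the exchange.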