Samba411 auto-update DNS zone

Reken

Tell me, please:
I have FreeBSD 11.3, Samba411, bind911.
I started the domain, and it works. How do I set up auto-update of the DNS zone?

So:
1) Add a line to /usr/local/etc/namedb/named.conf
Code:
tkey-gssapi-keytab "/var/db/samba4/bind-dns/dns.keytab";


2) Do I need the samba-nsupdate program? Or not?
 

mark_j

If you're using bind911 why would you need samba's own internal dns?
 

Zirias

mark_j, it is needed because samba provides a dynamically loaded zone plugin for bind.

As for the question, I never got it working properly either.
 
Reken

I do not understand ...
Should I install samba-nsupdate?

Or is bind911 enough for dynamic updates?
My zone does not update automatically ...
I am using bind911 + the line:
Code:
tkey-gssapi-keytab "/var/db/samba4/bind-dns/dns.keytab";
 
Reken

/usr/local/sbin/samba_dnsupdate --verbose --all-names
Code:
Failed nsupdate: 1
update(nsupdate): A gc._msdcs.domenfo.local 192.168.10.10
Calling nsupdate for A gc._msdcs.domenfo.local 192.168.10.10 (add)
Successfully obtained Kerberos ticket to DNS/dc1.domenfo.local as DC1$
Usage: samba_dnsupdate [options]

Failed nsupdate: 1
update(nsupdate): A DomainDnsZones.domenfo.local 192.168.10.10
Calling nsupdate for A DomainDnsZones.domenfo.local 192.168.10.10 (add)
Successfully obtained Kerberos ticket to DNS/dc1.domenfo.local as DC1$
Usage: samba_dnsupdate [options]

Failed nsupdate: 1
update(nsupdate): A ForestDnsZones.domenfo.local 192.168.10.10
Calling nsupdate for A ForestDnsZones.domenfo.local 192.168.10.10 (add)
Successfully obtained Kerberos ticket to DNS/dc1.domenfo.local as DC1$
Usage: samba_dnsupdate [options]

Failed nsupdate: 1
Failed update of 34 entries


My configuration:

added to smb4.conf
nsupdate command = /usr/local/sbin/samba_dnsupdate

added to named.conf
tkey-gssapi-keytab "/var/db/samba4/bind-dns/dns.keytab";
include "/var/db/samba4/bind-dns/named.conf";

What could be the problem?
 

mark_j

Can you post what's in /var/db/samba4/private/dns_update_list ?
 
Reken

Code:
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A                      ${HOSTNAME}                                           $IP
AAAA                   ${HOSTNAME}                                           $IP
${IF_DC}CNAME          ${NTDSGUID}._msdcs.${DNSFOREST}                       ${HOSTNAME}
${IF_RWDNS_DOMAIN}NS   ${DNSDOMAIN}                                          ${HOSTNAME}
${IF_RWDNS_FOREST}NS   ${DNSFOREST}                                          ${HOSTNAME}
${IF_RWDNS_FOREST}NS   _msdcs.${DNSFOREST}                                   ${HOSTNAME}

# Stub entries in the parent zone
${IF_RWDNS_DOMAIN}RPC ${DNSFOREST}   NS ${DNSDOMAIN}                         ${HOSTNAME}
${IF_RWDNS_FOREST}RPC ${DNSFOREST}   NS _msdcs.${DNSFOREST}                  ${HOSTNAME}

# RW domain controller
${IF_RWDC}A            ${DNSDOMAIN}                                          $IP
${IF_RWDC}AAAA         ${DNSDOMAIN}                                          $IP
${IF_RWDC}SRV          _ldap._tcp.${DNSDOMAIN}                               ${HOSTNAME} 389
${IF_RWDC}SRV          _ldap._tcp.dc._msdcs.${DNSDOMAIN}                     ${HOSTNAME} 389
${IF_RWDC}SRV          _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST}  ${HOSTNAME} 389
${IF_RWDC}SRV          _kerberos._tcp.${DNSDOMAIN}                           ${HOSTNAME} 88
${IF_RWDC}SRV          _kerberos._udp.${DNSDOMAIN}                           ${HOSTNAME} 88
${IF_RWDC}SRV          _kerberos._tcp.dc._msdcs.${DNSDOMAIN}                 ${HOSTNAME} 88
${IF_RWDC}SRV          _kpasswd._tcp.${DNSDOMAIN}                            ${HOSTNAME} 464
${IF_RWDC}SRV          _kpasswd._udp.${DNSDOMAIN}                            ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}SRV            _ldap._tcp.${SITE}._sites.${DNSDOMAIN}                ${HOSTNAME} 389
${IF_DC}SRV            _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}      ${HOSTNAME} 389
${IF_DC}SRV            _kerberos._tcp.${SITE}._sites.${DNSDOMAIN}            ${HOSTNAME} 88
${IF_DC}SRV            _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}  ${HOSTNAME} 88

# The PDC emulator
${IF_PDC}SRV           _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                    ${HOSTNAME} 389

# RW GC servers
${IF_RWGC}A            gc._msdcs.${DNSFOREST}                                $IP
${IF_RWGC}AAAA         gc._msdcs.${DNSFOREST}                                $IP
${IF_RWGC}SRV          _gc._tcp.${DNSFOREST}                                 ${HOSTNAME} 3268
${IF_RWGC}SRV          _ldap._tcp.gc._msdcs.${DNSFOREST}                     ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV            _gc._tcp.${SITE}._sites.${DNSFOREST}                  ${HOSTNAME} 3268
${IF_GC}SRV            _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST}      ${HOSTNAME} 3268
# RW DNS servers
${IF_RWDNS_DOMAIN}A    DomainDnsZones.${DNSDOMAIN}                           $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN}                           $IP
${IF_RWDNS_DOMAIN}SRV  _ldap._tcp.DomainDnsZones.${DNSDOMAIN}                ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV    _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389

# RW DNS servers
${IF_RWDNS_FOREST}A    ForestDnsZones.${DNSFOREST}                           $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST}                           $IP
${IF_RWDNS_FOREST}SRV  _ldap._tcp.ForestDnsZones.${DNSFOREST}                ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV    _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
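To see what samba_dnsupdate actually tries to send from a list like that (and why a DC without IPv6, or an RODC, registers fewer names), here is an added example, not Samba's own samba_dnsupdate code, that expands the template into concrete records and prints the equivalent nsupdate batch. The excerpt of the template, the host name dc1.domenfo.local and the address 192.168.10.10 are constructed to match this thread; the NTDS and domain GUIDs are made up. It follows samba_dnsupdate's convention of commenting out a line whose ${IF_...} condition is false, and the 900 second TTL and the "0 100" SRV priority/weight are the values visible in the nsupdate output quoted further down this thread.

```python
"""Expand a Samba dns_update_list template into the nsupdate operations it implies.

Added example, not Samba's own samba_dnsupdate. Template excerpt, host name and
address are constructed to match the thread; the GUIDs are made up.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Update:
    rtype: str
    name: str
    rdata: str
    via_rpc: bool = False  # RPC entries go to the parent zone's server, not through nsupdate


def substitute(line, variables, roles):
    """Expand ${VAR}; a false ${IF_ROLE} turns the line into a comment (samba_dnsupdate's convention)."""
    def repl(m):
        key = m.group(1)
        if key.startswith("IF_"):
            return "" if key[3:] in roles else "# "
        return variables[key]
    return re.sub(r"\$\{(\w+)\}", repl, line)


def expand_update_list(template, variables, roles, ipv4, ipv6):
    """Return the Update records a DC with the given roles and addresses would register."""
    updates = []
    for raw in template.splitlines():
        line = substitute(raw, variables, roles).strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        via_rpc = fields[0] == "RPC"
        if via_rpc:
            fields = fields[2:]  # RPC <parent zone> <type> <name> <args...>
        rtype, name, args = fields[0], fields[1], fields[2:]
        if rtype in ("A", "AAAA"):
            # $IP stands for every address of that family; no IPv6 address means no AAAA record
            for ip in (ipv4 if rtype == "A" else ipv6):
                updates.append(Update(rtype, name, ip, via_rpc))
        elif rtype in ("CNAME", "NS"):
            updates.append(Update(rtype, name, args[0], via_rpc))
        elif rtype == "SRV":
            target, port = args[0], int(args[1])
            updates.append(Update(rtype, name, f"0 100 {port} {target}", via_rpc))
        else:
            raise ValueError(f"unsupported record type {rtype!r}: {raw}")
    return updates


def to_nsupdate_script(updates, ttl=900):
    """Render the non-RPC updates as an nsupdate(1) batch, one 'update add' per record."""
    lines = [f"update add {u.name} {ttl} IN {u.rtype} {u.rdata}" for u in updates if not u.via_rpc]
    return "\n".join(lines + ["send"])


# Constructed excerpt of the dns_update_list format shown in the thread.
SAMPLE_UPDATE_LIST = """\
# excerpt of dns_update_list (constructed for this example)
A                      ${HOSTNAME}                                           $IP
AAAA                   ${HOSTNAME}                                           $IP
${IF_DC}CNAME          ${NTDSGUID}._msdcs.${DNSFOREST}                       ${HOSTNAME}
${IF_RWDNS_DOMAIN}NS   ${DNSDOMAIN}                                          ${HOSTNAME}
${IF_RWDNS_DOMAIN}RPC ${DNSFOREST}   NS ${DNSDOMAIN}                         ${HOSTNAME}
${IF_RWDC}SRV          _ldap._tcp.${DNSDOMAIN}                               ${HOSTNAME} 389
${IF_RWDC}SRV          _kerberos._udp.${DNSDOMAIN}                           ${HOSTNAME} 88
${IF_DC}SRV            _ldap._tcp.${SITE}._sites.${DNSDOMAIN}                ${HOSTNAME} 389
${IF_PDC}SRV           _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                    ${HOSTNAME} 389
${IF_RWGC}A            gc._msdcs.${DNSFOREST}                                $IP
${IF_RWGC}SRV          _gc._tcp.${DNSFOREST}                                 ${HOSTNAME} 3268
${IF_RWDNS_DOMAIN}A    DomainDnsZones.${DNSDOMAIN}                           $IP
${IF_RWDNS_FOREST}A    ForestDnsZones.${DNSFOREST}                           $IP
"""

# Constructed values matching the thread; both GUIDs are hypothetical.
SAMPLE_VARS = {
    "HOSTNAME": "dc1.domenfo.local",
    "DNSDOMAIN": "domenfo.local",
    "DNSFOREST": "domenfo.local",
    "SITE": "Default-First-Site-Name",
    "NTDSGUID": "11111111-2222-3333-4444-555555555555",
    "DOMAINGUID": "66666666-7777-8888-9999-000000000000",
}
# Every role a single writable DC that also hosts DNS and the GC holds.
SAMPLE_ROLES = {"DC", "RWDC", "PDC", "RWGC", "GC",
                "RWDNS_DOMAIN", "RWDNS_FOREST", "DNS_DOMAIN", "DNS_FOREST"}


if __name__ == "__main__":
    ups = expand_update_list(SAMPLE_UPDATE_LIST, SAMPLE_VARS, SAMPLE_ROLES, ["192.168.10.10"], [])
    print(to_nsupdate_script(ups))
```

Pass the real /var/db/samba4/private/dns_update_list and your own variable values to expand_update_list to get the full set; the names that come out are exactly the ones that must be writable by the DC's machine account for samba_dnsupdate to succeed.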
 

mark_j

That looks fine.

I'm sorry, I am really rusty with this stuff. I haven't used it for quite a while.

Where it seems to be failing is the DNS query itself, but the message "Usage: samba_dnsupdate [options]" looks like a bug, or a bug induced by bad configuration.

If I were you I would blow away what you've done and start over. Then again, I don't know what level of knowledge you have of AD.

Have you gone through this?:
 
Reken

I did everything from the beginning.
I used the article you indicated.

I see a new problem ...
Code:
root@DC1:~ # service named start
/var/db/samba4/bind-dns/named.conf:11: unknown option 'dlz'
/usr/local/etc/rc.d/named: ERROR: named-checkconf for /usr/local/etc/namedb/named.conf failed
root@DC1:~ #


Why could this be?
 

mark_j

> I did everything from the beginning
> I use the article you have indicated

Well, it probably would have been a nice idea to state this from the beginning. I, for one, cannot read minds.

> I see a new problem ...
> Code:
> root@DC1:~ # service named start
> /var/db/samba4/bind-dns/named.conf:11: unknown option 'dlz'
> /usr/local/etc/rc.d/named: ERROR: named-checkconf for /usr/local/etc/namedb/named.conf failed
> root@DC1:~ #
>
> Why could this be?

I don't have access to these files, how would I know?

Look in /var/db/samba4/bind-dns/named.conf at line 11 and see why dlz is an unknown option.

It is mostly impossible to discern what your problem is, as I can only speculate without all the information and you're just trickle-feeding problems.

As I said, the only way to solve this is for you go from the beginning of the article and check you've got the same result.
That is, what's in your host file is similar to that under "Preparing the Installation". Likewise, have you removed all samba databases, if you had samba installed before? And so on until you reach the end of the document. If at that stage it is still a problem then we can look at all the configuration files and see what went wrong.

You could continue this forum thread or start a new one, either way it doesn't matter to me, BUT, you've got to detail all that you have done so far, step by step. Posting random errors is not helpful.

It could even be made into a tutorial for others to follow.
 

byrnejb

My journey down this convoluted path has led me to the following discoveries:

1. Dynamic updates via DNS require GSSAPI. The nsupdate in bind-tools is not linked to any GSSAPI library, so it cannot be used with samba (I cannot see it working with bind either). The GSSAPI that samba-nsupdate is linked to is the one in the BASE system. If another package replaces the BASE system OpenSSL then the packaged samba-nsupdate will not find the GSSAPI library. If samba-nsupdate cannot find the GSSAPI library then errors similar to:
Code:
/usr/local/bin/samba-nsupdate: cannot specify -g or -o, program not linked with GSSAPI Library
will result.

2. The /usr/local/etc/smb4.conf file created when samba-tool is used to provision a DC on FreeBSD must be configured to find /usr/local/bin/samba-nsupdate, as the default location that samba_dnsupdate looks for is /usr/bin/nsupdate:
Code:
  dns update command = /usr/local/bin/samba-nsupdate
  nsupdate command = /usr/local/bin/samba-nsupdate -g

Note that the -g option to samba-nsupdate is required to invoke GSSAPI.

3. With all that out of the way then when samba-nsupdate is run the error changes to:
Code:
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for SMB4-1$@BROCKLEY.HARTE-LYNE.CA will expire in 35998 secs
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as SMB4-1$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca. 900 IN    SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.

; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
Failed nsupdate: 2

This is the point I have reached. There is some evidence that this particular error is spurious; being an artifact of the samba internal nameserver implementation. However, I am not certain of this and am trying to verify if this is the case.
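Pulling the three points in that post together, here is an added preflight check (my code, not Samba's, BIND's or the FreeBSD port's) that verifies what has to be true before samba_dnsupdate can work: the nsupdate binary accepts -g instead of printing the "not linked with GSSAPI" error, smb4.conf has both dns update command and nsupdate command pointing at that binary with -g, and the keytab named by tkey-gssapi-keytab exists and is not world-readable, since it holds the DNS/<dc> service key and anyone who can read it can produce GSS-TSIG signed updates. The smb4.conf texts and the two stub nsupdate scripts are constructed for the example; the stub reproduces the error message quoted above so the check can be exercised offline.

```python
"""Preflight checks for Samba + BIND 9 GSS-TSIG dynamic updates.

Added example, not Samba or BIND code. smb4.conf texts and the stub nsupdate
binaries are constructed to mirror the thread.
"""
import os
import stat
import subprocess
import tempfile

GSSAPI_ERROR = "not linked with GSSAPI"


def nsupdate_has_gssapi(path):
    """True unless `path -g` refuses with the 'not linked with GSSAPI' error.

    nsupdate reads commands from stdin, so an empty input lets a GSSAPI-capable
    binary exit at once; one built without GSSAPI prints the error and exits.
    """
    try:
        proc = subprocess.run([path, "-g"], input=b"", capture_output=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return GSSAPI_ERROR not in proc.stderr.decode(errors="replace")


def global_section(smb_conf):
    """Tiny smb.conf reader: key/value pairs of [global], keys lowercased."""
    section, values = None, {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            values[" ".join(key.lower().split())] = value.strip()
    return values


def check_smb_conf(smb_conf, nsupdate_path):
    """Findings about the two options byrnejb's post says the provisioned smb4.conf lacks."""
    g, findings = global_section(smb_conf), []
    if "dns update command" not in g:
        findings.append("dns update command not set")
    argv = g.get("nsupdate command", "").split()
    if not argv:
        findings.append("nsupdate command not set")
    else:
        if argv[0] != nsupdate_path:
            findings.append(f"nsupdate command uses {argv[0]}, expected {nsupdate_path}")
        if "-g" not in argv[1:]:
            findings.append("nsupdate command lacks -g (no GSS-TSIG)")
    return findings


def check_keytab(path):
    """BIND must read the keytab; nobody else should, it holds the DNS/<dc> service key."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} missing"]
    findings = []
    if st.st_size == 0:
        findings.append(f"{path} is empty")
    if st.st_mode & stat.S_IROTH:
        findings.append(f"{path} is world-readable (mode {stat.S_IMODE(st.st_mode):o})")
    return findings


def preflight(smb_conf, nsupdate_path, keytab_path):
    findings = check_smb_conf(smb_conf, nsupdate_path) + check_keytab(keytab_path)
    if not nsupdate_has_gssapi(nsupdate_path):
        findings.append(f"{nsupdate_path} is not linked with GSSAPI (or cannot run)")
    return findings


# Constructed smb4.conf fragments: as provisioned (bad) and as corrected in the post (good).
SMB4_CONF_BAD = "[global]\n    realm = DOMENFO.LOCAL\n    nsupdate command = /usr/local/sbin/samba_dnsupdate\n"


def smb4_conf_good(nsupdate_path):
    return (f"[global]\n    realm = DOMENFO.LOCAL\n"
            f"    dns update command = {nsupdate_path}\n"
            f"    nsupdate command = {nsupdate_path} -g\n")


def demo():
    """Run the checks against constructed fixtures; returns {case: findings}."""
    with tempfile.TemporaryDirectory() as tmp:
        # Stub "nsupdate" binaries standing in for samba-nsupdate (constructed for this example).
        no_gss, gss = os.path.join(tmp, "nsupdate-nogss"), os.path.join(tmp, "nsupdate-gss")
        with open(no_gss, "w") as f:
            f.write(f"#!/bin/sh\necho 'cannot specify -g or -o, program {GSSAPI_ERROR} Library' >&2\nexit 1\n")
        with open(gss, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        keytab = os.path.join(tmp, "dns.keytab")
        with open(keytab, "wb") as f:
            f.write(b"\x05\x02")  # keytab file magic only; the contents do not matter here
        for p in (no_gss, gss):
            os.chmod(p, 0o755)
        os.chmod(keytab, 0o644)
        bad = preflight(SMB4_CONF_BAD, gss, keytab)
        os.chmod(keytab, 0o640)
        good = preflight(smb4_conf_good(gss), gss, keytab)
        nogss = preflight(smb4_conf_good(no_gss), no_gss, keytab)
    return {"bad": bad, "good": good, "nogss": nogss}


if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", findings or ["ok"])
```

On the DC itself, call preflight with the real inputs, for example preflight(open("/usr/local/etc/smb4.conf").read(), "/usr/local/bin/samba-nsupdate", "/var/db/samba4/bind-dns/dns.keytab"), and run it as the user named runs as so the keytab readability result reflects BIND's view. An empty list means the prerequisites are in place; it does not diagnose the BADSIG error in the post, which occurs after the signed request reaches the server.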
 