Domain Name System
nordz0r, 2020-10-01 12:09:22

How to fix Bind9_DLZ update in SAMBA4?

Good afternoon. DNS update via BIND9_DLZ (Samba4) failed.

On the client:

The system failed to register host resource records (RR) (A or AAAA) for network adapter
with parameters:

Adapter name : {53D000F3-7654-495D-A877-184C1B874972}
Host name : WS05
Primary domain suffix : office.domain.ru
DNS server list :
10.10.31.200, 192.168.100.100
Sending update to server: <?>
IP address(es):
10.10.23.154

The system was unable to register these resource records during an update request due to a system problem. You can manually redo the DNS registration of the network adapter and its settings by typing "ipconfig /registerdns" at the command prompt. If problems persist, contact the system administrator of the DNS server or network. Details The specific error code is contained in the data displayed below.

On server:
Oct 1 09:13:56 beluga named[21440]: samba_dlz: starting transaction on zone office.domain.ru
Oct 1 09:13:56 beluga named[21440]: client @0x7f34741ae9e0 10.10.23.154#59675: update 'office.domain.ru/IN' denied
Oct 1 09:13:56 beluga named[21440]: samba_dlz: cancelling transaction on zone office.domain.ru

It works in DNS_Internal mode, but reverse zones don't work there.
dns_tkey_gssnegotiate error: TKEY is unacceptable - https://wiki.samba.org/index.php/Dns_tkey_negotiat... doesn't help


1 answer(s)
nordz0r, 2020-10-27
@nordz0r

On samba_internal
samba_dnsupdate --verbose -d8

1 DNS updates and 0 DNS deletes needed
ldb_wrap open of secrets.ldb
Received smb_krb5 packet of length 314
Received smb_krb5 packet of length 177
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Starting GENSEC mechanism gssapi_krb5_sasl
Ticket in credentials cache for [email protected] will expire in 36000 secs
Successfully obtained Kerberos ticket to DNS/Beluga.domain.ru as BELUGA$
update(nsupdate): SRV _ldap._tcp.dc._msdcs.domain.ru Beluga.domain.ru 389
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.domain.ru Beluga.domain.ru 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for [email protected] will expire in 36000 secs
Successfully obtained Kerberos ticket to DNS/Beluga.domain.ru as BELUGA$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.dc._msdcs.domain.ru. 900 IN SRV 0 100 389 Beluga.domain.ru.
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
Failed nsupdate: 2
Failed update of 1 entries
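
The named log lines quoted in the question follow a fixed pattern: samba_dlz starts a transaction, the update is denied, and the transaction is cancelled. The script below is an added example, not part of the original thread; it tallies denied dynamic updates per client and zone so an administrator can see which hosts are affected. The sample log is constructed, and the "committed" line for a successful update is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the format of the named log lines quoted in the question.
# The "committed" line is an assumption about how a successful update is logged.
SAMPLE_LOG = """\
Oct 1 09:13:56 beluga named[21440]: samba_dlz: starting transaction on zone office.domain.ru
Oct 1 09:13:56 beluga named[21440]: client @0x7f34741ae9e0 10.10.23.154#59675: update 'office.domain.ru/IN' denied
Oct 1 09:13:56 beluga named[21440]: samba_dlz: cancelling transaction on zone office.domain.ru
Oct 1 09:14:10 beluga named[21440]: samba_dlz: starting transaction on zone office.domain.ru
Oct 1 09:14:10 beluga named[21440]: client @0x7f34741af000 10.10.23.160#51002: update 'office.domain.ru/IN' denied
Oct 1 09:14:10 beluga named[21440]: samba_dlz: cancelling transaction on zone office.domain.ru
Oct 1 09:15:02 beluga named[21440]: samba_dlz: starting transaction on zone office.domain.ru
Oct 1 09:15:02 beluga named[21440]: samba_dlz: committed transaction on zone office.domain.ru
"""

TXN = re.compile(r"named\[\d+\]: samba_dlz: (starting|cancelling|committed) "
                 r"transaction on zone (\S+)")
DENIED = re.compile(r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?([0-9A-Fa-f.:]+)#\d+: "
                    r"update '([^']+)/IN' denied")

def summarize(log_text):
    """Return (denied, outcomes): denied updates per (client, zone) and
    how many samba_dlz transactions ended cancelled vs committed."""
    open_zones = set()                    # zones with a transaction in progress
    denied, outcomes = Counter(), Counter()
    for line in log_text.splitlines():
        txn = TXN.search(line)
        if txn:
            action, zone = txn.group(1), txn.group(2).lower()
            if action == "starting":
                open_zones.add(zone)
            elif zone in open_zones:      # only count closes we saw opened
                open_zones.discard(zone)
                outcomes[action] += 1
            continue
        hit = DENIED.search(line)
        if hit:
            denied[(hit.group(1), hit.group(2).lower())] += 1
    return denied, outcomes

if __name__ == "__main__":
    denied, outcomes = summarize(SAMPLE_LOG)
    for (client, zone), count in denied.most_common():
        print(f"{client} -> {zone}: {count} denied update(s)")
    print(dict(outcomes))
```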
