# Samba411 auto-update DNS zone



## Reken (May 15, 2020)

Tell me please.
I have: FreeBSD 11.3, Samba411, bind911.
I started the domain and it works. How do I set up auto-update of the DNS zone?

SO:
1) Add a line to /usr/local/etc/namedb/named.conf

```
tkey-gssapi-keytab "/var/db/samba4/bind-dns/dns.keytab";
```

2) Do I need a samba-nsupdate program? Or not?


----------



## mark_j (May 15, 2020)

If you're using bind911 why would you need samba's own internal dns?


----------



## zirias@ (May 15, 2020)

mark_j, it is needed because samba provides a dynamically loaded zone plugin for bind.

As for the question, I never got it working properly either.


----------



## Reken (May 15, 2020)

I do not understand ...
Should I install samba-nsupdate?

Or is bind911 enough for dynamic updates?
My zone does not update automatically ...
I am using bind911 + the line

```
tkey-gssapi-keytab "/var/db/samba4/bind-dns/dns.keytab";
```


----------



## Reken (May 19, 2020)

```
/usr/local/sbin/samba_dnsupdate --verbose --all-names
```

```
Failed nsupdate: 1
update(nsupdate): A gc._msdcs.domenfo.local 192.168.10.10
Calling nsupdate for A gc._msdcs.domenfo.local 192.168.10.10 (add)
Successfully obtained Kerberos ticket to DNS/dc1.domenfo.local as DC1$
Usage: samba_dnsupdate [options]

Failed nsupdate: 1
update(nsupdate): A DomainDnsZones.domenfo.local 192.168.10.10
Calling nsupdate for A DomainDnsZones.domenfo.local 192.168.10.10 (add)
Successfully obtained Kerberos ticket to DNS/dc1.domenfo.local as DC1$
Usage: samba_dnsupdate [options]

Failed nsupdate: 1
update(nsupdate): A ForestDnsZones.domenfo.local 192.168.10.10
Calling nsupdate for A ForestDnsZones.domenfo.local 192.168.10.10 (add)
Successfully obtained Kerberos ticket to DNS/dc1.domenfo.local as DC1$
Usage: samba_dnsupdate [options]

Failed nsupdate: 1
Failed update of 34 entries
```

My configuration:

added to smb4.conf

```
nsupdate command = /usr/local/sbin/samba_dnsupdate
```

added to named.conf

```
tkey-gssapi-keytab "/var/db/samba4/bind-dns/dns.keytab";
include "/var/db/samba4/bind-dns/named.conf";
```

What could be the problem?


----------



## mark_j (May 19, 2020)

Can you post what's in /var/db/samba4/private/dns_update_list ?


----------



## Reken (May 20, 2020)

```
# this is a list of DNS entries which will be put into DNS using
# dynamic DNS update. It is processed by the samba_dnsupdate script
A                      ${HOSTNAME}                                           $IP
AAAA                   ${HOSTNAME}                                           $IP
${IF_DC}CNAME          ${NTDSGUID}._msdcs.${DNSFOREST}                       ${HOSTNAME}
${IF_RWDNS_DOMAIN}NS   ${DNSDOMAIN}                                          ${HOSTNAME}
${IF_RWDNS_FOREST}NS   ${DNSFOREST}                                          ${HOSTNAME}
${IF_RWDNS_FOREST}NS   _msdcs.${DNSFOREST}                                   ${HOSTNAME}

# Stub entries in the parent zone
${IF_RWDNS_DOMAIN}RPC ${DNSFOREST}   NS ${DNSDOMAIN}                         ${HOSTNAME}
${IF_RWDNS_FOREST}RPC ${DNSFOREST}   NS _msdcs.${DNSFOREST}                  ${HOSTNAME}

# RW domain controller
${IF_RWDC}A            ${DNSDOMAIN}                                          $IP
${IF_RWDC}AAAA         ${DNSDOMAIN}                                          $IP
${IF_RWDC}SRV          _ldap._tcp.${DNSDOMAIN}                               ${HOSTNAME} 389
${IF_RWDC}SRV          _ldap._tcp.dc._msdcs.${DNSDOMAIN}                     ${HOSTNAME} 389
${IF_RWDC}SRV          _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST}  ${HOSTNAME} 389
${IF_RWDC}SRV          _kerberos._tcp.${DNSDOMAIN}                           ${HOSTNAME} 88
${IF_RWDC}SRV          _kerberos._udp.${DNSDOMAIN}                           ${HOSTNAME} 88
${IF_RWDC}SRV          _kerberos._tcp.dc._msdcs.${DNSDOMAIN}                 ${HOSTNAME} 88
${IF_RWDC}SRV          _kpasswd._tcp.${DNSDOMAIN}                            ${HOSTNAME} 464
${IF_RWDC}SRV          _kpasswd._udp.${DNSDOMAIN}                            ${HOSTNAME} 464
# RW and RO domain controller
${IF_DC}SRV            _ldap._tcp.${SITE}._sites.${DNSDOMAIN}                ${HOSTNAME} 389
${IF_DC}SRV            _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}      ${HOSTNAME} 389
${IF_DC}SRV            _kerberos._tcp.${SITE}._sites.${DNSDOMAIN}            ${HOSTNAME} 88
${IF_DC}SRV            _kerberos._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}  ${HOSTNAME} 88

# The PDC emulator
${IF_PDC}SRV           _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                    ${HOSTNAME} 389

# RW GC servers
${IF_RWGC}A            gc._msdcs.${DNSFOREST}                                $IP
${IF_RWGC}AAAA         gc._msdcs.${DNSFOREST}                                $IP
${IF_RWGC}SRV          _gc._tcp.${DNSFOREST}                                 ${HOSTNAME} 3268
${IF_RWGC}SRV          _ldap._tcp.gc._msdcs.${DNSFOREST}                     ${HOSTNAME} 3268
# RW and RO GC servers
${IF_GC}SRV            _gc._tcp.${SITE}._sites.${DNSFOREST}                  ${HOSTNAME} 3268
${IF_GC}SRV            _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST}      ${HOSTNAME} 3268
# RW DNS servers
${IF_RWDNS_DOMAIN}A    DomainDnsZones.${DNSDOMAIN}                           $IP
${IF_RWDNS_DOMAIN}AAAA DomainDnsZones.${DNSDOMAIN}                           $IP
${IF_RWDNS_DOMAIN}SRV  _ldap._tcp.DomainDnsZones.${DNSDOMAIN}                ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_DOMAIN}SRV    _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389

# RW DNS servers
${IF_RWDNS_FOREST}A    ForestDnsZones.${DNSFOREST}                           $IP
${IF_RWDNS_FOREST}AAAA ForestDnsZones.${DNSFOREST}                           $IP
${IF_RWDNS_FOREST}SRV  _ldap._tcp.ForestDnsZones.${DNSFOREST}                ${HOSTNAME} 389
# RW and RO DNS servers
${IF_DNS_FOREST}SRV    _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
```


----------



## mark_j (May 20, 2020)

That looks fine.

I'm sorry, I am really rusty with this stuff. Haven't used this for quite a while.

Where it seems to be failing is the DNS query itself, but the message of "Usage: samba_dnsupdate [options]" looks like a bug or a bug induced by bad configuration.

If I was you I would blow up what you've done and start over. Then again, I don't know what level of knowledge you have of AD?

Have you gone through this?: Setting up Samba as an Active Directory Domain Controller - SambaWiki (wiki.samba.org)


----------



## Reken (May 20, 2020)

I did everything from the beginning.
I used the article you indicated.

I see a new problem ...

```
root@DC1:~ # service named start
/var/db/samba4/bind-dns/named.conf:11: unknown option 'dlz'
/usr/local/etc/rc.d/named: ERROR: named-checkconf for /usr/local/etc/namedb/named.conf failed
root@DC1:~ #
```

Why could this be?


----------



## mark_j (May 21, 2020)

Reken said:


> I did everything from the beginning
> I use the article you have indicated



Well, it probably would have been a nice idea to state this from the beginning. I for one cannot read minds. 



Reken said:


> I see a new problem ...
> 
> ```
> root@DC1:~ # service named start
> ...


I don't have access to these files, how would I know?

Look in /var/db/samba4/bind-dns/named.conf at line 11 and see why dlz is an unknown option.

It is mostly impossible to discern what your problem is as I can only speculate without all the information and you're just trickle-feeding problems. 

As I said, the only way to solve this is for you to go from the beginning of the article and check you've got the same result.
That is, what's in your hosts file is similar to that under *"Preparing the Installation"*. Likewise, have you removed all samba databases, if you had samba installed before? And so on until you reach the end of the document. If at that stage it is still a problem then we can look at all the configuration files and see what went wrong.

You could continue this forum thread or start a new one, either way it doesn't matter to me, BUT, you've got to detail all that you have done so far, step by step. Posting random errors is not helpful.

It could even be made into a tutorial for others to follow.


----------



## byrnejb (Jul 2, 2020)

My journey down this convoluted path has led me to the following discoveries:

1. Dynamic updates via DNS require GSSAPI. The `nsupdate` in `bind-tools` is not linked to any `GSSAPI` library, so it cannot be used with samba (_I cannot see it working with bind either_). The GSSAPI that `samba-nsupdate` is linked to is the one in the BASE system. If another package replaces the BASE system OpenSSL then the packaged `samba-nsupdate` will not find the `GSSAPI` library. If `samba-nsupdate` cannot find the `GSSAPI` library then errors similar to:

```
/usr/local/bin/samba-nsupdate: cannot specify -g or -o, program not linked with GSSAPI Library
```
will result.

2. The `/usr/local/etc/smb4.conf` file created when samba-tool is used to provision a DC on FreeBSD must be configured to find `/usr/local/bin/samba-nsupdate`, as the default location that `samba-dnsupdate` looks for is `/usr/bin/nsupdate`:

```
dns update command = /usr/local/bin/samba-nsupdate
nsupdate command = /usr/local/bin/samba-nsupdate -g
```

Note that the `-g` option to `samba-nsupdate` is required to invoke GSSAPI.

3. With all that out of the way then when samba-nsupdate is run the error changes to:

```
update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca SMB4-1.brockley.harte-lyne.ca 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for SMB4-1$@BROCKLEY.HARTE-LYNE.CA will expire in 35998 secs
Successfully obtained Kerberos ticket to DNS/SMB4-1.brockley.harte-lyne.ca as SMB4-1$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.brockley.harte-lyne.ca. 900 IN    SRV 0 100 389 SMB4-1.brockley.harte-lyne.ca.

; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
Failed nsupdate: 2
```
This is the point I have reached. There is some evidence that this particular error is spurious, being an artifact of the samba internal nameserver implementation. However, I am not certain of this and am trying to verify if this is the case.


----------
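The thread touches three separate settings that all have to line up before `samba_dnsupdate` can push records through BIND9: the `tkey-gssapi-keytab` and `include` directives in named.conf, an `nsupdate command` in smb4.conf that calls a GSSAPI-capable `nsupdate` with `-g`, and an `nsupdate` binary actually built with GSSAPI. The script below is an added example, not code from the thread or from the Samba or FreeBSD projects; it checks each of those offline and also flags the configuration seen in Reken's post, where `nsupdate command` pointed back at `samba_dnsupdate` (which is consistent with the "Usage: samba_dnsupdate [options]" text appearing where nsupdate output was expected). The default paths are the FreeBSD ones used in the thread; the function names, the environment variable `SAMBA_DNS_CHECK` and the sample config files are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity checks for the
# Samba AD DC + BIND9 DLZ dynamic-update settings discussed above.
# Paths default to the FreeBSD locations used in the thread.

# named.conf must load the GSS-TSIG keytab and the Samba-generated
# BIND config. Returns 0 if both directives are present, 1 otherwise.
check_named_conf() {
    conf="$1"
    ok=0
    grep -Eq '^[[:space:]]*tkey-gssapi-keytab[[:space:]]+"[^"]*dns\.keytab"' "$conf" \
        || { echo "named.conf: missing tkey-gssapi-keytab pointing at dns.keytab"; ok=1; }
    grep -Eq '^[[:space:]]*include[[:space:]]+"[^"]*bind-dns/named\.conf"' "$conf" \
        || { echo "named.conf: missing include of bind-dns/named.conf"; ok=1; }
    return $ok
}

# smb4.conf must point Samba at a GSSAPI-capable nsupdate invoked with -g,
# and not at samba_dnsupdate itself (the loop behind the repeated
# "Usage: samba_dnsupdate [options]" lines in the thread).
check_smb_conf() {
    conf="$1"
    line=$(grep -E '^[[:space:]]*nsupdate command[[:space:]]*=' "$conf" | head -n 1)
    case "$line" in
        "") echo "smb4.conf: 'nsupdate command' not set"; return 1 ;;
        *samba_dnsupdate*) echo "smb4.conf: 'nsupdate command' points at samba_dnsupdate itself"; return 1 ;;
        *" -g"*) return 0 ;;
        *) echo "smb4.conf: 'nsupdate command' lacks -g (GSSAPI)"; return 1 ;;
    esac
}

# Extract the binary path from 'nsupdate command' (first word after '=').
nsupdate_bin_from_smb_conf() {
    sed -n 's/^[[:space:]]*nsupdate command[[:space:]]*=[[:space:]]*//p' "$1" \
        | head -n 1 | cut -d' ' -f1
}

# The nsupdate binary must exist and accept -g. A build without GSSAPI
# answers with "program not linked with GSSAPI Library" (see byrnejb's post).
check_nsupdate_gssapi() {
    bin="$1"
    [ -x "$bin" ] || { echo "$bin: not found or not executable"; return 1; }
    out=$("$bin" -g </dev/null 2>&1)
    case "$out" in
        *"not linked with GSSAPI"*) echo "$bin: built without GSSAPI"; return 1 ;;
        *) return 0 ;;
    esac
}

# Run all checks; exit status 0 only if everything passes.
main() {
    named_conf="${1:-/usr/local/etc/namedb/named.conf}"
    smb_conf="${2:-/usr/local/etc/smb4.conf}"
    rc=0
    check_named_conf "$named_conf" || rc=1
    check_smb_conf "$smb_conf" || rc=1
    bin=$(nsupdate_bin_from_smb_conf "$smb_conf")
    [ -n "$bin" ] && { check_nsupdate_gssapi "$bin" || rc=1; }
    [ "$rc" -eq 0 ] && echo "all dynamic-update prerequisites look fine"
    return $rc
}

# Run only when explicitly asked, so the functions can also be sourced.
if [ "${SAMBA_DNS_CHECK:-}" = run ]; then main "$@"; fi
```

Run it on the DC with `SAMBA_DNS_CHECK=run sh check-dns-update.sh` (optionally passing the named.conf and smb4.conf paths as arguments). It deliberately stops short of sending a real update: once these three prerequisites pass, `samba_dnsupdate --verbose --all-names` as used in the thread is the right next step, and any remaining failure such as the `NOTAUTH(BADSIG)` in the last post is then a Kerberos or TSIG problem rather than a wiring one.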

