Samba AD DC/BIND9_DLZ - не работает динамическое обновление DNS

Добрый день!
Подскажите, пожалуйста, по проблеме.
На ОС Astra Linux (Orel 2.12.45) развёрнут Samba AD DC с бэкендом BIND9_DLZ.
При попытке выполнить динамическое обновление:
samba_dnsupdate --verbose --all-names


update(nsupdate): SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.test.local ADDC.test.local 389
Calling nsupdate for SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.test.local ADDC.test.local 389 (add)
Starting GENSEC mechanism gssapi_krb5_sasl
GSSAPI credentials for ADDC$@TEST.LOCAL will expire in 35997 secs
gensec_update_send: gssapi_krb5_sasl[0x62c57a603300]: subreq: 0x62c57a8e0750
gensec_update_done: gssapi_krb5_sasl[0x62c57a603300]: NT_STATUS_MORE_PROCESSING_REQUIRED tevent_req[0x62c57a8e0750/../source4/auth/gensec/gensec_gssapi.c:1054]: state[2] error[0 (0x0)] state[struct gensec_gssapi_update_state (0x62c57a8e0900)] timer[(nil)] finish[../source4/auth/gensec/gensec_gssapi.c:1064]
Successfully obtained Kerberos ticket to DNS/addc.test.local as ADDC$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.test.local. 900 IN SRV 0 100 389 ADDC.test.local.

update failed: REFUSED
Failed nsupdate: 2
Failed update of 29 entries




Конфиг smb.conf:
# Global parameters
# NOTE(review): this is the configuration exactly as reported by the poster;
# the comments below only flag settings worth re-checking, they change nothing.
[global]
<------>netbios name = ADDC
<------>realm = TEST.LOCAL
<------>server role = active directory domain controller
# NOTE(review): 'server services' is assigned twice. In smb.conf a later
# assignment of the same parameter replaces the earlier one, so the explicit
# list on the next line is presumably overridden by the '-dns' form below —
# confirm the effective value with 'testparm -v | grep "server services"'.
# Both forms leave the internal DNS server out, which is what the BIND9_DLZ
# backend needs; the duplicate is just confusing.
<------>server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
<------>server services = -dns
<------>workgroup = TEST
<------>idmap_ldb:use rfc2307 = yes
<------>template shell = /bin/bash
<------>winbind use default domain = true
<------>winbind offline logon = false
<------>winbind nss info = rfc2307
<------>winbind enum users = yes
<------>winbind enum groups = yes
<------>log file = /var/log/samba/%m.log
# NOTE(review): 'log level = 10' is the maximum verbosity. Useful while this
# update problem is being chased, but it fills the disk fast and the logs can
# contain sensitive material (names, tickets, LDAP content) — lower it again
# once the issue is resolved.
<------>log level = 10
# NOTE(review): 'ldap server require strong auth = no' lets the DC accept LDAP
# simple binds and unsigned SASL binds without TLS, i.e. credentials and
# directory data may cross the network unprotected (the default is 'yes').
# Keep it only if a specific legacy client is known to need it.
<------>ldap server require strong auth = no
# NOTE(review): 'nonsecure and secure' accepts unauthenticated dynamic DNS
# updates in addition to GSS-TSIG-signed ones (the default is 'secure only').
# That widens who may rewrite records in the AD zones. It also does not
# explain the REFUSED in the log above: the client had already obtained its
# DNS/addc.test.local ticket, so the refusal is presumably decided on the
# named side (DLZ module not loaded, or named unable to read its keytab) —
# named's own log is the place to look first.
<------>allow dns updates = nonsecure and secure
# NOTE(review): 'allow dcerpc auth level connect = yes' permits DCERPC
# connections with no integrity or privacy protection (default 'no').
# Security-relevant on a domain controller — confirm a client really needs it.
<------>allow dcerpc auth level connect = yes

[netlogon]
<------>path = /var/lib/samba/sysvol/test.local/scripts
<------>read only = No

[sysvol]
<------>path = /var/lib/samba/sysvol
<------>read only = No


Конфиг named.conf.options:
# NOTE(review): configuration as reported by the poster; comments only.
options {
<------>directory "/var/cache/bind";
# NOTE(review): with the Samba BIND9_DLZ backend the update policy for the AD
# zones is expected to be enforced by the Samba DLZ module (GSS-TSIG signer
# checks), so a global 'allow-update { any; }' is broader than needed and, as
# far as I know, not part of the documented Samba/BIND9 setup — confirm it is
# required, and note it did not prevent the REFUSED seen in the log.
<------>allow-update { any; };
<------>allow-query { any; };
# NOTE(review): 'allow-query-cache { any; }' combined with BIND's default of
# recursion enabled makes this server an open resolver for every network that
# can reach 10.0.2.4 — confirm recursion is intended, or restrict it to the
# local networks.
<------>allow-query-cache { any; };
# NOTE(review): DNSSEC validation is disabled here; acceptable on a lab DC,
# but forwarded lookups are then unverified.
<------>dnssec-validation no;

<------>auth-nxdomain no; # conform to RFC1035
<------>listen-on { 10.0.2.4;
<------><------> 127.0.0.1; };
<------>listen-on-v6 { none; };
# NOTE(review): this keytab is what lets named verify the GSS-TSIG-signed
# update. The client side of the log shows a ticket was obtained, so if the
# update is still REFUSED it is worth confirming that the named process can
# actually read this file (ownership/mode of /var/lib/samba/bind-dns and any
# mandatory-access-control profile applied to named) and that the DLZ module
# is loaded — named's log normally says so at startup.
<------>tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
<------>minimal-responses yes;
};