Bug 15942 - dynamic dns upgrade not working during join
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS plugin (BIND DLZ)
Version: 4.22.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Amitay Isaacs
QA Contact: Samba QA Contact
Reported: 2025-11-04 08:45 UTC by Stefan Kania
Modified: 2025-11-04 08:45 UTC (History)

Description Stefan Kania 2025-11-04 08:45:00 UTC
I just set up a new domain for testing Samba 4.22 with Debian trixie. All packages are directly from the distribution repository, no backports, nothing special.

I have two DCs that replicate everything; that is working fine. Then I try to join a Linux client, also with trixie and packages from the Debian trixie repository. Here is my smb.conf of the client:
---------
[global]
workgroup = example
realm = EXAMPLE.NET
security = ADS
winbind refresh tickets = Yes
winbind use default domain = yes
template shell = /bin/bash
idmap config * : range = 10000 - 19999
idmap config EXAMPLE : backend = rid
idmap config EXAMPLE : range =  1000000 - 1999999
interfaces = 192.168.56.33
bind interfaces only = yes
---------

Both DCs are added as "nameserver" to resolv.conf. The krb5.conf is:
---------
[libdefaults]
        default_realm = EXAMPLE.NET
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
EXAMPLE.NET = {
        default_domain = example.net
---------

I can get a ticket with "kinit administrator", and "host -t srv _kerberos._tcp.example.net" gives me the two DCs.

then I join:
----------
root@client01:~# net ads join -U administrator
Password for [EXAMPLE\administrator]:
Using short domain name -- EXAMPLE
Joined 'CLIENT01' to dns domain 'example.net'
gse_get_client_auth_token: gss_init_sec_context failed with [A parameter was malformed Miscellaneous failure (see text): Success]
DNS Update for client01.example.net failed: ERROR_DNS_INVALID_MESSAGE
DNS update failed: NT_STATUS_UNSUCCESSFUL
----------

As you can see, the join is working, the account will be created:
-----------
root@dc01:~# samba-tool computer list
DC02$
DC01$
CLIENT01$
-----------
The object is replicated to the other DC
On the DC I see:
------------
Nov 03 20:13:59 dc01 named[821]: samba_dlz: starting transaction on zone example.net
Nov 03 20:13:59 dc01 named[821]: client @0x7f3e52b31000 192.168.56.33#38638: updating zone 'example.net/NONE': update unsuccessful: client01.example.net/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Nov 03 20:13:59 dc01 named[821]: samba_dlz: cancelling transaction on zone example.net
Nov 03 20:13:59 dc01 named[821]: samba_dlz: spnego update failed
Nov 03 20:13:59 dc01 named[821]: client @0x7f3e52b31000 192.168.56.33#38638: updating zone 'example.net/NONE': update failed: rejected by secure update (REFUSED)
------------

If I try "net ads dns register -U administrator", I get the same result.

Then I found the note for version 4.21 and put "dns hostname = client01.example.net" into smb.conf. The same result, no DNS update.

Then I used nsupdate:
----------
root@dc01:~# kinit administrator
administrator@EXAMPLE.NET's Password:

root@dc01:~# nsupdate -g
> server dc01.example.net
> update add client01.example.net 86400 A 192.168.56.33
> send
> quit
----------
Then I got the DNS entry for my client. If I rejoin the client with "net ads join" again, now error message.

I also see the same problem with Windows clients. The join worked but no DNS-update. I have to do it with "ipconfig /registerdns"
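
The following is an added example, not part of the original report and not Samba or BIND code: it scans `named` log lines in the format shown above and lists the clients whose dynamic update hit a failed prerequisite or was refused by the secure-update check, which identifies hosts that still need a manual registration. The function name `failed_updates` is hypothetical, and the last sample log line is constructed for illustration.

```python
import re

# The first five lines are the DC log lines quoted in the report; the last line is
# constructed for this example to show a client whose update is not flagged.
SAMPLE_LOG = """\
Nov 03 20:13:59 dc01 named[821]: samba_dlz: starting transaction on zone example.net
Nov 03 20:13:59 dc01 named[821]: client @0x7f3e52b31000 192.168.56.33#38638: updating zone 'example.net/NONE': update unsuccessful: client01.example.net/A: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Nov 03 20:13:59 dc01 named[821]: samba_dlz: cancelling transaction on zone example.net
Nov 03 20:13:59 dc01 named[821]: samba_dlz: spnego update failed
Nov 03 20:13:59 dc01 named[821]: client @0x7f3e52b31000 192.168.56.33#38638: updating zone 'example.net/NONE': update failed: rejected by secure update (REFUSED)
Nov 03 20:14:05 dc01 named[821]: client @0x7f3e52b32000 192.168.56.34#40112: updating zone 'example.net/NONE': adding an RR at 'client02.example.net' A 192.168.56.34
"""

# named prefixes update messages with the client handle, address#port and zone.
UPDATE_RE = re.compile(
    r"named\[\d+\]: client @0x[0-9a-f]+ (?P<ip>\S+?)#(?P<port>\d+)[^:]*: "
    r"updating zone '(?P<zone>[^'/]+)/[^']*': (?P<msg>.*)$")
PREREQ_RE = re.compile(
    r"update unsuccessful: (?P<name>\S+)/(?P<rtype>\w+): "
    r".* prerequisite not satisfied \((?P<rcode>\w+)\)")
REFUSED = "rejected by secure update (REFUSED)"


def failed_updates(log_text):
    """Return one record per client socket whose dynamic update did not go through."""
    clients = {}
    for line in log_text.splitlines():
        m = UPDATE_RE.search(line)
        if not m:
            continue  # samba_dlz lines carry no client address, so they are skipped
        rec = clients.setdefault((m["ip"], m["port"]), {
            "client": m["ip"], "zone": m["zone"],
            "prereq_failed": [], "refused": False})
        p = PREREQ_RE.search(m["msg"])
        if p:
            rec["prereq_failed"].append((p["name"], p["rtype"], p["rcode"]))
        if REFUSED in m["msg"]:
            rec["refused"] = True
    return [r for r in clients.values() if r["refused"] or r["prereq_failed"]]


if __name__ == "__main__":
    for record in failed_updates(SAMPLE_LOG):
        print(record)
```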