Bug 7962 - Server 2003 cannot Query or Update to Bind9 DNS server with GSS-TKEY
Summary: Server 2003 cannot Query or Update to Bind9 DNS server with GSS-TKEY
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Other (show other bugs)
Version: unspecified
Hardware: x64 Windows 2003
: P3 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: samba4-qa@samba.org
Depends on:
Reported: 2011-02-18 11:56 UTC by Jacob Oliver (mail address dead)
Modified: 2011-02-21 15:49 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Jacob Oliver (mail address dead) 2011-02-18 11:56:13 UTC
Server 2003/2003_R2 machines cannot update to Bind9 when using samba configuration with GSS-TKEY when joined to the domain. The 2003 machines can access internet before joining, and for the the first logon after, but break as soon as group policy is implemented with the error:
The system failed to register host (A) resource records (RRs) for
network adapter
with settings:

 Adapter Name : {********-****-****-****-************}
 Host Name : 2003SVR-01
 Primary Domain Suffix : example.com
 DNS server list :,,
 Sent update to server : <?>
 IP Address(es):

  The reason the system could not register these RRs was because
either (a) the DNS server does not support the DNS dynamic update
protocol, or (b) the authoritative zone for the specified DNS domain
name does not accept dynamic updates.
Comment 1 Andrew Bartlett 2011-02-18 15:59:02 UTC
Exactly which version of BIND is in use here, and exactly what configuration is in use.  Does Samba4's internal SPN update (samba_spnupdate) succeed?

What keytabs files are you using, what are the permissions, does selinux or apparmor show any failures?

In short, this is well known to be very difficult to configure, and we are working with the BIND developers to improve the situation.
Comment 2 Jacob Oliver (mail address dead) 2011-02-21 10:52:26 UTC
Im using BIND 9.7.1-P2 on ubuntu lucid, and using the standard keytabs that samba generates with the permissions correctly configured:
chgrp bind /usr/local/samba/private/dns.keytab
chmod g+r /usr/local/samba/private/dns.keytab
I have currently disabled APPArmor and havent yet installed SELinux. Before i reinstalled my entire OS due to extreme amounts of broken packages i was getting samba_spnupdate errors for interface (Not configured to use that interface for dns) and one of my LAN IP's (2 of my interfaces were fine). Ive also found a pretty big issue which ive filed another bug on, but thats a TLS issue.
Comment 3 Andrew Bartlett 2011-02-21 15:49:35 UTC
http://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates clearly states that 9.7.2 is the minimum.