Samba4.00a15 Server 2003/2003_R2 machines cannot update to Bind9 when using samba configuration with GSS-TKEY when joined to the domain. The 2003 machines can access internet before joining, and for the first logon after, but break as soon as group policy is implemented with the error:

    The system failed to register host (A) resource records (RRs) for network adapter with settings:

    Adapter Name : {********-****-****-****-************}
    Host Name : 2003SVR-01
    Primary Domain Suffix : example.com
    DNS server list : 192.168.1.45, 192.168.1.46, 192.168.1.50
    Sent update to server : <?>
    IP Address(es): 192.168.1.23

    The reason the system could not register these RRs was because either (a) the DNS server does not support the DNS dynamic update protocol, or (b) the authoritative zone for the specified DNS domain name does not accept dynamic updates.

Exactly which version of BIND is in use here, and exactly what configuration is in use? Does Samba4's internal SPN update (samba_spnupdate) succeed? What keytab files are you using, what are the permissions, does SELinux or AppArmor show any failures? In short, this is well known to be very difficult to configure, and we are working with the BIND developers to improve the situation.

I'm using BIND 9.7.1-P2 on Ubuntu Lucid, and using the standard keytabs that samba generates with the permissions correctly configured:

    chgrp bind /usr/local/samba/private/dns.keytab
    chmod g+r /usr/local/samba/private/dns.keytab

I have currently disabled AppArmor and haven't yet installed SELinux. Before I reinstalled my entire OS due to extreme amounts of broken packages I was getting samba_spnupdate errors for interface 127.0.1.1 (not configured to use that interface for DNS) and one of my LAN IPs (2 of my interfaces were fine). I've also found a pretty big issue which I've filed another bug on, but that's a TLS issue.

http://wiki.samba.org/index.php/Samba4/HOWTO#Step_10_Configure_kerberos_DNS_dynamic_updates clearly states that 9.7.2 is the minimum.