Добрый день! Настраиваю связку DNS+DHCP+Samba4 по инструкции
http://blog.michael.kuron-germany.de/2011/02/isc-dhcpd-dynam.../
Автоматически не обновляется обратная зона DNS по DHCP при смене IP. На выходе получаю:
################
messages begin;
################
Nov 7 11:28:53 domain chronyd[891]: NTP packet received from unauthorised host 192.168.6.248 port 123
Nov 7 11:28:53 domain named[1768]: samba_dlz: starting transaction on zone example.lan
Nov 7 11:28:53 domain named[1768]: client 192.168.6.248#65022: update 'example.lan/IN' denied
Nov 7 11:28:53 domain named[1768]: samba_dlz: cancelling transaction on zone example.lan
Nov 7 11:28:53 domain named[1768]: samba_dlz: starting transaction on zone example.lan
Nov 7 11:28:53 domain named[1768]: samba_dlz: disallowing update of signer=IE11WIN7\$\@example.LAN name=IE11Win7.example.lan type=AAAA error=insufficient access rights
Nov 7 11:28:53 domain named[1768]: client 192.168.6.248#64764/key IE11WIN7\$\@example.LAN: updating zone 'example.lan/NONE': update failed: rejected by secure update (REFUSED)
Nov 7 11:28:53 domain named[1768]: samba_dlz: cancelling transaction on zone example.lan
Nov 7 11:28:53 domain named[1768]: samba_dlz: starting transaction on zone example.lan
Nov 7 11:28:53 domain named[1768]: client 192.168.6.248#52054: update 'example.lan/IN' denied
Nov 7 11:28:53 domain named[1768]: samba_dlz: cancelling transaction on zone example.lan
Nov 7 11:28:53 domain named[1768]: samba_dlz: starting transaction on zone example.lan
Nov 7 11:28:53 domain named[1768]: samba_dlz: disallowing update of signer=IE11WIN7\$\@example.LAN name=IE11Win7.example.lan type=AAAA error=insufficient access rights
Nov 7 11:28:53 domain named[1768]: client 192.168.6.248#52574/key IE11WIN7\$\@example.LAN: updating zone 'example.lan/NONE': update failed: rejected by secure update (REFUSED)
Nov 7 11:28:53 domain named[1768]: samba_dlz: cancelling transaction on zone example.lan
Nov 7 11:28:54 domain named[1768]: samba_dlz: starting transaction on zone example.lan
Nov 7 11:28:54 domain named[1768]: samba_dlz: allowing update of signer=dhcp\@example.LAN name=IE11Win7.example.lan tcpaddr=192.168.6.241 type=A key=1008916717.sig-domain.example.lan/160/0
Nov 7 11:28:54 domain named[1768]: samba_dlz: allowing update of signer=dhcp\@example.LAN name=IE11Win7.example.lan tcpaddr=192.168.6.241 type=A key=1008916717.sig-domain.example.lan/160/0
Nov 7 11:28:54 domain named[1768]: client 192.168.6.241#56940/key dhcp\@example.LAN: updating zone 'example.lan/NONE': deleting rrset at 'IE11Win7.example.lan' A
Nov 7 11:28:54 domain named[1768]: samba_dlz: subtracted rdataset IE11Win7.example.lan 'IE11Win7.example.lan. 3600 IN A 192.168.6.248'
Nov 7 11:28:54 domain named[1768]: client 192.168.6.241#56940/key dhcp\@example.LAN: updating zone 'example.lan/NONE': adding an RR at 'IE11Win7.example.lan' A
Nov 7 11:28:54 domain named[1768]: samba_dlz: added rdataset IE11Win7.example.lan 'IE11Win7.example.lan. 3600 IN A 192.168.6.248'
Nov 7 11:28:54 domain named[1768]: samba_dlz: committed transaction on zone example.lan
Nov 7 11:28:54 domain named[1768]: samba_dlz: starting transaction on zone 6.168.192.in-addr.arpa
Nov 7 11:28:54 domain named[1768]: samba_dlz: allowing update of signer=dhcp\@example.LAN name=248.6.168.192.in-addr.arpa tcpaddr=192.168.6.241 type=PTR key=3509049471.sig-domain.example.lan/160/0
Nov 7 11:28:54 domain named[1768]: samba_dlz: allowing update of signer=dhcp\@example.LAN name=248.6.168.192.in-addr.arpa tcpaddr=192.168.6.241 type=PTR key=3509049471.sig-domain.example.lan/160/0
Nov 7 11:28:54 domain named[1768]: client 192.168.6.241#32995/key dhcp\@example.LAN: updating zone '6.168.192.in-addr.arpa/NONE': deleting rrset at '248.6.168.192.in-addr.arpa' PTR
Nov 7 11:28:54 domain named[1768]: samba_dlz: subtracted rdataset 248.6.168.192.in-addr.arpa '248.6.168.192.in-addr.arpa. 3600 IN PTR IE11Win7.example.lan.'
Nov 7 11:28:54 domain named[1768]: client 192.168.6.241#32995/key dhcp\@example.LAN: updating zone '6.168.192.in-addr.arpa/NONE': adding an RR at '248.6.168.192.in-addr.arpa' PTR
Nov 7 11:28:54 domain named[1768]: samba_dlz: added rdataset 248.6.168.192.in-addr.arpa '248.6.168.192.in-addr.arpa. 3600 IN PTR IE11Win7.example.lan.'
Nov 7 11:28:54 domain named[1768]: samba_dlz: committed transaction on zone 6.168.192.in-addr.arpa
Nov 7 11:28:54 domain named[1768]: samba_dlz: starting transaction on zone example.lan
Nov 7 11:28:54 domain named[1768]: client 127.0.0.1#41858/key rndc-key: updating zone 'example.lan/NONE': update unsuccessful: IE11Win7.example.lan: 'name not in use' prerequisite not satisfied (YXDOMAIN)
Nov 7 11:28:54 domain named[1768]: samba_dlz: cancelling transaction on zone example.lan
Nov 7 11:28:54 domain dhcpd: DHCPREQUEST for 192.168.6.248 from 00:0c:29:c8:ac:0a (IE11Win7) via eno16777736
Nov 7 11:28:54 domain dhcpd: DHCPACK on 192.168.6.248 to 00:0c:29:c8:ac:0a (IE11Win7) via eno16777736
Nov 7 11:28:54 domain named[1768]: samba_dlz: starting transaction on zone example.lan
Nov 7 11:28:54 domain named[1768]: client 127.0.0.1#41858/key rndc-key: updating zone 'example.lan/NONE': update unsuccessful: IE11Win7.example.lan/TXT: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)
Nov 7 11:28:54 domain named[1768]: samba_dlz: cancelling transaction on zone example.lan
Nov 7 11:28:54 domain dhcpd: Forward map from IE11Win7.example.lan to 192.168.6.248 FAILED: Has an address record but no DHCID, not mine.
Nov 7 11:28:55 domain named[1768]: samba_dlz: starting transaction on zone example.lan
Nov 7 11:28:55 domain named[1768]: client 192.168.6.248#52919: update 'example.lan/IN' denied
Nov 7 11:28:55 domain named[1768]: samba_dlz: cancelling transaction on zone example.lan
Nov 7 11:28:55 domain named[1768]: samba_dlz: starting transaction on zone example.lan
Nov 7 11:28:55 domain named[1768]: samba_dlz: disallowing update of signer=IE11WIN7\$\@example.LAN name=IE11Win7.example.lan type=AAAA error=insufficient access rights
Nov 7 11:28:55 domain named[1768]: client 192.168.6.248#58025/key IE11WIN7\$\@example.LAN: updating zone 'example.lan/NONE': update failed: rejected by secure update (REFUSED)
Nov 7 11:28:55 domain named[1768]: samba_dlz: cancelling transaction on zone example.lan
Nov 7 11:28:55 domain named[1768]: samba_dlz: starting transaction on zone example.lan
Nov 7 11:28:55 domain named[1768]: client 192.168.6.248#50884: update 'example.lan/IN' denied
Nov 7 11:28:55 domain named[1768]: samba_dlz: cancelling transaction on zone example.lan
Nov 7 11:28:55 domain named[1768]: samba_dlz: starting transaction on zone example.lan
Nov 7 11:28:55 domain named[1768]: samba_dlz: disallowing update of signer=IE11WIN7\$\@example.LAN name=IE11Win7.example.lan type=AAAA error=insufficient access rights
Nov 7 11:28:55 domain named[1768]: client 192.168.6.248#55006/key IE11WIN7\$\@example.LAN: updating zone 'example.lan/NONE': update failed: rejected by secure update (REFUSED)
Nov 7 11:28:55 domain named[1768]: samba_dlz: cancelling transaction on zone example.lan
#######################
messages end;
#######################
#######################
DHCP.conf begin;
#######################
# ISC dhcpd configuration for 192.168.6.0/24; lease events are pushed into DNS.
authoritative;
server-identifier domain.example.lan;
# NOTE(review): with ddns-updates on and the interim style, dhcpd sends its own
# dynamic updates in addition to the on commit/release/expiry hooks below that
# run dhcp-dyndns.sh, so two writers touch the same records - confirm that
# both are intended.
ddns-update-style interim;
ddns-updates on;
ddns-domainname "example.lan";
ddns-rev-domainname "in-addr.arpa";
update-static-leases true;
# Clients are not allowed to choose the name dhcpd registers for them.
ignore client-updates;
# TSIG key material (rndc-key, referenced by the forward zone below); keep this
# file readable only by the accounts that need it.
include "/etc/rndc.key";
zone example.lan. { # Forward zone to be updated
primary 127.0.0.1;
key rndc-key;
}
# NOTE(review): unlike the forward zone, no key is named here, so dhcpd's own
# updates to the reverse zone would be sent unsigned - confirm this is intended.
zone 6.168.192.in-addr.arpa. { # Backward zone to be updated
primary 127.0.0.1;
}
subnet 192.168.6.0 netmask 255.255.255.0 {
#####################
# Lease granted: build the client's IP, MAC and name, log them, and hand them
# to the external update script.
on commit {
set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientMac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
# The first candidate is the host-name option sent by the client, so ClientName
# is client-controlled data; the script that receives it must validate it before
# writing it into a DNS update.
set ClientName = pick-first-value(option host-name, host-decl-name, config-option host-name, noname);
log(concat("Commit: IP: ", ClientIP, " Mac: ", ClientMac, " Name: ", ClientName));
execute("/usr/local/sbin/dhcp-dyndns.sh", "add", ClientIP, ClientName, ClientMac);
}
# Lease released by the client: the script is called with an empty name.
on release {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
set ClientMac = binary-to-ascii(16, 8, ":", substring(hardware, 1, 6));
log(concat("Release: IP: ", ClientIP, " Mac: ", ClientMac));
# cannot get a ClientName here, for some reason that always fails
execute("/usr/local/sbin/dhcp-dyndns.sh", "delete", ClientIP, "", ClientMac);
}
# Lease expired: the script is called with an empty name and "0" as the MAC.
on expiry {
set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
# cannot get a ClientMac here, apparently this only works when actually receiving a packet
log(concat("Expired: IP: ", ClientIP));
# cannot get a ClientName here, for some reason that always fails
execute("/usr/local/sbin/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
}
# --- default gateway
#option options-135 "example.lan"
#option domain-list "example.lan";
option routers 192.168.6.2;
option subnet-mask 255.255.255.0;
option nis-domain "example.lan";
option domain-name "example.lan";
option domain-search "example.lan";
option domain-name-servers 192.168.6.241;
option time-offset 10800; # FET
option ntp-servers 192.168.6.241;
option netbios-name-servers 192.168.6.241;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
option netbios-node-type 2;
# Dynamic pool: 192.168.6.242 through 192.168.6.250.
# NOTE(review): the pool's upper bound is also the fixed-address of the host
# declaration below - confirm the overlap is intended.
range 192.168.6.242 192.168.6.250;
# 1728000 s = 20 days for both the default and the maximum lease.
default-lease-time 1728000;
max-lease-time 1728000;
# Network boot: BOOTP clients are served and pointed at /pxelinux.0 on 192.168.6.241.
allow booting;
allow bootp;
next-server 192.168.6.241;
filename "/pxelinux.0";
# we want the nameserver to appear at a fixed address
host win.example.lan {
hardware ethernet 00:01:02:03:04:05;
fixed-address 192.168.6.250;
}
}
#######################
DHCP.conf end;
#######################
#######################
named.conf begin;
#######################
# BIND configuration for the Samba 4 AD DNS server (zones come from the Samba
# include at the end of the file).
options {
listen-on port 53 {192.168.6.241; 127.0.0.1; };
# listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
# allow-query { localhost; };
########MY SETTINGS########
forwarders {8.8.8.8; };
notify no;
# Queries and recursion are limited to the LAN and loopback.
allow-query { 192.168.6.0/24; 127.0.0.0/8; };
allow-recursion { 192.168.6.0/24; 127.0.0.0/8; };
# NOTE(review): this grants dynamic-update rights by source address alone, with
# no key, to every host on the LAN for any zone that inherits the option.
# Source addresses are not authentication; prefer key-based rules
# (update-policy / GSS-TSIG) and drop this line if nothing depends on it.
allow-update { 192.168.6.0/24; 127.0.0.0/8; };
# Do not disclose version, host name or server id in response to queries.
version none;
hostname none;
server-id none;
# Keytab and domain used for GSS-TSIG (Kerberos-signed) dynamic updates.
tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab"; #
tkey-domain "example.lan";
########MY SETTINGS########
# recursion yes;
# NOTE(review): DNSSEC validation is switched off, so answers obtained through
# the forwarder are accepted unvalidated; dnssec-lookaside has no effect while
# validation is disabled.
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
# rndc control channel: loopback only, authenticated with rndc-key.
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
# NOTE(review): this shared secret sits inline in the main config and has been
# published together with it, so it should be treated as disclosed and
# regenerated. The same key name authenticates the rndc control channel above
# and dhcpd's forward-zone updates. hmac-md5 is a legacy TSIG algorithm; when
# regenerating, prefer hmac-sha256 and keep the key in a separate file with
# restricted permissions.
key "rndc-key" {
algorithm hmac-md5;
secret "MC0/UsgrLQF1RdZTiUBwAA==";
};
include "/etc/named.root.key";
#include "/etc/named.rfc1912.zones";
# Zone definitions generated by Samba.
include "/usr/local/samba/private/named.conf";
######################
named.conf end;
######################
#######################
dhcp-dyndns.conf begin;
#######################
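#!/bin/sh
# Called by dhcpd on lease commit / release / expiry to add or remove the
# A and PTR records of a lease with Kerberos-signed (GSS-TSIG) nsupdate.
#
# Arguments:
#   $1  action: "add" or "delete"
#   $2  lease IPv4 address (dotted quad)
#   $3  client host name; only the first label is used; may be empty on delete
#   $4  client MAC address (accepted, not used here)
# Settings read from /usr/local/etc/dhcp-dyndns.conf:
#   keytab, kname, realm, server, domain, time
# Exit status: 0 on success, non-zero if validation, kinit or nsupdate fails.
#
# $3 is chosen by the DHCP client. Every value is checked before it is written
# into the nsupdate command stream, so a crafted name (spaces, newlines) cannot
# add statements of its own to the update.

# Fixed locale so the bracket ranges below match ASCII characters only.
LC_ALL=C
export LC_ALL

die() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
  exit 1
}

# Send one update to $server; each argument is one nsupdate statement.
run_nsupdate() {
  {
    printf 'server %s\n' "$server"
    printf '%s\n' "$@"
    printf 'send\n'
  } | nsupdate -g
}

action=$1
ip=$2
host=${3%%.*} # first label only, as the original awk -F '.' '{print $1}' did
mac=$4        # kept for interface compatibility; unused

. /usr/local/etc/dhcp-dyndns.conf

# Fail early, with the variable name in the message, if the config is incomplete.
: "${keytab:?not set in dhcp-dyndns.conf}"
: "${kname:?not set in dhcp-dyndns.conf}"
: "${realm:?not set in dhcp-dyndns.conf}"
: "${server:?not set in dhcp-dyndns.conf}"
: "${domain:?not set in dhcp-dyndns.conf}"
: "${time:?not set in dhcp-dyndns.conf}"

case "$action" in
  add | delete) ;;
  *) die "unknown action (expected add or delete)" ;;
esac

# The address must be exactly four decimal octets; anything else is refused.
case "$ip" in
  '' | *[!0-9.]*) die "invalid IPv4 address" ;;
esac
ptr=$(printf '%s\n' "$ip" | awk -F '.' '
  NF == 4 && $1 != "" && $2 != "" && $3 != "" && $4 != "" &&
  $1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255 {
    print $4 "." $3 "." $2 "." $1 ".in-addr.arpa"
  }')
[ -n "$ptr" ] || die "invalid IPv4 address"

# A single DNS label: letters, digits, hyphen, underscore; no leading hyphen.
case "$host" in
  -* | *[!A-Za-z0-9_-]*) die "invalid host name" ;;
esac

# Without a ticket every nsupdate -g below would fail, so stop here.
/usr/bin/kinit -k -t "$keytab" "$kname@$realm" || die "kinit failed"

status=0
case "$action" in
  add)
    [ -n "$host" ] || die "add requires a host name"
    run_nsupdate \
      "update delete $host.$domain $time A" \
      "update add $host.$domain $time A $ip" || status=$?
    run_nsupdate \
      "update delete $ptr $time PTR" \
      "update add $ptr $time PTR $host.$domain" || status=$?
    ;;
  delete)
    # With an empty name the forward record would be ".$domain", which is not
    # the lease's record, so only the PTR is removed in that case.
    if [ -n "$host" ]; then
      run_nsupdate "update delete $host.$domain $time A" || status=$?
    fi
    run_nsupdate "update delete $ptr $time PTR" || status=$?
    ;;
esac
exit "$status"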
########################
dhcp-dyndns.conf end;
########################
В чём может быть проблема?