Steps
=====

1. Deploy a Samba DC with BIND9_DLZ DNS (ALT Server 11.0 x86_64 minimal) and (optionally) a replica for it.

/etc/bind/options.conf:
> options {
>     forward first;
>     forwarders { <upstream-dns-ipv4>; };
>     version "unknown";
>     directory "/etc/bind/zone";
>     pid-file "none";
>     dump-file "/var/run/named_dump.db";
>     statistics-file "/var/run/named.stats";
>     recursing-file "/var/run/recursing";
>     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
>     minimal-responses yes;
>     listen-on { any; };
>     allow-query { localnets; <client-dc-ipv4-subnet>; };
>     allow-recursion { localnets; <client-dc-ipv4-subnet>; };
>     # include "/etc/bind/resolvconf-options.conf";
>     max-cache-ttl 86400;
> };
> logging {
>     category lame-servers {null;};
> };

2. Join the clients to the domain with a command of the form:
# system-auth write ad "SAMBA.TESTDOMAIN" "client" "SAMBA" "Administrator" "Pa##word" --winbind

3. # winbind-dnsupdate --allow-ipv4-ptr-update

4. # winbind-dnsupdate --allow-ipv6-ptr-update

Actual result
=============

3. IPv4:
> [INFO]: Hostname: client.samba.testdomain.
> [INFO]: Check winbind status.
> [INFO]: Winbind is running. Continue.
> [INFO]: Trying to get the site name.
> [INFO]: Site: Default-First-Site-Name.
> [INFO]: Get host credentials.
> [INFO]: Retrieving host credentials successfully.
> [INFO]: Trying to get a list of domain controllers in site.
> [INFO]: Success.
> [INFO]: Trying to find an available DNS server.
> [INFO]: Checking the availability of DNS server on dc2.samba.testdomain..
> [ERROR]: DNS server on dc2.samba.testdomain. not responding.
> [INFO]: Checking the availability of DNS server on dc.samba.testdomain..
> [INFO]: DNS server on dc.samba.testdomain. available.
> [INFO]: Update IPv4.
> [INFO]: Trying to get IPv4 address of a domain controller.
> [INFO]: Successful. DC info:
> [INFO]: Domain controller name: dc.samba.testdomain.
> [INFO]: Domain controller IPv4: <dc-ipv4>.
> [INFO]: Trying parse connection interface name.
> [INFO]: Successful. Interface name: ens19.
> [INFO]: Checking the existence of A record.
> [INFO]: IPv4 record exists.
> [INFO]: Checking the existence of a PTR record.
> [INFO]: PTR record not exists.
> [INFO]: Checking whether the IPv4 records needs to be updated.
> [INFO]: Current IPv4 address: <client-ipv4>.
> [INFO]: IPv4 address in DNS server: <client-ipv4>.
> [INFO]: The IPv4 address of interface ens19 has not been changed.
> [INFO]: The update IPv4 was skipped.
> [INFO]: The PTR record does not exist but IPv4 not changed and PTR record update enable.
> [INFO]: Start IPv4 PTR record registration.
> [ERROR]: Nsupdate error.
> [ERROR]: update failed: NOTAUTH
> [ERROR]: IPv4 PTR record update failed.

> dc.samba.testdomain named[1086]: client @0x7fe3eec2d498 <client-ipv6>#37789/key CLIENT\$\@SAMBA.TESTDOMAIN: update failed: <reverse-ipv4(3-octets)>.in-addr.arpa: not authoritative for update zone (NOTAUTH)

4. IPv6:
> [INFO]: Hostname: client.samba.testdomain.
> [INFO]: Check winbind status.
> [INFO]: Winbind is running. Continue.
> [INFO]: Trying to get the site name.
> [INFO]: Site: Default-First-Site-Name.
> [INFO]: Get host credentials.
> [INFO]: Retrieving host credentials successfully.
> [INFO]: Trying to get a list of domain controllers in site.
> [INFO]: Success.
> [INFO]: Trying to find an available DNS server.
> [INFO]: Checking the availability of DNS server on dc2.samba.testdomain..
> [ERROR]: DNS server on dc2.samba.testdomain. not responding.
> [INFO]: Checking the availability of DNS server on dc.samba.testdomain..
> [INFO]: DNS server on dc.samba.testdomain. available.
> [INFO]: Update IPv4.
> [INFO]: Trying to get IPv4 address of a domain controller.
> [INFO]: Successful. DC info:
> [INFO]: Domain controller name: dc.samba.testdomain.
> [INFO]: Domain controller IPv4: <dc-ipv4>.
> [INFO]: Trying parse connection interface name.
> [INFO]: Successful. Interface name: ens19.
> [INFO]: Checking the existence of A record.
> [INFO]: IPv4 record exists.
> [INFO]: Checking whether the IPv4 records needs to be updated.
> [INFO]: Current IPv4 address: <client-ipv4>.
> [INFO]: IPv4 address in DNS server: <client-ipv4>.
> [INFO]: The IPv4 address of interface ens19 has not been changed.
> [INFO]: The update IPv4 was skipped.
> [INFO]: IPv4 update was successful.
> [INFO]: Update IPv6.
> [INFO]: Trying to get IPv6 address of a domain controller.
> [INFO]: Successful. DC info:
> [INFO]: Domain controller name: dc.samba.testdomain.
> [INFO]: Domain controller IPv6: <dc-ipv6>.
> [INFO]: Trying parse connection interface name.
> [INFO]: Successful. Interface name: ens19.
> [INFO]: Checking the existence of AAAA record.
> [INFO]: IPv6 record exists.
> [INFO]: Checking the existence of a PTR record.
> [INFO]: PTR record not exists.
> [INFO]: Checking whether the IPv6 records needs to be updated.
> [INFO]: Current IPv6 address: <client-ipv6>:9207.
> [INFO]: IPv6 address in DNS server: <client-ipv6>:9207.
> [INFO]: The IPv6 address of interface ens19 has not been changed.
> [INFO]: The update IPv6 was skipped.
> [INFO]: The PTR record does not exist but IPv6 not changed and PTR record update enable.
> [INFO]: Start IPv6 PTR record registration.
> [ERROR]: Nsupdate error.
> [ERROR]: update failed: NOTAUTH
> [ERROR]: IPv6 PTR record update failed.

On the DC, in journalctl:
> dc.samba.testdomain named[1230]: client @0x7fa04ee7a898 <client-ipv6>:9207#33731/key S-W-EDU-XFCE\$\@SAMBA.TESTDOMAIN: update failed: <reverse-ipv6-zone(32-bytes-16-nibbles)>.ip6.arpa: not authoritative for update zone (NOTAUTH)

Expected result
===============

PTR records are updated successfully.

Additional information
======================

Reproduces only with BIND9_DLZ. With Internal DNS this error does not reproduce. Updates of A and AAAA records also complete without this error.

Reproducibility
===============

Reproduces on virtual machines:

[sisyphus]
alterator-auth-0.48-alt1.x86_64
samba-4.21.7-alt4.x86_64

[p11+387440.10]
alterator-auth-0.48-alt1.x86_64
samba-4.21.7-alt4.x86_64

[p11]
alterator-auth-0.45-alt1.x86_64
samba-4.20.8-alt2.x86_64
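
A triage helper for the named journal lines quoted above, as an added example that is not part of the original report or of winbind-dnsupdate: it groups failed dynamic updates by key principal, zone and rcode, and derives the reverse zone name for an address so it can be compared with the zones the DC actually serves. The /24 and /64 zone cuts follow the report's placeholders (3 octets, 16 nibbles); the function names and the documentation addresses in the sample are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Shape of the named "update failed" journal lines quoted in the report.
UPDATE_FAILED = re.compile(
    r"named\[\d+\]: client @0x[0-9a-f]+ \S+#\d+/key (?P<key>\S+): "
    r"update failed: (?P<zone>\S+): .*\((?P<rcode>[A-Z]+)\)\s*$"
)

def reverse_zone(address):
    """Reverse zone in the form seen in the failures: /24 for IPv4, /64 for IPv6."""
    ip = ipaddress.ip_address(address)
    # reverse_pointer lists octets (IPv4) or nibbles (IPv6), least significant first.
    labels = ip.reverse_pointer.split(".")
    host_labels = 1 if ip.version == 4 else 16
    return ".".join(labels[host_labels:])

def zone_kind(zone):
    """Classify a zone name as an IPv4 PTR, IPv6 PTR or forward zone."""
    zone = zone.rstrip(".").lower()
    if zone.endswith(".in-addr.arpa"):
        return "ipv4-ptr"
    if zone.endswith(".ip6.arpa"):
        return "ipv6-ptr"
    return "forward"

def summarize(lines):
    """Count failed updates per (key principal, zone, zone kind, rcode)."""
    counts = Counter()
    for line in lines:
        m = UPDATE_FAILED.search(line)
        if m:
            key = m["key"].replace("\\", "")  # named escapes $ and @ in the key name
            counts[(key, m["zone"], zone_kind(m["zone"]), m["rcode"])] += 1
    return counts

# Constructed sample: documentation addresses stand in for the report's placeholders.
SAMPLE = [
    r"dc.samba.testdomain named[1086]: client @0x7fe3eec2d498 2001:db8:0:1::9207#37789/key CLIENT\$\@SAMBA.TESTDOMAIN: update failed: 2.0.192.in-addr.arpa: not authoritative for update zone (NOTAUTH)",
    r"dc.samba.testdomain named[1086]: client @0x7fa04ee7a898 2001:db8:0:1::9207#33731/key CLIENT\$\@SAMBA.TESTDOMAIN: update failed: 1.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa: not authoritative for update zone (NOTAUTH)",
    "dc.samba.testdomain named[1086]: running",
]

if __name__ == "__main__":
    for (key, zone, kind, rcode), n in summarize(SAMPLE).items():
        print(f"{n:3d}  {rcode:8s} {kind:9s} {zone}  key={key}")
```

On a DC, feed `summarize` the lines from the named unit's journal instead of `SAMPLE`.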