James Johnston
2016-May-16 02:38 UTC
[Samba] Possible / probable bug: "net ads dns register" does not remove stale IPv6 AAAA records
Hi,

I'm experimenting with setting up winbind and so forth on a simple system joined to an existing AD domain, and I seem to have run into some rather broken behavior with DNS updates. As everyone knows, Active Directory is heavily dependent on DNS and it's good to make sure that the DNS records for each system joined to the domain stay up-to-date. So I'm testing to make sure that DNS records get properly updated when IP addresses change. It seems this is broken for IPv6.

Here is how I test:

1. Join SAMBA system to domain. DNS records are successfully populated.
2. In DNS Manager on the domain controller, modify an IP address to some bogus value, to simulate an IP address change on the joined client.
3. Run "net ads dns register -P" on the SAMBA system. Check DNS Manager and verify that the bogus DNS entry has been replaced with a correct one.

The above procedure works if I tweak an IPv4 address. But if I tweak an IPv6 address:

1. net ads dns register will still add the new address in a new AAAA record.
2. But it fails to delete the bogus address. So anybody resolving the name might get a bad IP address.

My configuration is simple; it is just a testing domain:

* Single domain controller & DNS server: Windows Server 2012 R2
* DHCP provided by dnsmasq on OpenWrt router. (dnsmasq also provides DNS, but it is set up to delegate a subdomain to the AD DNS server.)
* Joined system: Ubuntu 16.04 and SAMBA 4.3.9-Ubuntu

I think the guilty code might be here:

https://github.com/samba-team/samba/blob/82801f9ec895deb9536a2b0a4e0ce4b3d5853220/lib/addns/dnsrecord.c#L433

    /*
     * Delete any existing A records
     */
    err = dns_create_delete_record(req, hostname, QTYPE_A, DNS_CLASS_ANY, &rec);

But I don't see any similar code for cleaning AAAA records. My guess is it's as simple as adding another function call with QTYPE_AAAA, but I'm not a SAMBA programmer and this is my first time ever looking at SAMBA code...

I also just sent an e-mail regarding the proposed "net ads dns unregister" command, but now, upon further examination of the above code and the proposed patch, I suspect the "dns unregister" command would also fail to unregister IPv6 addresses until this is fixed. (But I have not checked for myself.)

Best regards,

James Johnston
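The verification in step 3 of the test above, done in code rather than by eye in DNS Manager, as an added example that is not part of the original post or of Samba: it resolves the name through the system resolver and reports, separately for A and AAAA, which published addresses are stale and which expected ones are missing, so a bogus AAAA record that survived re-registration shows up even though the correct one was also added. The hostname and addresses in the main block are constructed placeholders.

```python
"""Audit a host's A/AAAA records against the addresses it should publish."""
import ipaddress
import socket


def resolve_addresses(hostname: str) -> set[str]:
    """Return every A/AAAA address the system resolver returns for hostname."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return {sockaddr[0] for _family, _type, _proto, _canon, sockaddr in infos}


def split_by_family(addresses):
    """Split address strings into (ipv4_set, ipv6_set), normalising their text form."""
    v4, v6 = set(), set()
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        (v6 if ip.version == 6 else v4).add(str(ip))
    return v4, v6


def audit_records(published, expected):
    """Compare published DNS addresses with the expected ones.

    Returns {'A': (stale, missing), 'AAAA': (stale, missing)}: 'stale' holds
    addresses that are published but not expected (e.g. a bogus AAAA record
    that 'net ads dns register' left behind), 'missing' holds expected
    addresses that are not published at all.
    """
    pub4, pub6 = split_by_family(published)
    exp4, exp6 = split_by_family(expected)
    return {
        "A": (pub4 - exp4, exp4 - pub4),
        "AAAA": (pub6 - exp6, exp6 - pub6),
    }


if __name__ == "__main__":
    # Constructed placeholders: substitute the joined host's name and the
    # addresses its interfaces actually carry.
    HOST = "client.example.test"
    EXPECTED = {"192.0.2.10", "2001:db8::10"}
    report = audit_records(resolve_addresses(HOST), EXPECTED)
    for rtype, (stale, missing) in report.items():
        print(f"{rtype}: stale={sorted(stale) or '-'} missing={sorted(missing) or '-'}")
```

Run it after "net ads dns register -P"; any entry under AAAA stale is the leftover record the post describes.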