samba - Jun 2018 - samba 4.8.3 samba_dnsupdate odd long timeouts

Hello,
I'll try to be as brief as possible.
I'm testing samba 4.8.3 on centos 7.5.
Fresh installation joined to existing AD domain that was ran with samba
4.7.6.

I did add 2 DC's with 4.8.3, then removed all 4.7.6 DC's. Everything
seemed
to work fine, except for adding DNS entries on one of the machines.

Samba by itself was unable to add them throwing error in log that dnsupdate
failed.
When running it with "samba_dnsupdate --verbose -d 10" it does
eventually
complete, but it takes FOREVER, roughly 300 seconds to complete each update.

DNS backend is BIND, it's not my first adventure with samba 4 AD, so I t h
i n k I covered most of the basics, that is:
- proper ownership of files for "named"
- trying with and without SELinux
- veryfing /etc/krb5.conf /usr/local/samba/etc/smb.conf and /etc/named.conf
for oddities, but I'm at a loss.

Both 4.8.3 machines were created from same template, just different host
names and IP addresses.

One machine works perfectly fine (upgradedns finishes in ~2 seconds or
less), other one needs 5 minutes per entry (times 20+... yeah, forever).

What I already checked:
obviously connection between both  boxes exists (replication works fine for
example)
both machines are VM's running inside same hypervisor,

Right now both DC's use each other as DNS (so DC1 -> DC2 and DC2 ->
DC1). I
tried changing it in whatever way, but resulstts were the same, DC2 works
prefectly, DC1 is unable to complete this job in reasonable time.

My smb.conf is pretty basic (standard what was created during join) + added
secure dns updates.

On the machine with slow dns update kerberos ticket is obtained without
issues, but for whatever reason it just takes time, as if machine was
timing out on something.

Also, there are no errors, and each timeout is roughly 250-300 seconds..

Regards,
Kacper

To follow up on my own question:

I still have no idea what caused this behaviour with dnsupdate, but 
removing DC with:

- first demote

- then remove-other-dead-server (I noticed it clears in much better way 
all entries

- removing whole samba dir and reinstalling it

- and simply re-joining this DC solved this issue, samba_dnsupdate 
--all-names completed in seconds with success.

Weird, at least for me, whatsoever, but if fixed "itself", I won't
complain.

Regards,

Kacper


W dniu 28.06.2018 o 18:20, Kacper Wirski via samba
pisze:
> Hello,
> I'll try to be as brief as possible.
> I'm testing samba 4.8.3 on centos 7.5.
> Fresh installation joined to existing AD domain that was ran with samba
> 4.7.6.
>
> I did add 2 DC's with 4.8.3, then removed all 4.7.6 DC's.
Everything seemed
> to work fine, except for adding DNS entries on one of the machines.
>
> Samba by itself was unable to add them throwing error in log that dnsupdate
> failed.
> When running it with "samba_dnsupdate --verbose -d 10" it does
eventually
> complete, but it takes FOREVER, roughly 300 seconds to complete each
update.
>
> DNS backend is BIND, it's not my first adventure with samba 4 AD, so I
t h
> i n k I covered most of the basics, that is:
> - proper ownership of files for "named"
> - trying with and without SELinux
> - veryfing /etc/krb5.conf /usr/local/samba/etc/smb.conf and /etc/named.conf
> for oddities, but I'm at a loss.
>
> Both 4.8.3 machines were created from same template, just different host
> names and IP addresses.
>
> One machine works perfectly fine (upgradedns finishes in ~2 seconds or
> less), other one needs 5 minutes per entry (times 20+... yeah, forever).
>
> What I already checked:
> obviously connection between both  boxes exists (replication works fine for
> example)
> both machines are VM's running inside same hypervisor,
>
> Right now both DC's use each other as DNS (so DC1 -> DC2 and DC2
-> DC1). I
> tried changing it in whatever way, but resulstts were the same, DC2 works
> prefectly, DC1 is unable to complete this job in reasonable time.
>
> My smb.conf is pretty basic (standard what was created during join) + added
> secure dns updates.
>
> On the machine with slow dns update kerberos ticket is obtained without
> issues, but for whatever reason it just takes time, as if machine was
> timing out on something.
>
> Also, there are no errors, and each timeout is roughly 250-300 seconds..
>
> Regards,
> Kacper