Steven Monai
2023-May-18 03:31 UTC
[Samba] On Debian 12: nsupdate (as called from samba_dnsupdate) crashes named/bind9_dlz
Hello,

I am testing Samba (v.4.17.8) in Debian 12 ("Bookworm") for use on two DCs (as separate VMs) in a new AD domain.

"dc33" (IP: 10.150.10.33) is the first DC in the new domain ("ttwo.ad.example.org"), provisioned via 'samba-tool domain provision DC'.

"dc34" (IP: 10.150.10.34) is the second DC, joined to the domain via 'samba-tool domain join DC'.

The first oddity I encounter is I find that I have to manually run 'samba_dnsupdate' to create the new DC's NS and SRV records in the DNS. This seems new, as the DNS records were automatically created when I previously did an identical setup using Debian 11 ("Bullseye", Samba v.4.13.13).

Regardless, the second, and more surprising issue, is that the 'samba_dnsupdate' script, when run in its default mode, fails rather spectacularly. The script calls 'nsupdate' to add the new DNS records one-by-one, and EVERY call to 'nsupdate' results in a hard crash ("assertion failure") of the 'named' service on the first DC.

I am able to work around the issue by running 'samba_dnsupdate --use-samba-tool', which does not use 'nsupdate'.

Is this a known issue? Or is it more likely that I misconfigured something?

Anyway, here is a snippet of the output from the client side, when I run 'samba_dnsupdate':
------------------------------------------------------------------------
dc34:~# samba_dnsupdate --verbose
...
24 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc33.ttwo.ad.example.org as DC34$
update(nsupdate): NS ttwo.ad.example.org dc34.ttwo.ad.example.org
Calling nsupdate for NS ttwo.ad.example.org dc34.ttwo.ad.example.org (add)
Successfully obtained Kerberos ticket to DNS/dc33.ttwo.ad.example.org as DC34$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ttwo.ad.example.org. 900 IN NS dc34.ttwo.ad.example.org.

; Communication with 10.150.10.33#53 failed: end of file
Failed nsupdate: 2
...
(repeat failure 23 more times)
...
------------------------------------------------------------------------

And here is a snippet of the resulting log on the server side:
------------------------------------------------------------------------
dc33:~# journalctl -u named.service
...
May 17 11:50:53 dc33 named[920]: samba_dlz: allowing update of signer=DC34\$\@TTWO.AD.EXAMPLE.ORG name=ttwo.ad.example.org tcpaddr=10.150.10.34 type=NS key=389657593.sig-dc33.ttwo.ad.example.org/159/0
May 17 11:50:53 dc33 named[920]: samba_dlz: starting transaction on zone ttwo.ad.example.org
May 17 11:50:53 dc33 named[920]: client @0x7ff9731fb568 10.150.10.34#35837/key DC34\$\@TTWO.AD.EXAMPLE.ORG: updating zone 'ttwo.ad.example.org/NONE': adding an RR at 'ttwo.ad.example.org' NS dc34.ttwo.ad.example.org.
May 17 11:50:53 dc33 named[920]: name.c:664: REQUIRE(((name1) != ((void *)0) && ((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n'))))) failed, back trace
May 17 11:50:53 dc33 named[920]: /usr/sbin/named(+0x235e4) [0x557c33cec5e4]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(isc_assertion_failed+0xa) [0x7ff978239a5a]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libdns-9.18.12-1-Debian.so(dns_name_equal+0x179) [0x7ff977e999d9]
May 17 11:50:53 dc33 named[920]: /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_18.so(dlz_addrdataset+0x1c4) [0x7ff976a72b54]
May 17 11:50:53 dc33 named[920]: /usr/sbin/named(+0x212e4) [0x557c33cea2e4]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libdns-9.18.12-1-Debian.so(+0x12e4c4) [0x7ff977f2e4c4]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libdns-9.18.12-1-Debian.so(+0x4ec17) [0x7ff977e4ec17]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libns-9.18.12-1-Debian.so(+0x31dca) [0x7ff9787d8dca]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libns-9.18.12-1-Debian.so(+0x35466) [0x7ff9787dc466]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(isc_task_run+0x113) [0x7ff978258a43]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(+0x26cb2) [0x7ff978226cb2]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(+0x27337) [0x7ff978227337]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(+0x27e73) [0x7ff978227e73]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libuv.so.1(+0xf09d) [0x7ff97814e09d]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libuv.so.1(+0x22e3c) [0x7ff978161e3c]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libuv.so.1(uv_run+0xc4) [0x7ff97814e9e4]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(+0x27654) [0x7ff978227654]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(isc__trampoline_run+0x15) [0x7ff978261575]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libc.so.6(+0x88fd4) [0x7ff9774fbfd4]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libc.so.6(+0x1095bc) [0x7ff97757c5bc]
May 17 11:50:53 dc33 named[920]: exiting (due to assertion failure)
May 17 11:50:53 dc33 systemd[1]: named.service: Main process exited, code=dumped, status=6/ABRT
May 17 11:50:53 dc33 systemd[1]: named.service: Failed with result 'core-dump'.
May 17 11:50:53 dc33 systemd[1]: named.service: Scheduled restart job, restart counter is at 10.
...
(systemd restarts named, named crashes again soon after, etc., etc.)
...
------------------------------------------------------------------------

Thanks for your time.

Cheers,
-S.M.
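A triage sketch for the journal excerpt above, added here as an example and not part of the original thread or of Samba or BIND: it pairs each `named` assertion abort with the last `samba_dlz: allowing update` line logged by the same PID, so the signer, client address and record type that preceded the crash can be read off. The sample lines are abridged from the post, plus one constructed update that does not crash; the function and field names are assumptions.

```python
import re

# Sample journal text: abridged from the post above, plus one constructed
# update from a later named PID (1011) that is not followed by a crash.
SAMPLE = r"""
May 17 11:50:53 dc33 named[920]: samba_dlz: allowing update of signer=DC34\$\@TTWO.AD.EXAMPLE.ORG name=ttwo.ad.example.org tcpaddr=10.150.10.34 type=NS key=389657593.sig-dc33.ttwo.ad.example.org/159/0
May 17 11:50:53 dc33 named[920]: samba_dlz: starting transaction on zone ttwo.ad.example.org
May 17 11:50:53 dc33 named[920]: name.c:664: REQUIRE(...) failed, back trace
May 17 11:50:53 dc33 named[920]: /usr/sbin/named(+0x235e4) [0x557c33cec5e4]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libdns-9.18.12-1-Debian.so(dns_name_equal+0x179) [0x7ff977e999d9]
May 17 11:50:53 dc33 named[920]: /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_18.so(dlz_addrdataset+0x1c4) [0x7ff976a72b54]
May 17 11:50:53 dc33 named[920]: exiting (due to assertion failure)
May 17 12:01:10 dc33 named[1011]: samba_dlz: allowing update of signer=DC34\$\@TTWO.AD.EXAMPLE.ORG name=_ldap._tcp.ttwo.ad.example.org tcpaddr=10.150.10.34 type=SRV key=(constructed)
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ named\[(?P<pid>\d+)\]: (?P<msg>.*)$")
UPDATE = re.compile(r"samba_dlz: allowing update of signer=(?P<signer>\S+) name=(?P<name>\S+) tcpaddr=(?P<addr>\S*) type=(?P<type>\S+)")
ASSERT = re.compile(r"(?P<where>\S+\.c:\d+): (?:REQUIRE|INSIST|ENSURE)\(.*\) failed")
FRAME = re.compile(r"(?P<lib>/\S+?)\((?P<sym>\w+)\+0x[0-9a-f]+\)")  # symbolised frames only

def crashes_after_updates(text):
    """One record per named PID that aborted, with the last allowed update before it."""
    last_update, pending, out = {}, {}, []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a named[] line (e.g. systemd restart messages)
        pid, msg = m["pid"], m["msg"]
        if u := UPDATE.search(msg):
            # The journal shows '$' and '@' backslash-escaped in the signer.
            last_update[pid] = {**u.groupdict(), "signer": u["signer"].replace("\\", "")}
        elif a := ASSERT.search(msg):
            pending[pid] = {"assertion": a["where"], "frames": [], "via_dlz": False}
        elif pid in pending and (f := FRAME.search(msg)):
            pending[pid]["frames"].append(f["sym"])
            pending[pid]["via_dlz"] |= "dlz_bind9" in f["lib"]
        elif pid in pending and "exiting (due to assertion failure)" in msg:
            rec = pending.pop(pid)
            rec["update"] = last_update.get(pid)
            out.append(rec)
    return out

if __name__ == "__main__":
    print(crashes_after_updates(SAMPLE))
```

Feeding it the output of `journalctl -u named.service` from a DC groups repeated crash loops by the update that came before each abort.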
Rowland Penny
2023-May-18 07:29 UTC
[Samba] On Debian 12: nsupdate (as called from samba_dnsupdate) crashes named/bind9_dlz
On 18/05/2023 04:31, Steven Monai via samba wrote:
> Hello,
>
> I am testing Samba (v.4.17.8) in Debian 12 ("Bookworm") for use on two
> DCs (as separate VMs) in a new AD domain.
>
> "dc33" (IP: 10.150.10.33) is the first DC in the new domain
> ("ttwo.ad.example.org"), provisioned via 'samba-tool domain provision DC'.
>
> "dc34" (IP: 10.150.10.34) is the second DC, joined to the domain via
> 'samba-tool domain join DC'.
>
> The first oddity I encounter is I find that I have to manually run
> 'samba_dnsupdate' to create the new DC's NS and SRV records in the DNS.
> This seems new, as the DNS records were automatically created when I
> previously did an identical setup using Debian 11 ("Bullseye", Samba
> v.4.13.13).

Most of the DNS records are created during a provision, but very few are when joining an additional DC. That is where samba_dnsupdate comes in, it runs at Samba startup and then every 10 minutes, to create any missing dns records.

>
> Regardless, the second, and more surprising issue, is that the
> 'samba_dnsupdate' script, when run in its default mode, fails rather
> spectacularly. The script calls 'nsupdate' to add the new DNS records
> one-by-one, and EVERY call to 'nsupdate' results in a hard crash
> ("assertion failure") of the 'named' service on the first DC.

It definitely should not crash.

>
> I am able to work around the issue by running 'samba_dnsupdate
> --use-samba-tool', which does not use 'nsupdate'.
>
> Is this a known issue?

It has been known before, but without the crash.

> Or is it more likely that I misconfigured
> something?

Possibly, you haven't told us just how you have configured the OS and Samba.

>
> Anyway, here is a snippet of the output from the client side, when I run
> 'samba_dnsupdate':
> ------------------------------------------------------------------------
> dc34:~# samba_dnsupdate --verbose
> ...
> 24 DNS updates and 0 DNS deletes needed
> Successfully obtained Kerberos ticket to DNS/dc33.ttwo.ad.example.org as
> DC34$
> update(nsupdate): NS ttwo.ad.example.org dc34.ttwo.ad.example.org
> Calling nsupdate for NS ttwo.ad.example.org dc34.ttwo.ad.example.org (add)
> Successfully obtained Kerberos ticket to DNS/dc33.ttwo.ad.example.org as
> DC34$

That's one misconfiguration you probably have there, it looks like your second DC isn't using itself as its nameserver, it appears to be still using the first DC.

Rowland