samba - Apr 2016 - RNDC errors using SAMBA_INTERNAL_DNS

Hi all,

I've set up a simple domain using Samba 4.4.2 from source under Ubuntu 
16.04.

I accepted the usual defaults and basically followed wiki.samba.org to 
the letter.  The main thing is I'm using Samba's internal DNS and not 
Bind (Bind is not even installed on the system).

In the log.samba file on the first DC I kept getting this:

[2016/04/28 17:01:02.716292,  0] 
../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
   /usr/sbin/rndc: Failed to exec child - No such file or directory
[2016/04/28 17:01:02.717094,  0] 
../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
   ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - 
NT_STATUS_UNSUCCESSFUL

I'm not sure why dns_update would want to use rndc (bind utils) but I 
installed rndc just to see what it would do and now I get this error:

[2016/04/28 17:09:03.095642,  0] 
../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
   /usr/sbin/rndc: rndc: neither /etc/bind/rndc.conf nor 
/etc/bind/rndc.key was found
[2016/04/28 17:09:03.096090,  0] 
../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
   ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - 
NT_STATUS_ACCESS_DENIED

The error makes sense as Bind is not installed but I'm puzzled why it 
wants to do this even though it is set up as Samba Internal DNS.

On the second DC I get tsig verify failure messages but the Google 
consensus seems to be that these are safely ignored under Samba Internal 
DNS:

[2016/04/27 17:35:00.113802,  0] 
../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
   /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig 
verify failure
[2016/04/27 17:35:00.296862,  0] 
../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
   /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: tsig 
verify failure
[2016/04/27 17:35:00.316968,  0] 
../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
   ../source4/dsdb/dns/dns_update.c:295: Failed DNS update - 
NT_STATUS_UNSUCCESSFUL


Are either of these errors worth fixing or are they something to live 
with when using Samba Internal DNS?

Regards,

Wayne

On 28/04/16 17:21, Wayne Merricks wrote:
> Hi all,
>
> I've set up a simple domain using Samba 4.4.2 from source under Ubuntu 
> 16.04.
>
> I accepted the usual defaults and basically followed wiki.samba.org to 
> the letter.  The main thing is I'm using Samba's internal DNS and
not
> Bind (Bind is not even installed on the system).
>
> In the log.samba file on the first DC I kept getting this:
>
> [2016/04/28 17:01:02.716292,  0] 
> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>   /usr/sbin/rndc: Failed to exec child - No such file or directory
> [2016/04/28 17:01:02.717094,  0] 
> ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
>   ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - 
> NT_STATUS_UNSUCCESSFUL
>
> I'm not sure why dns_update would want to use rndc (bind utils) but I 
> installed rndc just to see what it would do and now I get this error:
>
> [2016/04/28 17:09:03.095642,  0] 
> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>   /usr/sbin/rndc: rndc: neither /etc/bind/rndc.conf nor 
> /etc/bind/rndc.key was found
> [2016/04/28 17:09:03.096090,  0] 
> ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
>   ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - 
> NT_STATUS_ACCESS_DENIED
>
> The error makes sense as Bind is not installed but I'm puzzled why it 
> wants to do this even though it is set up as Samba Internal DNS.
>
> On the second DC I get tsig verify failure messages but the Google 
> consensus seems to be that these are safely ignored under Samba 
> Internal DNS:
>
> [2016/04/27 17:35:00.113802,  0] 
> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: 
> tsig verify failure
> [2016/04/27 17:35:00.296862,  0] 
> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: 
> tsig verify failure
> [2016/04/27 17:35:00.316968,  0] 
> ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
>   ../source4/dsdb/dns/dns_update.c:295: Failed DNS update - 
> NT_STATUS_UNSUCCESSFUL
>
>
> Are either of these errors worth fixing or are they something to live 
> with when using Samba Internal DNS?
>
> Regards,
>
> Wayne
>
Strange, I compiled 4.4.2 myself and I don't have /usr/bin/rndc but 
everything is working ok, mind you, I do use Bind9.

What packages did you install before compiling Samba and what where your 
./configure options ?

Rowland

On 4/28/2016 1:05 PM, Rowland penny wrote:
> On 28/04/16 17:21, Wayne Merricks wrote:
>> Hi all,
>>
>> I've set up a simple domain using Samba 4.4.2 from source under 
>> Ubuntu 16.04.
>>
>> I accepted the usual defaults and basically followed wiki.samba.org 
>> to the letter.  The main thing is I'm using Samba's internal
DNS and
>> not Bind (Bind is not even installed on the system).
>>
>> In the log.samba file on the first DC I kept getting this:
>>
>> [2016/04/28 17:01:02.716292,  0] 
>> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>>   /usr/sbin/rndc: Failed to exec child - No such file or directory
>> [2016/04/28 17:01:02.717094,  0] 
>> ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
>>   ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - 
>> NT_STATUS_UNSUCCESSFUL
>>
>> I'm not sure why dns_update would want to use rndc (bind utils) but
I
>> installed rndc just to see what it would do and now I get this error:
>>
>> [2016/04/28 17:09:03.095642,  0] 
>> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>>   /usr/sbin/rndc: rndc: neither /etc/bind/rndc.conf nor 
>> /etc/bind/rndc.key was found
>> [2016/04/28 17:09:03.096090,  0] 
>> ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
>>   ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - 
>> NT_STATUS_ACCESS_DENIED
>>
>> The error makes sense as Bind is not installed but I'm puzzled why
it
>> wants to do this even though it is set up as Samba Internal DNS.
>>
>> On the second DC I get tsig verify failure messages but the Google 
>> consensus seems to be that these are safely ignored under Samba 
>> Internal DNS:
>>
>> [2016/04/27 17:35:00.113802,  0] 
>> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>>   /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: 
>> tsig verify failure
>> [2016/04/27 17:35:00.296862,  0] 
>> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>>   /usr/local/samba/sbin/samba_dnsupdate: ; TSIG error with server: 
>> tsig verify failure
>> [2016/04/27 17:35:00.316968,  0] 
>> ../source4/dsdb/dns/dns_update.c:295(dnsupdate_nameupdate_done)
>>   ../source4/dsdb/dns/dns_update.c:295: Failed DNS update - 
>> NT_STATUS_UNSUCCESSFUL
>>
>>
>> Are either of these errors worth fixing or are they something to live 
>> with when using Samba Internal DNS?
>>
>> Regards,
>>
>> Wayne
>>
>
> Strange, I compiled 4.4.2 myself and I don't have /usr/bin/rndc but 
> everything is working ok, mind you, I do use Bind9.
>
> What packages did you install before compiling Samba and what where 
> your ./configure options ?
>
> Rowland
>
>
I use Ubuntu 12.04 with Samba 4.4.2 and do not have this issue. It's as 
if Samba thinks you are using Bind. What is the output of

samba-tool testparm -v | grep |"server services ="

Is bind installed and or running on this system inadvertently? I'm 
curious if switching to bind and back to the internal DNS would solve this?

'samba_upgradedns --dns-backend=BIND9_DLZ'

then

'samba_upgradedns --dns-backend=SAMBA_INTERNAL'

Shutdown Samba first.

The tsig error you can safely ignore. Secure updates last I checked 
still don't work.

-- 
-James

On Thu, 2016-04-28 at 17:21 +0100, Wayne Merricks wrote:
> Hi all,
> 
> I've set up a simple domain using Samba 4.4.2 from source under
> Ubuntu 
> 16.04.
> 
> I accepted the usual defaults and basically followed wiki.samba.org
> to 
> the letter.  The main thing is I'm using Samba's internal DNS and
not
> Bind (Bind is not even installed on the system).
> 
> In the log.samba file on the first DC I kept getting this:
> 
> [2016/04/28 17:01:02.716292,  0] 
> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>    /usr/sbin/rndc: Failed to exec child - No such file or directory
> [2016/04/28 17:01:02.717094,  0] 
> ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
>    ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - 
> NT_STATUS_UNSUCCESSFUL
> 
> I'm not sure why dns_update would want to use rndc (bind utils) but I
> installed rndc just to see what it would do and now I get this error:
> 
> [2016/04/28 17:09:03.095642,  0] 
> ../lib/util/util_runcmd.c:328(samba_runcmd_io_handler)
>    /usr/sbin/rndc: rndc: neither /etc/bind/rndc.conf nor 
> /etc/bind/rndc.key was found
> [2016/04/28 17:09:03.096090,  0] 
> ../source4/dsdb/dns/dns_update.c:91(dnsupdate_rndc_done)
>    ../source4/dsdb/dns/dns_update.c:91: Failed rndc update - 
> NT_STATUS_ACCESS_DENIED
> 
> The error makes sense as Bind is not installed but I'm puzzled why it
> wants to do this even though it is set up as Samba Internal DNS.
This is a leftover from a time before the internal DNS server, and even
before the BIND9_DLZ module.  It is harmless, but of course should be
removed.  It is of some small value to those using the BIND_FLATFILE
backend, that is when we write out a static zone at provision time and
update a list of DCs into a file (with rights to change anything), and
call rndc to reload it.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba