Jonathan Hunter
2016-Sep-23 14:11 UTC
[Samba] dnsupdate_nameupdate_done - Failed DNS update
Thank you Rowland.

I have a couple of reverse zones (different subnets across sites), yes, these are in Samba AD/DNS as well.

Where are you looking in the logs - I'm missing seeing the bit that shows an update happening then failing?

I tried tcpdump to find out what the query was that was failing, but I couldn't see any updates, just queries :(

On 23 September 2016 at 14:56, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 23 Sep 2016 14:40:56 +0100
> Jonathan Hunter via samba <samba at lists.samba.org> wrote:
>
> > Hi,
> >
> > All 3 of my DCs regularly display an error in syslog almost exactly
> > every 10 minutes. They have been doing this for quite some time, and
> > I have so far ignored the message as everything else DNS-wise seemed
> > to mostly be working - but I figured it was worth getting to the
> > bottom of it if I can. So this isn't new at all but rather something
> > that has been present for some time.
> >
> > I am using the internal Samba DNS server, currently with Samba 4.5.0.
> > The message is as follows, every 10 minutes (I have pasted in from
> > all 3 DCs here):
> >
> > Sep 23 13:03:54 dc1 samba[13117]: [2016/09/23 13:03:54.867360, 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
> > Sep 23 13:03:54 dc1 samba[13117]: ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 5
> >
> > Sep 23 13:00:11 dc2 samba[901]: [2016/09/23 13:00:11.584679, 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
> > Sep 23 13:00:11 dc2 samba[901]: ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 10
> >
> > Sep 23 13:05:28 dc3 samba[897]: [2016/09/23 13:05:28.800364, 0] ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
> > Sep 23 13:05:28 dc3 samba[897]: ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 1
> >
> > The precise error codes vary (I have had 1, 6, 10, 110 recently) but
> > I do get some sort of message every 10 minutes, and the error code
> > usually stays the same on a particular DC. If it makes a difference,
> > DC1 and DC2 are in site A, and DC3 is at site B, there is full
> > connectivity between them all (or at least, there should be).
> >
> > I've tried tcpdump and wireshark to figure out what's going on, but I
> > can't seem to spot any form of DNS request coming in that would be an
> > update. The most I can see via tcpdump at any time I've looked are
> > some queries that return NXDOMAIN - e.g. there are frequent ones from
> > a VMware ESXi server querying for
> > _kerberos-master.udp.MYDOMAIN.ORG.UK as per
> > https://communities.vmware.com/thread/491621 and getting NXDOMAIN -
> > but I wouldn't have thought that these queries would constitute a
> > "DNS update" that would fail?
> >
> > My debugging method so far has been to run tcpdump against port 53 -
> > but either I am somehow managing to not see the failing DNS packet
> > when I look at the results, or the DNS update arrives at the DC some
> > other way. Looking at the code in dns_update.c it looks like there
> > may be some form of regular DNS check, that is failing in my case?
> >
> > Does anybody know
> > - if I can turn debugging on for just this DNS functionality? I
> >   expect the log file here to be massive as a DC is also a DNS server..
> >   but hopefully that will give me more of a clue as to what "update" is
> >   failing?
> > - if there is some other way I might be able to capture / check this
> >   traffic?
> > - what else I should maybe be looking for in my packet dumps or
> >   elsewhere?
> >
> > Are the error codes regular UNIX values, in which case I believe
> > 1 = EPERM (Operation not permitted)
> > 6 = ENXIO (No such device or address)
> > 10 = ECHILD (No child processes)
> > 110 = ETIMEDOUT (Connection timed out)
> > This would explain what the errors mean; but I don't know why they are
> > occurring, and so regularly..
> >
> > Thank you for any pointers! :)
> >
> > Jonathan
> >
>
> Have you set up the reverse zone ?
> The logs appear to show an update happening followed by one failing,
> forward zone being allowed, reverse zone failing ??
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein

On Fri, 23 Sep 2016 15:11:21 +0100 Jonathan Hunter <jmhunter1 at gmail.com> wrote:

> Thank you Rowland.
>
> I have a couple of reverse zones (different subnets across sites),
> yes, these are in Samba AD/DNS as well.
>
> Where are you looking in the logs - I'm missing seeing the bit that
> shows an update happening then failing?
>
> I tried tcpdump to find out what the query was that was failing, but I
> couldn't see any updates, just queries :(
>

OOPS, should have read the code first, you are correct, what I thought was a success was just a portion of the code being run.

Try adding 'allow dns updates = nonsecure' to smb.conf

Rowland

Jonathan Hunter
2016-Sep-23 15:31 UTC
[Samba] dnsupdate_nameupdate_done - Failed DNS update
Thanks Rowland, I tried that just now, but as soon as I restarted samba, the error occurred again a few seconds afterwards.

The good news, I suppose, is that it's easy to reproduce - each time I restart samba I get the error :) But, it wasn't helped by adding "allow dns updates nonsecure" to smb.conf on one of my DCs.

I wonder if there is some error being flagged by the internal DNS sync mechanism, instead of the port 53 listener - which would explain why it happens when I start up samba, and why I can't see any relevant traffic using tcpdump..

The comment above 'dnsupdate_nameupdate_done' says that it is "called when dns update script has finished". If I did not get the error, the code would instead continue to run, and log the message "Completed DNS update check OK". Is there a way I can manually do whatever it is that a DNS update check does, to see where the problem lies?

Lingpanda101 - I don't have a specific log level set, so I'm just using whatever the default log level is. But, in the code I can see that these messages are logged with debug level 0, so they would appear regardless of what my log level was.

    DEBUG(0,(__location__ ": Failed DNS update - with error code %d\n", sys_errno));

On 23 September 2016 at 15:22, Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Fri, 23 Sep 2016 15:11:21 +0100
> Jonathan Hunter <jmhunter1 at gmail.com> wrote:
>
> > Thank you Rowland.
> >
> > I have a couple of reverse zones (different subnets across sites),
> > yes, these are in Samba AD/DNS as well.
> >
> > Where are you looking in the logs - I'm missing seeing the bit that
> > shows an update happening then failing?
> >
> > I tried tcpdump to find out what the query was that was failing, but I
> > couldn't see any updates, just queries :(
> >
> >
>
> OOPS, should have read the code first, you are correct, what I thought
> was a success was just a portion of the code being run.
>
> Try adding 'allow dns updates = nonsecure' to smb.conf
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
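
A log summary for the symptom described in this thread, as an added example that is not part of any poster's message or of Samba: it groups the "Failed DNS update" syslog lines per DC and checks whether they recur on the ten-minute cadence reported. The repeated log lines, the `year` argument and the function names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the dc1/dc2 failure lines quoted in the thread, plus
# constructed repeats roughly ten minutes apart to mimic the reported cadence.
SAMPLE_LOG = """\
Sep 23 13:03:54 dc1 samba[13117]: ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 5
Sep 23 13:13:54 dc1 samba[13117]: ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 5
Sep 23 13:23:55 dc1 samba[13117]: ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 5
Sep 23 13:00:11 dc2 samba[901]: ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 10
Sep 23 13:10:11 dc2 samba[901]: ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code 10
Sep 23 13:10:12 dc2 samba[901]: unrelated line that must be ignored
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) samba\[\d+\]: "
    r".*Failed DNS update - with error code (?P<code>\d+)\s*$"
)

def summarize(log_text, year=2016):
    """Return {host: {"codes": set, "count": int, "gaps": [seconds]}}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one (assumption)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["host"]].append((ts, int(m["code"])))
    report = {}
    for host, items in events.items():
        items.sort()
        times = [t for t, _ in items]
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report[host] = {"codes": {c for _, c in items},
                        "count": len(items), "gaps": gaps}
    return report

def periodic_hosts(report, period=600, tolerance=30):
    """Hosts whose every gap is within `tolerance` seconds of `period`."""
    return sorted(h for h, r in report.items() if r["gaps"]
                  and all(abs(g - period) <= tolerance for g in r["gaps"]))

if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for host in sorted(rep):
        print(host, rep[host])
    print("periodic:", periodic_hosts(rep))
```

A host that appears in `periodic_hosts` is failing on a timer rather than in response to client traffic, which fits the observation above that no update packets show up on port 53.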