Hi guys,

I'm facing a problem with samba4 + bind9_dlz that has been consuming my time for several days.

Everything is working fine until samba4 needs to update DNS when I work with more than one DC server. When samba (or bind) needs to reload all zones, the module bind9_dlz shuts down and then my whole environment stops and I need to restart bind to get it up again.

See my log:

...
Jan 10 22:32:41 movd-gcp-002 named[9728]: Loading 'lovato.intranet' using driver dlopen
Jan 10 22:32:41 movd-gcp-002 named[9728]: samba_dlz: starting configure
Jan 10 22:32:41 movd-gcp-002 named[9728]: samba_dlz: Ignoring duplicate zone 'lovato.intranet' from 'DC=@,DC=lovato.intranet,CN=MicrosoftDNS,DC=DomainDnsZones,DC=lovato,DC=intranet'
Jan 10 22:32:41 movd-gcp-002 named[9728]: samba_dlz: Ignoring duplicate zone '_msdcs.lovato.intranet' from 'DC=@,DC=_msdcs.lovato.intranet,CN=MicrosoftDNS,DC=ForestDnsZones,DC=lovato,DC=intranet'
Jan 10 22:32:41 movd-gcp-002 named[9728]: isc_log_open 'named.run' failed: permission denied
Jan 10 22:32:41 movd-gcp-002 named[9728]: zone lovato.intranet/NONE: (other) removed
Jan 10 22:32:41 movd-gcp-002 named[9728]: zone _msdcs.lovato.intranet/NONE: (other) removed
Jan 10 22:32:41 movd-gcp-002 named[9728]: reloading configuration succeeded
Jan 10 22:32:41 movd-gcp-002 named[9728]: reloading zones succeeded
Jan 10 22:32:41 movd-gcp-002 named[9728]: samba_dlz: shutting down
Jan 10 22:32:41 movd-gcp-002 named[9728]: all zones loaded
Jan 10 22:32:41 movd-gcp-002 named[9728]: running
server reload successful

Bind stays up, but all dynamic zones stop and samba cannot update DNS names anymore.

What is curious is that this happens only on an rndc reload. I think that happens because the SAMBA dynamic zones are not cleaned and that causes the shutting down.

Jan 10 22:32:41 movd-gcp-002 named[9728]: samba_dlz: Ignoring duplicate zone '_msdcs.lovato.intranet' from 'DC=@,DC=_msdcs.lovato.intranet,CN=MicrosoftDNS,DC=ForestDnsZones,DC=lovato,DC=intranet'

If I restart bind, I think all zones, including dynamic zones, are cleaned and bind starts normally.

See log:

...
Jan 10 22:38:10 movd-gcp-002 named[10014]: Loading 'lovato.intranet' using driver dlopen
Jan 10 22:38:10 movd-gcp-002 named[10014]: samba_dlz: GENSEC backend 'gssapi_spnego' registered
Jan 10 22:38:10 movd-gcp-002 named[10014]: samba_dlz: GENSEC backend 'gssapi_krb5' registered
Jan 10 22:38:10 movd-gcp-002 named[10014]: samba_dlz: GENSEC backend 'gssapi_krb5_sasl' registered
Jan 10 22:38:10 movd-gcp-002 named[10014]: samba_dlz: GENSEC backend 'spnego' registered
Jan 10 22:38:10 movd-gcp-002 named[10014]: samba_dlz: GENSEC backend 'schannel' registered
Jan 10 22:38:10 movd-gcp-002 named[10014]: samba_dlz: GENSEC backend 'naclrpc_as_system' registered
Jan 10 22:38:10 movd-gcp-002 named[10014]: samba_dlz: GENSEC backend 'sasl-EXTERNAL' registered
Jan 10 22:38:10 movd-gcp-002 named[10014]: samba_dlz: GENSEC backend 'ntlmssp' registered
Jan 10 22:38:10 movd-gcp-002 named[10014]: samba_dlz: GENSEC backend 'ntlmssp_resume_ccache' registered
Jan 10 22:38:10 movd-gcp-002 named[10014]: samba_dlz: GENSEC backend 'http_basic' registered
Jan 10 22:38:10 movd-gcp-002 named[10014]: samba_dlz: GENSEC backend 'http_ntlm' registered
Jan 10 22:38:10 movd-gcp-002 named[10014]: samba_dlz: GENSEC backend 'krb5' registered
Jan 10 22:38:10 movd-gcp-002 named[10014]: samba_dlz: GENSEC backend 'fake_gssapi_krb5' registered
Jan 10 22:38:11 movd-gcp-002 named[10014]: samba_dlz: started for DN DC=lovato,DC=intranet
Jan 10 22:38:11 movd-gcp-002 named[10014]: samba_dlz: starting configure
Jan 10 22:38:11 movd-gcp-002 named[10014]: samba_dlz: configured writeable zone 'lovato.intranet'
Jan 10 22:38:11 movd-gcp-002 named[10014]: samba_dlz: configured writeable zone '_msdcs.lovato.intranet'
Jan 10 22:38:11 movd-gcp-002 named[10014]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
Jan 10 22:38:11 movd-gcp-002 named[10014]: command channel listening on 127.0.0.1#953
Jan 10 22:38:11 movd-gcp-002 named[10014]: command channel listening on ::1#953
Jan 10 22:38:11 movd-gcp-002 named[10014]: isc_log_open 'named.run' failed: permission denied
Jan 10 22:38:11 movd-gcp-002 named[10014]: managed-keys-zone: loaded serial 3
Jan 10 22:38:11 movd-gcp-002 named[10014]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2013050101
Jan 10 22:38:11 movd-gcp-002 named[10014]: zone localhost/IN: loaded serial 2013050101
Jan 10 22:38:11 movd-gcp-002 named[10014]: all zones loaded
Jan 10 22:38:11 movd-gcp-002 named[10014]: running

I've seen many other people with the same problem, but nobody posted any solution.

Can someone help me?

Regards.
mathias dufresne
2017-Jan-12 10:58 UTC
[Samba] Problems with bind9_dlz when rndc is reloaded
Hi Roger,

I'm using Samba as AD DC in version 4.5.0 on CentOS 7 with the Bind9_DLZ DNS backend, Bind is 9.9.4 and I don't have that issue.

I tried reloading my bind using systemctl at first and had no issue, then I tried "rndc reload" to be sure rndc was used, still no issue. By no issue I don't mean the logs are clean, I mean the DNS service is working well (tested using dig commands).

In my logs I have the very same complaints about "duplicate zone" which are ignored.

In my logs I don't have complaints about permissions on named.run. Perhaps you should have a look at that.

Cheers,

mathias

2017-01-10 23:39 GMT+01:00 Roger Lovato via samba <samba at lists.samba.org>:
> Hi guys,
>
> I'm facing a problem with samba4 + bind9_dlz that has been consuming my time for
> several days.
>
> Everything is working fine until samba4 needs to update DNS when I work
> with more than one DC server. When samba (or bind) needs to reload all
> zones, the module bind9_dlz shuts down and then my whole environment
> stops and I need to restart bind to get it up again.
>
> See my log:
>
> ...
> Jan 10 22:32:41 movd-gcp-002 named[9728]: reloading zones succeeded
> Jan 10 22:32:41 movd-gcp-002 named[9728]: samba_dlz: shutting down
> Jan 10 22:32:41 movd-gcp-002 named[9728]: all zones loaded
> Jan 10 22:32:41 movd-gcp-002 named[9728]: running
> server reload successful
>
> Bind stays up, but all dynamic zones stop and samba cannot update DNS
> names anymore.
>
> [...]
>
> I've seen many other people with the same problem, but nobody posted any
> solution.
>
> Can someone help me?
>
> Regards.
Mathias,

Thanks for your reply.

Please try to start your bind with some debug level, run the command "rndc reload" and look at the end of the log.

I looked at the samba source code and found the destroy dns function in dlz_bind9.c, called by torture dlz_bind9.c.

When dlz_bind9.c is shutting down, I get this error when I try to update dns:

update failed: NOTAUTH
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.ForestDnsZones.intranet.dominio movd-gcp-003.intranet.dominio 389
Calling nsupdate for SRV _ldap._tcp.ForestDnsZones.intranet.dominio movd-gcp-003.intranet.dominio 389 (add)
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ForestDnsZones.intranet.dominio. 900 IN SRV 0 100 389 movd-gcp-003.intranet.dominio.

Many other people also told me this does not happen until they test or put a second DC server on the network and find out the problem.

tks

________________________________
From: mathias dufresne <infractory at gmail.com>
Sent: Thursday, 12 January 2017 08:58:27
To: Roger Lovato
Cc: samba at lists.samba.org
Subject: Re: [Samba] Problems with bind9_dlz when rndc is reloaded

Hi Roger,

I'm using Samba as AD DC in version 4.5.0 on CentOS 7 with the Bind9_DLZ DNS backend, Bind is 9.9.4 and I don't have that issue.

[...]

In my logs I don't have complaints about permissions on named.run. Perhaps you should have a look at that.

Cheers,

mathias

2017-01-10 23:39 GMT+01:00 Roger Lovato via samba <samba at lists.samba.org<mailto:samba at lists.samba.org>>:

[...]

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
On Tue, Jan 10, 2017 at 2:39 PM, Roger Lovato via samba <samba at lists.samba.org> wrote:
> I'm facing a problems with samba4 + bind9_dlz that consuming my time for
> several days.
>
> Everything is working fine until samba4 need to update dns when I'm work
> with more than one DC server. When samba (or bind) need to reload all
> zones, the module bind9_dlz is shutting down and then all my environment
> stops and I need to restart the bind to up again.
>

Here is a related issue (I think) that might shed some light.

I am using CentOS 7.3 and samba 4.4.5. Dynamic registration of workstation addresses would work for a while and then stop working. I finally realized it stopped working after log rotation. The CentOS logrotate for named runs the following command after rotating the log file:

systemctl reload named.service

I disabled the rotation for named and now my dynamic updates don't break. So I think you are right that the "reload" breaks something. "Restart" works fine.
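Two offline checks that follow from this thread, written here as an added example (not code from the Samba project or from any of the posters): the first scans a named log for the signature shown in the first post, a "samba_dlz: shutting down" line with no later "samba_dlz: started for DN" for the same named pid, which is the state in which updates fail with NOTAUTH; the second lists postrotate commands in a logrotate stanza that reload named, the trigger the last reply identified. The sample log lines are taken from the thread; the logrotate stanza, the log file path and the `pidof named` usage in the comments are assumptions, not content from the page.

```shell
#!/bin/sh
# Added example for this thread (not Samba project code and not from any
# poster). Two checks for the bind9_dlz-after-reload failure mode:
#   dlz_state / dlz_check   - was the samba_dlz module of a given named
#                             process last seen "shutting down" (broken,
#                             as after "rndc reload") or "started for DN"
#                             (healthy, as after a full restart)?
#   logrotate_reload_hooks  - which postrotate commands reload named?
# File names and the logrotate stanza below are assumptions; the log
# sample is constructed from the lines quoted in the thread.
set -eu

# Constructed sample log: the reload at 22:32 (pid 9728) that leaves the DLZ
# module shut down, then the full restart at 22:38 (pid 10014) that heals it.
SAMPLE_NAMED_LOG="Jan 10 22:32:41 movd-gcp-002 named[9728]: samba_dlz: starting configure
Jan 10 22:32:41 movd-gcp-002 named[9728]: zone lovato.intranet/NONE: (other) removed
Jan 10 22:32:41 movd-gcp-002 named[9728]: reloading zones succeeded
Jan 10 22:32:41 movd-gcp-002 named[9728]: samba_dlz: shutting down
Jan 10 22:32:41 movd-gcp-002 named[9728]: all zones loaded
Jan 10 22:38:10 movd-gcp-002 named[10014]: Loading 'lovato.intranet' using driver dlopen
Jan 10 22:38:11 movd-gcp-002 named[10014]: samba_dlz: started for DN DC=lovato,DC=intranet
Jan 10 22:38:11 movd-gcp-002 named[10014]: samba_dlz: configured writeable zone 'lovato.intranet'
Jan 10 22:38:11 movd-gcp-002 named[10014]: all zones loaded"

# Constructed stand-in for a logrotate stanza carrying the reload hook the
# last reply describes (the real CentOS file contents are an assumption).
SAMPLE_LOGROTATE="/var/named/data/named.run {
    missingok
    postrotate
        /bin/systemctl reload named.service > /dev/null 2>&1 || true
    endscript
}"

# dlz_state LOGFILE [PID]: print "up", "down" or "unknown" for the samba_dlz
# module of named process PID (default: the last named pid seen in the log).
# Only the most recent samba_dlz lifecycle message per pid counts.
dlz_state() {
    awk -v want="${2:-}" '
        match($0, /named\[[0-9]+\]/) {
            pid = substr($0, RSTART + 6, RLENGTH - 7)   # digits inside named[...]
            last_pid = pid
            if ($0 ~ /samba_dlz: shutting down/)  state[pid] = "down"
            if ($0 ~ /samba_dlz: started for DN/) state[pid] = "up"
        }
        END {
            if (want == "") want = last_pid
            s = (want in state) ? state[want] : "unknown"
            print s
        }
    ' "$1"
}

# dlz_check LOGFILE [PID]: exit 0 when the module is up, 1 when it has shut
# down (dynamic updates fail with NOTAUTH until named is restarted), 2 when
# the log says nothing about that pid.
dlz_check() {
    case "$(dlz_state "$1" "${2:-}")" in
        up)   return 0 ;;
        down) echo "samba_dlz is shut down in named[${2:-last pid}]; restart named" >&2; return 1 ;;
        *)    return 2 ;;
    esac
}

# logrotate_reload_hooks CONFFILE: print each command inside a
# postrotate/endscript block that reloads named (systemctl or rndc).
logrotate_reload_hooks() {
    awk '
        /^[[:space:]]*postrotate/ { inhook = 1; next }
        /^[[:space:]]*endscript/  { inhook = 0; next }
        inhook && ($0 ~ /systemctl[[:space:]]+reload[[:space:]]+named/ || $0 ~ /rndc[[:space:]]+reload/) {
            sub(/^[[:space:]]+/, ""); print
        }
    ' "$1"
}

# Stand-alone demo on the constructed samples. On a real DC you would run,
# for example, dlz_check /var/log/messages "$(pidof named)" (paths assumed).
tmp_log=$(mktemp); tmp_lr=$(mktemp)
printf '%s\n' "$SAMPLE_NAMED_LOG" > "$tmp_log"
printf '%s\n' "$SAMPLE_LOGROTATE" > "$tmp_lr"
echo "named[9728]  after rndc reload: $(dlz_state "$tmp_log" 9728)"    # down
echo "named[10014] after restart:     $(dlz_state "$tmp_log" 10014)"   # up
echo "logrotate hooks that reload named:"
logrotate_reload_hooks "$tmp_lr"
rm -f "$tmp_log" "$tmp_lr"
```

Run the log check against the syslog that receives named's messages after every reload or log rotation; a "down" result for the running pid means the zones BIND still serves are the static ones only, and Samba's next samba_dnsupdate will fail exactly as in the second post. The logrotate audit explains why the breakage looked random in the last reply: it fires on rotation, not on any administrator action.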