samba - Dec 2017 - DHCP-DNS problems

Hello there.
So, I have a Samba AD setup, with DHCP and samba_dlz  setup as described in
the wiki.

However, I find that after a while, dynamic DHCPD updates stop working.
The fix is for me to restart the named server.

When in this state, I get log messages like:

 DHCPREQUEST for 192.168.52.232 (192.168.60.2) from 8c:be:be:0d:cf:3c
(RedmiNote4-Gj?gur) via 192.168.52.253
Dec 18 15:39:44 dc02 dhcpd: DHCPACK on 192.168.52.232 to 8c:be:be:0d:cf:3c
(RedmiNote4-Gj?gur) via 192.168.52.253
Dec 18 15:39:46 dc02 dhcpd: domain is rvx.is
Dec 18 15:39:46 dc02 dhcpd: doing add
Dec 18 15:39:46 dc02 dhcpd: update failed: NOTAUTH
Dec 18 15:39:47 dc02 dhcpd: update failed: NOTAUTH
Dec 18 15:39:47 dc02 logger: DHCP-DNS Update failed: 22


In this state, clearing the /tmp/dhcpd-dyndns.cc and/or regeneraing the
/etc/dhcpduser.keytab will not fix things.
Only restarting the "named"  server does, after which I get stuff lke:
Dec 18 15:41:38 dc02 dhcpd: domain is rvx.is
Dec 18 15:41:38 dc02 dhcpd: doing add
Dec 18 15:41:39 dc02 named[17215]: samba_dlz: starting transaction on zone
rvx.is
Dec 18 15:41:39 dc02 named[17215]: samba_dlz: allowing update of
signer=dhcpduser\@RVX.IS name=RedmiNote4-Gj?gur.rvx.is tcpaddr=127.0.0.1
type=A key=17359283
17.sig-dc02.rvx.is/160/0
etc...

I am running centos 7, bind 9.9.4,
Samba 4.7.3 compiled from sources.

>From what I can gather, /usr/local/bin/dhcpd-dyndns.sh is talking to the
local samba daemon.  Samba AD maintains the actual DNS entries.  Why does
the AD need confirmation with the bind daemon to update its internal
database?  Shouldn't the bind dameon, using samba_dlz, just contain the
local DC when serving queries?

Does anybody else have this problem?

Cheers!


-- 
Kv,
Kristján Valur Jónsson, RVX

On Mon, 18 Dec 2017 15:55:10 +0000
Kristján Valur Jónsson via samba <samba at lists.samba.org> wrote:
> Hello there.
> So, I have a Samba AD setup, with DHCP and samba_dlz  setup as
> described in the wiki.
> 
> However, I find that after a while, dynamic DHCPD updates stop
> working. The fix is for me to restart the named server.
> 
> When in this state, I get log messages like:
> 
>  DHCPREQUEST for 192.168.52.232 (192.168.60.2) from 8c:be:be:0d:cf:3c
> (RedmiNote4-Gj?gur) via 192.168.52.253
> Dec 18 15:39:44 dc02 dhcpd: DHCPACK on 192.168.52.232 to
> 8c:be:be:0d:cf:3c (RedmiNote4-Gj?gur) via 192.168.52.253
> Dec 18 15:39:46 dc02 dhcpd: domain is rvx.is
> Dec 18 15:39:46 dc02 dhcpd: doing add
> Dec 18 15:39:46 dc02 dhcpd: update failed: NOTAUTH
> Dec 18 15:39:47 dc02 dhcpd: update failed: NOTAUTH
> Dec 18 15:39:47 dc02 logger: DHCP-DNS Update failed: 22
> 
> 
> In this state, clearing the /tmp/dhcpd-dyndns.cc and/or regeneraing
> the /etc/dhcpduser.keytab will not fix things.
> Only restarting the "named"  server does, after which I get stuff
lke:
> Dec 18 15:41:38 dc02 dhcpd: domain is rvx.is
> Dec 18 15:41:38 dc02 dhcpd: doing add
> Dec 18 15:41:39 dc02 named[17215]: samba_dlz: starting transaction on
> zone rvx.is
Even this looks wrong, I would expect something like this:

Dec 18 07:43:59 dc3 dhcpd: DHCPREQUEST for 192.168.0.111 from cc:4e:ec:e9:c8:d3
via eth0
Dec 18 07:43:59 dc3 dhcpd: DHCPACK on 192.168.0.111 to cc:4e:ec:e9:c8:d3 via
eth0
Dec 18 07:47:33 dc3 dhcpd: Commit: IP: 192.168.0.88 DHCID: 1:ec:8:6b:c:cb:c2
Name: devstation
Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[0] =
/usr/local/bin/dhcp-dyndns.sh
Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[1] = add
Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[2] = 192.168.0.88
Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[3] = 1:ec:8:6b:c:cb:c2
Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[4] = devstation
Dec 18 07:47:33 dc3 named[22890]: samba_dlz: starting transaction on
zone samdom.example.com

You don't seem to have the lines that contain the required info.
> Dec 18 15:41:39 dc02 named[17215]: samba_dlz: allowing update of
> signer=dhcpduser\@RVX.IS name=RedmiNote4-Gj?gur.rvx.is
> tcpaddr=127.0.0.1 type=A key=17359283
> 17.sig-dc02.rvx.is/160/0
> etc...
> 
> I am running centos 7, bind 9.9.4,
> Samba 4.7.3 compiled from sources.
> 
> 
> From what I can gather, /usr/local/bin/dhcpd-dyndns.sh is talking to
> the local samba daemon.
No, the script uses nsupdate to update the records in AD.
>  Samba AD maintains the actual DNS entries.
> Why does the AD need confirmation with the bind daemon to update its
> internal database?  Shouldn't the bind dameon, using samba_dlz, just
> contain the local DC when serving queries?
> 
> Does anybody else have this problem?
>
Not that I am aware.

Can you post (or send them to me direct), the script you are using
(yes, I know it is the on wiki, but I want to check yours), your
dhcpd.conf file and your named.conf file(s)
 
Rowland

On 18 December 2017 at 16:20, Rowland Penny via samba <samba at
lists.samba.org
> wrote:
>
>
> Even this looks wrong, I would expect something like this:
>
> Dec 18 07:43:59 dc3 dhcpd: DHCPREQUEST for 192.168.0.111 from
> cc:4e:ec:e9:c8:d3 via eth0
> Dec 18 07:43:59 dc3 dhcpd: DHCPACK on 192.168.0.111 to cc:4e:ec:e9:c8:d3
> via eth0
> Dec 18 07:47:33 dc3 dhcpd: Commit: IP: 192.168.0.88 DHCID:
> 1:ec:8:6b:c:cb:c2 Name: devstation
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[0] >
/usr/local/bin/dhcp-dyndns.sh
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[1] = add
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[2] = 192.168.0.88
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[3] = 1:ec:8:6b:c:cb:c2
> Dec 18 07:47:33 dc3 dhcpd: execute_statement argv[4] = devstation
> Dec 18 07:47:33 dc3 named[22890]: samba_dlz: starting transaction on
> zone samdom.example.com
>
> You don't seem to have the lines that contain the required info.
>
Yes, funny it doesn't show up in /var/log/messages, but journalctl shows
it.  Here is an equivalent output:
Dec 18 14:45:20 dc02.rv

Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: Commit: IP: 192.168.62.107 DHCID:
1:a0:ce:c8:e:35:7c Name: Dadis-MBP
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[0]
/usr/local/bin/dhcp-dyndns.sh
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[1] = add
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[2] 192.168.62.107
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[3]
1:a0:ce:c8:e:35:7c
Dec 18 14:45:28 dc02.rvx.is dhcpd[318]: execute_statement argv[4] Dadis-MBP
Dec 18 14:45:29 dc02.rvx.is dhcpd[318]: domain is rvx.is
Dec 18 14:45:29 dc02.rvx.is dhcpd[318]: doing add
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
Dec 18 14:45:30 dc02.rvx.is logger[15729]: DHCP-DNS Update failed: 22
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: execute:
/usr/local/bin/dhcp-dyndns.sh exit status 5632
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: DHCPREQUEST for 192.168.62.107 from
a0:ce:c8:0e:35:7c (Dadis-MBP) via 192.168.62.254
Dec 18 14:45:30 dc02.rvx.is dhcpd[318]: DHCPACK on 192.168.62.107 to
a0:ce:c8:0e:35:7c (Dadis-MBP) via 192.168.62.254
Dec 18 14:45:48 dc02.rvx.is named[332]: validating @0x6dbff148:
paypal.adtag.where.com A: no valid signature found
Dec 18 14:46:46 dc02.rvx.is named[332]: validating @0x6dc25158:
crl.pki.goog A: no valid signature found
Dec 18 14:47:54 dc02.rvx.is samba[449]: [2017/12/18 14:47:54.504700,  0]
../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
Dec 18 14:47:54 dc02.rvx.is samba[449]:
 ../source4/dsdb/dns/dns_update.c:290: Failed DNS update - with error code
110
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: Commit: IP: 192.168.62.107 DHCID:
1:a0:ce:c8:e:35:7c Name: Dadis-MBP
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[0]
/usr/local/bin/dhcp-dyndns.sh
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[1] = add
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[2] 192.168.62.107
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[3]
1:a0:ce:c8:e:35:7c
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: execute_statement argv[4] Dadis-MBP
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: domain is rvx.is
Dec 18 14:49:01 dc02.rvx.is dhcpd[318]: doing add
Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
Dec 18 14:49:02 dc02.rvx.is named[332]: validating @0x6e5e4528:
www.perforce.com A: no valid signature found
Dec 18 14:49:02 dc02.rvx.is named[332]: validating @0x6dc28378: perforce.com
A: no valid signature found
Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: update failed: NOTAUTH
Dec 18 14:49:02 dc02.rvx.is logger[15810]: DHCP-DNS Update failed: 22
Dec 18 14:49:02 dc02.rvx.is dhcpd[318]: execute:
/usr/local/bin/dhcp-dyndns.sh exit status 5632


>
> No, the script uses nsupdate to update the records in AD.
>
Aha, ok, then it makes sense that restarting named will fix it. It would
appear that named goes into some sort of huff.

>
> Can you post (or send them to me direct), the script you are using
> (yes, I know it is the on wiki, but I want to check yours), your
> dhcpd.conf file and your named.conf file(s)
>
Sure.  This is a two-weeks-old setup, and like I said, it works initially,
then gets into trouble..  I'll send you the config.


-- 
Kv,
Kristján Valur Jónsson, RVX