Rowland Penny
2021-Nov-10 15:59 UTC
[Samba] Device ends up with multiple dns records and IP addresses
On Wed, 2021-11-10 at 15:06 +0000, Sebastian Arcus via samba wrote:
> On 09/11/2021 14:29, Rowland Penny via samba wrote:
> > On Tue, 2021-11-09 at 13:08 +0000, Sebastian Arcus via samba wrote:
> > > I have just checked this server today, and the printer has two IP
> > > addresses again:
> > >
> > > # host SEC001599AB9439
> > > SEC001599AB9439.ihs-uk.lan has address 192.168.51.235
> > > SEC001599AB9439.ihs-uk.lan has address 192.168.51.229
> > >
> > > There are some other hosts with multiple IP's - an iPhone has 5 IP
> > > addresses.
> > >
> > > I then went to test manually adding a record with two IP addresses to
> > > the dns server using the dhcp-dyndns.sh script:
> > >
> > > /etc/dhcpd.d# ./dhcp-ddns.sh add 192.168.51.200 abcdef test1
> >
> > What OS is this running on ?
> > I do not recognise '/etc/dhcpd.d'
> >
> > > However, by inserting debug statements, I discovered that the line
> > > above
> >
> > Can you supply the script line that crashes for you.
>
> Ok - I might have a bit more useful information. I've added lots of
> debug lines in the script and the source of the error messages seems to
> be two fold: if there is already an A record in the dns back-end with
> multiple IPs, and/or a PTR record with multiple hostnames, both the
> corresponding "samba-tool dns delete ..." statements fail with those
> errors. Then everything snowballs down the hill, as every time the
> device gets a new IP address, the script keeps on adding more multiple
> records to the database, with no chance of recovering from there.
>
> I still don't know for sure how did the multiple records happen in the
> first place. I do know however why I was still getting the error after
> deleting all the IPs in the dns back-end for this printer - it's because
> I didn't realise that there was also a PTR record with multiple
> hostnames, as well as the A record with multiple IPs.
>
> Does the above help a bit? I don't know if the script should be changed
> to recognise multiple IP's / hostnames being returned when querying the
> dns back-end - and cope with that scenario? Or maybe that should just
> never ever happen in the first place?

OK, try upgrading the script, the latest version has this:

    add)
        _KERBEROS
        count=0
        # does host have an existing 'A' record ?
        A_REC=$(samba-tool dns query ${Server} ${domain} ${name} A -k yes 2>/dev/null | grep 'A:' | awk '{print $2}')
        if [[ -z $A_REC ]]; then
            # no A record to delete
            result1=0
            samba-tool dns add ${Server} ${domain} "${name}" A ${ip} -k yes
            result2="$?"
        elif [ "$A_REC" = "${ip}" ]; then
            # Correct A record exists, do nothing
            logger "Correct 'A' record exists, not updating."
            result1=0
            result2=0
            count=$((count+1))
        elif [ "$A_REC" != "${ip}" ]; then
            # Wrong A record exists
            logger "'A' record changed, updating record."
            samba-tool dns delete ${Server} ${domain} "${name}" A ${A_REC} -k yes
            result1="$?"
            samba-tool dns add ${Server} ${domain} "${name}" A ${ip} -k yes
            result2="$?"
        fi

The script now checks if the record exists and then does one of three
things:

It adds the record if one doesn't exist

If the record exists and it matches the supplied data, it does nothing

If the record exists and it doesn't match the supplied data, the record
is deleted and a new record added

The 0.9.0 version of the script did not do this.

Rowland
Ingo Asche
2021-Nov-10 19:21 UTC
[Samba] Device ends up with multiple dns records and IP addresses
Hi Rowland,

I tried the actual script just now and it quits in syslog with exit
status 256. I then started the script manually with the variables used
and I get this output:

WARNING: The option -k|--kerberos is deprecated!
ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 1094, in run
    raise e
  File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 1088, in run
    0, server, zone, name, add_rec_buf, None)

I double-checked that I have done everything as written in the Wiki
article and found no error.

Regards

Ingo
https://github.com/WAdama

Rowland Penny via samba wrote on 10.11.2021 at 16:59:
> On Wed, 2021-11-10 at 15:06 +0000, Sebastian Arcus via samba wrote:
>> On 09/11/2021 14:29, Rowland Penny via samba wrote:
>>> On Tue, 2021-11-09 at 13:08 +0000, Sebastian Arcus via samba wrote:
>>>> I have just checked this server today, and the printer has two IP
>>>> addresses again:
>>>>
>>>> # host SEC001599AB9439
>>>> SEC001599AB9439.ihs-uk.lan has address 192.168.51.235
>>>> SEC001599AB9439.ihs-uk.lan has address 192.168.51.229
>>>>
>>>> There are some other hosts with multiple IP's - an iPhone has 5 IP
>>>> addresses.
>>>>
>>>> I then went to test manually adding a record with two IP addresses to
>>>> the dns server using the dhcp-dyndns.sh script:
>>>>
>>>> /etc/dhcpd.d# ./dhcp-ddns.sh add 192.168.51.200 abcdef test1
>>>
>>> What OS is this running on ?
>>> I do not recognise '/etc/dhcpd.d'
>>>
>>>> However, by inserting debug statements, I discovered that the line
>>>> above
>>>
>>> Can you supply the script line that crashes for you.
>>
>> Ok - I might have a bit more useful information. I've added lots of
>> debug lines in the script and the source of the error messages seems to
>> be two fold: if there is already an A record in the dns back-end with
>> multiple IPs, and/or a PTR record with multiple hostnames, both the
>> corresponding "samba-tool dns delete ..." statements fail with those
>> errors. Then everything snowballs down the hill, as every time the
>> device gets a new IP address, the script keeps on adding more multiple
>> records to the database, with no chance of recovering from there.
>>
>> I still don't know for sure how did the multiple records happen in the
>> first place. I do know however why I was still getting the error after
>> deleting all the IPs in the dns back-end for this printer - it's because
>> I didn't realise that there was also a PTR record with multiple
>> hostnames, as well as the A record with multiple IPs.
>>
>> Does the above help a bit? I don't know if the script should be changed
>> to recognise multiple IP's / hostnames being returned when querying the
>> dns back-end - and cope with that scenario? Or maybe that should just
>> never ever happen in the first place?
>
> OK, try upgrading the script, the latest version has this:
>
>     add)
>         _KERBEROS
>         count=0
>         # does host have an existing 'A' record ?
>         A_REC=$(samba-tool dns query ${Server} ${domain} ${name} A -k yes 2>/dev/null | grep 'A:' | awk '{print $2}')
>         if [[ -z $A_REC ]]; then
>             # no A record to delete
>             result1=0
>             samba-tool dns add ${Server} ${domain} "${name}" A ${ip} -k yes
>             result2="$?"
>         elif [ "$A_REC" = "${ip}" ]; then
>             # Correct A record exists, do nothing
>             logger "Correct 'A' record exists, not updating."
>             result1=0
>             result2=0
>             count=$((count+1))
>         elif [ "$A_REC" != "${ip}" ]; then
>             # Wrong A record exists
>             logger "'A' record changed, updating record."
>             samba-tool dns delete ${Server} ${domain} "${name}" A ${A_REC} -k yes
>             result1="$?"
>             samba-tool dns add ${Server} ${domain} "${name}" A ${ip} -k yes
>             result2="$?"
>         fi
>
> The script now checks if the record exists and then does one of three
> things:
>
> It adds the record if one doesn't exist
>
> If the record exists and it matches the supplied data, it does nothing
>
> If the record exists and it doesn't match the supplied data, the record
> is deleted and a new record added
>
> The 0.9.0 version of the script did not do this.
>
> Rowland
Sebastian Arcus
2021-Nov-11 13:53 UTC
[Samba] Device ends up with multiple dns records and IP addresses
On 10/11/2021 15:59, Rowland Penny via samba wrote:
> On Wed, 2021-11-10 at 15:06 +0000, Sebastian Arcus via samba wrote:
>> On 09/11/2021 14:29, Rowland Penny via samba wrote:
>>> On Tue, 2021-11-09 at 13:08 +0000, Sebastian Arcus via samba wrote:
>>>> I have just checked this server today, and the printer has two IP
>>>> addresses again:
>>>>
>>>> # host SEC001599AB9439
>>>> SEC001599AB9439.ihs-uk.lan has address 192.168.51.235
>>>> SEC001599AB9439.ihs-uk.lan has address 192.168.51.229
>>>>
>>>> There are some other hosts with multiple IP's - an iPhone has 5 IP
>>>> addresses.
>>>>
>>>> I then went to test manually adding a record with two IP addresses to
>>>> the dns server using the dhcp-dyndns.sh script:
>>>>
>>>> /etc/dhcpd.d# ./dhcp-ddns.sh add 192.168.51.200 abcdef test1
>>>
>>> What OS is this running on ?
>>> I do not recognise '/etc/dhcpd.d'
>>>
>>>> However, by inserting debug statements, I discovered that the line
>>>> above
>>>
>>> Can you supply the script line that crashes for you.
>>
>> Ok - I might have a bit more useful information. I've added lots of
>> debug lines in the script and the source of the error messages seems to
>> be two fold: if there is already an A record in the dns back-end with
>> multiple IPs, and/or a PTR record with multiple hostnames, both the
>> corresponding "samba-tool dns delete ..." statements fail with those
>> errors. Then everything snowballs down the hill, as every time the
>> device gets a new IP address, the script keeps on adding more multiple
>> records to the database, with no chance of recovering from there.
>>
>> I still don't know for sure how did the multiple records happen in the
>> first place. I do know however why I was still getting the error after
>> deleting all the IPs in the dns back-end for this printer - it's because
>> I didn't realise that there was also a PTR record with multiple
>> hostnames, as well as the A record with multiple IPs.
>>
>> Does the above help a bit? I don't know if the script should be changed
>> to recognise multiple IP's / hostnames being returned when querying the
>> dns back-end - and cope with that scenario? Or maybe that should just
>> never ever happen in the first place?
>
> OK, try upgrading the script, the latest version has this:
>
>     add)
>         _KERBEROS
>         count=0
>         # does host have an existing 'A' record ?
>         A_REC=$(samba-tool dns query ${Server} ${domain} ${name} A -k yes 2>/dev/null | grep 'A:' | awk '{print $2}')
>         if [[ -z $A_REC ]]; then
>             # no A record to delete
>             result1=0
>             samba-tool dns add ${Server} ${domain} "${name}" A ${ip} -k yes
>             result2="$?"
>         elif [ "$A_REC" = "${ip}" ]; then
>             # Correct A record exists, do nothing
>             logger "Correct 'A' record exists, not updating."
>             result1=0
>             result2=0
>             count=$((count+1))
>         elif [ "$A_REC" != "${ip}" ]; then
>             # Wrong A record exists
>             logger "'A' record changed, updating record."
>             samba-tool dns delete ${Server} ${domain} "${name}" A ${A_REC} -k yes
>             result1="$?"
>             samba-tool dns add ${Server} ${domain} "${name}" A ${ip} -k yes
>             result2="$?"
>         fi
>
> The script now checks if the record exists and then does one of three
> things:
>
> It adds the record if one doesn't exist
>
> If the record exists and it matches the supplied data, it does nothing
>
> If the record exists and it doesn't match the supplied data, the record
> is deleted and a new record added
>
> The 0.9.0 version of the script did not do this.

Thank you for the suggestion. I've already tried 0.9.3 yesterday. It
does look like the code is a bit more robust - but the basic issue still
exists. If somehow the dns back-end ends up with an A record with
multiple IP addresses, or a PTR record with multiple hostnames (or
both), the "samba-tool dns query" command returns multiple lines and the
script is unable to delete the existing records - as it passes a
multi-line argument to "samba-tool dns delete ..." command - which
fails. So it just keeps on adding more IPs and/or hostnames to the
existing records anyway, without deleting existing ones.

Would it be safer for the script to at least detect the presence of
multi IP / multi host records, and maybe abort trying to add the
IP/hostname to the DNS back-end - and exit with an error? Or simply exit
if the "samba-tool dns delete ..." command returns an error? Or maybe
delete one by one all the IP addresses for the respective A record, and
all the hostnames for the PTR record - and then create the new A / PTR
record?
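
One way to implement the last two options raised above (delete each existing address on its own, and stop without adding if a delete fails), as an added example that is not part of the thread or of the dhcp-dyndns.sh script. The names `SAMBA_TOOL`, `reconcile_a_record`, `existing_a_records`, `fake_samba_tool` and the server name `dc1` are assumptions of this example, the stub's output format is constructed, and authentication options are left out.

```shell
#!/bin/sh
# Added example (not the wiki script). SAMBA_TOOL is a hypothetical override
# so a stub can replace the real binary; Kerberos options are omitted here.
SAMBA_TOOL=${SAMBA_TOOL:-samba-tool}

# Print each IPv4 address of the host's A record set, one per line.
existing_a_records() {  # args: server zone name
    "$SAMBA_TOOL" dns query "$1" "$2" "$3" A 2>/dev/null |
        awk '$1 == "A:" { print $2 }'
}

# Leave exactly one A record equal to $4. Stale addresses are deleted one
# per call; the first failed delete aborts before anything is added.
reconcile_a_record() (  # args: server zone name ip
    have_correct=no
    for rec in $(existing_a_records "$1" "$2" "$3"); do
        if [ "$rec" = "$4" ]; then
            have_correct=yes
        elif ! "$SAMBA_TOOL" dns delete "$1" "$2" "$3" A "$rec"; then
            echo "delete of stale A $rec for $3 failed, not adding $4" >&2
            exit 1
        fi
    done
    [ "$have_correct" = yes ] && exit 0
    "$SAMBA_TOOL" dns add "$1" "$2" "$3" A "$4"
)

# Constructed stand-in for samba-tool: A records live in $FAKE_DB, one IP
# per line. Arguments arrive as: dns <op> <server> <zone> <name> A [<ip>].
fake_samba_tool() {
    case "$2" in
        query)  sed 's/^/    A: /; s/$/ (flags=f0, ttl=3600)/' "$FAKE_DB" ;;
        add)    echo "$7" >> "$FAKE_DB" ;;
        delete) grep -vxF "$7" "$FAKE_DB" > "$FAKE_DB.new"
                mv "$FAKE_DB.new" "$FAKE_DB" ;;
    esac
}

# Demo on constructed data: the printer from the thread with two stale IPs.
demo() (
    FAKE_DB=$(mktemp) SAMBA_TOOL=fake_samba_tool
    printf '192.168.51.235\n192.168.51.229\n' > "$FAKE_DB"
    reconcile_a_record dc1 ihs-uk.lan SEC001599AB9439 192.168.51.200
    cat "$FAKE_DB"; rm -f "$FAKE_DB"
)

demo
```

The same loop applies to a PTR record with several hostnames, using the reverse zone, `PTR` as the record type and `$1 == "PTR:"` in the awk filter.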