Ingo Asche
2021-Nov-10 19:21 UTC
[Samba] Device ends up with multiple dns records and IP addresses
Hi Rowland,

I tried the actual script just now and it quits in syslog with exit status 256.

I then started the script manually with the variables used and I get this output:

WARNING: The option -k|--kerberos is deprecated!
ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 1094, in run
    raise e
  File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 1088, in run
    0, server, zone, name, add_rec_buf, None)

I double-checked that I have done everything as written in the Wiki article and found no error.

Regards
Ingo
https://github.com/WAdama

Rowland Penny via samba wrote on 10.11.2021 at 16:59:
> On Wed, 2021-11-10 at 15:06 +0000, Sebastian Arcus via samba wrote:
>> On 09/11/2021 14:29, Rowland Penny via samba wrote:
>>> On Tue, 2021-11-09 at 13:08 +0000, Sebastian Arcus via samba wrote:
>>>> I have just checked this server today, and the printer has two IP
>>>> addresses again:
>>>>
>>>> # host SEC001599AB9439
>>>> SEC001599AB9439.ihs-uk.lan has address 192.168.51.235
>>>> SEC001599AB9439.ihs-uk.lan has address 192.168.51.229
>>>>
>>>> There are some other hosts with multiple IP's - an iPhone has 5 IP
>>>> addresses.
>>>>
>>>> I then went to test manually adding a record with two IP addresses to
>>>> the dns server using the dhcp-dyndns.sh script:
>>>>
>>>> /etc/dhcpd.d# ./dhcp-ddns.sh add 192.168.51.200 abcdef test1
>>> What OS is this running on ?
>>> I do not recognise '/etc/dhcpd.d'
>>>
>>>> However, by inserting debug statements, I discovered that the line
>>>> above
>>> Can you supply the script line that crashes for you.
>> Ok - I might have a bit more useful information. I've added lots of
>> debug lines in the script and the source of the error messages seems to
>> be twofold: if there is already an A record in the dns back-end with
>> multiple IPs, and/or a PTR record with multiple hostnames, both the
>> corresponding "samba-tool dns delete ..." statements fail with those
>> errors. Then everything snowballs down the hill, as every time the
>> device gets a new IP address, the script keeps on adding more multiple
>> records to the database, with no chance of recovering from there.
>>
>> I still don't know for sure how did the multiple records happen in the
>> first place. I do know however why I was still getting the error after
>> deleting all the IPs in the dns back-end for this printer - it's because
>> I didn't realise that there was also a PTR record with multiple
>> hostnames, as well as the A record with multiple IPs.
>>
>> Does the above help a bit? I don't know if the script should be changed
>> to recognise multiple IP's / hostnames being returned when querying the
>> dns back-end - and cope with that scenario? Or maybe that should just
>> never ever happen in the first place?
> OK, try upgrading the script, the latest version has this:
>
>     add)
>         _KERBEROS
>         count=0
>         # does host have an existing 'A' record ?
>         A_REC=$(samba-tool dns query ${Server} ${domain} ${name} A -k yes 2>/dev/null | grep 'A:' | awk '{print $2}')
>         if [[ -z $A_REC ]]; then
>             # no A record to delete
>             result1=0
>             samba-tool dns add ${Server} ${domain} "${name}" A ${ip} -k yes
>             result2="$?"
>         elif [ "$A_REC" = "${ip}" ]; then
>             # Correct A record exists, do nothing
>             logger "Correct 'A' record exists, not updating."
>             result1=0
>             result2=0
>             count=$((count+1))
>         elif [ "$A_REC" != "${ip}" ]; then
>             # Wrong A record exists
>             logger "'A' record changed, updating record."
>             samba-tool dns delete ${Server} ${domain} "${name}" A ${A_REC} -k yes
>             result1="$?"
>             samba-tool dns add ${Server} ${domain} "${name}" A ${ip} -k yes
>             result2="$?"
>         fi
>
> The script now checks if the record exists and then does one of three
> things:
>
> It adds the record if one doesn't exist
>
> If the record exists and it matches the supplied data, it does nothing
>
> If the record exists and it doesn't match the supplied data, the record
> is deleted and a new record added
>
> The 0.9.0 version of the script did not do this.
>
> Rowland
Rowland Penny
2021-Nov-10 19:51 UTC
[Samba] Device ends up with multiple dns records and IP addresses
On Wed, 2021-11-10 at 20:21 +0100, Ingo Asche wrote:
> Hi Rowland,
>
> I tried the actual script just now and it quits in syslog with exit
> status 256.
>
> I then started the script manually with the variables used and I get
> this output:
>
> WARNING: The option -k|--kerberos is deprecated!
> ERROR(runtime): uncaught exception - (5, 'WERR_ACCESS_DENIED')
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 1094, in run
>     raise e
>   File "/usr/lib/python3/dist-packages/samba/netcmd/dns.py", line 1088, in run
>     0, server, zone, name, add_rec_buf, None)
>
> I double-checked that I have done everything as written in the Wiki
> article and found no error.

I feel version 0.9.4 of the script is imminent.

From Samba 4.15.0, some of the options changed, one of which was that '-k yes' was deprecated and '--use-kerberos=required' should be used instead. Now 'deprecated' should mean that the old method will still work, so can you try replacing all mention of '-k yes' with '--use-kerberos=required'.

Rowland
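
Added example, not part of either post or of the dhcp-dyndns.sh script: the quoted `add)` branch puts every address the query returns into a single `A_REC` value, so a name that already holds several A records cannot be cleaned up by one delete. The sketch below plans one delete per stale address instead. Assumptions: the query output format is constructed to match the script's `grep 'A:' | awk '{print $2}'` parse, `dc1.ihs-uk.lan` is a placeholder server name, and `SAMBA_TOOL` is a hypothetical override used only for dry runs.

```shell
#!/bin/sh
# Added example (not from the dhcp-dyndns.sh script).
# Constructed sample of `samba-tool dns query <server> <zone> <name> A` output
# for a host that already has two A records (addresses taken from the thread;
# flags, serial and ttl values are made up).
SAMPLE='  Name=, Records=2, Children=0
    A: 192.168.51.235 (flags=f0, serial=110, ttl=3600)
    A: 192.168.51.229 (flags=f0, serial=111, ttl=3600)'

# Read query output on stdin and print one action per line so that the
# lease address $1 ends up as the only A record: "delete <ip>" for every
# stale address, then "add <ip>" if the lease address is not present yet.
plan_a_update() {
    awk -v want="$1" '
        $1 == "A:" { if ($2 == want) found = 1; else print "delete " $2 }
        END        { if (!found) print "add " want }
    '
}

# Run the plan from stdin against server $1, zone $2, host name $3.
# Stops at the first failing call so a denied delete is not followed by an add.
# SAMBA_TOOL is a hypothetical override for dry runs (e.g. SAMBA_TOOL=echo).
apply_plan() {
    while read -r action addr; do
        "${SAMBA_TOOL:-samba-tool}" dns "$action" "$1" "$2" "$3" A "$addr" \
            --use-kerberos=required || return 1
    done
}

# Dry run on the constructed sample: prints the three samba-tool calls
# (two deletes, one add) instead of executing them.
printf '%s\n' "$SAMPLE" | plan_a_update 192.168.51.200 |
    SAMBA_TOOL=echo apply_plan dc1.ihs-uk.lan ihs-uk.lan SEC001599AB9439
```

The PTR side, where the thread reports several hostnames on one reverse record, needs the same one-delete-per-record handling.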