samba - Nov 2022 - accidentally upgraded DC to 4.17.3 ... didn't work

Am 30.11.22 um 11:19 schrieb Rowland Penny via samba:
> 
> 
> On 30/11/2022 10:03, Stefan G. Weichinger via samba wrote:
>>
>> starting adc1 broke DNS for the windows clients, so I had to stop it 
>> again for now
>>
>> on adc1 I find:
>>
>> Nov 30 10:23:26 adc1 samba[80993]:?? /usr/sbin/samba_dnsupdate: ; TSIG 
>> error with server: tsig verify failure
>> Nov 30 10:23:26 adc1 samba[80993]: [2022/11/30 10:23:26.255163,? 0] 
>> ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_n>
>> Nov 30 10:23:26 adc1 samba[80993]:?? dnsupdate_nameupdate_done: Failed 
>> DNS update with exit code 41
>>
>> I assumed that would be cleared after some initialization phase (like 
>> last week).
>>
>>
> 
> Did the new DC's nameserver point to its own ipaddress before you 
> started Samba ?
adc1 has the IP 10.0.0.231 on interface "eno1"

the resolv.conf contains its own IP at first and 10.0.0.230 for "adc2"
at second ->

# resolv.conf

nameserver 10.0.0.231
nameserver 10.0.0.230
search arbeitsgruppe.my.tld

both DCs have several VLAN-interfaces and IPs as well

on adc2 I have

bind interfaces only = yes
interfaces = lo enp0s31f6

while on adc1 these lines are currently missing -> smb.conf was created 
from scratch at the join

Last week there were numerous DNS-records added: one per VLAN ... maybe 
that is a problem, I removed them last week to run the DC in plain 
VLAN1= LAN only.

I assume I should add that binding-config to adc1 as well.
> You could try adding:
> 
> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
> 
> to the DC's smb.conf and then restart Samba.
Can do, have to check with the customer first: breaking the DNS as 
before isn't good while people are working.

Just an observation:

to me it looks as if adc2 is still on 2.6.1+samba4.17.3+dfsg-1~bpo11+1 
for samba packages

I'd have to check for all related packages step by step.

I DON'T want to upgrade adc2 now, as long as it is the only working DC.

-

adc1 is on 2.6.1+samba4.17.3+dfsg-2 already.

Maybe that is part of my problems.

On 30/11/2022 10:58, Stefan G. Weichinger via samba wrote:
>>>
>>
>> Did the new DC's nameserver point to its own ipaddress before you 
>> started Samba ?
> 
> adc1 has the IP 10.0.0.231 on interface "eno1"
> 
> the resolv.conf contains its own IP at first and 10.0.0.230 for
"adc2"
> at second ->
> 
> # resolv.conf
> 
> nameserver 10.0.0.231
> nameserver 10.0.0.230
> search arbeitsgruppe.my.tld
> 
> both DCs have several VLAN-interfaces and IPs as well
> 
> on adc2 I have
> 
> bind interfaces only = yes
> interfaces = lo enp0s31f6
> 
> while on adc1 these lines are currently missing -> smb.conf was created 
> from scratch at the join
> 
> Last week there were numerous DNS-records added: one per VLAN ... maybe 
> that is a problem, I removed them last week to run the DC in plain 
> VLAN1= LAN only.
What are the VLANs for and what do they have to do with the DC ?
> 
> I assume I should add that binding-config to adc1 as well.
> 
>> You could try adding:
>>
>> dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool
>>
>> to the DC's smb.conf and then restart Samba.
> 
> Can do, have to check with the customer first: breaking the DNS as 
> before isn't good while people are working.
> 
The samba_dnsupdate python script is run by a DC at startup and then 
every 10 minutes, it adds any missing AD dns records and there are quite 
a few missing from a newly joined DC. You can see the records that are 
added here:

/var/lib/samba/private/dns_update_list

There can be a problem with the ticket, but, by using samba-tool, this 
can be got around.

Rowland