Steven Monai
2023-May-18 03:31 UTC
[Samba] On Debian 12: nsupdate (as called from samba_dnsupdate) crashes named/bind9_dlz
Hello,

I am testing Samba (v.4.17.8) in Debian 12 ("Bookworm") for use on two DCs (as separate VMs) in a new AD domain.

"dc33" (IP: 10.150.10.33) is the first DC in the new domain ("ttwo.ad.example.org"), provisioned via 'samba-tool domain provision DC'.

"dc34" (IP: 10.150.10.34) is the second DC, joined to the domain via 'samba-tool domain join DC'.

The first oddity I encounter is I find that I have to manually run 'samba_dnsupdate' to create the new DC's NS and SRV records in the DNS. This seems new, as the DNS records were automatically created when I previously did an identical setup using Debian 11 ("Bullseye", Samba v.4.13.13).

Regardless, the second, and more surprising issue, is that the 'samba_dnsupdate' script, when run in its default mode, fails rather spectacularly. The script calls 'nsupdate' to add the new DNS records one-by-one, and EVERY call to 'nsupdate' results in a hard crash ("assertion failure") of the 'named' service on the first DC.

I am able to work around the issue by running 'samba_dnsupdate --use-samba-tool', which does not use 'nsupdate'.

Is this a known issue? Or is it more likely that I misconfigured something?

Anyway, here is a snippet of the output from the client side, when I run 'samba_dnsupdate':
------------------------------------------------------------------------
dc34:~# samba_dnsupdate --verbose
...
24 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc33.ttwo.ad.example.org as DC34$
update(nsupdate): NS ttwo.ad.example.org dc34.ttwo.ad.example.org
Calling nsupdate for NS ttwo.ad.example.org dc34.ttwo.ad.example.org (add)
Successfully obtained Kerberos ticket to DNS/dc33.ttwo.ad.example.org as DC34$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ttwo.ad.example.org. 900 IN NS dc34.ttwo.ad.example.org.

; Communication with 10.150.10.33#53 failed: end of file
Failed nsupdate: 2
...
(repeat failure 23 more times)
...
------------------------------------------------------------------------

And here is a snippet of the resulting log on the server side:
------------------------------------------------------------------------
dc33:~# journalctl -u named.service
...
May 17 11:50:53 dc33 named[920]: samba_dlz: allowing update of signer=DC34\$\@TTWO.AD.EXAMPLE.ORG name=ttwo.ad.example.org tcpaddr=10.150.10.34 type=NS key=389657593.sig-dc33.ttwo.ad.example.org/159/0
May 17 11:50:53 dc33 named[920]: samba_dlz: starting transaction on zone ttwo.ad.example.org
May 17 11:50:53 dc33 named[920]: client @0x7ff9731fb568 10.150.10.34#35837/key DC34\$\@TTWO.AD.EXAMPLE.ORG: updating zone 'ttwo.ad.example.org/NONE': adding an RR at 'ttwo.ad.example.org' NS dc34.ttwo.ad.example.org.
May 17 11:50:53 dc33 named[920]: name.c:664: REQUIRE(((name1) != ((void *)0) && ((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n'))))) failed, back trace
May 17 11:50:53 dc33 named[920]: /usr/sbin/named(+0x235e4) [0x557c33cec5e4]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(isc_assertion_failed+0xa) [0x7ff978239a5a]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libdns-9.18.12-1-Debian.so(dns_name_equal+0x179) [0x7ff977e999d9]
May 17 11:50:53 dc33 named[920]: /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_18.so(dlz_addrdataset+0x1c4) [0x7ff976a72b54]
May 17 11:50:53 dc33 named[920]: /usr/sbin/named(+0x212e4) [0x557c33cea2e4]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libdns-9.18.12-1-Debian.so(+0x12e4c4) [0x7ff977f2e4c4]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libdns-9.18.12-1-Debian.so(+0x4ec17) [0x7ff977e4ec17]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libns-9.18.12-1-Debian.so(+0x31dca) [0x7ff9787d8dca]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libns-9.18.12-1-Debian.so(+0x35466) [0x7ff9787dc466]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(isc_task_run+0x113) [0x7ff978258a43]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(+0x26cb2) [0x7ff978226cb2]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(+0x27337) [0x7ff978227337]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(+0x27e73) [0x7ff978227e73]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libuv.so.1(+0xf09d) [0x7ff97814e09d]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libuv.so.1(+0x22e3c) [0x7ff978161e3c]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libuv.so.1(uv_run+0xc4) [0x7ff97814e9e4]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(+0x27654) [0x7ff978227654]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(isc__trampoline_run+0x15) [0x7ff978261575]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libc.so.6(+0x88fd4) [0x7ff9774fbfd4]
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libc.so.6(+0x1095bc) [0x7ff97757c5bc]
May 17 11:50:53 dc33 named[920]: exiting (due to assertion failure)
May 17 11:50:53 dc33 systemd[1]: named.service: Main process exited, code=dumped, status=6/ABRT
May 17 11:50:53 dc33 systemd[1]: named.service: Failed with result 'core-dump'.
May 17 11:50:53 dc33 systemd[1]: named.service: Scheduled restart job, restart counter is at 10.
...
(systemd restarts named, named crashes again soon after, etc., etc.)
...
------------------------------------------------------------------------

Thanks for your time.

Cheers,
-S.M.
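An added example, not part of the original post: a triage helper that ties each named assertion exit in a journal excerpt to the last dynamic update samba_dlz allowed for that process, so a crash loop like the one above can be attributed to a signer and source address. The sample log is abridged from the post; the named[1042] line and the function name find_dlz_crashes are constructed for illustration.

```python
import re

# Abridged from the journal excerpt in the post. The named[1042] line is
# constructed: an allowed update that is not followed by a crash.
SAMPLE_JOURNAL = r"""
May 17 11:50:53 dc33 named[920]: samba_dlz: allowing update of signer=DC34\$\@TTWO.AD.EXAMPLE.ORG name=ttwo.ad.example.org tcpaddr=10.150.10.34 type=NS key=389657593.sig-dc33.ttwo.ad.example.org/159/0
May 17 11:50:53 dc33 named[920]: samba_dlz: starting transaction on zone ttwo.ad.example.org
May 17 11:50:53 dc33 named[920]: name.c:664: REQUIRE(((name1) != ((void *)0) && ((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n'))))) failed, back trace
May 17 11:50:53 dc33 named[920]: /lib/x86_64-linux-gnu/libdns-9.18.12-1-Debian.so(dns_name_equal+0x179) [0x7ff977e999d9]
May 17 11:50:53 dc33 named[920]: /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_18.so(dlz_addrdataset+0x1c4) [0x7ff976a72b54]
May 17 11:50:53 dc33 named[920]: exiting (due to assertion failure)
May 17 11:51:04 dc33 named[1042]: samba_dlz: allowing update of signer=DC34\$\@TTWO.AD.EXAMPLE.ORG name=dc34.ttwo.ad.example.org tcpaddr=10.150.10.34 type=A key=constructed.sig-dc33.ttwo.ad.example.org/159/0
"""

ENTRY = re.compile(r"named\[(\d+)\]: (.*)$")
UPDATE = re.compile(
    r"samba_dlz: allowing update of signer=(\S+) name=(\S+) tcpaddr=(\S*) type=(\S+)"
)


def find_dlz_crashes(journal_text):
    """Return one record per named assertion exit, with the last allowed update."""
    last_update = {}  # pid -> most recent update samba_dlz allowed
    pending = {}      # pid -> assertion seen, waiting for the exit line
    crashes = []
    for line in journal_text.splitlines():
        entry = ENTRY.search(line)
        if not entry:
            continue
        pid, msg = int(entry.group(1)), entry.group(2)
        update = UPDATE.search(msg)
        if update:
            signer, name, addr, rtype = update.groups()
            # The log escapes $ and @ in the principal with backslashes.
            last_update[pid] = {"signer": signer.replace("\\", ""), "name": name,
                                "tcpaddr": addr, "type": rtype}
        elif "REQUIRE(" in msg and "failed" in msg:
            pending[pid] = {"where": msg.split(" ", 1)[0].rstrip(":"), "in_dlz": False}
        elif pid in pending and "dlz_bind9" in msg:
            pending[pid]["in_dlz"] = True  # a frame inside Samba's DLZ module
        elif pid in pending and "exiting (due to assertion failure)" in msg:
            crashes.append({"pid": pid, **pending.pop(pid),
                            "update": last_update.get(pid)})
    return crashes


if __name__ == "__main__":
    for crash in find_dlz_crashes(SAMPLE_JOURNAL):
        print(crash)
```
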
Rowland Penny
2023-May-18 07:29 UTC
[Samba] On Debian 12: nsupdate (as called from samba_dnsupdate) crashes named/bind9_dlz
On 18/05/2023 04:31, Steven Monai via samba wrote:
> Hello,
>
> I am testing Samba (v.4.17.8) in Debian 12 ("Bookworm") for use on two
> DCs (as separate VMs) in a new AD domain.
>
> "dc33" (IP: 10.150.10.33) is the first DC in the new domain
> ("ttwo.ad.example.org"), provisioned via 'samba-tool domain provision DC'.
>
> "dc34" (IP: 10.150.10.34) is the second DC, joined to the domain via
> 'samba-tool domain join DC'.
>
> The first oddity I encounter is I find that I have to manually run
> 'samba_dnsupdate' to create the new DC's NS and SRV records in the DNS.
> This seems new, as the DNS records were automatically created when I
> previously did an identical setup using Debian 11 ("Bullseye", Samba
> v.4.13.13).

Most of the DNS records are created during a provision, but very few are when joining an additional DC. That is where samba_dnsupdate comes in, it runs at Samba startup and then every 10 minutes, to create any missing dns records.

>
> Regardless, the second, and more surprising issue, is that the
> 'samba_dnsupdate' script, when run in its default mode, fails rather
> spectacularly. The script calls 'nsupdate' to add the new DNS records
> one-by-one, and EVERY call to 'nsupdate' results in a hard crash
> ("assertion failure") of the 'named' service on the first DC.

It definitely should not crash.

>
> I am able to work around the issue by running 'samba_dnsupdate
> --use-samba-tool', which does not use 'nsupdate'.
>
> Is this a known issue?

It has been known before, but without the crash.

> Or is it more likely that I misconfigured
> something?

Possibly, you haven't told us just how you have configured the OS and Samba.

>
> Anyway, here is a snippet of the output from the client side, when I run
> 'samba_dnsupdate':
> ------------------------------------------------------------------------
> dc34:~# samba_dnsupdate --verbose
> ...
> 24 DNS updates and 0 DNS deletes needed
> Successfully obtained Kerberos ticket to DNS/dc33.ttwo.ad.example.org as
> DC34$
> update(nsupdate): NS ttwo.ad.example.org dc34.ttwo.ad.example.org
> Calling nsupdate for NS ttwo.ad.example.org dc34.ttwo.ad.example.org (add)
> Successfully obtained Kerberos ticket to DNS/dc33.ttwo.ad.example.org as
> DC34$

That's one misconfiguration you probably have there, it looks like your second DC isn't using itself as its nameserver, it appears to be still using the first DC.

Rowland