samba - May 2023 - On Debian 12: nsupdate (as called from samba_dnsupdate) crashes named/bind9_dlz

On 18/05/2023 04:31, Steven Monai via samba wrote:
> Hello,
> 
> I am testing Samba (v.4.17.8) in Debian 12 ("Bookworm") for use
on two
> DCs (as separate VMs) in a new AD domain.
> 
> "dc33" (IP: 10.150.10.33) is the first DC in the new domain 
> ("ttwo.ad.example.org"), provisioned via 'samba-tool domain
provision DC'.
> 
> "dc34" (IP: 10.150.10.34) is the second DC, joined to the domain
via
> 'samba-tool domain join DC'.
> 
> The first oddity I encounter is I find that I have to manually run 
> 'samba_dnsupdate' to create the new DC's NS and SRV records in
the DNS.
> This seems new, as the DNS records were automatically created when I 
> previously did an identical setup using Debian 11 ("Bullseye",
Samba
> v.4.13.13).
Most of the DNS records are created during a provision, but very few are 
when joining an additional DC. That is where samba_dnsupdate comes in, 
it runs at Samba startup and then every 10 minutes, to create any 
missing dns records.
> 
> Regardless, the second, and more surprising issue, is that the 
> 'samba_dnsupdate' script, when run in its default mode, fails
rather
> spectacularly. The script calls 'nsupdate' to add the new DNS
records
> one-by-one, and EVERY call to 'nsupdate' results in a hard crash 
> ("assertion failure") of the 'named' service on the first
DC.
It definitely should not crash.
> 
> I am able to work around the issue by running 'samba_dnsupdate 
> --use-samba-tool', which does not use 'nsupdate'.
> 
> Is this a known issue?  
It has been known before, but without the crash.
> Or is it more likely that I misconfigured 
> something?
Possibly, you haven't told us just how you have configured the OS and Samba.
> 
> Anyway, here is a snippet of the output from the client side, when I run 
> 'samba_dnsupdate':
> ------------------------------------------------------------------------
> dc34:~# samba_dnsupdate --verbose
> ...
> 24 DNS updates and 0 DNS deletes needed
> Successfully obtained Kerberos ticket to DNS/dc33.ttwo.ad.example.org as 
> DC34$
> update(nsupdate): NS ttwo.ad.example.org dc34.ttwo.ad.example.org
> Calling nsupdate for NS ttwo.ad.example.org dc34.ttwo.ad.example.org (add)
> Successfully obtained Kerberos ticket to DNS/dc33.ttwo.ad.example.org as 
> DC34$
That's one misconfiguration you probably have there, it looks like your 
second DC isn't using itself as its nameserver, it appears to be still 
using the first DC.

Rowland

Thanks for your reply.

On 2023-05-18 12:29 a.m., Rowland Penny via samba wrote:
> On 18/05/2023 04:31, Steven Monai via samba wrote:
>> Successfully obtained Kerberos ticket to DNS/dc33.ttwo.ad.example.org 
>> as DC34$
> 
> That's one misconfiguration you probably have there, it looks like your
> second DC isn't using itself as its nameserver, it appears to be still 
> using the first DC.
To be concrete: What do you recommend should be the contents of the 
respective /etc/resolv.conf files in my test?

Here is what I currently have:

* On dc33 (IP: 10.150.10.33), /etc/resolv.conf:

domain ttwo.ad.example.org
search ttwo.ad.example.org
nameserver 10.150.10.34
nameserver 10.150.10.33


* On dc34 (IP: 10.150.10.34), /etc/resolv.conf:

domain ttwo.ad.example.org
search ttwo.ad.example.org
nameserver 10.150.10.33
nameserver 10.150.10.34


--
-S.M.