[Samba] Clients no longer updating DNS & unable to delete MX records
Thomas Simmons
twsnnva at gmail.com
Thu Mar 28 06:55:29 MDT 2013
On Thu, Mar 21, 2013 at 2:21 PM, Thomas Simmons <twsnnva at gmail.com> wrote:
> On Wed, Mar 20, 2013 at 3:29 PM, Thomas Simmons <twsnnva at gmail.com> wrote:
>>
>> On Wed, Mar 20, 2013 at 9:05 AM, Thomas Simmons <twsnnva at gmail.com> wrote:
>>>
>>> Hello,
>>>
>>> After noticing some odd behavior on my domain, I realized that many of my
>>> DNS records are incorrect and that clients are no longer properly updating
>>> DNS. While looking into this, I also discovered that I am unable to delete
>>> MX records via AD DNS Manager or samba-tool. Both tools "see" the record but
>>> report it does not exist when I attempt to delete it. I can create new MX
>>> records, but cannot delete them. I can create and delete both A and CNAME
>>> records. The same behavior occurs under all zones. I can create and delete
>>> new forward lookup zones.
>>>
>>> [root at ADC1 log]# samba-tool dns query adc1 internal.testdom.com mailsrv
>>> MX
>>> GENSEC backend 'gssapi_spnego' registered
>>> GENSEC backend 'gssapi_krb5' registered
>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>> GENSEC backend 'sasl-DIGEST-MD5' registered
>>> GENSEC backend 'schannel' registered
>>> GENSEC backend 'spnego' registered
>>> GENSEC backend 'ntlmssp' registered
>>> GENSEC backend 'krb5' registered
>>> GENSEC backend 'fake_gssapi_krb5' registered
>>> Using binding ncacn_ip_tcp:adc1[,sign]
>>> Name=, Records=3, Children=0
>>> MX: mailsrv.internal.testdom.com. (10) (flags=f0, serial=4, ttl=900)
>>>
>>> [root at ADC1 log]# samba-tool dns delete adc1 internal.testdom.com mailsrv
>>> MX 'mailsrv.internal.testdom.com 10'
>>> GENSEC backend 'gssapi_spnego' registered
>>> GENSEC backend 'gssapi_krb5' registered
>>> GENSEC backend 'gssapi_krb5_sasl' registered
>>> GENSEC backend 'sasl-DIGEST-MD5' registered
>>> GENSEC backend 'schannel' registered
>>> GENSEC backend 'spnego' registered
>>> GENSEC backend 'ntlmssp' registered
>>> GENSEC backend 'krb5' registered
>>> GENSEC backend 'fake_gssapi_krb5' registered
>>> Using binding ncacn_ip_tcp:adc1[,sign]
>>> ERROR(runtime): uncaught exception - (9701,
>>> 'WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST')
>>> File
>>> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/__init__.py",
>>> line 175, in _run
>>> return self.run(*args, **kwargs)
>>> File
>>> "/usr/local/samba/lib/python2.6/site-packages/samba/netcmd/dns.py", line
>>> 1169, in run
>>> del_rec_buf)
>>>
>>
>> With log level = 10, when attempting to deleting the record, it appears to
>> find it, but reports it doesn't exist anyway. Has anyone seen this behavior
>> before? The last DNS update was nearly 2 weeks ago and I am not aware of
>> anything that happened around that time that would have triggered this. I
>> don't know it this MX problem and the clients being unable to update DNS are
>> related.
>>
>> [2013/03/20 13:52:20, 5, pid=2064, effective(0, 0), real(0, 0)]
>> ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
>> ldb: ldb_trace_request: SEARCH
>> dn:
>> DC=internal.testdom.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=internal,DC=testdom,DC=com
>> scope: one
>> expr: (&(objectClass=dnsNode)(name=mailsrv))
>> attr: dnsRecord
>> control: <NONE>
>>
>> [2013/03/20 13:52:20, 5, pid=2064, effective(0, 0), real(0, 0)]
>> ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
>> ldb: ldb_trace_request: (resolve_oids)->search
>> ...
>> ...
>> ...
>>
>> [2013/03/20 13:52:20, 5, pid=2064, effective(0, 0), real(0, 0)]
>> ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
>> ldb: ldb_trace_response: ENTRY
>> dn:
>> DC=mailsrv,DC=internal.testdom.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=internal,DC=testdom,DC=com
>> dnsRecord::
>> IgAPAAXwAAAEAAAAAAADhAAAAAALIDcAAAoeBAdtYWlsc3J2CGludGVybmFsB7G4YX
>> lzZXMDY29tAA==
>> dnsRecord:: EAAPAAXwAAA+AAAAAAAAAAAAAADcIjcAAAoMAgZnb29nbGUDY29tAA==
>> dnsRecord::
>> IgAPAAXwAAAEAAAAAAADhAAAAAALIDcAAAoeBAdtYWlsc3J2CGludGVybmFsB7G4YX
>> lzZXMDY29tAA==
>>
>> [2013/03/20 13:52:20, 5, pid=2064, effective(0, 0), real(0, 0)]
>> ../lib/ldb-samba/ldb_wrap.c:69(ldb_wrap_debug)
>> ldb: ldb_trace_response: DONE
>> error: 0
>>
>> [2013/03/20 13:52:20, 1, pid=2064, effective(0, 0), real(0, 0)]
>> ../librpc/ndr/ndr.c:282(ndr_print_function_debug)
>> DnssrvUpdateRecord2: struct DnssrvUpdateRecord2
>> out: struct DnssrvUpdateRecord2
>> result :
>> WERR_DNS_ERROR_RECORD_DOES_NOT_EXIST
>
>
> It looks like the last DNS update occurred on March 7th. I restored a backup
> from March 5th to a sandbox environment and it's displaying the same
> behavior. I then restored a December backup (taken just after performing the
> classicupgrade) and do not have the problem. I'm not sure what would be the
> best way to recover from this. Is there anyway to "reset" DNS? Apart from
> that, all I can think to do is start at March 4th and restore each backup
> until the problem goes away. Would it be possible to restore AD (minus DNS)
> once this is done?
>
> The last time a client successfully updated DNS was Mar 7 17:58:08:
>
> Mar 7 17:58:08 ADC1 named[977]: samba_dlz: starting transaction on zone
> internal.testdom.com
> Mar 7 17:58:08 ADC1 named[977]: samba_dlz: allowing update of
> signer=aspire\$\@INTERNAL.TESTDOM.COM name=ASPIRE.internal.testdom.com
> tcpaddr= type=AAAA key=...
> Mar 7 17:58:08 ADC1 named[977]: samba_dlz: allowing update of
> signer=aspire\$\@INTERNAL.TESTDOM.COM name=ASPIRE.internal.testdom.com
> tcpaddr= type=A key=...
> Mar 7 17:58:08 ADC1 named[977]: samba_dlz: allowing update of
> signer=aspire\$\@INTERNAL.TESTDOM.COM name=ASPIRE.internal.testdom.com
> tcpaddr= type=A key=...
> Mar 7 17:58:08 ADC1 named[977]: client 10.10.65.22#49865: updating zone
> 'internal.testdom.com/NONE': deleting rrset at 'ASPIRE.internal.testdom.com'
> AAAA
> Mar 7 17:58:08 ADC1 named[977]: client 10.10.65.22#49865: updating zone
> 'internal.testdom.com/NONE': deleting rrset at 'ASPIRE.internal.testdom.com'
> A
> Mar 7 17:58:08 ADC1 named[977]: samba_dlz: subtracted rdataset
> ASPIRE.internal.testdom.com
> 'ASPIRE.internal.testdom.com.#0111200#011IN#011A#01110.10.65.22'
> Mar 7 17:58:08 ADC1 named[977]: client 10.10.65.22#49865: updating zone
> 'internal.testdom.com/NONE': adding an RR at 'ASPIRE.internal.testdom.com' A
> Mar 7 17:58:08 ADC1 named[977]: samba_dlz: added rdataset
> ASPIRE.internal.testdom.com
> 'ASPIRE.internal.testdom.com.#0111200#011IN#011A#01110.10.65.22'
> Mar 7 17:58:08 ADC1 named[977]: samba_dlz: committed transaction on zone
> internal.testdom.com
>
> All DNS updates after that one fail:
>
> Mar 7 18:59:37 ADC1 named[977]: samba_dlz: starting transaction on zone
> internal.testdom.com
> Mar 7 18:59:37 ADC1 named[977]: client 10.10.65.23#57259: update
> 'internal.testdom.com/IN' denied
> Mar 7 18:59:37 ADC1 named[977]: samba_dlz: cancelling transaction on zone
> internal.testdom.com
> Mar 7 18:59:37 ADC1 named[977]: samba_dlz: starting transaction on zone
> internal.testdom.com
> Mar 7 18:59:37 ADC1 named[977]: client 10.10.65.23#65190: update
> 'internal.testdom.com/IN' denied
> Mar 7 18:59:37 ADC1 named[977]: samba_dlz: cancelling transaction on zone
> internal.testdom.com
It appears the inability to delete MX records is a bug that is
specific to 32-bit Linux. I am able to duplicate this behavior and
error (can create but not delete MX records) on a clean
install/provision using any version of Samba4 and CentOS 6.x or Ubuntu
12.04. I actually stumbled on this problem - while troubleshooting, I
just happened to restore to a 64-bit Linux VM and it worked. I
originally deployed Samba4 in a VM, later moving it to a physical, 32
bit server. I never noticed this problem because I never tried
deleting an MX record - I'm only doing it now for troubleshooting
purposes. If any is running S4 on 32-bit Linux, please try creating
and deleting an MX record to see if you can duplicate what I am
seeing. I will open a bug for this after a little more testing.
Back to the original problem (clients not updating), restoring to a
64-bit VM did not help. However, I temporarily reverted to internal
DNS as a test, and clients could then update DNS. This is not
currently a viable solution since internal DNS does not support MX or
CNAME records, but it does let me know that the problem is specific to
BIND9_DLZ. Running bind in debugging, I see the following output:
28-Mar-2013 08:26:15.759 failed gss_inquire_cred: GSSAPI error: Major
= Unspecified GSS failure. Minor code may provide more information,
Minor = Success.
28-Mar-2013 08:26:15.760 failed gss_accept_sec_context: GSSAPI error:
Major = Unspecified GSS failure. Minor code may provide more
information, Minor = .
28-Mar-2013 08:26:15.760 process_gsstkey(): dns_tsigerror_badkey
Searching for this doesn't yield much. I see someone had the issue a
few years back and Andrew recommended upgrading to Bind 9.8, which I
am already running.
More information about the samba
mailing list