[Samba] Samba errors everyday at 00:00:00

Kamal Chikh echioukh k_chikhechioukh at hotmail.com
Thu Mar 28 15:03:28 UTC 2024


Hello Rowland,

I understand what happens every day at 00:00:00. There is a systemd timer called "unbound-anchor.timer" that runs a systemd service named "unbound-anchor.service" once a day. This oneshot-type service is used to update the root trust anchor for DNSSEC validation in unbound. It executes the following command:

ExecStart=/usr/sbin/unbound-anchor -a /var/lib/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R

I just ran it on a test DC (Rocky Linux 8.9) and it produced the following logs:

Mar 28 15:53:01 testadsrv3 samba[1675]: [2024/03/28 15:53:01.084507,  1] ../../source4/dns_server/dns_query.c:1141(dns_server_process_query_got_auth)
Mar 28 15:53:01 testadsrv3 samba[1675]:  dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR
Mar 28 15:53:01 testadsrv3 samba[1675]: [2024/03/28 15:53:01.084900,  1] ../../source4/dns_server/dns_query.c:1141(dns_server_process_query_got_auth)
Mar 28 15:53:01 testadsrv3 samba[1675]:  dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR
Mar 28 15:53:01 testadsrv3 samba[1675]: [2024/03/28 15:53:01.096939,  1] ../../source4/dns_server/dns_query.c:1141(dns_server_process_query_got_auth)
Mar 28 15:53:01 testadsrv3 samba[1675]:  dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR
Mar 28 15:53:01 testadsrv3 samba[1675]: [2024/03/28 15:53:01.097179,  1] ../../source4/dns_server/dns_query.c:1141(dns_server_process_query_got_auth)
Mar 28 15:53:01 testadsrv3 samba[1675]:  dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR
Mar 28 15:53:01 testadsrv3 samba[1675]: [2024/03/28 15:53:01.100113,  1] ../../source4/dns_server/dns_query.c:1141(dns_server_process_query_got_auth)
Mar 28 15:53:01 testadsrv3 samba[1675]:  dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR
Mar 28 15:53:01 testadsrv3 samba[1675]: [2024/03/28 15:53:01.100316,  1] ../../source4/dns_server/dns_query.c:1141(dns_server_process_query_got_auth)
Mar 28 15:53:01 testadsrv3 samba[1675]:  dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR
Mar 28 15:53:01 testadsrv3 samba[1675]: [2024/03/28 15:53:01.100515,  1] ../../source4/dns_server/dns_query.c:1141(dns_server_process_query_got_auth)
Mar 28 15:53:01 testadsrv3 samba[1675]:  dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR
Mar 28 15:53:01 testadsrv3 samba[1675]: [2024/03/28 15:53:01.100700,  1] ../../source4/dns_server/dns_query.c:1141(dns_server_process_query_got_auth)
Mar 28 15:53:01 testadsrv3 samba[1675]:  dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR
Mar 28 15:53:01 testadsrv3 samba[1675]: [2024/03/28 15:53:01.100900,  1] ../../source4/dns_server/dns_query.c:1141(dns_server_process_query_got_auth)
Mar 28 15:53:01 testadsrv3 samba[1675]:  dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR
Mar 28 15:53:01 testadsrv3 samba[1675]: [2024/03/28 15:53:01.101095,  1] ../../source4/dns_server/dns_query.c:1141(dns_server_process_query_got_auth)
Mar 28 15:53:01 testadsrv3 samba[1675]:  dns_server_process_query_got_auth: Failed to add SOA record: WERR_DNS_ERROR_RCODE_FORMAT_ERROR

Best Regards,
__________________________

kamal Chikh Echioukh
________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Kamal Chikh echioukh via samba <samba at lists.samba.org>
Sent: Thursday, 28 March 2024 13:17
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] Samba errors everyday at 00:00:00

I will write a script which will contain tcpdump which will run on the DC which logs these errors. This script will run a few minutes before and after midnight to see the processes/machines which try to add the SOA record and which fail.

For the moment, we have 5 DCs:

  *   1 DC CentOS 7.9 "FSMO" which uses version 4.18.11-SerNet-RedHat-9.el7. This DC will be replaced and decommissioned soon. It will be replaced by a new DC Rocky Linux 8.9 which was already joined to the domain as a DC last week.
  *   3 DCs in Rocky Linux 8.9 including the one which will replace the PDC "FSMO" (see above) which all use version 4.18.11-SerNet-RedHat-9.el8
  *   1 latest DC CentOS 7.9 in version 4.18.11-SerNet-RedHat-9.el7 which we will replace in the coming weeks with another DC Rocky Linux 8.9.

Version 4.18.11 (released on 03/13/2024) is normally the last stable version of the 4.18 branch.
We are planning to upgrade to 4.19 next month.
__________________________

kamal Chikh Echioukh

________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny via samba <samba at lists.samba.org>
Sent: Thursday, 28 March 2024 12:18
To: samba at lists.samba.org <samba at lists.samba.org>
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Samba errors everyday at 00:00:00

On Thu, 28 Mar 2024 11:01:19 +0000
Kamal Chikh echioukh <k_chikhechioukh at hotmail.com> wrote:

> Hello Rowland,
>
> Thanks for your help!
>
> I am investigating, but I noticed that these errors have disappeared
> from logs in recent days on the latest new DC (Rocky Linux 8.9) which
> will soon replace the primary DC "FSMO" (CentOS 7.9). But these
> errors remain on the 2 other DCs (Rocky Linux 8.9) that I added a few
> months ago to the domain to replace old DCs in CentOS 7.9.
>
> I managed to reproduce this same error from a Windows PC by modifying
> its network configuration by pointing its DNS to the new DCs (Rocky
> Linux 8.9) instead of recovering them by DHCP. Do you see a link with
> these errors that some DCs log every day at 00:00:00?
>

As I said, Samba is just responding to a request to add a SOA record to
a zone, but the request isn't in the correct format.

If your problem isn't being caused by a bug, you need to find what is
sending the request, stop it from sending the request if it isn't for
an AD dns zone, or fix it to send the correct format if it is for an AD
zone.

Now, as you say it has stopped on your new DC (note it isn't a primary
DC, all DCs are equal except for the FSMO roles and they can be on any
DC), so it may be a bug. Your new DC may be running a newer version of
Samba or its version of Samba may have been patched to fix a bug, so
have you tried updating one of the other DCs?

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
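Added example, not part of the original thread and not Samba or unbound code: a small Python correlator that pulls the "Failed to add SOA record" entries out of the two-line Samba log format quoted above, groups them into bursts, and names the systemd units that started shortly before each burst. The unit start times, the midnight log entry and example-backup.service are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Header line of a Samba log entry: "[2024/03/28 15:53:01.084507,  1] file.c:1141(func)"
HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d)\.\d+,\s*\d+\]")
MARKER = "Failed to add SOA record"

def soa_error_times(journal):
    """Timestamp of every SOA failure, taken from the header line preceding it."""
    times, last = [], None
    for line in journal.splitlines():
        m = HEADER.search(line)
        if m:
            last = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        elif MARKER in line and last is not None:
            times.append(last)
    return times

def bursts(times, gap=timedelta(seconds=5)):
    """Group timestamps into [start, end, count] runs separated by more than gap."""
    out = []
    for t in sorted(times):
        if out and t - out[-1][1] <= gap:
            out[-1][1] = t
            out[-1][2] += 1
        else:
            out.append([t, t, 1])
    return out

def attribute(journal, unit_starts, window=timedelta(seconds=10)):
    """For each burst, list the units that started at most `window` before it."""
    report = []
    for start, _end, count in bursts(soa_error_times(journal)):
        suspects = sorted(u for u, runs in unit_starts.items()
                          if any(timedelta(0) <= start - r <= window for r in runs))
        report.append((start, count, suspects))
    return report

def _entry(ts):
    # One two-line entry in the format quoted in the thread (journal prefix shortened).
    return (f"samba[1675]: [{ts},  1] ../../source4/dns_server/dns_query.c:1141(dns_server_process_query_got_auth)\n"
            f"samba[1675]:  dns_server_process_query_got_auth: {MARKER}: WERR_DNS_ERROR_RCODE_FORMAT_ERROR\n")

# First two timestamps appear in the thread; the midnight one is constructed.
SAMPLE = "".join(_entry(ts) for ts in ("2024/03/28 15:53:01.084507",
                                       "2024/03/28 15:53:01.100113", "2024/03/29 00:00:00.120000"))
# Constructed unit start times; example-backup.service is a hypothetical unit.
UNIT_STARTS = {"unbound-anchor.service": [datetime(2024, 3, 28, 15, 53, 0), datetime(2024, 3, 29)],
               "example-backup.service": [datetime(2024, 3, 28, 3, 0, 0)]}
```

Calling attribute(SAMPLE, UNIT_STARTS) returns one tuple per burst; an empty suspect list means no listed unit started inside the window, so the sender has to be looked for elsewhere.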