Aw: Re: Re: DNS server not in sync with database?
abartlet at samba.org
Sun Mar 1 11:26:34 MST 2015
On Sun, 2015-03-01 at 12:30 +0100, support at remsnet.de wrote:
> > Sent: Saturday, 28 February 2015 at 21:13
> > From: "Andrew Bartlett" <abartlet at samba.org>
> > To: support at remsnet.de
> > Cc: "Amitay Isaacs" <amitay at gmail.com>, "Samba Technical" <samba-technical at lists.samba.org>
> > Subject: Re: Aw: Re: DNS server not in sync with database?
> > On Thu, 2015-02-26 at 07:34 +0100, support at remsnet.de wrote:
> > > Hello Amitay & Andrew and others
> > >
> > > This "feature" .. DB not in sync .. exists when the DC runs a while ... The same can be found on DLZ DB usage.
> > >
> > > I ask again for that :
> > >
> > > - dns IN NS , IN NS AUTO-generated in CN=MicrosoftDNS,CN=System,DC=samba,DC=example,DC=com - while deploying a DC or joining as a DC
> > Yes, we seem to be missing NS records from the dns_update_list. This
> > also impacts on changing a hostname with renamedc, because even with my
> > new samba_dnsupdate script to use samba-tool (bypassing the chicken and
> > egg issue), we do not fix up the NS record.
> Ugly bad BUG stuff.
> I am not a coder but:
> - a possible way to solve this is to fork a subprocess
> - use e.g. IPCs
> - control the update over that
> - close the forked subprocess when done.
> .. there are many ways on Linux to get a clean hold over an "atomic state" - the kernel & Linux offer a lot of things for process intercommunication.
We do handle this in a subprocess, and I have patches for master that
improve the situation such that we now correctly catch the error code
from the script.
> > > - DNS for our OWN DNS entries gets VALIDATED after a Join as DC (either as a re-join with the same SID)
> > We actually do that every time samba_dnsupdate runs. The issue is:
> > with the internal dns server nobody looks at the output (because of the
> > noise from nsupdate and our broken server-side crypto), and there is a
> > bug that in 'standard' process mode, we don't get the status result from
> > running the script.
> Such a bug is ugly, see above comment.
> > Ideally, samba_dnsupdate would never fail, and doing so would be a clear
> > sign of poor health in this area.
> > I agree it could potentially be run during the join, where failure would
> > be more likely to be noticed.
> The truth is: samba_dnsupdate sometimes fails due to being out of sync, and if so, the AD itself & AD Domain fall down.
> > > - DCs automatically added as IN NS for the zone
> Are you really, really sure?
Sorry, I contradicted myself. IN NS is missing, as I mention above.
> > This is fundamentally what samba_dnsupdate does each time it runs. You
> > can run it manually as well for that reason.
> I can clearly prove that samba_dnsupdate doesn't do this the right way all the time.
Can you show me the samba_dnsupdate --verbose output when it fails?
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
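As an added illustration of the two points raised in this thread (NS records for DCs missing from the zone, and the exit status of the update script being silently dropped), here is a small health check that is not Samba's own code. It assumes the zone's NS RRset is obtained in `dig +short NS` form (one hostname per line), that the expected DC list comes from the administrator, and that any helper script is run through `run_checked` so its non-zero status is actually seen; the NS output below is constructed sample data.

```python
import subprocess
import sys
from typing import Iterable

# Interpreter used to run helper commands (used by the self-test below).
PYTHON = sys.executable

# Constructed sample: what `dig +short NS samba.example.com.` might print
# for a zone where only dc1 ever got its NS record registered.
SAMPLE_NS_OUTPUT = "dc1.samba.example.com.\n"


def _fqdn(name: str) -> str:
    """Normalise a hostname: strip whitespace and trailing dot, lower-case."""
    return name.strip().rstrip(".").lower()


def parse_ns_output(text: str) -> set[str]:
    """Turn `dig +short NS` style output into a set of normalised FQDNs."""
    return {_fqdn(line) for line in text.splitlines() if line.strip()}


def missing_ns(expected_dcs: Iterable[str], ns_output: str) -> list[str]:
    """DCs that should serve the zone but are absent from its NS RRset.

    An empty list means every DC is listed as IN NS for the zone; anything
    else is the 'NS record never added' condition discussed in the thread.
    """
    present = parse_ns_output(ns_output)
    return sorted(_fqdn(dc) for dc in expected_dcs if _fqdn(dc) not in present)


def run_checked(cmd: list[str]) -> int:
    """Run a helper (e.g. ['samba_dnsupdate', '--verbose']) and return its
    exit status instead of discarding it, so a failing update is visible.

    Output is captured so the caller can log it on failure rather than
    letting it drown in the usual nsupdate noise.
    """
    result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        print(f"{cmd[0]} exited with status {result.returncode}", file=sys.stderr)
        print(result.stdout + result.stderr, file=sys.stderr)
    return result.returncode


if __name__ == "__main__":
    dcs = ["dc1.samba.example.com", "dc2.samba.example.com"]
    print("missing NS records:", missing_ns(dcs, SAMPLE_NS_OUTPUT))
```

Feed `missing_ns` the real `dig +short NS <zone>` output and your DC list to spot DCs the zone does not advertise as name servers.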