Aw: Re: Re: DNS server no in sync with database?

Andrew Bartlett abartlet at samba.org
Sun Mar 1 11:26:34 MST 2015


On Sun, 2015-03-01 at 12:30 +0100, support at remsnet.de wrote:
> 
> > Sent: Saturday, 28 February 2015 at 21:13
> > From: "Andrew Bartlett" <abartlet at samba.org>
> > To: support at remsnet.de
> > Cc: "Amitay Isaacs" <amitay at gmail.com>, "Samba Technical" <samba-technical at lists.samba.org>
> > Subject: Re: Aw: Re: DNS server no in sync with database?
> >
> > On Thu, 2015-02-26 at 07:34 +0100, support at remsnet.de wrote:
> > > Hello Amitay  & Andrew  and others
> > > 
> > > This "feature" .. DB not in sync .. exists when the DC runs a while ... The same can be found with DLZ DB usage.
> > > 
> > > I ask again for that:
> > > 
> > > - dns IN NS, IN NS AUTO-generated in CN=MicrosoftDNS,CN=System,DC=samba,DC=example,DC=com - while deploying a DC or joining as a DC
> > 
> > Yes, we seem to be missing NS records from the dns_update_list.  This
> > also impacts on changing a hostname with renamedc, because even with my
> > new samba_dnsupdate script to use samba-tool (bypassing the chicken and
> > egg issue), we do not fix up the NS record.
> 
> Ugly bad BUG stuff.
> 
> I am not a coder but:
>   - a possible way to solve this is to fork a subprocess
>    - use i.e. IPCS
>    - control the update over that
>    - close the forked subprocess when done.
> 
> .. there are many ways on Linux to get a clear hold over an "atomic state" - the kernel & Linux offer a lot of things for Process Intercommunication.

We do handle this in a subprocess, and I have patches for master that
improve the situation such that we now correctly catch the error code
from the script. 

> > 
> > > - dns for our OWN dns entries get VALIDATED after a join as DC (either as a re-join with the same SID)
> > 
> > We actually do that every time samba_dnsupdate runs.  The issue is:
> > with the internal dns server nobody looks at the output (because of the
> > noise from nsupdate and our broken server-side crypto), and there is a
> > bug that in 'standard' process mode, we don't get the status result from
> > running the script.  
> > 
> 
> Such a bug is ugly, see above comment.
> 
> > Ideally, samba_dnsupdate would never fail, and doing so would be a clear
> > sign of poor health in this area. 
> > 
> > I agree it could potentially be run during the join, where failure would
> > be more likely to be noticed. 
> 
> The truth is: samba_dnsupdate fails sometimes due to being out of sync, and if so, the AD itself & AD Domain fall down.
> 
> > 
> > > - DCs automatically added as IN NS for the zone 
> > 
> 
> Are you really really sure?

Sorry, I contradicted myself.  IN NS is missing, as I mention above. 

> > This is fundamentally what samba_dnsupdate does each time it runs.  You
> > can run it manually as well for that reason. 
> 
> I can clearly prove that samba_dnsupdate doesn't do this all the time the right way.

Can you show me the samba_dnsupdate --verbose output when it fails?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
