Possible / probable bug: "net ads dns register" does not remove stale IPv6 AAAA records

James Johnston johnstonj.public at codenest.com
Mon May 16 02:38:34 UTC 2016


Hi,

I'm experimenting with setting up winbind and so forth on a simple system
joined to an existing AD domain and I seem to have run into some rather broken
behavior with DNS updates.

As everyone knows, Active Directory is heavily dependent on DNS and it's good
to make sure that the DNS records for each system joined to the domain stay
up-to-date.  So I'm testing to make sure that DNS records get properly updated
when IP addresses change.  It seems this is broken for IPv6.

Here is how I test:

1.  Join SAMBA system to domain.  DNS records are successfully populated.
2.  In DNS Manager on the domain controller, modify an IP address to some bogus
    value, to simulate an IP address change on the joined client.
3.  Run "net ads dns register -P" on the SAMBA system.  Check DNS Manager and
    verify that the bogus DNS entry has been replaced with a correct one.

The above procedure works if I tweak an IPv4 address.  But if I tweak an IPv6
address:

1.  net ads dns register will still add the new address in a new AAAA record.
2.  But it fails to delete the bogus address.  So anybody resolving the name
    might get a bad IP address.

My configuration is simple; it is just a testing domain:

* Single domain controller & DNS server: Windows Server 2012 R2
* DHCP provided by dnsmasq on OpenWrt router. (dnsmasq also provides DNS but it
  is set up to delegate a subdomain to the AD DNS server.)
* Joined system: Ubuntu 16.04 and SAMBA 4.3.9-Ubuntu

I think the guilty code might be here:

https://github.com/samba-team/samba/blob/82801f9ec895deb9536a2b0a4e0ce4b3d5853220/lib/addns/dnsrecord.c#L433

	/*
	 * Delete any existing A records
	 */

	err = dns_create_delete_record(req, hostname, QTYPE_A, DNS_CLASS_ANY,
				       &rec);

But I don't see any similar code for cleaning AAAA records.  My guess is it's
as simple as adding another function call with QTYPE_AAAA but I'm not a SAMBA
programmer and this is my first time ever looking at SAMBA code...

I also just sent an e-mail regarding the proposed "net ads dns unregister"
command but now upon further examination of the above code and the proposed
patch, I suspect the "dns unregister" command would also fail to unregister IPv6
addresses until this is fixed. (But have not checked for myself.)

Best regards,

James Johnston
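
Added example (not part of the original message and not Samba code): a stand-alone sketch of the RFC 2136 "delete an RRset" records a dynamic update would need in order to clear both A and AAAA records for a host before adding the current addresses. The function names and the hostname host.example.test are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { T_A = 1, T_AAAA = 28, C_ANY = 255 }; /* RFC 1035 / RFC 3596 values */
/* Encode a dotted name as DNS labels; returns bytes written, 0 on error. */
static size_t put_name(uint8_t *out, size_t cap, const char *name)
{
    size_t n = 0;
    while (*name) {
        size_t len = strcspn(name, ".");
        if (len == 0 || len > 63 || n + len + 2 > cap) return 0;
        out[n++] = (uint8_t)len;
        memcpy(out + n, name, len);
        n += len;
        name += len;
        if (*name == '.') name++;
    }
    if (n + 1 > cap) return 0;
    out[n++] = 0; /* root label */
    return n;
}

/* RFC 2136 2.5.2 "delete an RRset": CLASS=ANY, TTL=0, RDLENGTH=0. */
static size_t put_delete_rrset(uint8_t *out, size_t cap, const char *name, uint16_t type)
{
    size_t n = put_name(out, cap, name);
    if (n == 0 || n + 10 > cap) return 0;
    out[n++] = (uint8_t)(type >> 8); out[n++] = (uint8_t)(type & 0xff);
    out[n++] = 0; out[n++] = C_ANY;
    memset(out + n, 0, 6); /* TTL (4 bytes) + RDLENGTH (2 bytes) */
    return n + 6;
}

/* Clear both address families so stale A and AAAA records are removed. */
size_t build_address_deletes(uint8_t *out, size_t cap, const char *name)
{
    size_t a = put_delete_rrset(out, cap, name, T_A);
    size_t b = a ? put_delete_rrset(out + a, cap - a, name, T_AAAA) : 0;
    return b ? a + b : 0;
}

int main(void)
{
    uint8_t buf[128];
    size_t n = build_address_deletes(buf, sizeof buf, "host.example.test"); /* constructed name */
    for (size_t i = 0; i < n; i++) printf("%02x%c", buf[i], (i + 1 == n) ? '\n' : ' ');
    return n ? 0 : 1;
}
```

The two records differ only in the TYPE field (1 versus 28); leaving out the second one leaves any old AAAA RRset on the server untouched.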