[Samba] dnsupdate_nameupdate_done - Failed DNS update

Jonathan Hunter jmhunter1 at gmail.com
Fri Sep 23 13:40:56 UTC 2016


All 3 of my DCs regularly display an error in syslog almost exactly every
10 minutes. They have been doing this for quite some time, and I have so
far ignored the message as everything else DNS-wise seemed to mostly be
working - but I figured it was worth getting to the bottom of it if I can.
So this isn't new at all but rather something that has been present for
some time.

I am using the internal Samba DNS server, currently with Samba 4.5.0. The
message is as follows, every 10 minutes (I have pasted in from all 3 DCs):

Sep 23 13:03:54 dc1 samba[13117]: [2016/09/23 13:03:54.867360,  0]
Sep 23 13:03:54 dc1 samba[13117]:   ../source4/dsdb/dns/dns_update.c:290:
Failed DNS update - with error code 5

Sep 23 13:00:11 dc2 samba[901]: [2016/09/23 13:00:11.584679,  0]
Sep 23 13:00:11 dc2 samba[901]:   ../source4/dsdb/dns/dns_update.c:290:
Failed DNS update - with error code 10

Sep 23 13:05:28 dc3 samba[897]: [2016/09/23 13:05:28.800364,  0]
Sep 23 13:05:28 dc3 samba[897]:   ../source4/dsdb/dns/dns_update.c:290:
Failed DNS update - with error code 1

The precise error codes vary (I have had 1, 6, 10, 110 recently) but I do
get some sort of message every 10 minutes, and the error code usually stays
the same on a particular DC. If it makes a difference, DC1 and DC2 are in
site A, and DC3 is at site B; there is full connectivity between them all
(or at least, there should be).

I've tried tcpdump and wireshark to figure out what's going on, but I can't
seem to spot any form of DNS request coming in that would be an update. The
most I can see via tcpdump at any time I've looked are some queries that
return NXDOMAIN - e.g. there are frequent ones from a VMware ESXi server
querying for _kerberos-master.udp.MYDOMAIN.ORG.UK as per
https://communities.vmware.com/thread/491621 and getting NXDOMAIN - but I
wouldn't have thought that these queries would constitute a "DNS update"
that would fail?

My debugging method so far has been to run tcpdump against port 53 - but
either I am somehow managing to not see the failing DNS packet when I look
at the results, or the DNS update arrives at the DC some other way. Looking
at the code in dns_update.c it looks like there may be some form of regular
DNS check, that is failing in my case?

Does anybody know
  - if I can turn debugging on for just this DNS functionality? I expect
the log file here to be massive as a DC is also a DNS server.. but
hopefully that will give me more of a clue as to what "update" is failing?
  - if there is some other way I might be able to capture / check this
  - what else I should maybe be looking for in my packet dumps or elsewhere?

Are the error codes regular UNIX values, in which case I believe
1 = EPERM (Operation not permitted)
6 = ENXIO (No such device or address)
10 = ECHILD (No child processes)
110 = ETIMEDOUT (Connection timed out)
This would explain what the errors mean; but I don't know why they are
occurring, and so regularly..

Thank you for any pointers! :)
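
Added example, not part of the original post: one way to tell ordinary queries (such as the NXDOMAIN lookups mentioned above) from dynamic updates in a port-53 capture is the header opcode, which is 5 for UPDATE (RFC 2136). The function names, the `example.org` names and the sample messages are constructed for illustration.

```python
import struct

# Header opcodes and rcodes from RFC 1035 / RFC 2136 (subset).
OPCODES = {0: "QUERY", 4: "NOTIFY", 5: "UPDATE"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH", 10: "NOTZONE"}

def read_name(msg, off):
    """Read the uncompressed name at offset off; return it dotted."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        if n & 0xC0:
            raise ValueError("unexpected compression pointer")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels)

def classify(msg):
    """Classify one DNS message (UDP payload; for TCP strip the 2-byte length)."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    ident, flags, count = struct.unpack("!3H", msg[:6])
    opcode = (flags >> 11) & 0xF
    rcode = flags & 0xF
    return {
        "id": ident,
        "response": bool(flags & 0x8000),
        "opcode": OPCODES.get(opcode, str(opcode)),
        "rcode": RCODES.get(rcode, str(rcode)),
        # First entry is the question (QUERY) or the zone (UPDATE).
        "name": read_name(msg, 12) if count else "",
        "is_update": opcode == 5,
    }

def build(ident, flags, name, rtype):
    """Build a constructed one-entry message for the samples below."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split("."))
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    return header + qname + b"\0" + struct.pack("!2H", rtype, 1)

# Constructed samples, not taken from the poster's capture.
SAMPLE_NXDOMAIN = build(0x1A2B, 0x8183, "_kerberos-master.udp.example.org", 33)
SAMPLE_UPDATE = build(0x3C4D, 0x2800, "example.org", 6)   # zone section: SOA
SAMPLE_REFUSED = build(0x3C4D, 0xA805, "example.org", 6)  # update response

if __name__ == "__main__":
    for m in (SAMPLE_NXDOMAIN, SAMPLE_UPDATE, SAMPLE_REFUSED):
        print(classify(m))
```
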


