[Samba] dnsupdate_nameupdate_done - Failed DNS update

Jonathan Hunter jmhunter1 at gmail.com
Fri Sep 23 16:21:53 UTC 2016

Thank you Denis and Rowland - I didn't realise this was the script, makes
sense now.

I've run it (on dc2) and it gets as far as:

need update: SRV _ldap._tcp.mysite._sites.ForestDnsZones.mydomain.org.uk
dc2.mydomain.org.uk 389
[lots of updates needed]
10 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc1.mydomain.org.uk as DC2$

and then it fails here:
update(nsupdate): SRV _ldap._tcp.mysite._
sites.ForestDnsZones.mydomain.org.uk dc2.mydomain.org.uk 389
Calling nsupdate for SRV _ldap._tcp.mysite._
sites.ForestDnsZones.mydomain.org.uk dc2.mydomain.org.uk 389 (add)
Failed nsupdate: SRV _ldap._tcp.mysite._sites.ForestDnsZones.mydomain.org.uk
dc2.mydomain.org.uk 389 : [Errno 2] No such file or directory

which I assume is due to a needed file not being in $PATH, or similar.

I'll have a poke about using strace and see if I can spot exactly what it's
trying to run, and where it might be..

Thanks, both - I'm much further forward now!



On 23 September 2016 at 16:43, Denis Cardon <
denis.cardon at tranquil-it-systems.fr> wrote:

> Hi Jonathan,
> All 3 of my DCs regularly display an error in syslog almost exactly every
>> 10 minutes. They have been doing this for quite some time, and I have so
>> far ignored the message as everything else DNS-wise seemed to mostly be
>> working - but I figured it was worth getting to the bottom of it if I can.
>> So this isn't new at all but rather something that has been present for
>> some time.
>> I am using the internal Samba DNS server, currently with Samba 4.5.0. The
>> message is as follows, every 10 minutes (I have pasted in from all 3 DCs
>> here):
>> Sep 23 13:03:54 dc1 samba[13117]: [2016/09/23 13:03:54.867360,  0]
>> ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
>> Sep 23 13:03:54 dc1 samba[13117]:   ../source4/dsdb/dns/dns_update.c:290:
>> Failed DNS update - with error code 5
> could you please try to run samba_dnsupdate --verbose from the command
> line on your three DC. When a DC starts, it will try to update its own DNS
> fields, but it your DNS zones is missing some stuff, it may not be able to
> do it.
> Cheers,
> Denis
>> Sep 23 13:00:11 dc2 samba[901]: [2016/09/23 13:00:11.584679,  0]
>> ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
>> Sep 23 13:00:11 dc2 samba[901]:   ../source4/dsdb/dns/dns_update.c:290:
>> Failed DNS update - with error code 10
>> Sep 23 13:05:28 dc3 samba[897]: [2016/09/23 13:05:28.800364,  0]
>> ../source4/dsdb/dns/dns_update.c:290(dnsupdate_nameupdate_done)
>> Sep 23 13:05:28 dc3 samba[897]:   ../source4/dsdb/dns/dns_update.c:290:
>> Failed DNS update - with error code 1
>> The precise error codes vary (I have had 1, 6, 10, 110 recently) but I do
>> get some sort of message every 10 minutes, and the error code usually
>> stays
>> the same on a particular DC. If it makes a difference, DC1 and DC2 are in
>> site A, and DC3 is at site B, there is full connectivity between them all
>> (or at least, there should be).
>> I've tried tcpdump and wireshark to figure out what's going on, but I
>> can't
>> seem to spot any form of DNS request coming in that would be an update.
>> The
>> most I can see via tcpdump at any time I've looked are some queries that
>> return NXDOMAIN - e.g. there are frequent ones from an VMWare ESXi server
>> querying for _kerberos-master.udp.MYDOMAIN.ORG.UK as per
>> https://communities.vmware.com/thread/491621 and getting NXDOMAIN - but I
>> wouldn't have thought that these queries would constitute a "DNS update"
>> that would fail?
>> My debugging method so far has been to run tcpdump against port 53 - but
>> either I am somehow managing to not see the failing DNS packet when I look
>> at the results, or the DNS update arrives at the DC some other way.
>> Looking
>> at the code in dns_update.c it looks like there may be some form of
>> regular
>> DNS check, that is failing in my case?
>> Does anybody know
>>   - if I can turn debugging on for just this DNS functionality? I expect
>> the log file here to be massive as a DC is also a DNS server.. but
>> hopefully that will give me more of a clue as to what "update" is failing?
>>   - if there is some other way I might be able to capture / check this
>> traffic?
>>   - what else I should maybe be looking for in my packet dumps or
>> elsewhere?
>> Are the error codes regular UNIX values, in which case I believe
>> 1 = EPERM (Operation not permitted)
>> 6 = ENXIO (No such device or address)
>> 10 = ECHILD (No child processes)
>> 110 = ETIMEDOUT (Connection timed out)
>> This would explain what the errors mean; but I don't know why they are
>> occurring, and so regularly..
>> Thank you for any pointers! :)
>> Jonathan
> --
> Denis Cardon
> Tranquil IT Systems
> Les Espaces Jules Verne, bâtiment A
> 12 avenue Jules Verne
> 44230 Saint SĂ©bastien sur Loire
> tel : +33 (0)
> http://www.tranquil-it-systems.fr

"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein

More information about the samba mailing list