[Samba] AD DC with log errors when sysvol replication is run

Rowland Penny rpenny at samba.org
Fri Apr 9 13:56:04 UTC 2021

On 09/04/2021 14:22, Peter Milesson via samba wrote:
> Hi folks,
> Continuing with AD DC problems. Every time sysvol replication is run on 
> the second DC, the following two error message pairs are written about 
> 22 times in the log on the primary DC:
> Apr 09 14:55:01 konadc samba[11890]: [2021/04/09 14:55:01.349626, 0] 
> ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
> Apr 09 14:55:01 konadc samba[11890]:   /usr/sbin/samba_dnsupdate: ; 
> TSIG error with server: tsig verify failure
> the whole sequence is terminated by the following error entries:
> Apr 09 14:55:02 konadc samba[11890]: [2021/04/09 14:55:02.015226, 0] 
> ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_
> Apr 09 14:55:02 konadc samba[11890]: 
> ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error 
> code 29
> Kerberos works, DNS replication definitely works and it seems that 
> sysvol replication also works.

Hmm, there is no sysvol replication, unless you are referring to one of 
the manual methods shown in the wiki. If so, which?

> There are no errors in the log on the secondary DC.

I think you mean second instead of 'secondary'. All DCs are equal 
except for the FSMO roles.

> I have spent quite some time searching for this error, explanation, 
> causes, and possible problems connected with the errors.
> The first DC is a self compiled Samba 4.9.1 under CentOS 7.9.2009, and 
> elrepo kernel 5.11.7-1, the second DC is an up to date Debian Buster 
> with the latest van Belle Samba packages (Samba 4.14.2).
> If anybody got any ideas about this, I would be grateful?

Replicating sysvol shouldn't cause the DNS to be updated, but there is 
code to check and update the DCs every 10 minutes, but it looks like it 
is failing. If the DCs are not using themselves as their nameserver in 
/etc/resolv.conf, then change it so they are. If this doesn't work, add 
'dns update command = /usr/sbin/samba_dnsupdate --use-samba-tool' to the 
DC's smb.conf.
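
The two settings named in the reply above can be checked on each DC with a short script. This is an added example, not part of the original message and not Samba's own code; the function names and the three arguments (resolv.conf path, smb.conf path, the DC's own IP address) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verifies the resolver and "dns update command" settings
# discussed in the reply. Function names and arguments are hypothetical.

# Print the first "nameserver" address from a resolv.conf-style file.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Print the value of "dns update command" from smb.conf, if present.
# Simplification: matches the usual lower-case spelling only; the last
# occurrence in the file is the one reported.
dns_update_command() {
    sed -n 's/^[[:space:]]*dns update command[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1
}

# check_dc RESOLV_CONF SMB_CONF DC_IP
# Returns 0 when the first nameserver is the DC itself, 1 otherwise.
check_dc() {
    resolv=$1; smbconf=$2; dc_ip=$3
    ns=$(first_nameserver "$resolv")
    cmd=$(dns_update_command "$smbconf")
    if [ -n "$cmd" ]; then
        echo "dns update command = $cmd"
    else
        echo "dns update command: not set in $smbconf"
    fi
    if [ "$ns" = "$dc_ip" ]; then
        echo "OK: first nameserver is this DC ($ns)"
        return 0
    fi
    echo "WARN: first nameserver is '$ns', expected $dc_ip"
    return 1
}

# Run the check when called as: script RESOLV_CONF SMB_CONF DC_IP
if [ $# -eq 3 ]; then
    check_dc "$@"
fi
```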

