[Samba] AD DC with log errors when sysvol replication is run

Peter Milesson miles at atmos.eu
Fri Apr 9 14:22:33 UTC 2021 


On 2021-04-09 15:56, Rowland penny via samba wrote:
> On 09/04/2021 14:22, Peter Milesson via samba wrote:
>> Hi folks,
>>
>> Continuing with AD DC problems. Everytime sysvol replication is run 
>> on the second DC, the following two error message pairs are written 
>> about 22 times in the log on the primary DC:
>>
>> Apr 09 14:55:01 konadc samba[11890]: [2021/04/09 14:55:01.349626, 0] 
>> ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>> Apr 09 14:55:01 konadc samba[11890]: /usr/sbin/samba_dnsupdate: ; 
>> TSIG error with server: tsig verify failure
>>
>> the whole sequence is terminated by the following error entries:
>>
>> Apr 09 14:55:02 konadc samba[11890]: [2021/04/09 14:55:02.015226, 0] 
>> ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_
>> Apr 09 14:55:02 konadc samba[11890]: 
>> ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error 
>> code 29
>>
>> Kerberos works, DNS replication definitely works and it seems that 
>> sysvol replication also works.
>
>
> Hmm, there is no sysvol replication, unless you are referring to one 
> of the manual methods shown in the wiki, if so which ?
>
>> There are no errors in the log on the secondary DC.
>
>
> I think you mean second instead of 'secondary', All DC's are equal 
> except for the FSMO roles.
>
>> I have spent quite some time searching for this error, explanation, 
>> causes, and possible problems connected with the errors.
>>
>> The first DC is a self compiled Samba 4.9.1 under CentOS 7.9.2009, 
>> and elrepo kernel 5.11.7-1, the second DC is an up to date Debian 
>> Buster with the latest van Belle Samba packages (Samba 4.14.2).
>>
>> If anybody got any ideas about this, I would be grateful?
>>
>
> Replicating sysvol shouldn't cause the dns to be updated, but there is 
> code to check and update the DC's every 10 minutes, but it looks like 
> it is failing. If the DC's are not using themselves as their 
> nameserver in /etc/resolv.conf, then change it so they are. If this 
> doesn't work, add 'dns update command = /usr/sbin/samba_dnsupdate 
> --use-samba-tool' to the DC's smb.conf
>
> Rowland
>
>
>
Hi Rowland,

Sysvol replication is one way, from the first DC to the second DC with 
rsync (rsyncd running on the first DC with the FSMO roles, and cron.d on 
the second DC). At least it works if I run it by hand.

Both DCs are using themselves as nameserver, there is nothing else here. 
Running samba-dnsupdate raises lots of python exceptions, but I guess 
it's for existing records, like so:

ERROR(runtime): uncaught exception - (9711, 
'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", 
line 177, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 
945, in run
     raise e

I'll post the samba-debug output for both DCs shortly.

Thanks for your input.

Best regards,

Peter

More information about the samba mailing list