[Samba] AD DC with log errors when sysvol replication is run

Rowland penny rpenny at samba.org
Fri Apr 9 14:34:34 UTC 2021


On 09/04/2021 15:22, Peter Milesson via samba wrote:
>
>
> On 2021-04-09 15:56, Rowland penny via samba wrote:
>> On 09/04/2021 14:22, Peter Milesson via samba wrote:
>>> Hi folks,
>>>
> >>> Continuing with AD DC problems. Every time sysvol replication is run 
>>> on the second DC, the following two error message pairs are written 
>>> about 22 times in the log on the primary DC:
>>>
>>> Apr 09 14:55:01 konadc samba[11890]: [2021/04/09 14:55:01.349626, 0] 
>>> ../lib/util/util_runcmd.c:327(samba_runcmd_io_handler)
>>> Apr 09 14:55:01 konadc samba[11890]: /usr/sbin/samba_dnsupdate: ; 
>>> TSIG error with server: tsig verify failure
>>>
>>> the whole sequence is terminated by the following error entries:
>>>
>>> Apr 09 14:55:02 konadc samba[11890]: [2021/04/09 14:55:02.015226, 0] 
>>> ../source4/dsdb/dns/dns_update.c:330(dnsupdate_nameupdate_
>>> Apr 09 14:55:02 konadc samba[11890]: 
>>> ../source4/dsdb/dns/dns_update.c:330: Failed DNS update - with error 
>>> code 29
>>>
>>> Kerberos works, DNS replication definitely works and it seems that 
>>> sysvol replication also works.
>>
>>
>> Hmm, there is no sysvol replication, unless you are referring to one 
>> of the manual methods shown in the wiki, if so which ?
>>
>>> There are no errors in the log on the secondary DC.
>>
>>
> >> I think you mean second instead of 'secondary'. All DCs are equal 
> >> except for the FSMO roles.
>>
>>> I have spent quite some time searching for this error, explanation, 
>>> causes, and possible problems connected with the errors.
>>>
>>> The first DC is a self compiled Samba 4.9.1 under CentOS 7.9.2009, 
>>> and elrepo kernel 5.11.7-1, the second DC is an up to date Debian 
>>> Buster with the latest van Belle Samba packages (Samba 4.14.2).
>>>
> >>> If anybody has any ideas about this, I would be grateful.
>>>
>>
>> Replicating sysvol shouldn't cause the dns to be updated, but there 
>> is code to check and update the DC's every 10 minutes, but it looks 
>> like it is failing. If the DC's are not using themselves as their 
>> nameserver in /etc/resolv.conf, then change it so they are. If this 
>> doesn't work, add 'dns update command = /usr/sbin/samba_dnsupdate 
>> --use-samba-tool' to the DC's smb.conf
>>
>> Rowland
>>
>>
>>
> Hi Rowland,
>
> Sysvol replication is one way, from the first DC to the second DC with 
> rsync (rsyncd running on the first DC with the FSMO roles, and cron.d 
> on the second DC). At least it works if I run it by hand.
>
> Both DCs are using themselves as nameserver, there is nothing else 
> here. Running samba-dnsupdate raises lots of python exceptions, but I 
> guess it's for existing records, like so:
>
> ERROR(runtime): uncaught exception - (9711, 
> 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", 
> line 177, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python2.7/site-packages/samba/netcmd/dns.py", line 
> 945, in run
>     raise e


That isn't actually an error, it is a bad way of telling you the record 
already exists, and it has been fixed in a later version than the one 
you are using.

Rowland
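
The two settings suggested earlier in the thread (each DC listed as its own nameserver in /etc/resolv.conf, and 'dns update command' using --use-samba-tool in smb.conf) can be checked with a small script. This is an added example, not part of the original thread or of Samba; the function names, the 192.0.2.10 address and the sample files are constructed, and the smb.conf parsing reads a single file without following includes.

```shell
#!/bin/sh
# Added example: checks the two settings suggested in the reply above.
# Paths and the DC address are arguments; sample files are constructed.

# Print the first nameserver listed in a resolv.conf-style file.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Succeed when the DC's own address is the first nameserver.
dc_uses_itself() {   # usage: dc_uses_itself <resolv.conf> <dc-ip>
    [ "$(first_nameserver "$1")" = "$2" ]
}

# Print the last 'dns update command' value in an smb.conf-style file.
# Parameter names are matched ignoring case and spaces; comment lines
# are skipped because their key starts with '#' or ';'.
dns_update_command() {
    awk -F= '{ k = tolower($1); gsub(/[ \t]/, "", k) }
        k == "dnsupdatecommand" { sub(/^[^=]*=[ \t]*/, ""); v = $0 }
        END { if (v != "") print v }' "$1"
}

# Succeed when samba_dnsupdate is configured with --use-samba-tool.
uses_samba_tool() {
    case "$(dns_update_command "$1")" in
        *samba_dnsupdate*--use-samba-tool*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo on constructed files (192.0.2.10 stands in for the DC's address).
demo() {
    d=$(mktemp -d)
    printf 'search example.lan\nnameserver 192.0.2.10\n' > "$d/resolv.conf"
    printf '[global]\n\tnetbios name = DC1\n' > "$d/smb.conf"
    if dc_uses_itself "$d/resolv.conf" 192.0.2.10; then
        echo "resolv.conf: DC is its own first nameserver"
    fi
    if ! uses_samba_tool "$d/smb.conf"; then
        echo "smb.conf: dns update command does not use --use-samba-tool"
    fi
    rm -rf "$d"
}
demo
```

On a real DC the functions would be pointed at /etc/resolv.conf and the DC's smb.conf, with the DC's own address as the second argument to dc_uses_itself.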




