[Samba] Strange Bind freezing

Thu Dec 2 08:43:52 UTC 2021

On Thu, 2021-12-02 at 06:32 +0100, Nikita Druba via samba wrote:
> Hi!
> 
> I wrote here 2 weeks ago with a problem with DCs SPN record for LDAP.
> We 
> found strange value for userAccountControl for my DC. And this
> problem 
> solved by migrating to new DC by adding new DC, moving fsmo roles
> and 
> demoting old. Unfortunately online method not worked, I did it with 
> stopped old DC.

How did you manage to join a new DC to a presumably stopped domain ?

> 
> After this actions some services working more fast and good. But I
> have 
> one very strange problem. I will describe my configuration before
> the 
> problem.
> 
> At all servers OS FreeBSD 12.2 and filesystem - zfs.

Well that is a configuration that is known to be problematical, Freebsd
and ZFS.

>  Samba 4.13.14 runs 
> in a jail with Bind 9.16.23 like backend.

Don't think running a Samba AD DC in a jail is going to work.

>  Also I have Bind 9.16.23 on 
> another server, its working like secondary dns.

Does your 'secondary' bind9 server forward the AD dns domain requests
to a Samba AD DC ?

>  Secondary Bind gets 
> zones from DC by transferring with a tsig-key. Also, I have several 
> subnetworks(loopback and 3 other), whom DC listen.
> 
> I have strange behaviour of Bind at new DC.
> 
> When I set in resolv.conf of new DC other dns server, for example -
> old 
> DC or secondary Bind, all works fine. New DC successfully resolve
> any 
> records by nslookup or host commands from himself or other host.
> 
> When I set in resolv.conf of new DC localhost or himself internal
> ip, 
> Bind periodically freezing by the next regularity:
> 
> - Bind stops to reply for the requests for a ~5 minutes. After start 
> working without service restart and freeze again.
> 
> - At the daytime(when employees in a office), in freezes after less
> 1 
> minute work, at the night - after 10-15 minutes.
> 
> - If I change resolv.conf from secondary Bind to internal IP, then
> not 
> need to restart Bind or Samba to start or stop periodically
> freezing. 
> Just change nameserver record and wait. If it was freezed, when 
> resolv.conf changing, then it will be in freeze state ~5 minutes
> after 
> start freezing and after will work fine.
> 
> - If I change resolv.conf from secondary Bind to loopback, then NEED
> to 
> restart Bind to start or stop freezing.
> 
> - When Bind freeze - it don't stopped service by a command and don't 
> killed by default, only kill -9 work.
> 
> - Internal Samba DNS work fine and don't freeze, when resolv.conf
> look 
> to localhost.
> 
> - Sometime Bind freeze not for all subnetworks. It can freeze for 
> localhost and 2 subnetworks. In one last subnetwork DC Bind can 
> successfully resolve any records from any subnetworks. But this 
> situation I saw only one time and can't repeat it for now.
> 
> - No special Bind log records with "debug 50", in time or before of 
> freezing. Its freezing after any messages. And all this messages I
> see 
> in log, when Bind works without freezing.
> 
> - I tried to run bind with logging to terminal, but don't saw no 
> additional information, when freeze. Terminal logs the same, like in
> log 
> files.
> 
> - rndc freeze also.

You shouldn't be using rndc.

Lets be honest here, you seem to be doing everything that I wouldn't
recommend:
I wouldn't recommend using Freebsd in production
I wouldn't recommend using ZFS in production
I wouldn't recommend using a separate Bind9 server, unless it forwards
all AD dns to an AD DC.

Rowland