[Samba] Strange DNS issue...
Rowland Penny
rpenny at samba.org
Wed Jun 9 14:58:04 UTC 2021
On 09/06/2021 15:18, Marco Gaiarin via samba wrote:
> Samba 4.9.18+dfsg-0.1stretch1, Louis package, I know I need to upgrade.
> A domain, 6 DC.
>
> I still have a separate DNS/DHCP setup, so clients get DHCP and DNS
> addresses from other servers, in a different domain.
> Clearly, they also have a (forward) domain DNS name.
>
> Suddenly, for some days, I've had some strange DNS issues. An example:
>
> Machine 'wilkie' boots and gets addresses from the primary DNS/DHCP setup:
>
> Jun 9 08:31:10 vdmsv1 dhcpd[23742]: DHCPOFFER on 10.5.2.220 to 34:64:a9:1c:1e:4a (WILKIE) via eth0
> Jun 9 08:31:10 vdmsv1 named[10040]: client 127.0.0.1#31176/key sanvito: updating zone 'dyn.sv.lnf.it/IN': adding an RR at 'WILKIE.dyn.sv.lnf.it' A 10.5.2.220
> Jun 9 08:31:10 vdmsv1 named[10040]: client 127.0.0.1#31176/key sanvito: updating zone 'dyn.sv.lnf.it/IN': adding an RR at 'WILKIE.dyn.sv.lnf.it' TXT "318a9edb2b4f1eac9e8b7e1d6e41f75b84"
> Jun 9 08:31:10 vdmsv1 dhcpd[23742]: DHCPREQUEST for 10.5.2.220 (10.5.1.3) from 34:64:a9:1c:1e:4a (WILKIE) via eth0
> Jun 9 08:31:10 vdmsv1 dhcpd[23742]: DHCPACK on 10.5.2.220 to 34:64:a9:1c:1e:4a (WILKIE) via eth0
> Jun 9 08:31:10 vdmsv1 dhcpd[23742]: Added new forward map from WILKIE.dyn.sv.lnf.it to 10.5.2.220
> Jun 9 08:31:10 vdmsv1 named[10040]: client 127.0.0.1#31176/key sanvito: updating zone '2.5.10.in-addr.arpa/IN': adding an RR at '220.2.5.10.in-addr.arpa' PTR WILKIE.dyn.sv.lnf.it.
> Jun 9 08:31:11 vdmsv1 dhcpd[23742]: Added reverse map from 220.2.5.10.in-addr.arpa. to WILKIE.dyn.sv.lnf.it
> Jun 9 08:36:11 vdmsv1 dhcpd[23742]: DHCPREQUEST for 10.5.2.220 from 34:64:a9:1c:1e:4a (WILKIE) via eth0
> Jun 9 08:36:11 vdmsv1 dhcpd[23742]: DHCPACK on 10.5.2.220 to 34:64:a9:1c:1e:4a (WILKIE) via eth0
> [...]
>
> At the same time, the client registers itself in the domain DNS, on site 'SV',
> indeed with the correct IP:
>
> Jun 9 08:31:13 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A key=1688-ms-7.1-4114.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:13 vdcsv1 named[664]: client 10.5.2.220#52285/key WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting an RR at WILKIE.ad.fvg.lnf.it A
> Jun 9 08:31:13 vdcsv1 named[664]: samba_dlz: subtracted rdataset WILKIE.ad.fvg.lnf.it 'WILKIE.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.103'
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=AAAA key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#50264/key WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'WILKIE.ad.fvg.lnf.it' AAAA
> Jun 9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#50264/key WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'WILKIE.ad.fvg.lnf.it' A
> Jun 9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#50264/key WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'WILKIE.ad.fvg.lnf.it' A 10.5.2.220
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: added rdataset WILKIE.ad.fvg.lnf.it 'WILKIE.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.220'
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=AAAA key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#53932/key WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'WILKIE.ad.fvg.lnf.it' AAAA
> Jun 9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#53932/key WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'WILKIE.ad.fvg.lnf.it' A
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: subtracted rdataset WILKIE.ad.fvg.lnf.it 'WILKIE.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.220'
> Jun 9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#53932/key WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'WILKIE.ad.fvg.lnf.it' A 10.5.2.220
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: added rdataset WILKIE.ad.fvg.lnf.it 'WILKIE.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.220'
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=AAAA key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: allowing update of signer=WILKIE\$\@AD.FVG.LNF.IT name=WILKIE.ad.fvg.lnf.it tcpaddr= type=A key=1688-ms-7.2-42f8.28c7707f-c8ec-11eb-64ab-3464a91c1e4a/160/0
> Jun 9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#63100/key WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'WILKIE.ad.fvg.lnf.it' AAAA
> Jun 9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#63100/key WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': deleting rrset at 'WILKIE.ad.fvg.lnf.it' A
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: subtracted rdataset WILKIE.ad.fvg.lnf.it 'WILKIE.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.220'
> Jun 9 08:31:14 vdcsv1 named[664]: client 10.5.2.220#63100/key WILKIE\$\@AD.FVG.LNF.IT: updating zone 'ad.fvg.lnf.it/NONE': adding an RR at 'WILKIE.ad.fvg.lnf.it' A 10.5.2.220
> Jun 9 08:31:14 vdcsv1 named[664]: samba_dlz: added rdataset WILKIE.ad.fvg.lnf.it 'WILKIE.ad.fvg.lnf.it.#0111200#011IN#011A#01110.5.2.220'
>
>
> If I now query DNS in their site, I get the correct result:
>
> gaio at hermione:~$ dig a wilkie.ad.fvg.lnf.it @vdcsv1.ad.fvg.lnf.it | grep ^wilkie
> wilkie.ad.fvg.lnf.it. 1200 IN A 10.5.2.220
> gaio at hermione:~$ dig a wilkie.ad.fvg.lnf.it @vdcsv2.ad.fvg.lnf.it | grep ^wilkie
> wilkie.ad.fvg.lnf.it. 1200 IN A 10.5.2.220
>
> but if I query DNS for other site DCs, I get incorrect results:
>
> gaio at hermione:~$ dig a wilkie.ad.fvg.lnf.it @vdcpp1.ad.fvg.lnf.it | grep ^wilkie
> wilkie.ad.fvg.lnf.it. 1200 IN A 10.5.2.57
> gaio at hermione:~$ dig a wilkie.ad.fvg.lnf.it @vdcpp2.ad.fvg.lnf.it | grep ^wilkie
> wilkie.ad.fvg.lnf.it. 1200 IN A 10.5.2.171
> gaio at hermione:~$ dig a wilkie.ad.fvg.lnf.it @vdc3t1.ad.fvg.lnf.it | grep ^wilkie
> wilkie.ad.fvg.lnf.it. 1200 IN A 10.5.2.57
> gaio at hermione:~$ dig a wilkie.ad.fvg.lnf.it @vdctms1.ad.fvg.lnf.it | grep ^wilkie
> wilkie.ad.fvg.lnf.it. 1200 IN A 10.5.2.57
>
>
> Note that basic things like 'samba-tool drs showrepl' and
> 'samba-tool ldapcmp ldap://vdcsv1 ldap://vdcpp2 -U Administrator' show
> no replication differences or errors.
>
>
> What happens?! Thanks.
>
Why do you think I went to all the trouble to write this:
https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9
You need to use the DNS from your DCs, though you can get your main
DNS servers to forward requests for the AD domain to the AD DCs.
Putting it simply, your AD DNS is broken.
Rowland
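
The per-DC comparison done by hand with dig in the quoted message, as an added example that is not part of either post: it groups the DCs by the A record they return and exits non-zero when they disagree. The function names are hypothetical; the DC names and addresses in the sample are the ones from the dig output quoted above.

```bash
#!/usr/bin/env bash
# Added example: compare the A record every DC returns for one name.
# Function names are hypothetical; DC names and addresses come from the thread.

# query_dcs NAME DC...: print one "dc ip" line per address a DC returns,
# or "dc NOANSWER" when a DC returns no A record at all.
query_dcs() {
    local name=$1 dc answers
    shift
    for dc in "$@"; do
        answers=$(dig +short +time=2 +tries=1 a "$name" "@$dc" |
                  grep -E '^[0-9]+(\.[0-9]+){3}$' || true)
        if [ -z "$answers" ]; then
            echo "$dc NOANSWER"
        else
            printf '%s\n' "$answers" | sed "s/^/$dc /"
        fi
    done
}

# summarize: read "dc ip" lines on stdin, print "ip dc1,dc2,..." per distinct
# answer, and return 1 when the DCs do not all give the same answer.
summarize() {
    LC_ALL=C sort -k2,2 -k1,1 | awk '
        $2 != prev { if (NR > 1) print prev, list
                     prev = $2; list = $1; n++; next }
        { list = list "," $1 }
        END { if (NR) print prev, list; exit (n > 1) }'
}

# Sample input transcribed from the dig output quoted in the thread.
sample_answers() {
    cat <<'EOF'
vdcsv1 10.5.2.220
vdcsv2 10.5.2.220
vdcpp1 10.5.2.57
vdcpp2 10.5.2.171
vdc3t1 10.5.2.57
vdctms1 10.5.2.57
EOF
}

# Live use: query_dcs wilkie.ad.fvg.lnf.it vdcsv1 vdcsv2 vdcpp1 ... | summarize
sample_answers | summarize || echo "DCs disagree on this record"
```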