[Samba] DNS Update Failing

Rob Campbell robcampbell08105 at gmail.com
Sun Oct 31 19:13:33 UTC 2021


My /etc/resolv.conf was overwritten.  What service does this on Debian?
I've disabled systemd-resolved already.

Getting a different error now.
samba_dnsupdate --verbose --all-names
*29 DNS updates* and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/DC01.home.test-server.lan as DC01$
update(nsupdate): A DC01.home.test-server.lan 10.0.0.19
Calling nsupdate for A DC01.home.test-server.lan 10.0.0.19 (add)
Successfully obtained Kerberos ticket to DNS/DC01.home.test-server.lan as DC01$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
DC01.home.test-server.lan. 900 IN A 10.0.0.19

; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG)
Failed nsupdate: 2
update(nsupdate): CNAME f79b5e15-ea2b-4afd-a8ca-bb16e2531521._msdcs.home.test-server.lan DC01.home.test-server.lan
...

*Failed update of 29 entries*
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In all things, Be Intentional.


On Sun, Oct 31, 2021 at 2:46 PM Rob Campbell <robcampbell08105 at gmail.com>
wrote:

> My domain members (DM01, DM02, FSDM01) can nslookup the DC (DC01) but the
> DC can't nslookup the members.
>
> https://wiki.samba.org/index.php/Troubleshooting_Samba_Domain_Members#DNS_Update_failed:_ERROR_DNS_UPDATE_FAILED
> Sends me to
> https://wiki.samba.org/index.php/Testing_Dynamic_DNS_Updates
> Which sends me to
> https://wiki.samba.org/index.php/Samba_Internal_DNS_Back_End#Troubleshooting
>
> netstat -tulpn | grep ":53"
> tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      14311/samba: task[d
> tcp6       0      0 :::53                   :::*                    LISTEN      14311/samba: task[d
> udp        0      0 0.0.0.0:53              0.0.0.0:*                           14311/samba: task[d
> udp6       0      0 :::53                   :::*                                14311/samba: task[d
>
> [root@DC01/var/log/samba$] cat log.samba:
> [2021/10/31 14:11:04.615525,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate: Traceback (most recent call last):
> [2021/10/31 14:11:04.615757,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 298, in check_dns_name
> [2021/10/31 14:11:04.615834,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate:     ans = check_one_dns_name(normalised_name, d.type, d)
> [2021/10/31 14:11:04.615858,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 275, in check_one_dns_name
> [2021/10/31 14:11:04.615895,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate:     return resolver.resolve(name, name_type)
> [2021/10/31 14:11:04.615916,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate:   File "/usr/lib/python3/dist-packages/dns/resolver.py", line 1040, in resolve
> [2021/10/31 14:11:04.616069,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate:     (nameserver, port, tcp, backoff) = resolution.next_nameserver()
> [2021/10/31 14:11:04.616102,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate:   File "/usr/lib/python3/dist-packages/dns/resolver.py", line 598, in next_nameserver
> [2021/10/31 14:11:04.616249,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate:     raise NoNameservers(request=self.request, errors=self.errors)
> [2021/10/31 14:11:04.616326,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate: dns.resolver.NoNameservers: All nameservers failed to answer the query DC01.home.test-server.lan. IN A: Server 10.0.0.1 UDP port 53 answered SERVFAIL
> [2021/10/31 14:11:04.616406,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate:
> [2021/10/31 14:11:04.616503,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate: During handling of the above exception, another exception occurred:
> [2021/10/31 14:11:04.616526,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate:
> [2021/10/31 14:11:04.616561,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate: Traceback (most recent call last):
> [2021/10/31 14:11:04.616603,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 848, in <module>
> [2021/10/31 14:11:04.616680,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate:     elif not check_dns_name(d):
> [2021/10/31 14:11:04.616726,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate:   File "/usr/sbin/samba_dnsupdate", line 302, in check_dns_name
> [2021/10/31 14:11:04.616771,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate:     raise Exception("Unable to contact a working DNS server while looking for %s as %s" % (d, normalised_name))
> [2021/10/31 14:11:04.616832,  0] ../../lib/util/util_runcmd.c:352(samba_runcmd_io_handler)
>   /usr/sbin/samba_dnsupdate: Exception: Unable to contact a working DNS server while looking for A DC01.home.test-server.lan 10.0.0.19 as DC01.home.test-server.lan.
> [2021/10/31 14:11:04.656491,  0] ../../source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
>   dnsupdate_nameupdate_done: Failed DNS update with exit code 1
>
> [root@DC01/var/log/samba$] samba_dnsupdate --verbose --all-names
> IPs: ['10.0.0.19']
> force update: A DC01.home.test-server.lan 10.0.0.19
> force update: CNAME f79b5e15-ea2b-4afd-a8ca-bb16e2531521._msdcs.home.test-server.lan DC01.home.test-server.lan
> force update: NS home.test-server.lan DC01.home.test-server.lan
> force update: NS _msdcs.home.test-server.lan DC01.home.test-server.lan
> force update: A home.test-server.lan 10.0.0.19
> force update: SRV _ldap._tcp.home.test-server.lan DC01.home.test-server.lan 389
> force update: SRV _ldap._tcp.dc._msdcs.home.test-server.lan DC01.home.test-server.lan 389
> force update: SRV _ldap._tcp.3cc42946-b7ec-46c9-9760-1d885e427ca9.domains._msdcs.home.test-server.lan DC01.home.test-server.lan 389
> force update: SRV _kerberos._tcp.home.test-server.lan DC01.home.test-server.lan 88
> force update: SRV _kerberos._udp.home.test-server.lan DC01.home.test-server.lan 88
> force update: SRV _kerberos._tcp.dc._msdcs.home.test-server.lan DC01.home.test-server.lan 88
> force update: SRV _kpasswd._tcp.home.test-server.lan DC01.home.test-server.lan 464
> force update: SRV _kpasswd._udp.home.test-server.lan DC01.home.test-server.lan 464
> force update: SRV _ldap._tcp.Default-First-Site-Name._sites.home.test-server.lan DC01.home.test-server.lan 389
> force update: SRV _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.home.test-server.lan DC01.home.test-server.lan 389
> force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.home.test-server.lan DC01.home.test-server.lan 88
> force update: SRV _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.home.test-server.lan DC01.home.test-server.lan 88
> force update: SRV _ldap._tcp.pdc._msdcs.home.test-server.lan DC01.home.test-server.lan 389
> force update: A gc._msdcs.home.test-server.lan 10.0.0.19
> force update: SRV _gc._tcp.home.test-server.lan DC01.home.test-server.lan 3268
> force update: SRV _ldap._tcp.gc._msdcs.home.test-server.lan DC01.home.test-server.lan 3268
> force update: SRV _gc._tcp.Default-First-Site-Name._sites.home.test-server.lan DC01.home.test-server.lan 3268
> force update: SRV _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.home.test-server.lan DC01.home.test-server.lan 3268
> force update: A DomainDnsZones.home.test-server.lan 10.0.0.19
> force update: SRV _ldap._tcp.DomainDnsZones.home.test-server.lan DC01.home.test-server.lan 389
> force update: SRV _ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.home.test-server.lan DC01.home.test-server.lan 389
> force update: A ForestDnsZones.home.test-server.lan 10.0.0.19
> force update: SRV _ldap._tcp.ForestDnsZones.home.test-server.lan DC01.home.test-server.lan 389
> force update: SRV _ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.home.test-server.lan DC01.home.test-server.lan 389
> 29 DNS updates and 0 DNS deletes needed
> Failed to get Kerberos credentials, falling back to samba-tool: kinit for DC01$@HOME.TEST-SERVER.LAN failed (Cannot contact any KDC for requested realm)
>
> [root@DC01/var/log/samba$] klist -e -t -k
> Keytab name: FILE:/etc/krb5.keytab
> klist: Key table file '/etc/krb5.keytab' not found while starting keytab scan
>
> [root@DC01/var/log/samba$] klist -t -k /var/lib/samba/private/secrets.keytab
> Keytab name: FILE:/var/lib/samba/private/secrets.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    1 10/27/2021 14:17:28 HOST/dc01@HOME.TEST-SERVER.LAN
>    1 10/27/2021 14:17:28 HOST/dc01.home.test-server.lan@HOME.TEST-SERVER.LAN
>    1 10/27/2021 14:17:28 DC01$@HOME.TEST-SERVER.LAN
>    1 10/27/2021 14:17:28 HOST/dc01@HOME.TEST-SERVER.LAN
>    1 10/27/2021 14:17:28 HOST/dc01.home.test-server.lan@HOME.TEST-SERVER.LAN
>    1 10/27/2021 14:17:28 DC01$@HOME.TEST-SERVER.LAN
>    1 10/27/2021 14:17:28 HOST/dc01@HOME.TEST-SERVER.LAN
>    1 10/27/2021 14:17:28 HOST/dc01.home.test-server.lan@HOME.TEST-SERVER.LAN
>    1 10/27/2021 14:17:28 DC01$@HOME.TEST-SERVER.LAN
>
> Copied file
> [root@DC01/var/log/samba$] cp /var/lib/samba/private/secrets.keytab /etc/krb5.keytab
>
> [root@DC01/var/log/samba$] klist -e -t -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp           Principal
> ---- ------------------- ------------------------------------------------------
>    1 10/27/2021 14:17:28 HOST/dc01@HOME.TEST-SERVER.LAN (aes256-cts-hmac-sha1-96)
>    1 10/27/2021 14:17:28 HOST/dc01.home.test-server.lan@HOME.TEST-SERVER.LAN (aes256-cts-hmac-sha1-96)
>    1 10/27/2021 14:17:28 DC01$@HOME.TEST-SERVER.LAN (aes256-cts-hmac-sha1-96)
>    1 10/27/2021 14:17:28 HOST/dc01@HOME.TEST-SERVER.LAN (aes128-cts-hmac-sha1-96)
>    1 10/27/2021 14:17:28 HOST/dc01.home.test-server.lan@HOME.TEST-SERVER.LAN (aes128-cts-hmac-sha1-96)
>    1 10/27/2021 14:17:28 DC01$@HOME.TEST-SERVER.LAN (aes128-cts-hmac-sha1-96)
>    1 10/27/2021 14:17:28 HOST/dc01@HOME.TEST-SERVER.LAN (DEPRECATED:arcfour-hmac)
>    1 10/27/2021 14:17:28 HOST/dc01.home.test-server.lan@HOME.TEST-SERVER.LAN (DEPRECATED:arcfour-hmac)
>    1 10/27/2021 14:17:28 DC01$@HOME.TEST-SERVER.LAN (DEPRECATED:arcfour-hmac)
>
> That didn't really help anything.  At least it didn't help these issues
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> In all things, Be Intentional.
>

