[Samba] Strange Bind freezing

Kunihiro Yasukochi kys at tbf.t-com.ne.jp
Wed Feb 16 11:34:55 UTC 2022


Hi,

I also have this kind of strange problem with Samba and bind9 on FreeBSD.

My environment is:
  FreeBSD: 13.0-RELEASE-p7
  net/samba413: Samba 4.13.14 from pkg
  dns/bind916: bind 9.16.24 from ports with GSSAPI_HEIMDAL
  dns/bind-tools: bind 9.16.24 from ports with GSSAPI_HEIMDAL
  security/heimdal: heimdal 7.7.0_1 from pkg

  Debian 11.2 Bullseye
  Samba 4.13.17
  bind 9.16.22


While adding a new DC, named would exit with signal 6 (SIGABRT), and then named
would exit periodically, every time the "DNS update check" runs, I think every 10 minutes.

And yes, like Nikita,
running "samba_dnsupdate --all-names --use-nsupdate" from the console also makes named exit.

So I've also set

  dns update command = /usr/local/sbin/samba_dnsupdate --use-samba-tool

instead of

  nsupdate command = /usr/local/bin/nsupdate -g

to use samba-tool for checking and updating DNS (which Samba calls periodically).


What is stranger to me is that
if I first run "samba_dnsupdate --all-names --use-nsupdate" on another DC
hosted on Debian 11 with samba413 from apt.van-belle.nl,
the named exits and samba_dnsupdate failures described above are gone.

Of course, the automatically called "DNS update check" using nsupdate then completes successfully,
and basically the samba_dnsupdate failure is solved after this.


However, there is another related strange thing:
if the AD has Windows DCs (2k8 or 2k12), they update some of their DNS records regularly via DDNS;
after that DDNS, "samba_dnsupdate --use-nsupdate" fails on FreeBSD again.
And after running samba_dnsupdate on Debian again, that failure is gone again.


The failure point of samba_dnsupdate on FreeBSD (vm-dc01), from logs and output, is:


Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_ldap._tcp.ad.example.com. 900 IN  SRV     0 100 389 vm-dc01.ad.example.com.

; Communication with 192.168.16.226#53 failed: unexpected error
Failed nsupdate: 2
update(nsupdate): SRV _ldap._tcp.dc._msdcs.ad.example.com vm-dc01.ad.example.com 389
Calling nsupdate for SRV _ldap._tcp.dc._msdcs.ad.example.com vm-dc01.ad.example.com 389 (add)



Strictly speaking, after named exits on FreeBSD, samba_dnsupdate on FreeBSD would try
to connect to Debian (vm-dc02) to update, and would finish that update slowly, if not interrupted,
because on FreeBSD, /etc/resolv.conf has the IP address of Debian as a nameserver.

Then, after restarting named on FreeBSD and running samba_dnsupdate again, there is no failure this time.
I think this "no interrupt" case shows the same result as running on Debian.


The differences between before and after the Windows DC DDNS are:


(before Win DC DDNS: no problem samba_dnsupdate)
# samba-tool dns query vm-dc02 _msdcs.ad.example.com @ ALL -k yes
  Name=, Records=4, Children=0
    SOA: serial=276, refresh=900, retry=600, expire=86400, minttl=3600, ns=vm-dc02.ad.example.com., email=hostmaster.ad.example.com. (flags=600000f0, serial=275, ttl=3600)
    NS: vm-dc01.ad.example.com. (flags=600000f0, serial=275, ttl=900)
    NS: vm-dc02.ad.example.com. (flags=600000f0, serial=275, ttl=900)
    NS: vm-dc03.ad.example.com. (flags=600000f0, serial=275, ttl=3600)
  Name=417b68a5-fcc0-4d44-9963-030a9b8a5cb0, Records=1, Children=0
    CNAME: VM-DC02.ad.example.com. (flags=f0, serial=26, ttl=900)
  Name=9ece58eb-5ab9-4de4-818d-f074241628d8, Records=1, Children=0
    CNAME: vm-dc03.ad.example.com. (flags=f0, serial=474, ttl=600)
  Name=dc, Records=0, Children=2
  Name=domains, Records=0, Children=1
  Name=e9a16ae0-b95c-4ab7-bd51-f46e64b3adea, Records=1, Children=0
    CNAME: vm-dc01.ad.example.com. (flags=f0, serial=110, ttl=900)
  Name=gc, Records=0, Children=2
  Name=pdc, Records=0, Children=1

# samba-tool dns query vm-dc02 _msdcs.ad.example.com _tcp.dc ALL -k yes
  Name=, Records=0, Children=0
  Name=_ldap, Records=3, Children=0
    SRV: vm-dc02.ad.example.com. (389, 0, 100) (flags=f0, serial=268, ttl=900)
    SRV: vm-dc03.ad.example.com. (389, 0, 100) (flags=f0, serial=268, ttl=900)
    SRV: vm-dc01.ad.example.com. (389, 0, 100) (flags=f0, serial=268, ttl=900)
  Name=_kerberos, Records=3, Children=0
    SRV: vm-dc02.ad.example.com. (88, 0, 100) (flags=f0, serial=270, ttl=900)
    SRV: vm-dc03.ad.example.com. (88, 0, 100) (flags=f0, serial=270, ttl=900)
    SRV: vm-dc01.ad.example.com. (88, 0, 100) (flags=f0, serial=270, ttl=900)


(after Win DC DDNS: problem samba_dnsupdate)
# samba-tool dns query vm-dc02 _msdcs.ad.example.com @ ALL -k yes
  Name=, Records=4, Children=0
    SOA: serial=276, refresh=900, retry=600, expire=86400, minttl=3600, ns=vm-dc02.ad.example.com., email=hostmaster.ad.example.com. (flags=600000f0, serial=275, ttl=3600)
    NS: vm-dc01.ad.example.com. (flags=600000f0, serial=275, ttl=900)
    NS: vm-dc02.ad.example.com. (flags=600000f0, serial=275, ttl=900)
    NS: vm-dc03.ad.example.com. (flags=600000f0, serial=275, ttl=3600)
  Name=417b68a5-fcc0-4d44-9963-030a9b8a5cb0, Records=1, Children=0
    CNAME: VM-DC02.ad.example.com. (flags=f0, serial=26, ttl=900)
  Name=9ece58eb-5ab9-4de4-818d-f074241628d8, Records=1, Children=0
    CNAME: vm-dc03.ad.example.com. (flags=f0, serial=491, ttl=600)
  Name=dc, Records=0, Children=2
  Name=domains, Records=0, Children=1
  Name=e9a16ae0-b95c-4ab7-bd51-f46e64b3adea, Records=1, Children=0
    CNAME: vm-dc01.ad.example.com. (flags=f0, serial=110, ttl=900)
  Name=gc, Records=0, Children=2
  Name=pdc, Records=0, Children=1

# samba-tool dns query vm-dc02 _msdcs.ad.example.com _tcp.dc ALL -k yes
  Name=, Records=0, Children=0
  Name=_ldap, Records=3, Children=0
    SRV: vm-dc01.ad.example.com. (389, 0, 100) (flags=f0, serial=481, ttl=900)
    SRV: vm-dc03.ad.example.com. (389, 0, 100) (flags=f0, serial=481, ttl=600)
    SRV: vm-dc02.ad.example.com. (389, 0, 100) (flags=f0, serial=481, ttl=900)
  Name=_kerberos, Records=3, Children=0
    SRV: vm-dc01.ad.example.com. (88, 0, 100) (flags=f0, serial=479, ttl=900)
    SRV: vm-dc03.ad.example.com. (88, 0, 100) (flags=f0, serial=479, ttl=600)
    SRV: vm-dc02.ad.example.com. (88, 0, 100) (flags=f0, serial=479, ttl=900)


And after running samba_dnsupdate on Debian:

# samba-tool dns query vm-dc02 _msdcs.ad.example.com @ ALL -k yes
  Name=, Records=4, Children=0
    SOA: serial=284, refresh=900, retry=600, expire=86400, minttl=3600, ns=vm-dc02.ad.example.com., email=hostmaster.ad.example.com. (flags=600000f0, serial=283, ttl=3600)
    NS: vm-dc01.ad.example.com. (flags=600000f0, serial=283, ttl=900)
    NS: vm-dc02.ad.example.com. (flags=600000f0, serial=283, ttl=900)
    NS: vm-dc03.ad.example.com. (flags=600000f0, serial=283, ttl=3600)
  Name=417b68a5-fcc0-4d44-9963-030a9b8a5cb0, Records=1, Children=0
    CNAME: VM-DC02.ad.example.com. (flags=f0, serial=26, ttl=900)
  Name=9ece58eb-5ab9-4de4-818d-f074241628d8, Records=1, Children=0
    CNAME: vm-dc03.ad.example.com. (flags=f0, serial=491, ttl=600)
  Name=dc, Records=0, Children=2
  Name=domains, Records=0, Children=1
  Name=e9a16ae0-b95c-4ab7-bd51-f46e64b3adea, Records=1, Children=0
    CNAME: vm-dc01.ad.example.com. (flags=f0, serial=110, ttl=900)
  Name=gc, Records=0, Children=2
  Name=pdc, Records=0, Children=1

# samba-tool dns query vm-dc02 _msdcs.ad.example.com _tcp.dc  ALL -k yes
  Name=, Records=0, Children=0
  Name=_ldap, Records=3, Children=0
    SRV: vm-dc01.ad.example.com. (389, 0, 100) (flags=f0, serial=276, ttl=900)
    SRV: vm-dc03.ad.example.com. (389, 0, 100) (flags=f0, serial=276, ttl=900)
    SRV: vm-dc02.ad.example.com. (389, 0, 100) (flags=f0, serial=276, ttl=900)
  Name=_kerberos, Records=3, Children=0
    SRV: vm-dc01.ad.example.com. (88, 0, 100) (flags=f0, serial=278, ttl=900)
    SRV: vm-dc03.ad.example.com. (88, 0, 100) (flags=f0, serial=278, ttl=900)
    SRV: vm-dc02.ad.example.com. (88, 0, 100) (flags=f0, serial=278, ttl=900)


All I found is the strange serial on *._tcp.dc of zone _msdcs.ad.example.com.
And why does the DNS of the Win DC (vm-dc03) have a different SOA record for the _msdcs.ad.example.com zone, as below?
On the other hand, replication of each DNS record seems to have no problem.


# samba-tool dns query vm-dc03 _msdcs.ad.example.com @ ALL -k yes
  Name=, Records=4, Children=0
    NS: vm-dc03.ad.example.com. (flags=600000f0, serial=0, ttl=3600)
    NS: vm-dc02.ad.example.com. (flags=600000f0, serial=0, ttl=900)
    NS: vm-dc01.ad.example.com. (flags=600000f0, serial=0, ttl=900)
    SOA: serial=491, refresh=900, retry=600, expire=86400, minttl=3600, ns=vm-dc03.ad.example.com., email=hostmaster.ad.example.com. (flags=600000f0, serial=0, ttl=3600)
  Name=417b68a5-fcc0-4d44-9963-030a9b8a5cb0, Records=1, Children=0
    CNAME: VM-DC02.ad.example.com. (flags=f0, serial=0, ttl=900)
  Name=9ece58eb-5ab9-4de4-818d-f074241628d8, Records=1, Children=0
    CNAME: vm-dc03.ad.example.com. (flags=f0, serial=0, ttl=600)
  Name=dc, Records=0, Children=2
  Name=domains, Records=0, Children=1
  Name=e9a16ae0-b95c-4ab7-bd51-f46e64b3adea, Records=1, Children=0
    CNAME: vm-dc01.ad.example.com. (flags=f0, serial=0, ttl=900)
  Name=gc, Records=0, Children=2
  Name=pdc, Records=0, Children=1


# samba-tool dns query vm-dc03 _msdcs.ad.example.com. _tcp.dc ALL -k yes
  Name=, Records=0, Children=0
  Name=_kerberos, Records=3, Children=0
    SRV: vm-dc02.ad.example.com. (88, 0, 100) (flags=f0, serial=0, ttl=900)
    SRV: vm-dc03.ad.example.com. (88, 0, 100) (flags=f0, serial=0, ttl=900)
    SRV: vm-dc01.ad.example.com. (88, 0, 100) (flags=f0, serial=0, ttl=900)
  Name=_ldap, Records=3, Children=0
    SRV: vm-dc02.ad.example.com. (389, 0, 100) (flags=f0, serial=0, ttl=900)
    SRV: vm-dc03.ad.example.com. (389, 0, 100) (flags=f0, serial=0, ttl=900)
    SRV: vm-dc01.ad.example.com. (389, 0, 100) (flags=f0, serial=0, ttl=900)



Anyway,
I'm not sure, but there are some problems on FreeBSD with the Samba BIND DLZ backend.
Also, I don't have any idea of their origin... FreeBSD? Samba? bind? It's a little bit complicated.

Have any users encountered this kind of problem, or are there any suggestions?

Best Regards,
-- 
kei



In article (Subject: Re: [Samba] Strange Bind freezing 
            Date: Tue, 1 Feb 2022 01:28:14 +0100)
   You(Nikita Druba via samba <samba at lists.samba.org>) wrote :

> Hi again!
> 
> I found the stage where named freezes and why it started after
> adding a new DC:
> 
> samba_dnsupdate
> 
> When I tried to run this command from the terminal, named froze. My
> smb4.conf has the following line:
> 
> nsupdate command = /usr/local/bin/nsupdate -g
> 
> I tried to change parameter of command to -o or set it without
> parameters,
> 
> I tried also special port dns/samba-nsupdate and:
> 
> nsupdate command = /usr/local/bin/samba-nsupdate -g
> 
> But the result of all my tries: named is now guaranteed to freeze when I run
> samba_dnsupdate --all-names.
> 
> I tried compiling named with Heimdal from ports and "base", but got the
> same result.
> 
> This problem was "successfully" repeated on my other FreeBSD DC. On the
> openSUSE DC, samba_dnsupdate via nsupdate (even with -g) just gets
> "permission denied".
> 
> The line, that solved my situation:
> 
> dns update command = /usr/local/sbin/samba_dnsupdate --use-samba-tool
> 
> Also, when I switched to built-in dns, samba_dnsupdate worked fine.
> 
> Any suggestions?
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
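
An added example, not part of the original post or of Samba: a small Python parser that diffs two "samba-tool dns query" outputs record by record, so the serial and TTL changes between the before/after listings above stand out. The sample text is copied from the _ldap entries of the _tcp.dc listings in the post; the function names are this example's own.

```python
import re

# Line shapes as printed by "samba-tool dns query" in the post, e.g.
#   SRV: vm-dc03.ad.example.com. (389, 0, 100) (flags=f0, serial=481, ttl=600)
REC = re.compile(r"^\s+(?P<type>[A-Z]+): (?P<data>.*?) "
                 r"\(flags=[0-9a-f]+, serial=(?P<serial>\d+), ttl=(?P<ttl>\d+)\)$")
NAME = re.compile(r"^\s*Name=(?P<name>[^,]*), Records=\d+, Children=\d+$")

def parse(text):
    """Return {(node, type, data): (serial, ttl)} for one query output."""
    records, node = {}, None
    for line in text.splitlines():
        m = NAME.match(line)
        if m:
            node = m.group("name") or "@"   # empty Name= is the queried node
        elif (m := REC.match(line)) and node is not None:
            key = (node, m.group("type"), m.group("data"))
            records[key] = (int(m.group("serial")), int(m.group("ttl")))
    return records

def diff(before, after):
    """List (key, field, old, new) for each serial/ttl change, add or removal."""
    changes = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old is None or new is None:
            changes.append((key, "present", old is not None, new is not None))
            continue
        for field, o, n in zip(("serial", "ttl"), old, new):
            if o != n:
                changes.append((key, field, o, n))
    return changes

# Copied from the post: _ldap under _tcp.dc, before and after the Win DC DDNS.
BEFORE = """\
  Name=_ldap, Records=3, Children=0
    SRV: vm-dc02.ad.example.com. (389, 0, 100) (flags=f0, serial=268, ttl=900)
    SRV: vm-dc03.ad.example.com. (389, 0, 100) (flags=f0, serial=268, ttl=900)
    SRV: vm-dc01.ad.example.com. (389, 0, 100) (flags=f0, serial=268, ttl=900)
"""
AFTER = """\
  Name=_ldap, Records=3, Children=0
    SRV: vm-dc01.ad.example.com. (389, 0, 100) (flags=f0, serial=481, ttl=900)
    SRV: vm-dc03.ad.example.com. (389, 0, 100) (flags=f0, serial=481, ttl=600)
    SRV: vm-dc02.ad.example.com. (389, 0, 100) (flags=f0, serial=481, ttl=900)
"""

if __name__ == "__main__":
    for key, field, old, new in diff(parse(BEFORE), parse(AFTER)):
        print("/".join(key), field, old, "->", new)
```

On the listings above, every _ldap SRV record moves from serial 268 to 481, and only the vm-dc03 record also changes TTL (900 to 600). SOA lines carry their own serial inside the record data, so a changed SOA is reported as one record removed and one added.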


