[Samba] On Debian 12: nsupdate (as called from samba_dnsupdate) crashes named/bind9_dlz

Steven Monai stevemoca at gmail.com
Thu May 18 03:31:59 UTC 2023 

Hello,

I am testing Samba (v.4.17.8) in Debian 12 ("Bookworm") for use on two 
DCs (as separate VMs) in a new AD domain.

"dc33" (IP: 10.150.10.33) is the first DC in the new domain 
("ttwo.ad.example.org"), provisioned via 'samba-tool domain provision DC'.

"dc34" (IP: 10.150.10.34) is the second DC, joined to the domain via 
'samba-tool domain join DC'.

The first oddity I encounter is I find that I have to manually run 
'samba_dnsupdate' to create the new DC's NS and SRV records in the DNS. 
This seems new, as the DNS records were automatically created when I 
previously did an identical setup using Debian 11 ("Bullseye", Samba 
v.4.13.13).

Regardless, the second, and more surprising issue, is that the 
'samba_dnsupdate' script, when run in its default mode, fails rather 
spectacularly. The script calls 'nsupdate' to add the new DNS records 
one-by-one, and EVERY call to 'nsupdate' results in a hard crash 
("assertion failure") of the 'named' service on the first DC.

I am able to work around the issue by running 'samba_dnsupdate 
--use-samba-tool', which does not use 'nsupdate'.

Is this a known issue?  Or is it more likely that I misconfigured something?

Anyway, here is a snippet of the output from the client side, when I run 
'samba_dnsupdate':
------------------------------------------------------------------------
dc34:~# samba_dnsupdate --verbose
...
24 DNS updates and 0 DNS deletes needed
Successfully obtained Kerberos ticket to DNS/dc33.ttwo.ad.example.org as 
DC34$
update(nsupdate): NS ttwo.ad.example.org dc34.ttwo.ad.example.org
Calling nsupdate for NS ttwo.ad.example.org dc34.ttwo.ad.example.org (add)
Successfully obtained Kerberos ticket to DNS/dc33.ttwo.ad.example.org as 
DC34$
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:      0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
ttwo.ad.example.org.     900     IN      NS      dc34.ttwo.ad.example.org.

; Communication with 10.150.10.33#53 failed: end of file
Failed nsupdate: 2
...
(repeat failure 23 more times)
...
------------------------------------------------------------------------

And here is a snippet of the resulting log on the server side:
------------------------------------------------------------------------
dc33:~# journalctl -u named.service
...
May 17 11:50:53 dc33 named[920]: samba_dlz: allowing update of 
signer=DC34\$\@TTWO.AD.EXAMPLE.ORG name=ttwo.ad.example.org 
tcpaddr=10.150.10.34 type=NS 
key=389657593.sig-dc33.ttwo.ad.example.org/159/0
May 17 11:50:53 dc33 named[920]: samba_dlz: starting transaction on zone 
ttwo.ad.example.org
May 17 11:50:53 dc33 named[920]: client @0x7ff9731fb568 
10.150.10.34#35837/key DC34\$\@TTWO.AD.EXAMPLE.ORG: updating zone 
'ttwo.ad.example.org/NONE': adding an RR at 'ttwo.ad.example.org' NS 
dc34.ttwo.ad.example.org.
May 17 11:50:53 dc33 named[920]: name.c:664: REQUIRE(((name1) != ((void 
*)0) && ((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') 
<< 16 | ('S') << 8 | ('n'))))) failed, back trace
May 17 11:50:53 dc33 named[920]: /usr/sbin/named(+0x235e4) [0x557c33cec5e4]
May 17 11:50:53 dc33 named[920]: 
/lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(isc_assertion_failed+0xa) 
[0x7ff978239a5a]
May 17 11:50:53 dc33 named[920]: 
/lib/x86_64-linux-gnu/libdns-9.18.12-1-Debian.so(dns_name_equal+0x179) 
[0x7ff977e999d9]
May 17 11:50:53 dc33 named[920]: 
/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_18.so(dlz_addrdataset+0x1c4) 
[0x7ff976a72b54]
May 17 11:50:53 dc33 named[920]: /usr/sbin/named(+0x212e4) [0x557c33cea2e4]
May 17 11:50:53 dc33 named[920]: 
/lib/x86_64-linux-gnu/libdns-9.18.12-1-Debian.so(+0x12e4c4) [0x7ff977f2e4c4]
May 17 11:50:53 dc33 named[920]: 
/lib/x86_64-linux-gnu/libdns-9.18.12-1-Debian.so(+0x4ec17) [0x7ff977e4ec17]
May 17 11:50:53 dc33 named[920]: 
/lib/x86_64-linux-gnu/libns-9.18.12-1-Debian.so(+0x31dca) [0x7ff9787d8dca]
May 17 11:50:53 dc33 named[920]: 
/lib/x86_64-linux-gnu/libns-9.18.12-1-Debian.so(+0x35466) [0x7ff9787dc466]
May 17 11:50:53 dc33 named[920]: 
/lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(isc_task_run+0x113) 
[0x7ff978258a43]
May 17 11:50:53 dc33 named[920]: 
/lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(+0x26cb2) [0x7ff978226cb2]
May 17 11:50:53 dc33 named[920]: 
/lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(+0x27337) [0x7ff978227337]
May 17 11:50:53 dc33 named[920]: 
/lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(+0x27e73) [0x7ff978227e73]
May 17 11:50:53 dc33 named[920]: 
/lib/x86_64-linux-gnu/libuv.so.1(+0xf09d) [0x7ff97814e09d]
May 17 11:50:53 dc33 named[920]: 
/lib/x86_64-linux-gnu/libuv.so.1(+0x22e3c) [0x7ff978161e3c]
May 17 11:50:53 dc33 named[920]: 
/lib/x86_64-linux-gnu/libuv.so.1(uv_run+0xc4) [0x7ff97814e9e4]
May 17 11:50:53 dc33 named[920]: 
/lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(+0x27654) [0x7ff978227654]
May 17 11:50:53 dc33 named[920]: 
/lib/x86_64-linux-gnu/libisc-9.18.12-1-Debian.so(isc__trampoline_run+0x15) 
[0x7ff978261575]
May 17 11:50:53 dc33 named[920]: 
/lib/x86_64-linux-gnu/libc.so.6(+0x88fd4) [0x7ff9774fbfd4]
May 17 11:50:53 dc33 named[920]: 
/lib/x86_64-linux-gnu/libc.so.6(+0x1095bc) [0x7ff97757c5bc]
May 17 11:50:53 dc33 named[920]: exiting (due to assertion failure)
May 17 11:50:53 dc33 systemd[1]: named.service: Main process exited, 
code=dumped, status=6/ABRT
May 17 11:50:53 dc33 systemd[1]: named.service: Failed with result 
'core-dump'.
May 17 11:50:53 dc33 systemd[1]: named.service: Scheduled restart job, 
restart counter is at 10.
...
(systemd restarts named, named crashes again soon after, etc., etc.)
...
------------------------------------------------------------------------

Thanks for your time.

Cheers,
-S.M.

More information about the samba mailing list