[Samba] On Debian 12: nsupdate (as called from samba_dnsupdate) crashes named/bind9_dlz

Rowland Penny rpenny at samba.org
Thu May 18 07:29:40 UTC 2023



On 18/05/2023 04:31, Steven Monai via samba wrote:
> Hello,
> 
> I am testing Samba (v.4.17.8) in Debian 12 ("Bookworm") for use on two 
> DCs (as separate VMs) in a new AD domain.
> 
> "dc33" (IP: 10.150.10.33) is the first DC in the new domain 
> ("ttwo.ad.example.org"), provisioned via 'samba-tool domain provision DC'.
> 
> "dc34" (IP: 10.150.10.34) is the second DC, joined to the domain via 
> 'samba-tool domain join DC'.
> 
> The first oddity I encounter is I find that I have to manually run 
> 'samba_dnsupdate' to create the new DC's NS and SRV records in the DNS. 
> This seems new, as the DNS records were automatically created when I 
> previously did an identical setup using Debian 11 ("Bullseye", Samba 
> v.4.13.13).

Most of the DNS records are created during a provision, but very few are 
when joining an additional DC. That is where samba_dnsupdate comes in: 
it runs at Samba startup and then every 10 minutes, to create any 
missing DNS records.

> 
> Regardless, the second, and more surprising issue, is that the 
> 'samba_dnsupdate' script, when run in its default mode, fails rather 
> spectacularly. The script calls 'nsupdate' to add the new DNS records 
> one-by-one, and EVERY call to 'nsupdate' results in a hard crash 
> ("assertion failure") of the 'named' service on the first DC.

It definitely should not crash.

> 
> I am able to work around the issue by running 'samba_dnsupdate 
> --use-samba-tool', which does not use 'nsupdate'.
> 
> Is this a known issue?  

It has been known before, but without the crash.

> Or is it more likely that I misconfigured 
> something?

Possibly, you haven't told us just how you have configured the OS and Samba.

> 
> Anyway, here is a snippet of the output from the client side, when I run 
> 'samba_dnsupdate':
> ------------------------------------------------------------------------
> dc34:~# samba_dnsupdate --verbose
> ...
> 24 DNS updates and 0 DNS deletes needed
> Successfully obtained Kerberos ticket to DNS/dc33.ttwo.ad.example.org as 
> DC34$
> update(nsupdate): NS ttwo.ad.example.org dc34.ttwo.ad.example.org
> Calling nsupdate for NS ttwo.ad.example.org dc34.ttwo.ad.example.org (add)
> Successfully obtained Kerberos ticket to DNS/dc33.ttwo.ad.example.org as 
> DC34$

That's one misconfiguration you probably have there: it looks like your 
second DC isn't using itself as its nameserver; it appears to be still 
using the first DC.

Rowland


