[Samba] DNS update fails after samba domain controller is restarted

Hoefle, Marco (Avnet Silica) Marco.Hoefle at avnet.eu
Fri Dec 6 07:18:32 UTC 2024


Hello,
First, right after provisioning everything looks OK.
After a restart, the DC's own `samba_dnsupdate` run (the `dnsupdate` server service) tries to refresh the DC's DNS records and fails: it cannot obtain a Kerberos ticket as DC$ ("Cannot contact any KDC for requested realm"), falls back to samba-tool, and that fallback apparently then reports the records as already existing:

samba      | /usr/sbin/samba_dnsupdate: ERROR(runtime): Record already exists; record could not be added. zone[fffff.yyy] name[_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones] [WERR_DNS_ERROR_RECORD_ALREADY_EXISTS] - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')
samba      | /usr/sbin/samba_dnsupdate: Failed to get Kerberos credentials, falling back to samba-tool: kinit for DC$@fffff.yyy failed (Cannot contact any KDC for requested realm)
samba      | /usr/sbin/samba_dnsupdate: 
samba      | /usr/sbin/samba_dnsupdate: Failed update of 29 entries
samba      | dnsupdate_nameupdate_done: Failed DNS update with exit code 29


DNS updates from joined clients do work, though (and they are GSS-TSIG signed — note the `/key SAMBA-SRV$@fffff.yyy` in ddns.log):
root@dc:/# tail /var/log/bind/ddns.log -f
06-Dec-2024 08:11:43.249 update: info: client @0x70c94cea97b8 10.3.0.6#34593/key SAMBA-SRV\$\@fffff.yyy: updating zone 'fffff.yyy/NONE': deleting rrset at 'samba-srv.fffff.yyy' A
06-Dec-2024 08:11:43.251 update: info: client @0x70c94cea97b8 10.3.0.6#34593/key SAMBA-SRV\$\@fffff.yyy: updating zone 'fffff.yyy/NONE': adding an RR at 'samba-srv.fffff.yyy' A 10.3.0.6
06-Dec-2024 08:11:43.279 update: info: client @0x70c94cea97b8 10.3.0.6#33953/key SAMBA-SRV\$\@fffff.yyy: updating zone 'fffff.yyy/NONE': deleting rrset at 'samba-srv.fffff.yyy' AAAA



I am using BIND9 (the BIND9_DLZ back-end, see the included /var/lib/samba/bind-dns/named.conf below) as the DNS back-end, with these package versions:
samba-ad-dc    2:4.19.5+dfsg-4ubuntu9
bind9                1:9.18.28-0ubuntu0.24.04.1


root@dc:/# cat /etc/samba/smb.conf
# Global parameters
[global]
	# NOTE(review): 'no' permits LDAP simple binds and unsigned/unsealed SASL
	# binds over plain LDAP, i.e. credentials can cross the wire unprotected.
	# The upstream default is 'yes'; relax it only for a specific legacy client
	# and revisit once the DNS problem is solved.
	ldap server require strong auth = no
	# All listeners (LDAP, KDC, ...) are pinned to eth0. If the container
	# resolves the realm's KDC to an address that is not on eth0, or
	# resolv.conf does not point at this DC / bind9 is not up yet when
	# samba_dnsupdate runs, kinit for DC$ fails exactly as in the log --
	# TODO confirm what resolv.conf and the KDC SRV lookup give inside the container.
	bind interfaces only = yes
	interfaces = eth0
	log file = /var/log/samba/log.%m
	# auth_json_audit events go to a separate file; useful for join/auth forensics.
	log level = 2 auth_json_audit:3@/var/log/samba/domain_join.log auth:2@/var/log/samba/auth.log passdb:2 rpc_srv:2 rpc_parse:2
	# NOTE(review): 'nonsecure and secure' accepts unsigned (unauthenticated)
	# dynamic updates, so any host that can reach the DNS port can overwrite
	# records (e.g. repoint a server name). The joined clients already send
	# GSS-TSIG signed updates (ddns.log shows '/key SAMBA-SRV$@...'), so the
	# default 'secure only' should work for them. Whether this parameter is
	# consulted at all with the BIND9_DLZ back-end is not shown here -- confirm.
	allow dns updates = nonsecure and secure
	template homedir = /home/%U
	template shell = /bin/bash
	rpc server dynamic port range = 49152-65535
	winbind nss info = rfc2307
	# WINS is an unauthenticated name service; keep only if legacy NetBIOS
	# clients actually need it.
	wins support = yes
	netbios name = DC
	realm = fffff.yyy
	server role = active directory domain controller
	# 'dns' is absent (DNS is served by bind9 via DLZ); 'dnsupdate' is the
	# service that runs samba_dnsupdate at startup -- the one failing in the log.
	server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
	workgroup = fffff
	idmap_ldb:use rfc2307 = yes

[sysvol]
	# Standard provisioned share. 'read only = No' is needed for GPO/script
	# writes; effective write access is presumably governed by the NT ACLs on
	# the sysvol tree rather than by this stanza -- confirm with
	# 'samba-tool ntacl sysvolcheck'.
	path = /var/lib/samba/sysvol
	read only = No

[netlogon]
	# Standard provisioned share pointing into the sysvol tree (logon scripts).
	# Same ACL note as [sysvol]: writable here means "subject to the NT ACLs".
	path = /var/lib/samba/sysvol/fffff.yyy/scripts
	read only = No



root@dc:/# cat /etc/named.conf
// Hosts treated as "local": loopback, 172.17.0.0/24 (presumably the Docker
// bridge -- the "samba |" log prefix suggests the DC runs in a container) and
// 10.3.0.0/24, the LAN the joined client 10.3.0.6 updates from in ddns.log.
// NOTE(review): this single ACL gates queries, recursion, zone transfers AND
// updates in 'options' below, so every host on the Docker bridge gets all of them.
acl local-networks {
    127.0.0.0/8;
    172.17.0.0/24;
    10.3.0.0/24;
};

options {
    directory "/var/named";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    // All five ACLs reuse 'local-networks'. A zone transfer (AXFR) of the AD
    // zones hands out every host and SRV record in the domain; restricting
    // allow-transfer to { none; } or to the other DCs is the usual choice.
    allow-query       { local-networks; };
    allow-recursion   { local-networks; };
    allow-query-cache { local-networks; };
    allow-transfer    { local-networks; };
    // NOTE(review): this is an address-based (unsigned) update grant. The
    // ddns.log entries show the joined client updating with a GSS-TSIG key,
    // and for the Samba DLZ zones the signer check presumably comes from the
    // DLZ module rather than from this option -- confirm it does not let
    // unsigned updates through on any zone served here.
    allow-update      { local-networks; };

    // Do not disclose version / hostname / server-id to CHAOS-class probes.
    version none;
    hostname none;
    server-id none;

    auth-nxdomain yes;
    datasize default;
    empty-zones-enable no;
    // Keytab exported by Samba so named can verify GSS-TSIG (Kerberos) signed
    // updates; the "/key SAMBA-SRV$@fffff.yyy" lines in ddns.log show this
    // working for joined clients.
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
    minimal-responses yes;

    // Unauthenticated, unencrypted upstream resolver; acceptable for a lab,
    // otherwise prefer an internal resolver or DoT.
    forwarders { 8.8.8.8; };

    listen-on-v6 { none; };
};

// Presumably the file written by Samba's provisioning/samba_upgradedns; it is
// expected to carry the 'dlz "AD DNS Zones"' statement that the commented-out
// block below used to hold. NOTE(review): the commented block names the 9.16
// module (dlz_bind9_16.so) while bind9 9.18 is installed -- worth checking
// that the included file points at dlz_bind9_18.so.
include "/var/lib/samba/bind-dns/named.conf";
# dlz "AD DNS Zones" {
#     database "dlopen /usr/lib/samba/bind9/dlz_bind9_16.so";
# };

// Logging layout: one file channel per topic under /var/log/bind, routine
// categories additionally to syslog. The channels relevant to this report are
// ddns_log (update / update-security) and client_security_log.
logging {
     channel default_log {
          // NOTE(review): file name is misspelled ("defaut.log"); harmless,
          // but easy to miss when grepping for default.log.
          file "/var/log/bind/defaut.log" versions 3 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };
     channel auth_servers_log {
          file "/var/log/bind/auth_servers.log" versions 3 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };
     channel dnssec_log {
          file "/var/log/bind/dnssec.log" versions 3 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };
     channel zone_transfers_log {
          file "/var/log/bind/zone_transfers.log" versions 3 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };
     channel ddns_log {
          file "/var/log/bind/ddns.log" versions 3 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };
     channel client_security_log {
          file "/var/log/bind/client_security.log" versions 3 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };
     channel rate_limiting_log {
          file "/var/log/bind/rate_limiting.log" versions 3 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };
     channel rpz_log {
          file "/var/log/bind/rpz.log" versions 3 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };
     channel dnstap_log {
          file "/var/log/bind/dnstap.log" versions 3 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };
//
// If you have the category ‘queries’ defined, and you don’t want query logging
// by default, make sure you add option ‘querylog no;’ - then you can toggle
// query logging on (and off again) using command ‘rndc querylog’
//
// NOTE(review): 'options' above contains no 'querylog no;', so with the
// 'queries' category defined below every query is written to queries.log.
// Fine while troubleshooting, but it is a lot of I/O and records client
// activity; toggle it with 'rndc querylog'.
     channel queries_log {
          file "/var/log/bind/queries.log" versions 10 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity info;
     };
//
// This channel is dynamic so that when the debug level is increased using
// rndc while the server is running, extra information will be logged about
// failing queries.  Other debug information for other categories will be
// sent to the channel default_debug (which is also dynamic), but without
// affecting the regular logging.
//
     channel query-errors_log {
          file "/var/log/bind/query-errors.log" versions 3 size 20m;
          print-time yes;
          print-category yes;
          print-severity yes;
          severity dynamic;
     };
//
// This is the default syslog channel, defined here for clarity.  You don’t
// have to use it if you prefer to log to your own channels.
// It sends to syslog’s daemon facility, and sends only logged messages
// of priority info and higher.
// (The options to print time, category and severity are non-default.)
//
     channel default_syslog {
          print-time yes;
          print-category yes;
          print-severity yes;
          syslog daemon;
          severity info;
     };
//
// This is the default debug output channel, defined here for clarity.  You
// might want to redefine the output destination if it doesn’t fit with your
// local system administration plans for logging.  It is also a special
// channel that only produces output if the debug level is non-zero.
//
     channel default_debug {
          print-time yes;
          print-category yes;
          print-severity yes;
          file "/var/log/bind/debug.log";
          severity dynamic;
     };
//
// Log routine stuff to syslog and default log:
//
     category default { default_syslog; default_debug; default_log; };
     category config { default_syslog; default_debug; default_log; };
     category dispatch { default_syslog; default_debug; default_log; };
     category network { default_syslog; default_debug; default_log; };
     category general { default_syslog; default_debug; default_log; };
//
// From BIND 9.12 and newer, you can direct zone load logging to another
// channel with the new zoneload logging category.  If this would be useful
// then firstly, configure the new channel, and then edit the line below
// to direct the category there instead of to syslog and default log:
//
     category zoneload { default_syslog; default_debug; default_log; };
//
// Log messages relating to what we got back from authoritative servers during
// recursion (if lame-servers and edns-disabled are obscuring other messages
// they can be sent to their own channel or to null).  Sometimes these log
// messages will be useful to research why some domains don’t resolve or
// don’t resolve reliably
//
     category resolver { auth_servers_log; default_debug; };       
     category cname { auth_servers_log; default_debug; };
     category delegation-only { auth_servers_log; default_debug; };
     category lame-servers { auth_servers_log; default_debug; };
     category edns-disabled { auth_servers_log; default_debug; };
//
// Log problems with DNSSEC:
//
     category dnssec { dnssec_log; default_debug; };
//
// Log together all messages relating to authoritative zone propagation
//
     category notify { zone_transfers_log; default_debug; };       
     category xfer-in { zone_transfers_log; default_debug; };       
     category xfer-out { zone_transfers_log; default_debug; };
//
// Log together all messages relating to dynamic updates to DNS zone data:
//
// NOTE(review): the DC's own (failed) samba_dnsupdate run should leave traces
// here too -- update-security presumably records accepted/rejected signers --
// so compare ddns.log timestamps against the Samba log at the next restart.
//
     category update{ ddns_log; default_debug; };
     category update-security { ddns_log; default_debug; };
//
// Log together all messages relating to client access and security.
// (There is an additional category ‘unmatched’ that is by default sent to
// null but which can be added here if you want more than the one-line
// summary that is logged for failures to match a view).
//
     category client{ client_security_log; default_debug; };       
     category security { client_security_log; default_debug; };
//
// Log together all messages that are likely to be related to rate-limiting.
// This includes RRL (Response Rate Limiting) - usually deployed on authoritative
// servers and fetches-per-server|zone.  Note that it does not include
// logging of changes for clients-per-query (which are logged in category
// resolver).  Also note that there may on occasions be other log messages
// emitted by the database category that don’t relate to rate-limiting
// behaviour by named.
//
     category rate-limit { rate_limiting_log; default_debug; };       
     category spill { rate_limiting_log; default_debug; };       
     category database { rate_limiting_log; default_debug; };
//
// Log DNS-RPZ (Response Policy Zone) messages (if you are not using DNS-RPZ
// then you may want to comment out this category and associated channel)
//
     category rpz { rpz_log; default_debug; };
//
// Log messages relating to the "dnstap" DNS traffic capture system  (if you
// are not using dnstap, then you may want to comment out this category and
// associated channel).
//
     category dnstap { dnstap_log; default_debug; };
//
// If you are running a server (for example one of the Internet root
// nameservers) that is providing RFC 5011 trust anchor updates, then you
// may be interested in logging trust anchor telemetry reports that your
// server receives to analyze anchor propagation rates during a key rollover. 
// If this would be useful then firstly, configure the new channel, and then
// un-comment and the line below to direct the category there instead of to
// syslog and default log:
//
//
     category trust-anchor-telemetry { default_syslog; default_debug; default_log; };
//
// If you have the category ‘queries’ defined, and you don’t want query logging
// by default, make sure you add option ‘querylog no;’ - then you can toggle
// query logging on (and off again) using command ‘rndc querylog’
//
     category queries { queries_log; };
//
// This logging category will only emit messages at debug levels of 1 or
// higher - it can be useful to troubleshoot problems where queries are
// resulting in a SERVFAIL response.
//
     category query-errors {query-errors_log; };
};



