[Samba] FW: Problems after DC upgrade

Stephen Brandli steve at brandli.com
Mon Feb 10 15:30:20 UTC 2025


Update:

I had resolv.conf pointing to my dns servers on different machines, which serve other domains including brandli.com and have entries for the name servers of the ADS domain (domain.brandli.com).  I changed the pointer in resolv.conf to the local IP address, i.e. the samba internal dns.  Now it resolves fully qualified names but not short names.  I gather it does not look at the "search" records in resolv.conf, but I don't know.  I've set "dns resolver" in samba.conf.

resolv.conf (.8 is the local server)

nameserver 10.65.187.8
options edns0 trust-ad
search domain.brandli.com internal.brandli.com
search domain.brandlilaw.com internal.brandlilaw.com
search brandli.com brandlilaw.com

nsswitch.conf had "hosts:  files myhostname resolve [!UNAVAIL=return] dns" but I changed it to "hosts: files dns" just in case.

Still getting the dnsupdate_nameupdate error.

	Steve
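
Added example, not part of the original message or of Samba: per resolv.conf(5) for the glibc resolver, when a file has several "search" lines only the last one is used, and the search list is applied by the stub resolver on the client, so the DNS server only ever sees the expanded names. The sketch below parses the resolv.conf quoted above and lists the names that would be tried for a short name; the function names are hypothetical and "minister2" is the host name from the log further down the thread, used here only as a sample short name.

```python
# Added example (not from the thread): glibc resolv.conf(5) search handling.
# Function names are hypothetical; RESOLV_CONF is the file quoted in the message.
RESOLV_CONF = """\
nameserver 10.65.187.8
options edns0 trust-ad
search domain.brandli.com internal.brandli.com
search domain.brandlilaw.com internal.brandlilaw.com
search brandli.com brandlilaw.com
"""

def parse_resolv_conf(text):
    """Return (nameservers, effective_search, all_search, ndots)."""
    nameservers, search, all_search, ndots = [], [], [], 1
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in "#;":
            continue  # blank line or comment
        key, args = fields[0], fields[1:]
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key in ("search", "domain"):
            chosen = args[:1] if key == "domain" else args
            search = chosen  # the last search/domain instance wins
            all_search += [d for d in chosen if d not in all_search]
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return nameservers, search, all_search, ndots

def candidates(name, search, ndots=1):
    """Names the stub resolver tries, in order, for `name`."""
    if name.endswith("."):
        return [name]  # already fully qualified: search list is not used
    suffixed = [f"{name}.{d}." for d in search]
    if name.count(".") >= ndots:
        return [name + "."] + suffixed  # enough dots: tried as-is first
    return suffixed + [name + "."]      # short name: search list first

if __name__ == "__main__":
    ns, search, all_search, ndots = parse_resolv_conf(RESOLV_CONF)
    print("effective search list:", search)
    print("lookups for 'minister2':", candidates("minister2", search, ndots))
    print("one merged line would be: search", " ".join(all_search))
    print("lookups with merged line:", candidates("minister2", all_search, ndots))
```
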

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Stephen Brandli via samba
Sent: Monday, February 10, 2025 6:56 AM
To: samba at lists.samba.org
Subject: Re: [Samba] Problems after DC upgrade

It was systemd-resolved.  I disabled that.  Now samba is binding to the port.

But I'm still getting the dnsupdate failure.

And, I can't ping anything.  I get the "unknown host or service" error.  So names are not getting resolved on the machine.  I have to admit to complete ignorance about how this part of Linux works.  When running systemd-networkd, what normally does name resolution?  Or can systemd-networkd do it without listening on port 53?  This works on my older DCs, which are not running systemd-resolved.

	Steve 

-----Original Message-----
From: samba <samba-bounces at lists.samba.org> On Behalf Of Rowland Penny via samba
Sent: Monday, February 10, 2025 1:36 AM
To: samba at lists.samba.org
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Problems after DC upgrade

On Mon, 10 Feb 2025 02:24:31 +0000
Stephen Brandli via samba <samba at lists.samba.org> wrote:

> Well, it almost went okay.
> 
> Thumbnail: I had two DCs, running the latest in buster.  I created a 
> new one running bookworm and 4.21.3.  I joined the new machine as a 
> DC.  I then transferred the FSMO roles from one of the old ones and 
> demoted that one.  My plan is to create a fourth new one and demote 
> the other old one.  But, two problems:
> 
> 
>   1.  The dns on the new DC is not responding.  It did when I got it 
> started, but in a reboot, it stopped responding.  Don't know why it's 
> trying to bind to 0.0.0.0.  The hosts is set up correctly.  Log:

0.0.0.0 is another way of saying 'all IPv4 on this machine'

> 
> Feb 09 18:11:11 minister2 samba[88]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 26

That explains your missing dns records, samba_dnsupdate cannot add them.

> Feb 09 18:11:11 minister2 samba[88]: [2025/02/09 18:11:11.816359,  0] source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
> Feb 09 18:01:10 minister2 samba[88]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 26
> Feb 09 18:01:10 minister2 samba[88]: [2025/02/09 18:01:10.720661,  0] source4/dsdb/dns/dns_update.c:85(dnsupdate_nameupdate_done)
> Feb 09 18:01:07 minister2 winbindd[80]:   Copyright Andrew Tridgell and the Samba Team 1992-2024
> Feb 09 18:01:07 minister2 winbindd[80]: winbindd version 4.21.3-Debian-4.21.3+dfsg-6~bpo12+1 started.
> Feb 09 18:01:07 minister2 winbindd[80]: [2025/02/09 18:01:07.051147,  0] source3/winbindd/winbindd.c:1447(main)
> Feb 09 18:01:07 minister2 samba[90]:   Failed to bind to 0.0.0.0:53 TCP - NT_STATUS_ADDRESS_ALREADY_ASSOCIATED

Could it be that something like Bind9 is also running?
If that is the case, when you joined the new DC, did you add '--dns-backend=BIND9_DLZ'?
If you didn't, you now have two choices, either turn off Bind9 or run samba_upgradedns to change to Bind9 instead of the builtin dns server, see here:

https://wiki.samba.org/index.php/Changing_the_DNS_Back_End_of_a_Samba_AD_DC

Rowland

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
