Bug 13841 - dlz_bind zone update broken
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS server
Version: 4.10.0rc4
Hardware: All All
Importance: P5 regression
Assigned To: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2019-03-18 19:25 UTC by Michael Saxl
Modified: 2019-04-03 10:31 UTC

Attachments
add_dc_at_to_basedn (602 bytes, patch), 2019-03-19 08:53 UTC, Michael Saxl
patch for 4.10.0 (1.26 KB, patch), 2019-03-19 12:34 UTC, Michael Saxl
Test patch (which fails on 4.10) (1.86 KB, patch), 2019-03-21 03:19 UTC, Garming Sam
selftest for this regression signed off by Garming Sam and myself (1.91 KB, patch), 2019-03-21 09:53 UTC, Michael Saxl
s4_dlz_make_b9_has_soa_check_dc_at_node.patch (1.30 KB, patch), 2019-03-21 17:25 UTC, Michael Saxl
patch for master (3.61 KB, patch), 2019-03-21 21:20 UTC, Garming Sam
patch for 4.10 cherry-picked from master (3.84 KB, patch), 2019-03-26 05:00 UTC, Andrew Bartlett (garming: review+)

Description Michael Saxl 2019-03-18 19:25:24 UTC
Cleaning up my configuration after migrating to 4.10rc4, I saw that dynamic updates quit with NOTAUTH.

Of course I checked the configuration more than twice and began tracing bind.

Luckily I have access to an "old" 4.7 installation where I saw a difference:
samba_dlz: configured writeable zone xy is not printed on 4.10

Some digging later I think the reason is the following:
For every zone in AD before adding to the "writable" list several things are checked. The thing that fails is b9_has_soa.
Even though I have a SOA record, the final call that fetches this SOA does it with this filter (in dns_common_lookup):

(&(objectClass=dnsNode)(!(dNSTombstoned=TRUE)))

probably this should be
(&(|(objectClass=dnsNode)(objectClass=dnsZone))(!(dNSTombstoned=TRUE)))

The compilation takes some time since I am on armhf architecture, but as soon as I can, I will confirm if the fix above works and add a diff.
Comment 1 Michael Saxl 2019-03-19 08:53:05 UTC
Created attachment 14942
add_dc_at_to_basedn

The problem actually wasn't the objectClass query but a regression introduced with 28e2a518ff32.

This patch re-adds DC=@ to the dn before dns_common_lookup is called, as it was before.
Comment 2 Michael Saxl 2019-03-19 12:34:24 UTC
Created attachment 14950
patch for 4.10.0

This patch file is rebased on 4.10.0.
Comment 3 Garming Sam 2019-03-19 23:15:18 UTC
The patch looks correct to me. I'll see if I can get a test written for it.
Comment 4 Garming Sam 2019-03-21 03:19:22 UTC
Created attachment 14967
Test patch (which fails on 4.10)
Comment 5 Garming Sam 2019-03-21 03:21:40 UTC
(In reply to Michael Saxl from comment #2)

Can you add your Signed-off-by: tag onto the commit, and make sure you've sent in your Samba Developer Certificate of Origin (DCO)?
Comment 6 Michael Saxl 2019-03-21 09:53:35 UTC
Created attachment 14969
selftest for this regression signed off by Garming Sam and myself
Comment 7 Michael Saxl 2019-03-21 17:25:43 UTC
Created attachment 14972
s4_dlz_make_b9_has_soa_check_dc_at_node.patch

signed-off included
Comment 8 Michael Saxl 2019-03-21 20:37:39 UTC
(In reply to Michael Saxl from comment #6)
Please ignore this attachment. I must admit that I did not read or know https://wiki.samba.org/index.php/CodeReview and was not aware what you wanted me to do.
I'm sorry about that.
Comment 9 Garming Sam 2019-03-21 21:19:32 UTC
(In reply to Michael Saxl from comment #8)

No worries. Some of our processes aren't very obvious for outsiders.

I've just amended your patch to instruct the test system that we're now passing the test I wrote. I will try to get this reviewed and upstream, so that we can get it into 4.10 as soon as possible.

Thanks.
Comment 10 Garming Sam 2019-03-21 21:20:25 UTC
Created attachment 14973
patch for master
Comment 11 Andrew Bartlett 2019-03-26 04:58:01 UTC
Fixed in master with 6c62e05466917d9454d67eb2dd77e303e612c8a9 for Samba 4.11.  Cherry-pick for 4.10 shortly.
Comment 12 Andrew Bartlett 2019-03-26 05:00:28 UTC
Created attachment 14992
patch for 4.10 cherry-picked from master
Comment 13 Karolin Seeger 2019-03-28 08:32:42 UTC
(In reply to Andrew Bartlett from comment #12)
Pushed to autobuild-v4-10-test.
Comment 14 Karolin Seeger 2019-04-02 08:00:22 UTC
(In reply to Karolin Seeger from comment #13)
Pushed again to autobuild-v4-10-test.
Comment 15 Karolin Seeger 2019-04-03 10:31:22 UTC
(In reply to Karolin Seeger from comment #14)
Pushed to v4-10-test.
Closing out bug report.

Thanks!