Created attachment 8416 [details]
Samba's smb.conf on dc2 (the only Domain Controller)

Summary: Samba's internal DNS server will update an A record only if it doesn't already exist.

What is expected: the DNS server is expected to delete the old A record and create a new one.

Steps to reproduce:

1. Provision a Samba domain, edit krb5.conf and resolv.conf:

   # sbin/smbd --version
   Version 4.0.0
   # bin/samba-tool domain provision --use-ntvfs --use-rfc2307 --adminpass='5ecur3! PA$sw0rd' --domain=icetest --realm=icetest.local --option="interfaces = 10.146.146.1, 127.0.0.1" --option="bind interfaces only = Yes" --option="wins support = Yes"

2. Start smbd and join a Windows XP SP3 or Windows 7 workstation.

3. Reboot the workstation.

4. On DC: delete the initially created A record:

   # bin/samba-tool dns delete dc2 icetest.local winxpwb0 A 10.146.146.10 -k yes

5. On DC: make sure the record is gone:

   # busybox nslookup winxpwb0
   Server:    127.0.0.1
   Address 1: 127.0.0.1 dc2.icetest.local
   nslookup: can't resolve 'winxpwb0': No address associated with hostname

6. On workstation: run ipconfig /registerdns as admin.

7. On DC: make sure the record appears:

   # busybox nslookup winxpwb0
   Server:    127.0.0.1
   Address 1: 127.0.0.1 dc2.icetest.local
   Name:      winxpwb0
   Address 1: 10.146.146.10

8. On workstation: change the IP address and test that it has changed:

   > ipconfig | find "IP"
   IP-address . . . . . . . . . . . . : 10.146.146.26

9. On workstation: run ipconfig /registerdns as admin.

10. On DC: make sure the record changes:

   # busybox nslookup winxpwb0
   Server:    127.0.0.1
   Address 1: 127.0.0.1 dc2.icetest.local
   Name:      winxpwb0
   Address 1: 10.146.146.10
   # bin/samba-tool dns query dc2 icetest.local winxpwb0 A -k yes
   Name=, Records=1, Children=0
   A: 10.146.146.10 (flags=f0, serial=110, ttl=1200)

The record is the same.
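For anyone working through the captures attached below, this is an added example (not from this report and not Samba code) that builds and decodes the unsigned RFC 2136 UPDATE a client uses to replace a host's address: one update RR deletes the name's A RRset, the next adds the new address. A server that only creates the record when none exists, as reported here, leaves the old 10.146.146.10 in place. The zone, host, address and ttl come from the report; the message id is constructed.

```python
import struct

def encode_name(name):
    """Dotted name -> uncompressed wire format (RFC 1035 section 3.1)."""
    out = b"".join(struct.pack("!B", len(l)) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"

def decode_name(wire, pos):
    """Read an uncompressed name at pos; return (name, next position)."""
    labels = []
    while wire[pos]:
        n = wire[pos]
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels), pos + 1

def build_a_update(zone, host, new_ip, ttl=1200, msg_id=0x1234):
    """RFC 2136 UPDATE that replaces every A record of host.zone with one
    A record for new_ip: update 1 deletes the A RRset, update 2 adds it."""
    fqdn = f"{host}.{zone}"
    # Header: ID, flags (QR=0, OPCODE=5 UPDATE), ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 2, 0)
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)      # TYPE=SOA, CLASS=IN
    # "Delete an RRset" (RFC 2136 2.5.2): TYPE=A, CLASS=ANY, TTL=0, RDLENGTH=0
    delete_rr = encode_name(fqdn) + struct.pack("!HHIH", 1, 255, 0, 0)
    # "Add to an RRset" (RFC 2136 2.5.1): TYPE=A, CLASS=IN, 4-byte IPv4 RDATA
    rdata = bytes(int(o) for o in new_ip.split("."))
    add_rr = encode_name(fqdn) + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + zone_sec + delete_rr + add_rr

def parse_update(wire):
    """Decode an uncompressed UPDATE into (header dict, update-section RRs as
    (name, type, class, ttl, rdata) tuples) so a capture can be inspected."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", wire[:12])
    hdr = {"id": msg_id, "opcode": (flags >> 11) & 0xF, "zocount": zo,
           "prcount": pr, "upcount": up, "adcount": ad}
    pos = 12
    for _ in range(zo):                   # zone section: NAME, TYPE, CLASS
        _, pos = decode_name(wire, pos)
        pos += 4
    records = []
    for _ in range(pr + up):              # prerequisite RRs, then update RRs
        name, pos = decode_name(wire, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", wire[pos:pos + 10])
        pos += 10
        records.append((name, rtype, rclass, ttl, wire[pos:pos + rdlen]))
        pos += rdlen
    return hdr, records[pr:]
```

The bytes can be sent to a DC on UDP port 53 with a plain socket to compare against the attached dumps; signed (GSS-TSIG) updates, which the production setup mentioned later in this report relies on, are not covered here.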
Created attachment 8417 [details]
Network dump on UDP port 53 of the first (successful) update request, DC side
Created attachment 8418 [details]
Network dump on UDP port 53 of the second (failed) update request, DC side
I'll need a debug log at at least level 5 for this. Also, why do you remove the record manually with samba-tool?
Created attachment 8419 [details]
log.samba, log level = 7, from workstation boot to ipconfig /registerdns

I remove the record with samba-tool just to illustrate the issue. I have the same bug on the production domain since late 4.0.0alpha. In production we have dynamic VLAN assignment, so the IP address changes (via DHCP) just after a user logs in. In such a case this bug is somewhat annoying. By the way, not only Windows, but at least Samba 3.5.x based clients exhibit the same problem.
Ok, one thing that will trip you up is that you seem to be forwarding to yourself, causing a DNS loop. (Starting line 3801 of the logfile) Once you fix that, it might make the new logfile a bit easier to read. I have a bunch of fixes on the samba dns code coming up that might make debugging easier still. Will upload them to this bug once I have them.
Created attachment 8420 [details] Add new DNS debug class
Created attachment 8421 [details] Use new DNS debug class
Created attachment 8422 [details] Print outgoing packet trace
Ok, with these three patches I just attached, can you set your log level to include "dns:10" and send me the log file? A full line would be log level = 0 dns:10 or the like.
Created attachment 8424 [details]
log.samba with patched DNS debug class

Patches applied.
log level = 0 dns:10
(In reply to comment #10)
> Created attachment 8424 [details]
> log.samba with patched DNS debug class
>
> Patches applied.
> log level = 0 dns:10

Thanks. Unfortunately I misunderstood the implications of using debug classes and the dump_data() function, so the log file doesn't include the log information I needed. I'll get back to you when I know how to get decent but non-cluttered debug output from the DNS server. Sorry for the extra work.
I too am having this same issue. I am currently running Samba 4.0.5 and I cannot get dynamic DNS updates to work. In my smb.conf file, I have the option set for Samba to accept unsecured and secured DNS updates from clients. When I join a machine to the domain it creates a DNS record, yet if I change the IP address of the machine and run ipconfig /registerdns, I cannot get it to update the record. In addition, if I delete the host record from the DNS server, it will never reappear. How can I get this to work? Any help would be appreciated! :)
(In reply to comment #12)

Well, I personally hadn't checked if this bug is present in the current Samba release. Upon your words it looks like it is, but

> I have the option set
> for Samba to accept unsecured and secured dns updates from clients.
> In addition, if I delete the host record from the DNS server, it will
> never reappear.

sounds strange - in my experience unsigned updates handling works and the A record gets created after manual deletion (see #1, steps 4-7). In production we still use BIND9_FLATFILE for signed updates and it works very well. If you don't need AD-managed (i.e. stored in AD partition) zones then, most likely, it fits your needs, otherwise you should probably try BIND9_DLZ (however, last time I tried, it had some problems with signed updates, too).
Yeah, I noticed that my scenario slightly differs from yours; still, using the internal DNS server I'm not able to get any client updates. For instance, today I joined a Windows 7 machine to the domain to do testing on. During the initial joining to the domain the DNS record was created and all was well. Then when I changed the IP address of the client and ran ipconfig /registerdns, the client record was automatically deleted. When I changed the IP address back to what it was when I joined it to the domain and ran the command again, the record was still not there.

I know that Samba has options available for BIND, but I also know that the Samba team created the internal DNS server because of a lack of support from the BIND people. So, in my opinion, the proprietary DNS implementation for Samba is the internal DNS server. I mean I'd switch to BIND if I had to, but I'm not too excited to.
(In reply to comment #14)
> Yeah I noticed that my scenario slightly differs from yours, still, using the
> internal DNS server I'm not able to get any client updates. For instance today
> I joined a Windows 7 machine to the domain to do testing on. During the initial
> joining to the domain the DNS record was created and all was well. Then when I
> changed the IP address of the client and ran ipconfig /registerdns, the client
> record was automatically deleted. When I changed the IP address back to what it
> was when I joined it to the domain and ran the command again, the record was
> still not there.
>
> I know that Samba has options available for Bind, but I also know that the
> Samba team created the internal DNS server because of a lack of support from
> the Bind people. So, in my option, the proprietary DNS implementation for Samba
> is the internal DNS server. I mean I'd switch to BIND if I had to, but I'm not
> too excited to.

Observing the same exact behavior as Zane reports above. Internal DNS, Samba 4.0.5, x64 Ubuntu 12.04.
I can also confirm this bug:

Doing an ipconfig /registerdns on Windows 8 creates a new A record.

Changing the IP address on the Windows 8 client and re-running ipconfig /registerdns does not update the A record.

The Windows Event log shows:

EventID 8016

The system failed to register host resource records for network adapter with settings...

The reason the system could not register these RRs was because the DNS server failed the update request. The most likely cause of this is that the authoritative DNS server required to process this update request has a lock in place on the zone, probably because a zone transfer is in progress.
Sorry, forgot to confirm: Internal DNS, Samba 4.0.5.

(In reply to comment #16)
> I can also confirm this bug:
>
> Doing an ipconfig /registerdns on Windows 8 creates a new A record.
>
> Changing the IP Address on the Windows 8 client and re-running ipconfig
> /registerdns does not update the A record.
>
> The Windows Event logs shows:
>
> EventID 8016
>
> The system failed to register host resource records for network adapter with
> settings...
>
> The reason the system could not register these RRs was because the DNS server
> failed the update request. The most likely cause of this is that the
> authoritative DNS server required to process this update request has a lock in
> place on the zone, probably because a zone transfer is in progress.
Seen the problem, working on it.
Created attachment 8936 [details]
Correctly delete empty dnsNode objects
Comment on attachment 8936 [details]
Correctly delete empty dnsNode objects

Oops. This looks good, but we need to wait for it to get past autobuild, so we can upload the git cherry-pick -x form. (I can do that if needed).
Created attachment 8937 [details]
patches cherry-picked from master (correctly delete dns objects)

This patch applies to v4-0-test and passes DNS tests there, after being cherry-picked along with the other changes needed for a clean application.
Comment on attachment 8937 [details]
patches cherry-picked from master (correctly delete dns objects)

Thanks
Karolin, please pick for 4.0.next. Thanks, Kai
Pushed to autobuild-v4-0-test.
Applied the patches, working flawlessly for both signed and unsigned updates. Thanks Kai!
Pushed to v4-0-test. Closing out bug report. Thanks!