Bug 9559 - Only initial signed DNS update for a host works
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: DNS server
Version: 4.0.0
Hardware: x64 All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 10749
Reported: 2013-01-12 21:22 UTC by Dmitry
Modified: 2014-08-07 13:09 UTC (History)
Attachments
Samba's smb.conf on dc2 (the only Domain Controller) (723 bytes, application/octet-stream)
2013-01-12 21:22 UTC, Dmitry
no flags Details
Network dump on UDP port 53 of the first (successful) update request, DC side (1.46 KB, application/octet-stream)
2013-01-12 21:23 UTC, Dmitry
no flags Details
Network dump on UDP port 53 of the second (failed) update request, DC side (1.48 KB, application/octet-stream)
2013-01-12 21:24 UTC, Dmitry
no flags Details
log.samba log level = 7 from workstation boot to ipconfig /registerdns (65.36 KB, application/gzip)
2013-01-13 12:23 UTC, Dmitry
no flags Details
Add new DNS debug class (1.27 KB, patch)
2013-01-14 07:29 UTC, Kai Blin
no flags Details
Use new DNS debug class (2.66 KB, patch)
2013-01-14 07:29 UTC, Kai Blin
no flags Details
Print outgoing packet trace (855 bytes, patch)
2013-01-14 07:30 UTC, Kai Blin
no flags Details
log.samba with patched DNS debug class (30.52 KB, application/octet-stream)
2013-01-14 08:54 UTC, Dmitry
no flags Details
Correctly delete empty dnsNode objects (5.44 KB, patch)
2013-06-01 09:44 UTC, Kai Blin
abartlet: review-
Details
patches cherry-picked from master (correctly delete dns objects) (11.56 KB, patch)
2013-06-02 09:43 UTC, Andrew Bartlett
kai: review+
Details

Description Dmitry 2013-01-12 21:22:54 UTC
Created attachment 8416 [details]
Samba's smb.conf on dc2 (the only Domain Controller)

Summary:
Samba's internal DNS server will update an A record only if it doesn't already exist.

What is expected:
The DNS server is expected to delete the old A record and create a new one.

Steps to reproduce:
1. Provision a Samba domain, edit krb5.conf and resolv.conf:
# sbin/smbd --version
Version 4.0.0
# bin/samba-tool domain provision --use-ntvfs --use-rfc2307 --adminpass='5ecur3! PA$sw0rd' --domain=icetest --realm=icetest.local --option="interfaces = 10.146.146.1, 127.0.0.1" --option="bind interfaces only = Yes" --option="wins support = Yes"

2. Start smbd and join a Windows XP SP3 or Windows 7 workstation.

3. Reboot the workstation.

4. On DC: delete the initially created A record:
# bin/samba-tool dns delete dc2 icetest.local winxpwb0 A 10.146.146.10 -k yes

5. On DC: make sure the record is gone:
# busybox nslookup winxpwb0
Server:    127.0.0.1
Address 1: 127.0.0.1 dc2.icetest.local

nslookup: can't resolve 'winxpwb0': No address associated with hostname

6. On workstation: run ipconfig /registerdns as admin

7. On DC: make sure the record appears:
# busybox nslookup winxpwb0
Server:    127.0.0.1
Address 1: 127.0.0.1 dc2.icetest.local

Name:      winxpwb0
Address 1: 10.146.146.10

8. On workstation: change IP address and test if it is changed
> ipconfig | find "IP"
IP-address  . . . . . . . . . . . . : 10.146.146.26

9. On workstation: run ipconfig /registerdns as admin

10. On DC: make sure the record changes:
# busybox nslookup winxpwb0
Server:    127.0.0.1
Address 1: 127.0.0.1 dc2.icetest.local

Name:      winxpwb0
Address 1: 10.146.146.10

# bin/samba-tool dns query dc2 icetest.local winxpwb0 A -k yes
  Name=, Records=1, Children=0
    A: 10.146.146.10 (flags=f0, serial=110, ttl=1200)

The record is the same.
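
Added example (not part of the original report and not Samba code): a small check for the symptom in steps 5-10, classifying a host's A record from busybox nslookup output against the address the client should have registered. It assumes the output layout shown in the report; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example: classify a host's A record from busybox nslookup output.

# Output copied from step 10 of the report (record still holds the old address).
STEP10_OUTPUT='Server:    127.0.0.1
Address 1: 127.0.0.1 dc2.icetest.local

Name:      winxpwb0
Address 1: 10.146.146.10'

# Output copied from step 5 (record deleted; only the server block is printed).
STEP5_OUTPUT='Server:    127.0.0.1
Address 1: 127.0.0.1 dc2.icetest.local
'

# Print answer addresses: "Address" lines that follow the "Name:" line.
# The server's own "Address 1:" line comes before "Name:" and is skipped.
answer_addrs() {
    awk '/^Name:/ { in_answer = 1; next }
         in_answer && /^Address/ { print $3 }'
}

# record_state EXPECTED_IP < nslookup-output
# Prints one of: missing | current | stale | mixed
record_state() {
    expected=$1
    addrs=$(answer_addrs)
    if [ -z "$addrs" ]; then
        echo missing
    elif [ "$addrs" = "$expected" ]; then
        echo current
    elif printf '%s\n' "$addrs" | grep -qxF -- "$expected"; then
        echo mixed      # expected address present alongside others
    else
        echo stale      # only other (old) addresses are registered
    fi
}

# Live use: sh check.sh HOST EXPECTED_IP  (script name is hypothetical)
if [ "$#" -eq 2 ]; then
    nslookup "$1" 2>/dev/null | record_state "$2"
else
    # No arguments: replay the outputs quoted in the report.
    printf '%s\n' "$STEP10_OUTPUT" | record_state 10.146.146.26   # stale
    printf '%s\n' "$STEP5_OUTPUT"  | record_state 10.146.146.10   # missing
fi
```
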
Comment 1 Dmitry 2013-01-12 21:23:49 UTC
Created attachment 8417 [details]
Network dump on UDP port 53 of the first (successful) update request, DC side
Comment 2 Dmitry 2013-01-12 21:24:21 UTC
Created attachment 8418 [details]
Network dump on UDP port 53 of the second (failed) update request, DC side
Comment 3 Kai Blin 2013-01-13 08:47:19 UTC
I'll need a debug log at at least level 5 for this. Also, why do you remove the record manually with samba-tool?
Comment 4 Dmitry 2013-01-13 12:23:28 UTC
Created attachment 8419 [details]
log.samba log level = 7 from workstation boot to ipconfig /registerdns

I remove the record with samba-tool just to illustrate the issue. I have had the same bug on a production domain since late 4.0.0alpha. In production we have dynamic VLAN assignment, so the IP address changes (via DHCP) just after a user logs in. In such a case this bug is a somewhat annoying one.
By the way, not only Windows, but at least Samba 3.5.x based clients exhibit the same problem.
Comment 5 Kai Blin 2013-01-14 00:08:18 UTC
Ok, one thing that will trip you up is that you seem to be forwarding to yourself, causing a DNS loop. (Starting line 3801 of the logfile)

Once you fix that, it might make the new logfile a bit easier to read. I have a bunch of fixes on the samba dns code coming up that might make debugging easier still. Will upload them to this bug once I have them.
Comment 6 Kai Blin 2013-01-14 07:29:17 UTC
Created attachment 8420 [details]
Add new DNS debug class
Comment 7 Kai Blin 2013-01-14 07:29:43 UTC
Created attachment 8421 [details]
Use new DNS debug class
Comment 8 Kai Blin 2013-01-14 07:30:29 UTC
Created attachment 8422 [details]
Print outgoing packet trace
Comment 9 Kai Blin 2013-01-14 07:31:37 UTC
Ok, with these three patches I just attached, can you set your log level to include "dns:10" and send me the log file?

A full line would be

log level = 0 dns:10

or the like.
Comment 10 Dmitry 2013-01-14 08:54:54 UTC
Created attachment 8424 [details]
log.samba with patched DNS debug class

Patches applied.
log level = 0 dns:10
Comment 11 Kai Blin 2013-01-14 09:10:17 UTC
(In reply to comment #10)
> Created attachment 8424 [details]
> log.samba with patched DNS debug class
> 
> Patches applied.
> log level = 0 dns:10

Thanks. Unfortunately I misunderstood the implications of using debug classes and the dump_data() function, so the log file doesn't include the log information I needed. I'll get back to you when I know how to get decent but non-cluttered debug output from the DNS server.
Sorry for the extra work.
Comment 12 ZZ 2013-05-09 15:37:04 UTC
I too am having this same issue. I am currently running Samba 4.0.5 and I can not get dynamic DNS updates to work. In my smb.conf file, I have the option set for Samba to accept unsecured and secured dns updates from clients. When I join a machine to the domain it creates a DNS record, yet if I change the IP address of the machine and run ipconfig /registerdns, I cannot get it to update the record. In addition, if I delete the host record from the DNS server, it will never reappear. How can I get this to work?

Any help would be appreciated! :)
Comment 13 Dmitry 2013-05-09 20:32:57 UTC
(In reply to comment #12)
Well, I personally hadn't checked if this bug is present in the current Samba release. Upon your words it looks like it is, but

> I have the option set
> for Samba to accept unsecured and secured dns updates from clients.
> In addition, if I delete the host record from the DNS server, it will
> never reappear.

sounds strange - in my experience unsigned updates handling works and the A record gets created after manual deletion (see #1, steps 4-7).

In production we still use BIND9_FLATFILE for signed updates and it works very well. If you don't need AD-managed (i.e. stored in AD partition) zones then, most likely, it fits your needs, otherwise you should probably try BIND9_DLZ (however, last time I tried, it had some problems with signed updates, too).
Comment 14 ZZ 2013-05-09 23:18:51 UTC
Yeah I noticed that my scenario slightly differs from yours, still, using the internal DNS server I'm not able to get any client updates. For instance today I joined a Windows 7 machine to the domain to do testing on. During the initial joining to the domain the DNS record was created and all was well. Then when I changed the IP address of the client and ran ipconfig /registerdns, the client record was automatically deleted. When I changed the IP address back to what it was when I joined it to the domain and ran the command again, the record was still not there.

I know that Samba has options available for Bind, but I also know that the Samba team created the internal DNS server because of a lack of support from the Bind people. So, in my opinion, the proprietary DNS implementation for Samba is the internal DNS server. I mean I'd switch to BIND if I had to, but I'm not too excited to.
Comment 15 Justin Foreman 2013-05-10 14:49:49 UTC
(In reply to comment #14)
> Yeah I noticed that my scenario slightly differs from yours, still, using the
> internal DNS server I'm not able to get any client updates. For instance today
> I joined a Windows 7 machine to the domain to do testing on. During the initial
> joining to the domain the DNS record was created and all was well. Then when I
> changed the IP address of the client and ran ipconfig /registerdns, the client
> record was automatically deleted. When I changed the IP address back to what it
> was when I joined it to the domain and ran the command again, the record was
> still not there.
> 
> I know that Samba has options available for Bind, but I also know that the
> Samba team created the internal DNS server because of a lack of support from
> the Bind people. So, in my opinion, the proprietary DNS implementation for Samba
> is the internal DNS server. I mean I'd switch to BIND if I had to, but I'm not
> too excited to.


Observing same exact behavior as Zane reports above. Internal DNS, Samba 4.0.5. x64 Ubuntu 12.04.
Comment 16 Christopherrowson 2013-05-13 09:20:21 UTC
I can also confirm this bug:

Doing an ipconfig /registerdns on Windows 8 creates a new A record.

Changing the IP Address on the Windows 8 client and re-running ipconfig /registerdns does not update the A record. 

The Windows Event log shows:
 
EventID 8016

The system failed to register host resource records for network adapter with settings...

The reason the system could not register these RRs was because the DNS server failed the update request. The most likely cause of this is that the authoritative DNS server required to process this update request has a lock in place on the zone, probably because a zone transfer is in progress.
Comment 17 Christopherrowson 2013-05-13 09:21:05 UTC
Sorry, forgot to confirm: Internal DNS, Samba 4.0.5.

(In reply to comment #16)
> I can also confirm this bug:
> 
> Doing an ipconfig /registerdns on Windows 8 creates a new A record.
> 
> Changing the IP Address on the Windows 8 client and re-running ipconfig
> /registerdns does not update the A record. 
> 
> The Windows Event log shows:
> 
> EventID 8016
> 
> The system failed to register host resource records for network adapter with
> settings...
> 
> The reason the system could not register these RRs was because the DNS server
> failed the update request. The most likely cause of this is that the
> authoritative DNS server required to process this update request has a lock in
> place on the zone, probably because a zone transfer is in progress.
Comment 18 Kai Blin 2013-05-25 10:18:29 UTC
Seen the problem, working on it.
Comment 19 Kai Blin 2013-06-01 09:44:12 UTC
Created attachment 8936 [details]
Correctly delete empty dnsNode objects
Comment 20 Andrew Bartlett 2013-06-01 09:56:51 UTC
Comment on attachment 8936 [details]
Correctly delete empty dnsNode objects

Oops.  This looks good, but we need to wait for it to get past autobuild, so we can upload the git cherry-pick -x form.  (I can do that if needed).
Comment 21 Andrew Bartlett 2013-06-02 09:43:09 UTC
Created attachment 8937 [details]
patches cherry-picked from master (correctly delete dns objects)

This patch applies to v4-0-test and passes DNS tests there, after being cherry-picked along with the other changes needed for a clean application.
Comment 22 Kai Blin 2013-06-02 20:54:05 UTC
Comment on attachment 8937 [details]
patches cherry-picked from master (correctly delete dns objects)

Thanks
Comment 23 Kai Blin 2013-06-02 20:54:40 UTC
Karolin, please pick for 4.0.next.
Thanks,
Kai
Comment 24 Karolin Seeger 2013-06-03 10:17:34 UTC
Pushed to autobuild-v4-0-test.
Comment 25 ZZ 2013-06-03 15:27:38 UTC
Applied the patches, working flawlessly for both signed and unsigned updates. Thanks Kai!
Comment 26 Karolin Seeger 2013-06-04 07:48:39 UTC
Pushed to v4-0-test.
Closing out bug report.

Thanks!