Univention Bugzilla – Bug 43288
A new dns entry is created if a server is joined which causes the host lookup to fail and therefore the drs replication fails
Last modified: 2019-10-14 14:57:41 CEST
After joining a backup server in a customer environment again, a new dns entry is created. This probably happens in environments where samba4 is installed before 4.0-4 and dns/backend is set to samba4

root@backup482:~# univention-s4search DC=_msdcs --cross-ncs dn
# record 1
dn: DC=_msdcs,DC=deadlock48.intranet,CN=MicrosoftDNS,DC=DomainDnsZones,DC=deadlock48,DC=intranet

# record 2
dn: DC=_msdcs,DC=deadlock48.intranet,CN=MicrosoftDNS,CN=System,DC=deadlock48,DC=intranet

This entry causes the further lookup for 9aa7b8db-c89b-4e0f-9df2-2dd9872e67cf._msdcs.deadlock48.intranet to fail. Maybe it is recognized as a dns zone, but there is no entry below.
-------------------------------------------------------------------------------------------------------------------------------------------
root@backup482:~# host -al $(dnsdomainname) |grep msdcs
gc._msdcs.deadlock48.intranet. 900 IN A 10.201.48.1
gc._msdcs.deadlock48.intranet. 900 IN A 10.201.48.2
gc._msdcs.deadlock48.intranet. 900 IN A 10.203.10.251
gc._msdcs.deadlock48.intranet. 900 IN A 10.201.48.3
_ldap._tcp.gc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 3268 backup482.deadlock48.intranet.
_ldap._tcp.gc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 3268 master481.deadlock48.intranet.
_ldap._tcp.gc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 3268 slave483.deadlock48.intranet.
_ldap._tcp.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 master481.deadlock48.intranet.
_ldap._tcp.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 backup482.deadlock48.intranet.
_ldap._tcp.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 slave483.deadlock48.intranet.
_ldap._tcp.pdc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 master481.deadlock48.intranet.
_kerberos._tcp.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 88 master481.deadlock48.intranet.
_kerberos._tcp.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 88 backup482.deadlock48.intranet.
_kerberos._tcp.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 88 slave483.deadlock48.intranet.
9aa7b8db-c89b-4e0f-9df2-2dd9872e67cf._msdcs.deadlock48.intranet. 3600 IN CNAME backup482.deadlock48.intranet.
54452074-5088-4b85-b1ef-e2edf184e1c2._msdcs.deadlock48.intranet. 3600 IN CNAME master481.deadlock48.intranet.
47fe5d26-ffd2-464a-9a24-0e72af5cdf65._msdcs.deadlock48.intranet. 900 IN CNAME slave483.deadlock48.intranet.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 3268 backup482.deadlock48.intranet.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 3268 master481.deadlock48.intranet.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 3268 slave483.deadlock48.intranet.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 master481.deadlock48.intranet.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 backup482.deadlock48.intranet.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 slave483.deadlock48.intranet.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 88 master481.deadlock48.intranet.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 88 backup482.deadlock48.intranet.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 88 slave483.deadlock48.intranet.
_ldap._tcp.a785bb4a-c9b4-494e-b0a4-33ff8e2ed290.domains._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 master481.deadlock48.intranet.
_ldap._tcp.a785bb4a-c9b4-494e-b0a4-33ff8e2ed290.domains._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 backup482.deadlock48.intranet.
_ldap._tcp.a785bb4a-c9b4-494e-b0a4-33ff8e2ed290.domains._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 slave483.deadlock48.intranet.
-------------------------------------------------------------------------------------------------------------------------------------------
root@backup482:~# host 9aa7b8db-c89b-4e0f-9df2-2dd9872e67cf._msdcs.deadlock48.intranet.
9aa7b8db-c89b-4e0f-9df2-2dd9872e67cf._msdcs.deadlock48.intranet is an alias for backup482.deadlock48.intranet.
backup482.deadlock48.intranet has address 10.203.10.251
backup482.deadlock48.intranet has address 10.201.48.2
-------------------------------------------------------------------------------------------------------------------------------------------
After joining the server, the _msdcs entry cannot be resolved anymore, though host -al $(dnsdomainname) | grep msdcs shows the entries:
54a3d4fb-76a8-4983-aedb-c83bae062ea9._msdcs.deadlock48.intranet. 900 IN CNAME backup482.deadlock48.intranet.
54452074-5088-4b85-b1ef-e2edf184e1c2._msdcs.deadlock48.intranet. 900 IN CNAME master481.deadlock48.intranet.
47fe5d26-ffd2-464a-9a24-0e72af5cdf65._msdcs.deadlock48.intranet. 900 IN CNAME slave483.deadlock48.intranet.
-------------------------------------------------------------------------------------------------------------------------------------------
root@backup482:~# host 54a3d4fb-76a8-4983-aedb-c83bae062ea9._msdcs.deadlock48.intranet.
Host 54a3d4fb-76a8-4983-aedb-c83bae062ea9._msdcs.deadlock48.intranet. not found: 3(NXDOMAIN)
-------------------------------------------------------------------------------------------------------------------------------------------
The following script shows, among others, the following failure:
/usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh
[..]
Host 47fe5d26-ffd2-464a-9a24-0e72af5cdf65._msdcs not found: 3(NXDOMAIN)
Host 54452074-5088-4b85-b1ef-e2edf184e1c2._msdcs not found: 3(NXDOMAIN)
Host 54a3d4fb-76a8-4983-aedb-c83bae062ea9._msdcs not found: 3(NXDOMAIN)
[..]
-------------------------------------------------------------------------------------------------------------------------------------------
This causes the complete drs replication to fail. The entry can be deleted, but it will be recreated again from samba-dnsupdate:
ldbdel -H /var/lib/samba/private/sam.ldb 'DC=_msdcs,DC=deadlock48.intranet,CN=MicrosoftDNS,CN=System,DC=deadlock48,DC=intranet'
-------------------------------------------------------------------------------------------------------------------------------------------
A temporary workaround is setting dns/backend=ldap on all samba4 servers
This has been changed between Samba 4.3.7 and Samba 4.5.1: diff -Nur samba-4.3.7/source4/setup/dns_update_list samba-4.5.1/source4/setup/dns_update_list --- samba-4.3.7/source4/setup/dns_update_list 2015-07-21 11:47:50.000000000 +0200 +++ samba-4.5.1/source4/setup/dns_update_list 2016-08-11 09:51:05.000000000 +0200 @@ -2,6 +2,13 @@ # dynamic DNS update. It is processed by the samba_dnsupdate script A ${HOSTNAME} $IP AAAA ${HOSTNAME} $IP +${IF_RWDNS_DOMAIN}NS ${DNSDOMAIN} ${HOSTNAME} +${IF_RWDNS_FOREST}NS ${DNSFOREST} ${HOSTNAME} +${IF_RWDNS_FOREST}NS _msdcs.${DNSFOREST} ${HOSTNAME} + +# Stub entries in the parent zone +${IF_RWDNS_DOMAIN}RPC ${DNSFOREST} NS ${DNSDOMAIN} ${HOSTNAME} +${IF_RWDNS_FOREST}RPC ${DNSFOREST} NS _msdcs.${DNSFOREST} ${HOSTNAME} # RW domain controller ${IF_RWDC}A ${DNSDOMAIN} $IP So, samba_dnsupdate creates the _msdcs "zone".
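Review bot: the added `${IF_RWDNS_FOREST}NS _msdcs.${DNSFOREST} ${HOSTNAME}` line, together with the `${IF_RWDNS_FOREST}RPC ${DNSFOREST} NS _msdcs.${DNSFOREST} ${HOSTNAME}` stub entry, makes samba_dnsupdate create an `_msdcs` node of its own, and the `${IF_RWDNS_FOREST}` prefix is the only condition on it: nothing in the hunk accounts for a DC whose zone data is still served by the Bind9 DLZ module from CN=MicrosoftDNS,CN=System, where (as the report above shows) the resulting DC=_msdcs object is treated as an empty zone, every `<GUID>._msdcs.<domain>` CNAME lookup answers NXDOMAIN, and DRS replication stops. Either these `_msdcs` entries need a condition that excludes that layout, or the header comment of dns_update_list should state that installing the new list on an existing DC with the old layout requires removing the stray object first, since deleting it alone is undone on the next run.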
With Samba 4.5 an object DC=_msdcs is created in the DNS zone below CN=MicrosoftDNS,CN=System. Afterwards, the Bind9 DLZ module is unable to resolve names like <GUID>._msdcs.<DNS domain>. This breaks the DRS replication. It happened only after rejoining a system because only in that case the file /usr/share/samba/setup/dns_update_list is copied to /var/lib/samba/private/ and updates the old configuration.

I've now added a patch which reverts the upstream commits for dns_update_list (96_dnsupdate_list_remove_msdcs.quilt):
https://git.samba.org/?p=samba.git;a=commitdiff;h=e3822497c87dade49ac85374e695f0a4f10bbc70
https://git.samba.org/?p=samba.git;a=commitdiff;h=8f1659e540e661326791c3ca25789d9c50d85298#patch2

I've created a second patch which removes the DC=_msdcs object in the Samba postinst and copies the new /usr/share/samba/setup/dns_update_list to /var/lib/samba/private (96_dnsupdate_list_remove_msdcs_postinst.patch). Waiting for my test results.
Created attachment 8338: remove_msdcs.patch
Workaround on every Samba 4 DC (Master, Backup, Slave with Samba 4):

wget -O remove_msdcs.patch --no-check-certificate https://forge.univention.org/bugzilla/attachment.cgi?id=8338
patch -d /usr/share/samba/setup/ -p0 <remove_msdcs.patch
cp /usr/share/samba/setup/dns_update_list /var/lib/samba/private/dns_update_list
ldbdel -H /var/lib/samba/private/sam.ldb "DC=_msdcs,DC=$(ucr get domainname),CN=MicrosoftDNS,CN=System,$(ucr get samba4/ldap/base)"
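An offline check for the two conditions this thread describes (a stray DC=_msdcs object under CN=System, and an active dns_update_list that would recreate it after the ldbdel above): an example added here, not code from Univention or Samba. The sample dns_update_list and univention-s4search output are constructed with a placeholder domain, and the container detection assumes the RDN directly after CN=MicrosoftDNS names the partition, as in the search output in the report.

```python
import re

# Constructed sample: dns_update_list after the upstream change quoted above.
SAMPLE_UPDATE_LIST = """\
# dynamic DNS update. It is processed by the samba_dnsupdate script
A ${HOSTNAME} $IP
AAAA ${HOSTNAME} $IP
${IF_RWDNS_DOMAIN}NS ${DNSDOMAIN} ${HOSTNAME}
${IF_RWDNS_FOREST}NS ${DNSFOREST} ${HOSTNAME}
${IF_RWDNS_FOREST}NS _msdcs.${DNSFOREST} ${HOSTNAME}
${IF_RWDNS_DOMAIN}RPC ${DNSFOREST} NS ${DNSDOMAIN} ${HOSTNAME}
${IF_RWDNS_FOREST}RPC ${DNSFOREST} NS _msdcs.${DNSFOREST} ${HOSTNAME}
"""

# Constructed sample: 'univention-s4search DC=_msdcs --cross-ncs dn' output for a
# placeholder domain, with the expected object and the stray CN=System one.
SAMPLE_S4SEARCH = """\
# record 1
dn: DC=_msdcs,DC=example.test,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=test
# record 2
dn: DC=_msdcs,DC=example.test,CN=MicrosoftDNS,CN=System,DC=example,DC=test
"""

# NS/RPC lines that make samba_dnsupdate manage an _msdcs node in the forest zone.
MSDCS_RULE = re.compile(r'^\s*(\$\{IF_\w+\})?\s*(NS|RPC)\b.*\b_msdcs\.\$\{DNSFOREST\}')

def msdcs_update_rules(update_list_text):
    """Return the dns_update_list lines that would (re)create the _msdcs node."""
    return [l for l in update_list_text.splitlines() if MSDCS_RULE.match(l)]

def msdcs_dns_objects(ldif_text):
    """Map each DC=_msdcs object's container (RDN after CN=MicrosoftDNS) to its DN."""
    found = {}
    for line in ldif_text.splitlines():
        if not line.startswith('dn:'):
            continue
        dn = line[3:].strip()
        parts = [p.strip() for p in dn.split(',')]
        lower = [p.lower() for p in parts]
        if lower[0] == 'dc=_msdcs' and 'cn=microsoftdns' in lower:
            found[parts[lower.index('cn=microsoftdns') + 1]] = dn
    return found

def diagnose(update_list_text, ldif_text):
    """Report whether the stray CN=System object exists and whether it would be recreated."""
    objects = msdcs_dns_objects(ldif_text)
    rules = msdcs_update_rules(update_list_text)
    return {'stray_in_cn_system': 'CN=System' in objects,
            'will_be_recreated': bool(rules), 'objects': objects, 'rules': rules}
```

Feed it the real /var/lib/samba/private/dns_update_list and the s4search output to confirm that, after the workaround, both flags are False.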
My tests were successful.

YAML (r75632): Samba 4.5 creates a DNS object _msdcs below the position CN=MicrosoftDNS,CN=System. If CN=System is still used by Bind9, the DRS replication will be stopped. This can only happen if Samba 4 was installed before UCS 4.0-4 and a Samba 4 system is installed or rejoined. This update removes the created DNS object and prevents its recreation.
OK - patches
OK - YAML
OK - merged to 4.2
OK - jenkins test
OK - broken setup is repaired during update
OK - resync no longer breaks dns / drs
OK - quick tests with new samba packages
<http://errata.software-univention.de/ucs/4.1/372.html>