Bug 43288 - A new dns entry is created if a server is joined which causes the host lookup to fail and therefore the drs replication fails
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.1
Hardware/OS: Other Linux
Importance: P5 critical
Target Milestone: UCS 4.1-4-errata
Assigned To: Stefan Gohmann
QA Contact: Felix Botner
URL: http://sdb.univention.de/1378
Reported: 2017-01-04 15:44 CET by Christina Scheinig
Modified: 2019-10-14 14:57 CEST
CC: 5 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.429
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017010321002465, 2016121921000427
Bug group (optional): Workaround is available
Max CVSS v3 score:


Attachments
remove_msdcs.patch (957 bytes, patch)
2017-01-06 09:31 CET, Stefan Gohmann

Description Christina Scheinig univentionstaff 2017-01-04 15:44:47 CET
After joining a backup server in a customer environment again, a new DNS entry is created. This probably happens in environments where Samba 4 was installed before 4.0-4 and dns/backend is set to samba4.

root@backup482:~# univention-s4search DC=_msdcs --cross-ncs dn
# record 1
dn: DC=_msdcs,DC=deadlock48.intranet,CN=MicrosoftDNS,DC=DomainDnsZones,DC=deadlock48,DC=intranet

# record 2
dn: DC=_msdcs,DC=deadlock48.intranet,CN=MicrosoftDNS,CN=System,DC=deadlock48,DC=intranet

This entry causes the subsequent lookup of 9aa7b8db-c89b-4e0f-9df2-2dd9872e67cf._msdcs.deadlock48.intranet to fail. Perhaps it is recognized as a DNS zone, but there are no entries below it.
-------------------------------------------------------------------------------------------------------------------------------------------
root@backup482:~# host -al $(dnsdomainname) |grep msdcs
gc._msdcs.deadlock48.intranet. 900 IN   A       10.201.48.1
gc._msdcs.deadlock48.intranet. 900 IN   A       10.201.48.2
gc._msdcs.deadlock48.intranet. 900 IN   A       10.203.10.251
gc._msdcs.deadlock48.intranet. 900 IN   A       10.201.48.3
_ldap._tcp.gc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 3268 backup482.deadlock48.intranet.
_ldap._tcp.gc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 3268 master481.deadlock48.intranet.
_ldap._tcp.gc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 3268 slave483.deadlock48.intranet.
_ldap._tcp.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 master481.deadlock48.intranet.
_ldap._tcp.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 backup482.deadlock48.intranet.
_ldap._tcp.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 slave483.deadlock48.intranet.
_ldap._tcp.pdc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 master481.deadlock48.intranet.
_kerberos._tcp.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 88 master481.deadlock48.intranet.
_kerberos._tcp.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 88 backup482.deadlock48.intranet.
_kerberos._tcp.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 88 slave483.deadlock48.intranet.
9aa7b8db-c89b-4e0f-9df2-2dd9872e67cf._msdcs.deadlock48.intranet. 3600 IN CNAME backup482.deadlock48.intranet.
54452074-5088-4b85-b1ef-e2edf184e1c2._msdcs.deadlock48.intranet. 3600 IN CNAME master481.deadlock48.intranet.
47fe5d26-ffd2-464a-9a24-0e72af5cdf65._msdcs.deadlock48.intranet. 900 IN CNAME slave483.deadlock48.intranet.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 3268 backup482.deadlock48.intranet.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 3268 master481.deadlock48.intranet.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 3268 slave483.deadlock48.intranet.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 master481.deadlock48.intranet.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 backup482.deadlock48.intranet.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 slave483.deadlock48.intranet.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 88 master481.deadlock48.intranet.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 88 backup482.deadlock48.intranet.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 88 slave483.deadlock48.intranet.
_ldap._tcp.a785bb4a-c9b4-494e-b0a4-33ff8e2ed290.domains._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 master481.deadlock48.intranet.
_ldap._tcp.a785bb4a-c9b4-494e-b0a4-33ff8e2ed290.domains._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 backup482.deadlock48.intranet.
_ldap._tcp.a785bb4a-c9b4-494e-b0a4-33ff8e2ed290.domains._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 slave483.deadlock48.intranet.
-------------------------------------------------------------------------------------------------------------------------------------------
root@backup482:~# host 9aa7b8db-c89b-4e0f-9df2-2dd9872e67cf._msdcs.deadlock48.intranet.
9aa7b8db-c89b-4e0f-9df2-2dd9872e67cf._msdcs.deadlock48.intranet is an alias for backup482.deadlock48.intranet.
backup482.deadlock48.intranet has address 10.203.10.251
backup482.deadlock48.intranet has address 10.201.48.2
-------------------------------------------------------------------------------------------------------------------------------------------
After joining the server, the _msdcs entry cannot be resolved any more, although
host -al $(dnsdomainname) | grep msdcs
shows the entries:
54a3d4fb-76a8-4983-aedb-c83bae062ea9._msdcs.deadlock48.intranet. 900 IN CNAME backup482.deadlock48.intranet.
54452074-5088-4b85-b1ef-e2edf184e1c2._msdcs.deadlock48.intranet. 900 IN CNAME master481.deadlock48.intranet.
47fe5d26-ffd2-464a-9a24-0e72af5cdf65._msdcs.deadlock48.intranet. 900 IN CNAME slave483.deadlock48.intranet.
-------------------------------------------------------------------------------------------------------------------------------------------
root@backup482:~# host 54a3d4fb-76a8-4983-aedb-c83bae062ea9._msdcs.deadlock48.intranet.
Host 54a3d4fb-76a8-4983-aedb-c83bae062ea9._msdcs.deadlock48.intranet. not found: 3(NXDOMAIN)
-------------------------------------------------------------------------------------------------------------------------------------------
The following script shows, among other things, the following failure:
/usr/share/univention-samba4/scripts/check_essential_samba4_dns_records.sh

[..]
Host 47fe5d26-ffd2-464a-9a24-0e72af5cdf65._msdcs not found: 3(NXDOMAIN)
Host 54452074-5088-4b85-b1ef-e2edf184e1c2._msdcs not found: 3(NXDOMAIN)
Host 54a3d4fb-76a8-4983-aedb-c83bae062ea9._msdcs not found: 3(NXDOMAIN)
[..]
-------------------------------------------------------------------------------------------------------------------------------------------
This causes the complete DRS replication to fail.
The entry can be deleted, but it will be recreated by samba_dnsupdate:

ldbdel -H /var/lib/samba/private/sam.ldb 'DC=_msdcs,DC=deadlock48.intranet,CN=MicrosoftDNS,CN=System,DC=deadlock48,DC=intranet'
-------------------------------------------------------------------------------------------------------------------------------------------

A temporary workaround is setting dns/backend=ldap on all Samba 4 servers.
Comment 1 Stefan Gohmann univentionstaff 2017-01-04 21:39:18 CET
This has been changed between Samba 4.3.7 and Samba 4.5.1:

diff -Nur samba-4.3.7/source4/setup/dns_update_list  samba-4.5.1/source4/setup/dns_update_list 
--- samba-4.3.7/source4/setup/dns_update_list   2015-07-21 11:47:50.000000000 +0200
+++ samba-4.5.1/source4/setup/dns_update_list   2016-08-11 09:51:05.000000000 +0200
@@ -2,6 +2,13 @@
 # dynamic DNS update. It is processed by the samba_dnsupdate script
 A                      ${HOSTNAME}                                           $IP
 AAAA                   ${HOSTNAME}                                           $IP
+${IF_RWDNS_DOMAIN}NS   ${DNSDOMAIN}                                          ${HOSTNAME}
+${IF_RWDNS_FOREST}NS   ${DNSFOREST}                                          ${HOSTNAME}
+${IF_RWDNS_FOREST}NS   _msdcs.${DNSFOREST}                                   ${HOSTNAME}
+
+# Stub entries in the parent zone
+${IF_RWDNS_DOMAIN}RPC ${DNSFOREST}   NS ${DNSDOMAIN}                         ${HOSTNAME}
+${IF_RWDNS_FOREST}RPC ${DNSFOREST}   NS _msdcs.${DNSFOREST}                  ${HOSTNAME}
 
 # RW domain controller
 ${IF_RWDC}A            ${DNSDOMAIN}                                          $IP
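Review bot: the new `${IF_RWDNS_FOREST}NS _msdcs.${DNSFOREST} ${HOSTNAME}` line, together with the matching `RPC ${DNSFOREST} NS _msdcs.${DNSFOREST}` stub entry, makes samba_dnsupdate register _msdcs as a zone of its own, which is only valid where _msdcs really is a separate zone; on a domain whose DNS data still lives under CN=MicrosoftDNS,CN=System and is served by the BIND9 DLZ module, the description and Comment 2 on this bug show the result is a DC=_msdcs object with nothing beneath it and NXDOMAIN for every <GUID>._msdcs.<domain> CNAME, which stops DRS replication. Suggest gating these two lines behind a condition that is only set when the _msdcs zone exists as its own partition, or at least stating in the header comment of dns_update_list (the "# dynamic DNS update" context line above) that the NS and RPC stub entries assume the forest-zone layout, so downstream packagers can disable them when they do not apply.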


So, samba_dnsupdate creates the _msdcs "zone".
Comment 2 Stefan Gohmann univentionstaff 2017-01-05 08:50:47 CET
With Samba 4.5 an object DC=_msdcs is created in the DNS zone below CN=MicrosoftDNS,CN=System. Afterwards, the Bind9 DLZ module is unable to resolve names like <GUID>._msdcs.<DNS domain>. This breaks the DRS replication.

It happened only after rejoining a system because only in that case the file /usr/share/samba/setup/dns_update_list is copied to /var/lib/samba/private/ and updates the old configuration.

I've now added a patch which reverts the upstream commits for dns_update_lists (96_dnsupdate_list_remove_msdcs.quilt):
 https://git.samba.org/?p=samba.git;a=commitdiff;h=e3822497c87dade49ac85374e695f0a4f10bbc70
 https://git.samba.org/?p=samba.git;a=commitdiff;h=8f1659e540e661326791c3ca25789d9c50d85298#patch2

I've created a second patch which removes the DC=_msdcs object in the Samba postinst and copies the new /usr/share/samba/setup/dns_update_list to /var/lib/samba/private (96_dnsupdate_list_remove_msdcs_postinst.patch).

Waiting for my test results.
Comment 3 Stefan Gohmann univentionstaff 2017-01-06 09:31:45 CET
Created attachment 8338 [details]
remove_msdcs.patch
Comment 4 Stefan Gohmann univentionstaff 2017-01-06 09:37:41 CET
Workaround on every Samba 4 DC (Master, Backup Slave with Samba 4):

wget -O remove_msdcs.patch --no-check-certificate https://forge.univention.org/bugzilla/attachment.cgi?id=8338

patch -d /usr/share/samba/setup/ -p0 <remove_msdcs.patch

cp /usr/share/samba/setup/dns_update_list /var/lib/samba/private/dns_update_list

ldbdel -H /var/lib/samba/private/sam.ldb  "DC=_msdcs,DC=$(ucr get domainname),CN=MicrosoftDNS,CN=System,$(ucr get samba4/ldap/base)"
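The diagnosis in the description (two DC=_msdcs objects, one legitimate under DomainDnsZones and one stray under CN=System, with the GUID CNAMEs returning NXDOMAIN) and the ldbdel step of the workaround above both lend themselves to a small pre-check script. The following shell script is an added example written for this page; it is not part of the bug report, the attached patch or the UCS packages. Its parsing helpers work on captured text and are exercised on constructed sample output modelled on the report. The repair_msdcs function is an assumption about how one would wrap the ldbdel step safely: it is never run automatically, it assumes the dns_update_list patch from the steps above has already been applied (otherwise the object is recreated), and it uses ucr, ldbsearch, ldbdel and host only on a real Samba 4 DC.

```shell
#!/bin/sh
# Added example, not from the bug report or UCS. Helpers around the ldbdel
# workaround: build the DN of the stray object, find it in s4search output,
# list the GUID CNAMEs that DRS replication needs, and re-check them.

# Build the DN of the DC=_msdcs object in the legacy CN=System DNS partition
# from the DNS domain name and the Samba LDAP base (the values ucr returns for
# domainname and samba4/ldap/base).
msdcs_system_dn() {
    printf 'DC=_msdcs,DC=%s,CN=MicrosoftDNS,CN=System,%s\n' "$1" "$2"
}

# Read "univention-s4search DC=_msdcs --cross-ncs dn" output on stdin and print
# only the DN(s) located in CN=System. The DomainDnsZones copy is the one a
# Samba 4.5 domain legitimately has and is left alone.
stray_msdcs_dns() {
    sed -n 's/^dn: \(DC=_msdcs,.*,CN=MicrosoftDNS,CN=System,.*\)$/\1/p'
}

# Read "host -al <domain>" output on stdin and print the <GUID>._msdcs.<domain>
# CNAME owner names (trailing dot stripped). These are the names each DC must
# be able to resolve for DRS replication to work.
guid_cname_names() {
    grep -E '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\._msdcs\.[^ ]+ +[0-9]+ +IN +CNAME ' |
        awk '{ sub(/\.$/, "", $1); print $1 }'
}

# Resolve each given name with host(1) and print how many of them failed.
count_unresolvable() {
    failures=0
    for name in "$@"; do
        host "$name" >/dev/null 2>&1 || failures=$((failures + 1))
    done
    echo "$failures"
}

# Hypothetical wrapper for the ldbdel step (assumption, not the documented
# procedure): run as root on a Samba 4 DC after dns_update_list was patched.
# Deletes the object only if it is really present, then re-checks the CNAMEs.
repair_msdcs() {
    domain=$(ucr get domainname)
    base=$(ucr get samba4/ldap/base)
    dn=$(msdcs_system_dn "$domain" "$base")
    if ! ldbsearch -H /var/lib/samba/private/sam.ldb -b "$dn" -s base dn 2>/dev/null | grep -q '^dn: '; then
        echo "no stray _msdcs object at $dn; nothing to delete"
        return 0
    fi
    ldbdel -H /var/lib/samba/private/sam.ldb "$dn"
    names=$(host -al "$domain" | guid_cname_names)
    # shellcheck disable=SC2086  # names are whitespace-separated DNS names
    failed=$(count_unresolvable $names)
    echo "$failed GUID CNAME record(s) below _msdcs.$domain still do not resolve"
    [ "$failed" -eq 0 ]
}

# Constructed sample input, modelled on the output shown in the report, so the
# parsers can be demonstrated offline.
SAMPLE_S4SEARCH='# record 1
dn: DC=_msdcs,DC=deadlock48.intranet,CN=MicrosoftDNS,DC=DomainDnsZones,DC=deadlock48,DC=intranet

# record 2
dn: DC=_msdcs,DC=deadlock48.intranet,CN=MicrosoftDNS,CN=System,DC=deadlock48,DC=intranet'
SAMPLE_HOST_AL='gc._msdcs.deadlock48.intranet. 900 IN   A       10.201.48.1
9aa7b8db-c89b-4e0f-9df2-2dd9872e67cf._msdcs.deadlock48.intranet. 3600 IN CNAME backup482.deadlock48.intranet.
_ldap._tcp.dc._msdcs.deadlock48.intranet. 900 IN SRV 0 100 389 master481.deadlock48.intranet.
54452074-5088-4b85-b1ef-e2edf184e1c2._msdcs.deadlock48.intranet. 3600 IN CNAME master481.deadlock48.intranet.'

echo "stray object(s) to delete:"
printf '%s\n' "$SAMPLE_S4SEARCH" | stray_msdcs_dns
echo "GUID CNAMEs that must resolve:"
printf '%s\n' "$SAMPLE_HOST_AL" | guid_cname_names
```

Running the script as-is only prints the parsed sample; calling repair_msdcs on a DC performs the actual deletion, and because it checks with ldbsearch first it is safe to re-run on a host where the object has already been removed.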
Comment 5 Stefan Gohmann univentionstaff 2017-01-09 07:57:57 CET
My tests were successful:

YAML (r75632):
Samba 4.5 creates a DNS object _msdcs below the position CN=MicrosoftDNS,CN=System. If CN=System is still used by Bind9, the DRS replication will be stopped. This can only happen if Samba 4 was installed before UCS 4.0-4 and a Samba 4 system is installed or rejoined.
This update removes the created DNS object and prevents its recreation.
Comment 6 Felix Botner univentionstaff 2017-01-10 11:35:47 CET
OK - patches
OK - YAML
OK - merged to 4.2
OK - jenkins test 
OK - broken setup is repaired during update
OK - resync no longer breaks dns / drs
OK - quick tests with new samba packages
Comment 7 Janek Walkenhorst univentionstaff 2017-01-11 12:19:34 CET
<http://errata.software-univention.de/ucs/4.1/372.html>