Categories
SysOps

How to fix failed dynamic DNS update with Samba Active Directory and System Security Services Daemon

Fix failed dynamic DNS update with Samba Active Directory and System Security Services Daemon by upgrading internal Samba DNS to BIND.

Issue

DNS records are updated correctly, but dynamic DNS update process is marked as failed.

$ dig s1.example.org +short
172.16.0.117

Sample sssd debug log indicating that there is a problem with dynamic DNS update.

(2021-09-24 17:13:34): [be[example.org]] [be_ptask_execute] (0x0400): Task [Dyndns update]: executing task, timeout 360 seconds
(2021-09-24 17:13:34): [be[example.org]] [ad_dyndns_update_send] (0x0400): Performing update                                                               
(2021-09-24 17:13:34): [be[example.org]] [sdap_id_op_connect_step] (0x4000): reusing cached connection                                                     
(2021-09-24 17:13:34): [be[example.org]] [sdap_id_op_connect_step] (0x4000): reusing cached connection                                                     
(2021-09-24 17:13:34): [be[example.org]] [check_ipv6_addr] (0x0200): Link local IPv6 address fe80::a00:27ff:fec3:abc9                                      
(2021-09-24 17:13:34): [be[example.org]] [sdap_id_op_destroy] (0x4000): releasing operation connection                                                     
(2021-09-24 17:13:34): [be[example.org]] [resolv_is_address] (0x4000): [s1.example.org] does not look like an IP address                                   
(2021-09-24 17:13:34): [be[example.org]] [resolv_gethostbyname_step] (0x2000): Querying DNS                                                                
(2021-09-24 17:13:34): [be[example.org]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 's1.example.org' in DNS                  
(2021-09-24 17:13:34): [be[example.org]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 3 seconds                                            
(2021-09-24 17:13:34): [be[example.org]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher                                               
(2021-09-24 17:13:34): [be[example.org]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(2021-09-24 17:13:34): [be[example.org]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply                                                     
(2021-09-24 17:13:34): [be[example.org]] [request_watch_destructor] (0x0400): Deleting request watch                                                       
(2021-09-24 17:13:34): [be[example.org]] [resolv_is_address] (0x4000): [s1.example.org] does not look like an IP address
(2021-09-24 17:13:34): [be[example.org]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(2021-09-24 17:13:34): [be[example.org]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 's1.example.org' in DNS
(2021-09-24 17:13:34): [be[example.org]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 3 seconds
(2021-09-24 17:13:34): [be[example.org]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(2021-09-24 17:13:34): [be[example.org]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(2021-09-24 17:13:34): [be[example.org]] [request_watch_destructor] (0x0400): Deleting request watch
(2021-09-24 17:13:34): [be[example.org]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(2021-09-24 17:13:34): [be[example.org]] [resolv_gethostbyname_next] (0x0100): No more hosts databases to retry
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_msg_create_common] (0x0200): Creating update message for auto-discovered realm.
(2021-09-24 17:13:34): [be[example.org]] [be_nsupdate_create_fwd_msg] (0x0400):  -- Begin nsupdate message -- 

update delete s1.example.org. in A
update add s1.example.org. 360 in A 172.16.0.117
send
update delete s1.example.org. in AAAA
send
 -- End nsupdate message -- 
(2021-09-24 17:13:34): [be[example.org]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5117]
(2021-09-24 17:13:34): [be[example.org]] [child_handler_setup] (0x2000): Signal handler set up for pid [5117]
(2021-09-24 17:13:34): [be[example.org]] [be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG
(2021-09-24 17:13:34): [be[example.org]] [write_pipe_handler] (0x0400): All data has been sent!
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_child_stdin_done] (0x1000): Sending nsupdate data complete
setup_system()
reset_system()
user_interaction()
do_next_command()
start_update()
done_update()
reset_system()
user_interaction()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
start_update()
recvsoa()
About to create rcvmsg                                                                                                                                     
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  39279
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;s1.example.org.                        IN      SOA

;; AUTHORITY SECTION:
example.org.            3600    IN      SOA     dc.example.org. hostmaster.example.org. 1081 900 600 86400 3600

Found zone name: example.org
The master is: dc.example.org
start_gssrequest
Found realm from ticket: EXAMPLE.ORG
send_gssrequest
show_message()
Out of recvsoa
recvgss()
recvgss creating rcvmsg
show_message()
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23512
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2785519394.sig-dc.example.org. ANY     TKEY

;; ANSWER SECTION:
2785519394.sig-dc.example.org. 0 ANY    TKEY    gss-tsig. 1632503614 1632503614 3 NOERROR 186 oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB AgIC
AG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvBiOF8K0zASZG f5QOA5bI31cezgWZAWeyRWlVhF+kQMqA3SB20m7uzLo23fgC6ArYiGrh V/QNyihi8c0QKNZqzx35zl9lH260xRYqHMDQoVAEWAf/E
qOtOWYtP4Hj keYvN7nmaTcZ+YKQzWTsJqw6 0 

;; TSIG PSEUDOSECTION:
2785519394.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAAMqel6N2LrQxpqzVZPDw1jg== 23512 NOERROR 0 

send_update()
Sending update to 172.16.0.110#53
show_message()
Out of recvgss
update_completed()
; TSIG error with server: tsig verify failure
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  26970
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;example.org.                   IN      SOA

;; UPDATE SECTION:
s1.example.org.         0       ANY     A
s1.example.org.         360     IN      A       172.16.0.117
;; TSIG PSEUDOSECTION:
2785519394.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAAMqel6fMHCvf4TDVqcooqKg== 26970 NOERROR 0 

done_update()
reset_system()
user_interaction()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  54217
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;s1.example.org.                        IN      SOA

;; AUTHORITY SECTION:
example.org.            3600    IN      SOA     dc.example.org. hostmaster.example.org. 1081 900 600 86400 3600

Found zone name: example.org
The master is: dc.example.org
start_gssrequest
send_gssrequest
show_message()
Out of recvsoa
recvgss()
recvgss creating rcvmsg
show_message()
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  13045
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3972432861.sig-dc.example.org. ANY     TKEY

;; ANSWER SECTION:
3972432861.sig-dc.example.org. 0 ANY    TKEY    gss-tsig. 1632503614 1632503614 3 NOERROR 186 oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB AgIC
AG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv+TEGXbVJHjVC gJW0LPDMRKkn3/BKNUiFlgiVSKYvot8f/xWLolfFLgkfBsU97ruSGuh0 XNX/b4BCTOwwmw5dXedMr9g/Ri7DLWXeCRBezjS8n324E
UpBuk1Z/nOy Fwbby4fCo1ymRa18hZUpAex5 0 

;; TSIG PSEUDOSECTION:
3972432861.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAAE6qgWXP8jAttRrBqAuaiHQ== 13045 NOERROR 0 

send_update()
Sending update to 172.16.0.110#53
show_message()
Out of recvgss
update_completed()
; TSIG error with server: tsig verify failure
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  42354
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;example.org.                   IN      SOA

;; UPDATE SECTION:
s1.example.org.         0       ANY     AAAA

;; TSIG PSEUDOSECTION:
3972432861.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAAE6qgWkNPatD45dtai/HVjg== 42354 NOERROR 0 

done_update()
reset_system()
user_interaction()
do_next_command()
start_update()
done_update()
reset_system()
user_interaction()
cleanup()
Shutting down task manager
shutdown_program()
Shutting down request manager
Destroy DST lib
Destroying request manager
Freeing the dispatchers
Shutting down dispatch manager
Destroying event
Shutting down socket manager
Shutting down timer manager
Removing log context
Destroying memory context
(2021-09-24 17:13:34): [be[example.org]] [child_sig_handler] (0x1000): Waiting for child [5117].
(2021-09-24 17:13:34): [be[example.org]] [child_sig_handler] (0x0020): child [5117] failed with status [2].
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(2021-09-24 17:13:34): [be[example.org]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158240]: Dynamic DNS update failed
(2021-09-24 17:13:34): [be[example.org]] [sdap_dyndns_update_done] (0x0080): nsupdate failed, retrying.
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_msg_create_common] (0x0200): Creating update message for realm [EXAMPLE.ORG].
(2021-09-24 17:13:34): [be[example.org]] [be_nsupdate_create_fwd_msg] (0x0400):  -- Begin nsupdate message -- 
realm EXAMPLE.ORG
update delete s1.example.org. in A
update add s1.example.org. 360 in A 172.16.0.117
send
update delete s1.example.org. in AAAA
send
 -- End nsupdate message -- 
(2021-09-24 17:13:34): [be[example.org]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5121]
(2021-09-24 17:13:34): [be[example.org]] [child_handler_setup] (0x2000): Signal handler set up for pid [5121]
(2021-09-24 17:13:34): [be[example.org]] [write_pipe_handler] (0x0400): All data has been sent!
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_child_stdin_done] (0x1000): Sending nsupdate data complete                                    [217/1845]
(2021-09-24 17:13:34): [be[example.org]] [be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG
setup_system()
reset_system()
user_interaction()
do_next_command()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  49458
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;s1.example.org.                        IN      SOA

;; AUTHORITY SECTION:
example.org.            3600    IN      SOA     dc.example.org. hostmaster.example.org. 1081 900 600 86400 3600

Found zone name: example.org
The master is: dc.example.org
start_gssrequest
send_gssrequest
show_message()
Out of recvsoa
recvgss()
recvgss creating rcvmsg
show_message()
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   2875
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;1404483627.sig-dc.example.org. ANY     TKEY

;; ANSWER SECTION:
1404483627.sig-dc.example.org. 0 ANY    TKEY    gss-tsig. 1632503614 1632503614 3 NOERROR 186 oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB AgIC
AG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvrURsgDCurSLO MFo0nb3vTGsz1DufWDyKZtHTlh+PBfN0rVPYlLc1HYrSvyJrbA3bOQSe 0TmedEBXVCJe3Zur4IF7DhJgpjtVgsgCY7Mzlexyq+iaa
3DxYoaF7MjE dEdpRjpjIj49l/t3vFuEngon 0 

;; TSIG PSEUDOSECTION:
1404483627.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAAMwbdKT3hA0mh0f/fdvVSjQ== 2875 NOERROR 0 

send_update()
Sending update to 172.16.0.110#53
show_message()
Out of recvgss
update_completed()
; TSIG error with server: tsig verify failure
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  13348
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;example.org.                   IN      SOA

;; UPDATE SECTION:
s1.example.org.         0       ANY     A
s1.example.org.         360     IN      A       172.16.0.117

;; TSIG PSEUDOSECTION:
1404483627.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAAMwbdKoMYg+7SVgFOztwuuQ== 13348 NOERROR 0 

done_update()
reset_system()
user_interaction()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  16004
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;s1.example.org.                        IN      SOA

;; AUTHORITY SECTION:
example.org.            3600    IN      SOA     dc.example.org. hostmaster.example.org. 1081 900 600 86400 3600

Found zone name: example.org
The master is: dc.example.org
start_gssrequest
send_gssrequest
show_message()
Out of recvsoa
recvgss()
recvgss creating rcvmsg
show_message()
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  19711
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2232099187.sig-dc.example.org. ANY     TKEY

;; ANSWER SECTION:
2232099187.sig-dc.example.org. 0 ANY    TKEY    gss-tsig. 1632503614 1632503614 3 NOERROR 186 oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB AgIC
AG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvQyTtJH3oajQY V/2Wk58kaLttt3dmJncewKNj614ss1yoqae+ALQWKNknFBNv+O6DczL1 clkDt2h1ErXCYW11+/RcmEQLWsac4cL8rWjUEHeQxznjS
ctp9xQ2P2qp uV1N+cSkeNMTx+qBmipzMstd 0 

;; TSIG PSEUDOSECTION:
2232099187.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAADXap3Vsv5tBsut2AwjEBRw== 19711 NOERROR 0 

send_update()
Sending update to 172.16.0.110#53
show_message()
Out of recvgss
update_completed()
; TSIG error with server: tsig verify failure
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  54311
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;example.org.                   IN      SOA

;; UPDATE SECTION:
s1.example.org.         0       ANY     AAAA

;; TSIG PSEUDOSECTION:
2232099187.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAADXap3hvYMZxjIPkcn9rm4A== 54311 NOERROR 0 

done_update()
reset_system()
user_interaction()
do_next_command()
start_update()
done_update()
reset_system()
user_interaction()
cleanup()
Shutting down task manager
shutdown_program()
Shutting down request manager
Destroy DST lib
Destroying request manager
Freeing the dispatchers
Shutting down dispatch manager
Destroying event
Shutting down socket manager
Shutting down timer manager
Removing log context
Destroying memory context
(2021-09-24 17:13:34): [be[example.org]] [child_sig_handler] (0x1000): Waiting for child [5121].
(2021-09-24 17:13:34): [be[example.org]] [child_sig_handler] (0x0020): child [5121] failed with status [2].
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(2021-09-24 17:13:34): [be[example.org]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158240]: Dynamic DNS update failed
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_msg_create_common] (0x0200): Creating update message for realm [EXAMPLE.ORG].
(2021-09-24 17:13:34): [be[example.org]] [be_nsupdate_create_ptr_msg] (0x0400):  -- Begin nsupdate message -- 
realm EXAMPLE.ORG
update delete 117.0.16.172.in-addr.arpa. in PTR
update add 117.0.16.172.in-addr.arpa. 360 in PTR s1.example.org.
send
 -- End nsupdate message -- 
(2021-09-24 17:13:34): [be[example.org]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5125]
(2021-09-24 17:13:34): [be[example.org]] [child_handler_setup] (0x2000): Signal handler set up for pid [5125]
(2021-09-24 17:13:34): [be[example.org]] [write_pipe_handler] (0x0400): All data has been sent!
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_child_stdin_done] (0x1000): Sending nsupdate data complete
(2021-09-24 17:13:34): [be[example.org]] [be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG
setup_system()
reset_system()
user_interaction()
do_next_command()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  40386
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;117.0.16.172.in-addr.arpa.     IN      SOA

;; AUTHORITY SECTION:
0.16.172.in-addr.arpa.  3600    IN      SOA     dc.example.org. hostmaster.example.org. 1 900 600 86400 3600

Found zone name: 0.16.172.in-addr.arpa 
The master is: dc.example.org
start_gssrequest
send_gssrequest
show_message()
Out of recvsoa
recvgss()
recvgss creating rcvmsg
show_message()
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  18069
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;4017532097.sig-dc.example.org. ANY     TKEY

;; ANSWER SECTION:
4017532097.sig-dc.example.org. 0 ANY    TKEY    gss-tsig. 1632503614 1632503614 3 NOERROR 186 oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB AgIC
AG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvdeF/e5E6qFHK EH3+Edqh68RjuUvk9yZ1+Xnqra1S2hFRjwHNJPAdds06KPnwXUIx1VXt y0gIxSVCZ1L6phS1Gb0DrhdY/Pv17giRSiDlh84ERMSdT
UZb8Doqbp4n FNIRggSKhACxiejCVF7tHxaS 0 

;; TSIG PSEUDOSECTION:
4017532097.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAANDYVKV2wClUez/qaR7Mhfg== 18069 NOERROR 0 

send_update()
Sending update to 172.16.0.110#53
show_message()
Out of recvgss
update_completed()
; TSIG error with server: tsig verify failure
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   9724
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;0.16.172.in-addr.arpa.         IN      SOA

;; UPDATE SECTION:
117.0.16.172.in-addr.arpa. 0    ANY     PTR
117.0.16.172.in-addr.arpa. 360  IN      PTR     s1.example.org.

;; TSIG PSEUDOSECTION:
4017532097.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAANDYVKhqERbcBNDMCaQHP2Q== 9724 NOERROR 0 

done_update()
reset_system()
user_interaction()
do_next_command()
start_update()
done_update()
reset_system()
user_interaction()
cleanup()
Shutting down task manager
shutdown_program()
Shutting down request manager
Destroy DST lib
Destroying request manager
Freeing the dispatchers
Shutting down dispatch manager
Destroying event
Shutting down socket manager
Shutting down timer manager
Removing log context
Destroying memory context
(2021-09-24 17:13:34): [be[example.org]] [child_sig_handler] (0x1000): Waiting for child [5125].
(2021-09-24 17:13:34): [be[example.org]] [child_sig_handler] (0x0020): child [5125] failed with status [2].
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(2021-09-24 17:13:34): [be[example.org]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158240]: Dynamic DNS update failed
(2021-09-24 17:13:34): [be[example.org]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158240]: Dynamic DNS update failed
(2021-09-24 17:13:34): [be[example.org]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(2021-09-24 17:13:34): [be[example.org]] [be_ptask_done] (0x0040): Task [Dyndns update]: failed with [1432158240]: Dynamic DNS update failed
(2021-09-24 17:13:34): [be[example.org]] [be_ptask_schedule] (0x0400): Task [Dyndns update]: scheduling task 360 seconds from now [1632503974]

This issue is related to the Samba internal DNS, you can ignore it for now or change DNS backend to BIND to make it go away.

Alter DNS backend

Change DNS backend from Samba internal DNS to BIND.

At first, ensure that /etc/krb5.conf is not a link to /var/lib/samba/private/krb5.conf as bind user will silently get permission denied which will result in dns_tkey_gssnegotiate: TKEY is unacceptable client error.

$ ls -l /etc/krb5.conf
-rw-r--r-- 1 root root 184 Sep 24 19:39 /etc/krb5.conf

Install bind package.

$ sudo apt install bind9

Stop the service as it not configured at this moment.

$ sudo systemctl stop bind9

Initiate upgrade process to generate required configuration files.

$ sudo samba_upgradedns --dns-backend=BIND9_DLZ --migrate=yes
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/EXAMPLE.ORG.zone
DNS records will be automatically created
DNS partitions already exist
dns-dc account already exists
See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
You have switched to using BIND9_DLZ as your dns backend, but still have the internal dns starting. Please make sure you add '-dns' to your server services line in your smb.conf.

Check bind version.

$ sudo named -v
BIND 9.16.15-Debian (Stable Release) 

Determine configuration directory.

$ sudo smbd -b | grep BINDDNS
   BINDDNS_DIR: /var/lib/samba/bind-dns

Ensure that proper database version is used.

$ sudo cat /var/lib/samba/bind-dns/named.conf
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/bind-dns/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";

    # For BIND 9.12.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_12.so";

    # For BIND 9.14.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_14.so";

    # For BIND 9.16.x
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_16.so";
};

Include these dynamically loadable zones.

$ sudo cat  /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/bind-dns/named.conf";

Ensure that Kerberos keytab is provided for DNS updates.

$ cat /etc/bind/named.conf.options 
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on-v6 { any; };

        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};

Inspect default BIND options to determine username.

$ cat /etc/default/named 
#
# run resolvconf?
RESOLVCONF=no

# startup options for the server
OPTIONS="-u bind"

Ensure that mentioned earlier keytab file can be read.

$ sudo stat /var/lib/samba/bind-dns
  File: /var/lib/samba/bind-dns
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 801h/2049d      Inode: 920738      Links: 3
Access: (0770/drwxrwx---)  Uid: (    0/    root)   Gid: (  116/    bind)
Access: 2021-09-24 19:02:40.453649392 +0000
Modify: 2021-09-24 18:54:32.418371941 +0000
Change: 2021-09-24 18:54:32.418371941 +0000
 Birth: 2021-09-23 22:29:55.976668746 +0000
$ sudo ls -l /var/lib/samba/bind-dns
total 16
drwxrwx--- 3 root bind 4096 Sep 24 18:54 dns
-rw-r----- 2 root bind  457 Sep 24 18:53 dns.keytab
-rw-r--r-- 1 root root 1087 Sep 24 18:54 named.conf
-rw-r--r-- 1 root root 2051 Sep 24 18:54 named.txt

Check BIND configuration.

$ sudo named-checkconf

Disable Samba internal DNS.

$ sudo cat  /etc/samba/smb.conf 
# Global parameters
[global]
        bind interfaces only = Yes
        dns forwarder = 10.0.2.3
        interfaces = lo eth1
        netbios name = DC
        realm = EXAMPLE.ORG
        server role = active directory domain controller
        workgroup = EXAMPLE
        idmap_ldb:use rfc2307 = yes

        server services = -dns

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/example.org/scripts
        read only = No

Restart Samba AD DC service.

$ sudo systemctl restart samba-ad-dc.service

Start and enable BIND DNS service.

$ sudo systemctl enable --now named

Ensure that it is running.

$ systemctl status named
● named.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-09-24 19:06:48 UTC; 34s ago
       Docs: man:named(8)
   Main PID: 1853 (named)
      Tasks: 8 (limit: 645)
     Memory: 39.6M
        CPU: 180ms
     CGroup: /system.slice/named.service
             └─1853 /usr/sbin/named -f -u bind

Check DNS resolution.

$ dig -x 172.16.0.117 +short
s1.example.org.

Sample sssd debug log using BIND DNS server.

(2021-09-24 19:41:22): [be[example.org]] [be_ptask_execute] (0x0400): Task [Dyndns update]: executing task, timeout 360 seconds                            
(2021-09-24 19:41:22): [be[example.org]] [ad_dyndns_update_send] (0x0400): Performing update
(2021-09-24 19:41:22): [be[example.org]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(2021-09-24 19:41:22): [be[example.org]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(2021-09-24 19:41:22): [be[example.org]] [check_ipv6_addr] (0x0200): Link local IPv6 address fe80::a00:27ff:fec3:abc9
(2021-09-24 19:41:22): [be[example.org]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(2021-09-24 19:41:22): [be[example.org]] [resolv_is_address] (0x4000): [s1.example.org] does not look like an IP address
(2021-09-24 19:41:22): [be[example.org]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(2021-09-24 19:41:22): [be[example.org]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 's1.example.org' in DNS                  
(2021-09-24 19:41:22): [be[example.org]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 3 seconds                                            
(2021-09-24 19:41:22): [be[example.org]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(2021-09-24 19:41:22): [be[example.org]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(2021-09-24 19:41:22): [be[example.org]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply
(2021-09-24 19:41:22): [be[example.org]] [request_watch_destructor] (0x0400): Deleting request watch
(2021-09-24 19:41:22): [be[example.org]] [resolv_is_address] (0x4000): [s1.example.org] does not look like an IP address
(2021-09-24 19:41:22): [be[example.org]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(2021-09-24 19:41:22): [be[example.org]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 's1.example.org' in DNS
(2021-09-24 19:41:22): [be[example.org]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 3 seconds
(2021-09-24 19:41:22): [be[example.org]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(2021-09-24 19:41:23): [be[example.org]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(2021-09-24 19:41:23): [be[example.org]] [request_watch_destructor] (0x0400): Deleting request watch                                                       
(2021-09-24 19:41:23): [be[example.org]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(2021-09-24 19:41:23): [be[example.org]] [resolv_gethostbyname_next] (0x0100): No more hosts databases to retry
(2021-09-24 19:41:23): [be[example.org]] [nsupdate_msg_create_common] (0x0200): Creating update message for auto-discovered realm.
(2021-09-24 19:41:23): [be[example.org]] [be_nsupdate_create_fwd_msg] (0x0400):  -- Begin nsupdate message -- 
                                                                             
update delete s1.example.org. in A
update add s1.example.org. 360 in A 172.16.0.117
send                                  
update delete s1.example.org. in AAAA
send                                                                                                                                                       
 -- End nsupdate message --                                                                                                                                
(2021-09-24 19:41:23): [be[example.org]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5873]                                       
(2021-09-24 19:41:23): [be[example.org]] [child_handler_setup] (0x2000): Signal handler set up for pid [5873]                                              
(2021-09-24 19:41:23): [be[example.org]] [write_pipe_handler] (0x0400): All data has been sent!                                                            
(2021-09-24 19:41:23): [be[example.org]] [nsupdate_child_stdin_done] (0x1000): Sending nsupdate data complete                                              
(2021-09-24 19:41:23): [be[example.org]] [be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG                                                         
setup_system()
reset_system()                                                                                                                                             
user_interaction()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   5544
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;s1.example.org.                        IN      SOA

;; AUTHORITY SECTION:
example.org.            3600    IN      SOA     dc.example.org. hostmaster.example.org. 1225 900 600 86400 3600

Found zone name: example.org
The master is: dc.example.org
start_gssrequest
Found realm from ticket: EXAMPLE.ORG
send_gssrequest
show_message()
Out of recvsoa
recvgss()
recvgss creating rcvmsg
show_message()
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  39772
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2219081169.sig-dc.example.org. ANY     TKEY

;; ANSWER SECTION:
2219081169.sig-dc.example.org. 0 ANY    TKEY    gss-tsig. 1632512483 1632516083 3 NOERROR 182 oYGzMIGwoAMKAQChCwYJKoZIhvcSAQICooGbBIGYYIGVBgkqhkiG9xIB AgIC
AG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrYv8V8K3D7aL3 i72t+BIJxwLlth84Ea61GjSOxQ3U0CBnGmxe+vYM64JD5KGqnGoHlQk0 2mV22aR+QIkhfVnUPu3S1vGxvazkR6Cv5ng/nEeuk3qaf
kHzBO09kDyC j14XOlRJbRZr1ZWkcFs= 0

;; TSIG PSEUDOSECTION:
2219081169.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632512483 300 28 BAQF//////8AAAAABBkCbgqjiYrePDDWD4fDUA== 39772 NOERROR 0 

send_update()
Sending update to 172.16.0.110#53
show_message()
Out of recvgss
update_completed()
tsig verification successful
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  52297
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.org.                   IN      SOA

;; TSIG PSEUDOSECTION:
2219081169.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632512483 300 28 BAQF//////8AAAAABBkCb58HOzBnkmo533Ix0g== 52297 NOERROR 0 

done_update()
reset_system()
user_interaction()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   1631
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;s1.example.org.                        IN      SOA

;; AUTHORITY SECTION:
example.org.            3600    IN      SOA     dc.example.org. hostmaster.example.org. 1225 900 600 86400 3600

Found zone name: example.org
The master is: dc.example.org
start_gssrequest
send_gssrequest
show_message()
Out of recvsoa
recvgss()
recvgss creating rcvmsg
show_message()
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   1738
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3755771582.sig-dc.example.org. ANY     TKEY

;; ANSWER SECTION:
3755771582.sig-dc.example.org. 0 ANY    TKEY    gss-tsig. 1632512483 1632516083 3 NOERROR 182 oYGzMIGwoAMKAQChCwYJKoZIhvcSAQICooGbBIGYYIGVBgkqhkiG9xIB AgIC
AG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRr0umsLJ90r2d2 YvVbudfl5IUiJ7Z1FKlrGU0XDxuIH+j1NH8aTs72WDhVHz1A9eICpetZ vxVNupI++sbOl/3XsxaHTNhEluENFm+maiww9SABl1sHu
P+dqL5kQDDQ y1PbLPXLQUTh4W78nTE= 0

;; TSIG PSEUDOSECTION:
3755771582.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632512483 300 28 BAQF//////8AAAAAJoS8Lk++7RHCqiNaxwRjbw== 1738 NOERROR 0 

send_update()
Sending update to 172.16.0.110#53
show_message()
Out of recvgss
update_completed()
tsig verification successful
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   9983
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.org.                   IN      SOA

;; TSIG PSEUDOSECTION:
3755771582.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632512483 300 28 BAQF//////8AAAAAJoS8L4rQh6AlQSAehEm+Uw== 9983 NOERROR 0 

done_update()
reset_system()
user_interaction()
do_next_command()
start_update()
done_update()
reset_system()
user_interaction()
cleanup()
Shutting down task manager
shutdown_program()
Shutting down request manager
Destroy DST lib
Destroying request manager
Freeing the dispatchers
Shutting down dispatch manager
Destroying event
Shutting down socket manager
Shutting down timer manager
Removing log context
Destroying memory context
(2021-09-24 19:41:23): [be[example.org]] [child_sig_handler] (0x1000): Waiting for child [5873].
(2021-09-24 19:41:23): [be[example.org]] [child_sig_handler] (0x0100): child [5873] finished successfully.
(2021-09-24 19:41:23): [be[example.org]] [be_nsupdate_done] (0x0200): nsupdate child status: 0
(2021-09-24 19:41:23): [be[example.org]] [nsupdate_msg_create_common] (0x0200): Creating update message for auto-discovered realm.
(2021-09-24 19:41:23): [be[example.org]] [be_nsupdate_create_ptr_msg] (0x0400):  -- Begin nsupdate message -- 

update delete 117.0.16.172.in-addr.arpa. in PTR
update add 117.0.16.172.in-addr.arpa. 360 in PTR s1.example.org.
send
 -- End nsupdate message -- 
(2021-09-24 19:41:23): [be[example.org]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5877]
(2021-09-24 19:41:23): [be[example.org]] [child_handler_setup] (0x2000): Signal handler set up for pid [5877]
(2021-09-24 19:41:23): [be[example.org]] [write_pipe_handler] (0x0400): All data has been sent!
(2021-09-24 19:41:23): [be[example.org]] [nsupdate_child_stdin_done] (0x1000): Sending nsupdate data complete
(2021-09-24 19:41:23): [be[example.org]] [be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG
setup_system()
reset_system()
user_interaction()                                                                                                                                         
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  41913
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;117.0.16.172.in-addr.arpa.     IN      SOA

;; AUTHORITY SECTION:
0.16.172.in-addr.arpa.  3600    IN      SOA     dc.example.org. hostmaster.example.org. 1 900 600 86400 3600

Found zone name: 0.16.172.in-addr.arpa 
The master is: dc.example.org
start_gssrequest
Found realm from ticket: EXAMPLE.ORG
send_gssrequest
show_message()
Out of recvsoa
recvgss()
recvgss creating rcvmsg
show_message()
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  12205
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;1018028506.sig-dc.example.org. ANY     TKEY

;; ANSWER SECTION:
1018028506.sig-dc.example.org. 0 ANY    TKEY    gss-tsig. 1632512483 1632516083 3 NOERROR 182 oYGzMIGwoAMKAQChCwYJKoZIhvcSAQICooGbBIGYYIGVBgkqhkiG9xIB AgIC
AG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrM9QFk0V/Rw2m IVC70mIHerhl8VPQAPmC8QpMimgc2p4Sijyy0aEuF+f5RYabMeeLZf7L i7QunNq8BHxS5EjdXQdwsYhLQc6EijzL37grZ8EP5wDpU
XfEp4n0QdD6 UMvuVh1BWYn022/tFs8= 0

;; TSIG PSEUDOSECTION:
1018028506.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632512483 300 28 BAQF//////8AAAAAKGLtgC/rr0FLFl2px5uwcQ== 12205 NOERROR 0 

send_update()
Sending update to 172.16.0.110#53
show_message()
Out of recvgss
update_completed()
tsig verification successful
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  23830
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;0.16.172.in-addr.arpa.         IN      SOA

;; TSIG PSEUDOSECTION:
1018028506.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632512484 300 28 BAQF//////8AAAAAKGLtgbL0nVY1Zy6WOa3bbg== 23830 NOERROR 0 

done_update()
reset_system()
user_interaction()
do_next_command()
start_update()
done_update()
reset_system()
user_interaction()
cleanup()
Shutting down task manager
shutdown_program()
Shutting down request manager
Destroy DST lib
Destroying request manager
Freeing the dispatchers
Shutting down dispatch manager
Destroying event
Shutting down socket manager
Shutting down timer manager
Removing log context
Destroying memory context
(2021-09-24 19:41:24): [be[example.org]] [child_sig_handler] (0x1000): Waiting for child [5877].
(2021-09-24 19:41:24): [be[example.org]] [child_sig_handler] (0x0100): child [5877] finished successfully.
(2021-09-24 19:41:24): [be[example.org]] [be_nsupdate_done] (0x0200): nsupdate child status: 0
(2021-09-24 19:41:24): [be[example.org]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(2021-09-24 19:41:24): [be[example.org]] [be_ptask_done] (0x0400): Task [Dyndns update]: finished successfully
(2021-09-24 19:41:24): [be[example.org]] [be_ptask_schedule] (0x0400): Task [Dyndns update]: scheduling task 360 seconds from last execution time [16325128
42]

Additional notes

Read more at BIND9 DLZ DNS Back End page.