Fix failed dynamic DNS update with Samba Active Directory and System Security Services Daemon by upgrading internal Samba DNS to BIND.

Issue

DNS records are updated correctly, but the dynamic DNS update process is marked as failed.

$ dig s1.example.org +short
172.16.0.117

Sample sssd debug log indicating that there is a problem with the dynamic DNS update.

(2021-09-24 17:13:34): [be[example.org]] [be_ptask_execute] (0x0400): Task [Dyndns update]: executing task, timeout 360 seconds
(2021-09-24 17:13:34): [be[example.org]] [ad_dyndns_update_send] (0x0400): Performing update
(2021-09-24 17:13:34): [be[example.org]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(2021-09-24 17:13:34): [be[example.org]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(2021-09-24 17:13:34): [be[example.org]] [check_ipv6_addr] (0x0200): Link local IPv6 address fe80::a00:27ff:fec3:abc9
(2021-09-24 17:13:34): [be[example.org]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(2021-09-24 17:13:34): [be[example.org]] [resolv_is_address] (0x4000): [s1.example.org] does not look like an IP address
(2021-09-24 17:13:34): [be[example.org]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(2021-09-24 17:13:34): [be[example.org]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 's1.example.org' in DNS
(2021-09-24 17:13:34): [be[example.org]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 3 seconds
(2021-09-24 17:13:34): [be[example.org]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(2021-09-24 17:13:34): [be[example.org]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(2021-09-24 17:13:34): [be[example.org]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply
(2021-09-24 17:13:34): [be[example.org]] [request_watch_destructor] (0x0400): Deleting request watch
(2021-09-24 17:13:34): [be[example.org]] [resolv_is_address] (0x4000): [s1.example.org] does not look like an IP address
(2021-09-24 17:13:34): [be[example.org]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(2021-09-24 17:13:34): [be[example.org]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 's1.example.org' in DNS
(2021-09-24 17:13:34): [be[example.org]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 3 seconds
(2021-09-24 17:13:34): [be[example.org]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(2021-09-24 17:13:34): [be[example.org]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(2021-09-24 17:13:34): [be[example.org]] [request_watch_destructor] (0x0400): Deleting request watch
(2021-09-24 17:13:34): [be[example.org]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(2021-09-24 17:13:34): [be[example.org]] [resolv_gethostbyname_next] (0x0100): No more hosts databases to retry
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_msg_create_common] (0x0200): Creating update message for auto-discovered realm.
(2021-09-24 17:13:34): [be[example.org]] [be_nsupdate_create_fwd_msg] (0x0400):  -- Begin nsupdate message -- 

update delete s1.example.org. in A
update add s1.example.org. 360 in A 172.16.0.117
send
update delete s1.example.org. in AAAA
send
 -- End nsupdate message -- 
(2021-09-24 17:13:34): [be[example.org]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5117]
(2021-09-24 17:13:34): [be[example.org]] [child_handler_setup] (0x2000): Signal handler set up for pid [5117]
(2021-09-24 17:13:34): [be[example.org]] [be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG
(2021-09-24 17:13:34): [be[example.org]] [write_pipe_handler] (0x0400): All data has been sent!
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_child_stdin_done] (0x1000): Sending nsupdate data complete
setup_system()
reset_system()
user_interaction()
do_next_command()
start_update()
done_update()
reset_system()
user_interaction()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
start_update()
recvsoa()
About to create rcvmsg                                                                                                                                     
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  39279
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;s1.example.org.                        IN      SOA

;; AUTHORITY SECTION:
example.org.            3600    IN      SOA     dc.example.org. hostmaster.example.org. 1081 900 600 86400 3600

Found zone name: example.org
The master is: dc.example.org
start_gssrequest
Found realm from ticket: EXAMPLE.ORG
send_gssrequest
show_message()
Out of recvsoa
recvgss()
recvgss creating rcvmsg
show_message()
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  23512
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2785519394.sig-dc.example.org. ANY     TKEY

;; ANSWER SECTION:
2785519394.sig-dc.example.org. 0 ANY    TKEY    gss-tsig. 1632503614 1632503614 3 NOERROR 186 oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB AgIC
AG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvBiOF8K0zASZG f5QOA5bI31cezgWZAWeyRWlVhF+kQMqA3SB20m7uzLo23fgC6ArYiGrh V/QNyihi8c0QKNZqzx35zl9lH260xRYqHMDQoVAEWAf/E
qOtOWYtP4Hj keYvN7nmaTcZ+YKQzWTsJqw6 0 

;; TSIG PSEUDOSECTION:
2785519394.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAAMqel6N2LrQxpqzVZPDw1jg== 23512 NOERROR 0 

send_update()
Sending update to 172.16.0.110#53
show_message()
Out of recvgss
update_completed()
; TSIG error with server: tsig verify failure
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  26970
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;example.org.                   IN      SOA

;; UPDATE SECTION:
s1.example.org.         0       ANY     A
s1.example.org.         360     IN      A       172.16.0.117
;; TSIG PSEUDOSECTION:
2785519394.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAAMqel6fMHCvf4TDVqcooqKg== 26970 NOERROR 0 

done_update()
reset_system()
user_interaction()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  54217
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;s1.example.org.                        IN      SOA

;; AUTHORITY SECTION:
example.org.            3600    IN      SOA     dc.example.org. hostmaster.example.org. 1081 900 600 86400 3600

Found zone name: example.org
The master is: dc.example.org
start_gssrequest
send_gssrequest
show_message()
Out of recvsoa
recvgss()
recvgss creating rcvmsg
show_message()
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  13045
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3972432861.sig-dc.example.org. ANY     TKEY

;; ANSWER SECTION:
3972432861.sig-dc.example.org. 0 ANY    TKEY    gss-tsig. 1632503614 1632503614 3 NOERROR 186 oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB AgIC
AG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRv+TEGXbVJHjVC gJW0LPDMRKkn3/BKNUiFlgiVSKYvot8f/xWLolfFLgkfBsU97ruSGuh0 XNX/b4BCTOwwmw5dXedMr9g/Ri7DLWXeCRBezjS8n324E
UpBuk1Z/nOy Fwbby4fCo1ymRa18hZUpAex5 0 

;; TSIG PSEUDOSECTION:
3972432861.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAAE6qgWXP8jAttRrBqAuaiHQ== 13045 NOERROR 0 

send_update()
Sending update to 172.16.0.110#53
show_message()
Out of recvgss
update_completed()
; TSIG error with server: tsig verify failure
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  42354
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;example.org.                   IN      SOA

;; UPDATE SECTION:
s1.example.org.         0       ANY     AAAA

;; TSIG PSEUDOSECTION:
3972432861.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAAE6qgWkNPatD45dtai/HVjg== 42354 NOERROR 0 

done_update()
reset_system()
user_interaction()
do_next_command()
start_update()
done_update()
reset_system()
user_interaction()
cleanup()
Shutting down task manager
shutdown_program()
Shutting down request manager
Destroy DST lib
Destroying request manager
Freeing the dispatchers
Shutting down dispatch manager
Destroying event
Shutting down socket manager
Shutting down timer manager
Removing log context
Destroying memory context
(2021-09-24 17:13:34): [be[example.org]] [child_sig_handler] (0x1000): Waiting for child [5117].
(2021-09-24 17:13:34): [be[example.org]] [child_sig_handler] (0x0020): child [5117] failed with status [2].
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(2021-09-24 17:13:34): [be[example.org]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158240]: Dynamic DNS update failed
(2021-09-24 17:13:34): [be[example.org]] [sdap_dyndns_update_done] (0x0080): nsupdate failed, retrying.
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_msg_create_common] (0x0200): Creating update message for realm [EXAMPLE.ORG].
(2021-09-24 17:13:34): [be[example.org]] [be_nsupdate_create_fwd_msg] (0x0400):  -- Begin nsupdate message -- 
realm EXAMPLE.ORG
update delete s1.example.org. in A
update add s1.example.org. 360 in A 172.16.0.117
send
update delete s1.example.org. in AAAA
send
 -- End nsupdate message -- 
(2021-09-24 17:13:34): [be[example.org]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5121]
(2021-09-24 17:13:34): [be[example.org]] [child_handler_setup] (0x2000): Signal handler set up for pid [5121]
(2021-09-24 17:13:34): [be[example.org]] [write_pipe_handler] (0x0400): All data has been sent!
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_child_stdin_done] (0x1000): Sending nsupdate data complete
(2021-09-24 17:13:34): [be[example.org]] [be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG
setup_system()
reset_system()
user_interaction()
do_next_command()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  49458
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;s1.example.org.                        IN      SOA

;; AUTHORITY SECTION:
example.org.            3600    IN      SOA     dc.example.org. hostmaster.example.org. 1081 900 600 86400 3600

Found zone name: example.org
The master is: dc.example.org
start_gssrequest
send_gssrequest
show_message()
Out of recvsoa
recvgss()
recvgss creating rcvmsg
show_message()
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   2875
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;1404483627.sig-dc.example.org. ANY     TKEY

;; ANSWER SECTION:
1404483627.sig-dc.example.org. 0 ANY    TKEY    gss-tsig. 1632503614 1632503614 3 NOERROR 186 oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB AgIC
AG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvrURsgDCurSLO MFo0nb3vTGsz1DufWDyKZtHTlh+PBfN0rVPYlLc1HYrSvyJrbA3bOQSe 0TmedEBXVCJe3Zur4IF7DhJgpjtVgsgCY7Mzlexyq+iaa
3DxYoaF7MjE dEdpRjpjIj49l/t3vFuEngon 0 

;; TSIG PSEUDOSECTION:
1404483627.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAAMwbdKT3hA0mh0f/fdvVSjQ== 2875 NOERROR 0 

send_update()
Sending update to 172.16.0.110#53
show_message()
Out of recvgss
update_completed()
; TSIG error with server: tsig verify failure
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  13348
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;example.org.                   IN      SOA

;; UPDATE SECTION:
s1.example.org.         0       ANY     A
s1.example.org.         360     IN      A       172.16.0.117

;; TSIG PSEUDOSECTION:
1404483627.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAAMwbdKoMYg+7SVgFOztwuuQ== 13348 NOERROR 0 

done_update()
reset_system()
user_interaction()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  16004
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;s1.example.org.                        IN      SOA

;; AUTHORITY SECTION:
example.org.            3600    IN      SOA     dc.example.org. hostmaster.example.org. 1081 900 600 86400 3600

Found zone name: example.org
The master is: dc.example.org
start_gssrequest
send_gssrequest
show_message()
Out of recvsoa
recvgss()
recvgss creating rcvmsg
show_message()
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  19711
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2232099187.sig-dc.example.org. ANY     TKEY

;; ANSWER SECTION:
2232099187.sig-dc.example.org. 0 ANY    TKEY    gss-tsig. 1632503614 1632503614 3 NOERROR 186 oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB AgIC
AG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvQyTtJH3oajQY V/2Wk58kaLttt3dmJncewKNj614ss1yoqae+ALQWKNknFBNv+O6DczL1 clkDt2h1ErXCYW11+/RcmEQLWsac4cL8rWjUEHeQxznjS
ctp9xQ2P2qp uV1N+cSkeNMTx+qBmipzMstd 0 

;; TSIG PSEUDOSECTION:
2232099187.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAADXap3Vsv5tBsut2AwjEBRw== 19711 NOERROR 0 

send_update()
Sending update to 172.16.0.110#53
show_message()
Out of recvgss
update_completed()
; TSIG error with server: tsig verify failure
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  54311
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; ZONE SECTION:
;example.org.                   IN      SOA

;; UPDATE SECTION:
s1.example.org.         0       ANY     AAAA

;; TSIG PSEUDOSECTION:
2232099187.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAADXap3hvYMZxjIPkcn9rm4A== 54311 NOERROR 0 

done_update()
reset_system()
user_interaction()
do_next_command()
start_update()
done_update()
reset_system()
user_interaction()
cleanup()
Shutting down task manager
shutdown_program()
Shutting down request manager
Destroy DST lib
Destroying request manager
Freeing the dispatchers
Shutting down dispatch manager
Destroying event
Shutting down socket manager
Shutting down timer manager
Removing log context
Destroying memory context
(2021-09-24 17:13:34): [be[example.org]] [child_sig_handler] (0x1000): Waiting for child [5121].
(2021-09-24 17:13:34): [be[example.org]] [child_sig_handler] (0x0020): child [5121] failed with status [2].
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(2021-09-24 17:13:34): [be[example.org]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158240]: Dynamic DNS update failed
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_msg_create_common] (0x0200): Creating update message for realm [EXAMPLE.ORG].
(2021-09-24 17:13:34): [be[example.org]] [be_nsupdate_create_ptr_msg] (0x0400):  -- Begin nsupdate message -- 
realm EXAMPLE.ORG
update delete 117.0.16.172.in-addr.arpa. in PTR
update add 117.0.16.172.in-addr.arpa. 360 in PTR s1.example.org.
send
 -- End nsupdate message -- 
(2021-09-24 17:13:34): [be[example.org]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5125]
(2021-09-24 17:13:34): [be[example.org]] [child_handler_setup] (0x2000): Signal handler set up for pid [5125]
(2021-09-24 17:13:34): [be[example.org]] [write_pipe_handler] (0x0400): All data has been sent!
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_child_stdin_done] (0x1000): Sending nsupdate data complete
(2021-09-24 17:13:34): [be[example.org]] [be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG
setup_system()
reset_system()
user_interaction()
do_next_command()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  40386
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;117.0.16.172.in-addr.arpa.     IN      SOA

;; AUTHORITY SECTION:
0.16.172.in-addr.arpa.  3600    IN      SOA     dc.example.org. hostmaster.example.org. 1 900 600 86400 3600

Found zone name: 0.16.172.in-addr.arpa 
The master is: dc.example.org
start_gssrequest
send_gssrequest
show_message()
Out of recvsoa
recvgss()
recvgss creating rcvmsg
show_message()
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  18069
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;4017532097.sig-dc.example.org. ANY     TKEY

;; ANSWER SECTION:
4017532097.sig-dc.example.org. 0 ANY    TKEY    gss-tsig. 1632503614 1632503614 3 NOERROR 186 oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB AgIC
AG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvdeF/e5E6qFHK EH3+Edqh68RjuUvk9yZ1+Xnqra1S2hFRjwHNJPAdds06KPnwXUIx1VXt y0gIxSVCZ1L6phS1Gb0DrhdY/Pv17giRSiDlh84ERMSdT
UZb8Doqbp4n FNIRggSKhACxiejCVF7tHxaS 0 

;; TSIG PSEUDOSECTION:
4017532097.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAANDYVKV2wClUez/qaR7Mhfg== 18069 NOERROR 0 

send_update()
Sending update to 172.16.0.110#53
show_message()
Out of recvgss
update_completed()
; TSIG error with server: tsig verify failure
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   9724
;; flags: qr ra; ZONE: 1, PREREQ: 0, UPDATE: 2, ADDITIONAL: 1
;; ZONE SECTION:
;0.16.172.in-addr.arpa.         IN      SOA

;; UPDATE SECTION:
117.0.16.172.in-addr.arpa. 0    ANY     PTR
117.0.16.172.in-addr.arpa. 360  IN      PTR     s1.example.org.

;; TSIG PSEUDOSECTION:
4017532097.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632503614 300 28 BAQF//////8AAAAANDYVKhqERbcBNDMCaQHP2Q== 9724 NOERROR 0 

done_update()
reset_system()
user_interaction()
do_next_command()
start_update()
done_update()
reset_system()
user_interaction()
cleanup()
Shutting down task manager
shutdown_program()
Shutting down request manager
Destroy DST lib
Destroying request manager
Freeing the dispatchers
Shutting down dispatch manager
Destroying event
Shutting down socket manager
Shutting down timer manager
Removing log context
Destroying memory context
(2021-09-24 17:13:34): [be[example.org]] [child_sig_handler] (0x1000): Waiting for child [5125].
(2021-09-24 17:13:34): [be[example.org]] [child_sig_handler] (0x0020): child [5125] failed with status [2].
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(2021-09-24 17:13:34): [be[example.org]] [be_nsupdate_done] (0x0040): nsupdate child execution failed [1432158240]: Dynamic DNS update failed
(2021-09-24 17:13:34): [be[example.org]] [ad_dyndns_sdap_update_done] (0x0040): Dynamic DNS update failed [1432158240]: Dynamic DNS update failed
(2021-09-24 17:13:34): [be[example.org]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(2021-09-24 17:13:34): [be[example.org]] [be_ptask_done] (0x0040): Task [Dyndns update]: failed with [1432158240]: Dynamic DNS update failed
(2021-09-24 17:13:34): [be[example.org]] [be_ptask_schedule] (0x0400): Task [Dyndns update]: scheduling task 360 seconds from now [1632503974]

This issue is related to the Samba internal DNS. The log shows that the TKEY negotiation and the update itself succeed (the update reply has status NOERROR, and dig returns the new record), but nsupdate cannot verify the TSIG on the server's reply (; TSIG error with server: tsig verify failure), so it exits with status 2 and sssd marks the task as failed. You can ignore it for now or change the DNS backend to BIND to make it go away.
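A small triage helper for the sssd log above, added here as an example (it is not part of the original post and not an sssd or Samba tool). It counts the nsupdate and sssd messages the post relies on and prints a verdict: TSIG_VERIFY_FAILURE when the "tsig verify failure" reply error appears, FAILED when only the child/task failures appear, OK otherwise. The function names, the sample excerpts and the verdict tokens are my own; the excerpts are constructed from the two logs on this page.

```shell
#!/bin/sh
# Triage helper for the sssd dyndns debug output shown on this page.
# Added example, not part of the original post.  "tsig verify failure" on
# the update reply means the update was applied but nsupdate could not
# verify the server's TSIG, so nsupdate exits 2 and sssd marks the task as
# failed even though dig already returns the new record.

# Print the number of lines in FILE ($1) containing the fixed string PATTERN ($2).
count_matches() {
    awk -v p="$2" 'index($0, p) { n++ } END { print n + 0 }' "$1"
}

# Print one of OK, TSIG_VERIFY_FAILURE or FAILED for the log in FILE ($1).
dyndns_verdict() {
    tsig_fail=$(count_matches "$1" "; TSIG error with server: tsig verify failure")
    task_fail=$(count_matches "$1" "Task [Dyndns update]: failed")
    child_fail=$(count_matches "$1" "Dynamic DNS child failed with status")
    if [ "$tsig_fail" -gt 0 ]; then
        echo TSIG_VERIFY_FAILURE
    elif [ "$task_fail" -gt 0 ] || [ "$child_fail" -gt 0 ]; then
        echo FAILED
    else
        echo OK
    fi
}

# Print a one-line summary with the counts behind the verdict.
dyndns_summary() {
    printf '%s: tsig_ok=%s tsig_fail=%s nsupdate_children_failed=%s updates_sent=%s\n' \
        "$(dyndns_verdict "$1")" \
        "$(count_matches "$1" "tsig verification successful")" \
        "$(count_matches "$1" "; TSIG error with server: tsig verify failure")" \
        "$(count_matches "$1" "Dynamic DNS child failed with status")" \
        "$(count_matches "$1" "Sending update to ")"
}

# Constructed excerpt of the internal-DNS log from this page (three nsupdate
# children, four signed transactions, every reply failing TSIG verification).
sample_log_internal_dns() {
    cat <<'EOF'
(2021-09-24 17:13:34): [be[example.org]] [be_ptask_execute] (0x0400): Task [Dyndns update]: executing task, timeout 360 seconds
(2021-09-24 17:13:34): [be[example.org]] [be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG
Sending update to 172.16.0.110#53
update_completed()
; TSIG error with server: tsig verify failure
Sending update to 172.16.0.110#53
update_completed()
; TSIG error with server: tsig verify failure
(2021-09-24 17:13:34): [be[example.org]] [child_sig_handler] (0x0020): child [5117] failed with status [2].
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(2021-09-24 17:13:34): [be[example.org]] [sdap_dyndns_update_done] (0x0080): nsupdate failed, retrying.
Sending update to 172.16.0.110#53
; TSIG error with server: tsig verify failure
Sending update to 172.16.0.110#53
; TSIG error with server: tsig verify failure
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(2021-09-24 17:13:34): [be[example.org]] [nsupdate_child_handler] (0x0040): Dynamic DNS child failed with status [512]
(2021-09-24 17:13:34): [be[example.org]] [be_ptask_done] (0x0040): Task [Dyndns update]: failed with [1432158240]: Dynamic DNS update failed
EOF
}

# Constructed excerpt of the BIND-backed log (TSIG on the reply verifies).
sample_log_bind() {
    cat <<'EOF'
(2021-09-24 19:41:22): [be[example.org]] [be_ptask_execute] (0x0400): Task [Dyndns update]: executing task, timeout 360 seconds
(2021-09-24 19:41:23): [be[example.org]] [be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG
Sending update to 172.16.0.110#53
update_completed()
tsig verification successful
EOF
}

# Stand-alone run: summarise both constructed excerpts.
tmp=$(mktemp)
sample_log_internal_dns > "$tmp"; dyndns_summary "$tmp"
sample_log_bind > "$tmp"; dyndns_summary "$tmp"
rm -f "$tmp"
```

To use it on a real host, point dyndns_summary at the sssd domain log (for this page's domain that is /var/log/sssd/sssd_example.org.log, captured with debugging enabled as in the post); the nsupdate trace lines only appear when sssd logs its child's output. The verdict deliberately treats a single TSIG reply failure as the signature of this problem, because the page shows the records being applied regardless.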

Alter DNS backend

Change DNS backend from Samba internal DNS to BIND.

First, ensure that /etc/krb5.conf is not a symlink to /var/lib/samba/private/krb5.conf: the bind user cannot read that directory and will silently get permission denied, which shows up on the client as a dns_tkey_gssnegotiate: TKEY is unacceptable error.

$ ls -l /etc/krb5.conf
-rw-r--r-- 1 root root 184 Sep 24 19:39 /etc/krb5.conf

Install bind package.

$ sudo apt install bind9

Stop the service, as it is not configured yet.

$ sudo systemctl stop bind9

Initiate the upgrade process to generate the required configuration files.

$ sudo samba_upgradedns --dns-backend=BIND9_DLZ --migrate=yes
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/EXAMPLE.ORG.zone
DNS records will be automatically created
DNS partitions already exist
dns-dc account already exists
See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS
You have switched to using BIND9_DLZ as your dns backend, but still have the internal dns starting. Please make sure you add '-dns' to your server services line in your smb.conf.

Check the BIND version.

$ sudo named -v
BIND 9.16.15-Debian (Stable Release) <id:4469e3e>

Determine the configuration directory.

$ sudo smbd -b | grep BINDDNS
BINDDNS_DIR: /var/lib/samba/bind-dns

Ensure that the database module matching your BIND version is the only uncommented one.

$ sudo cat /var/lib/samba/bind-dns/named.conf
# This DNS configuration is for BIND 9.8.0 or later with dlz_dlopen support.
#
# This file should be included in your main BIND configuration file
#
# For example with
# include "/var/lib/samba/bind-dns/named.conf";

#
# This configures dynamically loadable zones (DLZ) from AD schema
# Uncomment only single database line, depending on your BIND version
#
dlz "AD DNS Zone" {
    # For BIND 9.8.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9.so";

    # For BIND 9.9.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_9.so";

    # For BIND 9.10.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so";

    # For BIND 9.11.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";

    # For BIND 9.12.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_12.so";

    # For BIND 9.14.x
    # database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_14.so";

    # For BIND 9.16.x
    database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_16.so";
};

Include these dynamically loadable zones in the main BIND configuration.

$ sudo cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/var/lib/samba/bind-dns/named.conf";

Ensure that the Kerberos keytab used for GSS-TSIG DNS updates is configured.

$ cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on-v6 { any; };

        tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};

Inspect the default BIND options to determine which user the daemon runs as.

$ cat /etc/default/named
#
# run resolvconf?
RESOLVCONF=no

# startup options for the server
OPTIONS="-u bind"

Ensure that the keytab file mentioned above can be read by that user (the directory and the keytab are group-owned by bind here).

$ sudo stat /var/lib/samba/bind-dns
File: /var/lib/samba/bind-dns
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 801h/2049d      Inode: 920738      Links: 3
Access: (0770/drwxrwx---)  Uid: (    0/    root)   Gid: (  116/    bind)
Access: 2021-09-24 19:02:40.453649392 +0000
Modify: 2021-09-24 18:54:32.418371941 +0000
Change: 2021-09-24 18:54:32.418371941 +0000
 Birth: 2021-09-23 22:29:55.976668746 +0000
$ sudo ls -l /var/lib/samba/bind-dns
total 16
drwxrwx--- 3 root bind 4096 Sep 24 18:54 dns
-rw-r----- 2 root bind  457 Sep 24 18:53 dns.keytab
-rw-r--r-- 1 root root 1087 Sep 24 18:54 named.conf
-rw-r--r-- 1 root root 2051 Sep 24 18:54 named.txt

Check BIND configuration.

$ sudo named-checkconf

Disable the Samba internal DNS by adding server services = -dns.

$ sudo cat /etc/samba/smb.conf
# Global parameters
[global]
        bind interfaces only = Yes
        dns forwarder = 10.0.2.3
        interfaces = lo eth1
        netbios name = DC
        realm = EXAMPLE.ORG
        server role = active directory domain controller
        workgroup = EXAMPLE
        idmap_ldb:use rfc2307 = yes

        server services = -dns

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/example.org/scripts
        read only = No

Restart the Samba AD DC service.

$ sudo systemctl restart samba-ad-dc.service

Start and enable the BIND DNS service.

$ sudo systemctl enable --now named

Ensure that it is running.

$ systemctl status named
● named.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
     Active: active (running) since Fri 2021-09-24 19:06:48 UTC; 34s ago
       Docs: man:named(8)
   Main PID: 1853 (named)
      Tasks: 8 (limit: 645)
     Memory: 39.6M
        CPU: 180ms
     CGroup: /system.slice/named.service
             └─1853 /usr/sbin/named -f -u bind

Check DNS resolution.

$ dig -x 172.16.0.117 +short
s1.example.org.
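The steps above boil down to a handful of file checks that are easy to get wrong (a symlinked krb5.conf, a keytab the bind user cannot read, two uncommented database lines, the internal DNS still enabled). The following pre-flight script, added here as an example and not part of the original post or of Samba/BIND, verifies each of them before named is started. The function names are mine; the paths default to the ones shown in this post and every check takes the path as an argument so it can be run against copies of the files.

```shell
#!/bin/sh
# Pre-flight checks for the Samba BIND9_DLZ switch-over described above.
# Added example, not part of the original post; paths default to the ones
# on the page.  Run with: sh dlz_preflight.sh --check

# Return 0 when PATH ($1) is a regular file and not a symlink (the bind user
# cannot follow a link into /var/lib/samba/private).
krb5_conf_is_regular() {
    [ ! -L "$1" ] && [ -f "$1" ]
}

# Return 0 when GROUP ($2) owns PATH ($1) and the group read bit is set
# (a 0640 root:bind keytab passes, a 0600 one fails).  Parses "ls -ld" so it
# does not depend on GNU stat; no output at all (missing path) fails.
group_can_read() {
    ls -ld "$1" 2>/dev/null | awk -v g="$2" \
        'NR == 1 { ok = (substr($1, 5, 1) == "r" && $4 == g) } END { exit !ok }'
}

# Same for a directory: GROUP ($2) must be able to traverse PATH ($1).
group_can_traverse() {
    ls -ld "$1" 2>/dev/null | awk -v g="$2" \
        'NR == 1 { ok = (substr($1, 7, 1) == "x" && $4 == g) } END { exit !ok }'
}

# Print the user named by OPTIONS="-u ..." in the defaults file ($1).
named_run_as_user() {
    sed -n 's/^OPTIONS=.*-u[[:space:]]*\([^" ]*\).*/\1/p' "$1"
}

# Return 0 when smb.conf ($1) disables the internal DNS server.
smb_conf_dns_disabled() {
    grep -q -E '^[[:space:]]*server services[[:space:]]*=.*-dns' "$1"
}

# Return 0 when the main named.conf ($1) pulls in the Samba DLZ include file.
named_conf_includes_dlz() {
    grep -q -F 'include "/var/lib/samba/bind-dns/named.conf";' "$1"
}

# Return 0 when named.conf.options ($1) points named at a GSS-TSIG keytab.
named_options_has_keytab() {
    grep -q -E '^[[:space:]]*tkey-gssapi-keytab[[:space:]]+"[^"]+";' "$1"
}

# Print the number of uncommented "database" lines in the DLZ config ($1);
# exactly one must be active.
dlz_active_database_count() {
    awk '/^[[:space:]]*database[[:space:]]+"dlopen /{ n++ } END { print n + 0 }' "$1"
}

# Print the module path from the active "database" line of the DLZ config ($1).
dlz_active_module() {
    sed -n 's/^[[:space:]]*database[[:space:]]*"dlopen \([^"]*\)";.*/\1/p' "$1"
}

# Run every check against the live paths from the post and report.
preflight() {
    rc=0
    user=$(named_run_as_user /etc/default/named)
    group=$(id -gn "${user:-bind}" 2>/dev/null || echo bind)
    krb5_conf_is_regular /etc/krb5.conf || { echo "FAIL: /etc/krb5.conf is a symlink or missing"; rc=1; }
    group_can_traverse /var/lib/samba/bind-dns "$group" || { echo "FAIL: /var/lib/samba/bind-dns not traversable by group $group"; rc=1; }
    group_can_read /var/lib/samba/bind-dns/dns.keytab "$group" || { echo "FAIL: dns.keytab not readable by group $group"; rc=1; }
    named_options_has_keytab /etc/bind/named.conf.options || { echo "FAIL: tkey-gssapi-keytab not set in named.conf.options"; rc=1; }
    named_conf_includes_dlz /etc/bind/named.conf || { echo "FAIL: DLZ include missing from /etc/bind/named.conf"; rc=1; }
    [ "$(dlz_active_database_count /var/lib/samba/bind-dns/named.conf)" -eq 1 ] || { echo "FAIL: expected exactly one active dlz database line"; rc=1; }
    mod=$(dlz_active_module /var/lib/samba/bind-dns/named.conf)
    [ -n "$mod" ] && [ -f "$mod" ] || { echo "FAIL: DLZ module '$mod' not found"; rc=1; }
    smb_conf_dns_disabled /etc/samba/smb.conf || { echo "FAIL: smb.conf still starts the internal DNS (add 'server services = -dns')"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: ready to start named with the BIND9_DLZ backend"
    return "$rc"
}

# Only touch the live system when explicitly asked to.
if [ "${1:-}" = "--check" ]; then
    preflight
fi
```

The group check mirrors what the stat and ls output in the post shows (0770 root:bind on the directory, 0640 root:bind on dns.keytab): named drops to the user from OPTIONS, so it is that user's primary group, not root, that has to be able to traverse the directory and read the keytab. The DLZ check insists on exactly one active database line because the generated named.conf ships every version's line commented out and named-checkconf will not tell you that you uncommented two.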

Sample sssd debug log using the BIND DNS server.

(2021-09-24 19:41:22): [be[example.org]] [be_ptask_execute] (0x0400): Task [Dyndns update]: executing task, timeout 360 seconds                            
(2021-09-24 19:41:22): [be[example.org]] [ad_dyndns_update_send] (0x0400): Performing update
(2021-09-24 19:41:22): [be[example.org]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(2021-09-24 19:41:22): [be[example.org]] [sdap_id_op_connect_step] (0x4000): reusing cached connection
(2021-09-24 19:41:22): [be[example.org]] [check_ipv6_addr] (0x0200): Link local IPv6 address fe80::a00:27ff:fec3:abc9
(2021-09-24 19:41:22): [be[example.org]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(2021-09-24 19:41:22): [be[example.org]] [resolv_is_address] (0x4000): [s1.example.org] does not look like an IP address
(2021-09-24 19:41:22): [be[example.org]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(2021-09-24 19:41:22): [be[example.org]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve A record of 's1.example.org' in DNS                  
(2021-09-24 19:41:22): [be[example.org]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 3 seconds                                            
(2021-09-24 19:41:22): [be[example.org]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(2021-09-24 19:41:22): [be[example.org]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(2021-09-24 19:41:22): [be[example.org]] [resolv_gethostbyname_dns_parse] (0x1000): Parsing an A reply
(2021-09-24 19:41:22): [be[example.org]] [request_watch_destructor] (0x0400): Deleting request watch
(2021-09-24 19:41:22): [be[example.org]] [resolv_is_address] (0x4000): [s1.example.org] does not look like an IP address
(2021-09-24 19:41:22): [be[example.org]] [resolv_gethostbyname_step] (0x2000): Querying DNS
(2021-09-24 19:41:22): [be[example.org]] [resolv_gethostbyname_dns_query] (0x0100): Trying to resolve AAAA record of 's1.example.org' in DNS
(2021-09-24 19:41:22): [be[example.org]] [schedule_request_timeout] (0x2000): Scheduling a timeout of 3 seconds
(2021-09-24 19:41:22): [be[example.org]] [schedule_timeout_watcher] (0x2000): Scheduling DNS timeout watcher
(2021-09-24 19:41:23): [be[example.org]] [unschedule_timeout_watcher] (0x4000): Unscheduling DNS timeout watcher
(2021-09-24 19:41:23): [be[example.org]] [request_watch_destructor] (0x0400): Deleting request watch                                                       
(2021-09-24 19:41:23): [be[example.org]] [resolv_gethostbyname_next] (0x0200): No more address families to retry
(2021-09-24 19:41:23): [be[example.org]] [resolv_gethostbyname_next] (0x0100): No more hosts databases to retry
(2021-09-24 19:41:23): [be[example.org]] [nsupdate_msg_create_common] (0x0200): Creating update message for auto-discovered realm.
(2021-09-24 19:41:23): [be[example.org]] [be_nsupdate_create_fwd_msg] (0x0400):  -- Begin nsupdate message -- 
                                                                             
update delete s1.example.org. in A
update add s1.example.org. 360 in A 172.16.0.117
send
update delete s1.example.org. in AAAA
send
 -- End nsupdate message -- 
(2021-09-24 19:41:23): [be[example.org]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5873]
(2021-09-24 19:41:23): [be[example.org]] [child_handler_setup] (0x2000): Signal handler set up for pid [5873]
(2021-09-24 19:41:23): [be[example.org]] [write_pipe_handler] (0x0400): All data has been sent!
(2021-09-24 19:41:23): [be[example.org]] [nsupdate_child_stdin_done] (0x1000): Sending nsupdate data complete
(2021-09-24 19:41:23): [be[example.org]] [be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG
setup_system()
reset_system()
user_interaction()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   5544
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;s1.example.org.                        IN      SOA

;; AUTHORITY SECTION:
example.org.            3600    IN      SOA     dc.example.org. hostmaster.example.org. 1225 900 600 86400 3600

Found zone name: example.org
The master is: dc.example.org
start_gssrequest
Found realm from ticket: EXAMPLE.ORG
send_gssrequest
show_message()
Out of recvsoa
recvgss()
recvgss creating rcvmsg
show_message()
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  39772
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;2219081169.sig-dc.example.org. ANY     TKEY

;; ANSWER SECTION:
2219081169.sig-dc.example.org. 0 ANY    TKEY    gss-tsig. 1632512483 1632516083 3 NOERROR 182 oYGzMIGwoAMKAQChCwYJKoZIhvcSAQICooGbBIGYYIGVBgkqhkiG9xIB AgIC
AG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrYv8V8K3D7aL3 i72t+BIJxwLlth84Ea61GjSOxQ3U0CBnGmxe+vYM64JD5KGqnGoHlQk0 2mV22aR+QIkhfVnUPu3S1vGxvazkR6Cv5ng/nEeuk3qaf
kHzBO09kDyC j14XOlRJbRZr1ZWkcFs= 0

;; TSIG PSEUDOSECTION:
2219081169.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632512483 300 28 BAQF//////8AAAAABBkCbgqjiYrePDDWD4fDUA== 39772 NOERROR 0 

send_update()
Sending update to 172.16.0.110#53
show_message()
Out of recvgss
update_completed()
tsig verification successful
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  52297
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.org.                   IN      SOA

;; TSIG PSEUDOSECTION:
2219081169.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632512483 300 28 BAQF//////8AAAAABBkCb58HOzBnkmo533Ix0g== 52297 NOERROR 0 

done_update()
reset_system()
user_interaction()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   1631
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;s1.example.org.                        IN      SOA

;; AUTHORITY SECTION:
example.org.            3600    IN      SOA     dc.example.org. hostmaster.example.org. 1225 900 600 86400 3600

Found zone name: example.org
The master is: dc.example.org
start_gssrequest
send_gssrequest
show_message()
Out of recvsoa
recvgss()
recvgss creating rcvmsg
show_message()
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   1738
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3755771582.sig-dc.example.org. ANY     TKEY

;; ANSWER SECTION:
3755771582.sig-dc.example.org. 0 ANY    TKEY    gss-tsig. 1632512483 1632516083 3 NOERROR 182 oYGzMIGwoAMKAQChCwYJKoZIhvcSAQICooGbBIGYYIGVBgkqhkiG9xIB AgIC
AG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRr0umsLJ90r2d2 YvVbudfl5IUiJ7Z1FKlrGU0XDxuIH+j1NH8aTs72WDhVHz1A9eICpetZ vxVNupI++sbOl/3XsxaHTNhEluENFm+maiww9SABl1sHu
P+dqL5kQDDQ y1PbLPXLQUTh4W78nTE= 0

;; TSIG PSEUDOSECTION:
3755771582.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632512483 300 28 BAQF//////8AAAAAJoS8Lk++7RHCqiNaxwRjbw== 1738 NOERROR 0 

send_update()
Sending update to 172.16.0.110#53
show_message()
Out of recvgss
update_completed()
tsig verification successful
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:   9983
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;example.org.                   IN      SOA

;; TSIG PSEUDOSECTION:
3755771582.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632512483 300 28 BAQF//////8AAAAAJoS8L4rQh6AlQSAehEm+Uw== 9983 NOERROR 0 

done_update()
reset_system()
user_interaction()
do_next_command()
start_update()
done_update()
reset_system()
user_interaction()
cleanup()
Shutting down task manager
shutdown_program()
Shutting down request manager
Destroy DST lib
Destroying request manager
Freeing the dispatchers
Shutting down dispatch manager
Destroying event
Shutting down socket manager
Shutting down timer manager
Removing log context
Destroying memory context
(2021-09-24 19:41:23): [be[example.org]] [child_sig_handler] (0x1000): Waiting for child [5873].
(2021-09-24 19:41:23): [be[example.org]] [child_sig_handler] (0x0100): child [5873] finished successfully.
(2021-09-24 19:41:23): [be[example.org]] [be_nsupdate_done] (0x0200): nsupdate child status: 0
(2021-09-24 19:41:23): [be[example.org]] [nsupdate_msg_create_common] (0x0200): Creating update message for auto-discovered realm.
(2021-09-24 19:41:23): [be[example.org]] [be_nsupdate_create_ptr_msg] (0x0400):  -- Begin nsupdate message -- 

update delete 117.0.16.172.in-addr.arpa. in PTR
update add 117.0.16.172.in-addr.arpa. 360 in PTR s1.example.org.
send
 -- End nsupdate message -- 
(2021-09-24 19:41:23): [be[example.org]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5877]
(2021-09-24 19:41:23): [be[example.org]] [child_handler_setup] (0x2000): Signal handler set up for pid [5877]
(2021-09-24 19:41:23): [be[example.org]] [write_pipe_handler] (0x0400): All data has been sent!
(2021-09-24 19:41:23): [be[example.org]] [nsupdate_child_stdin_done] (0x1000): Sending nsupdate data complete
(2021-09-24 19:41:23): [be[example.org]] [be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG
setup_system()
reset_system()
user_interaction()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
evaluate_update()
update_addordelete()
do_next_command()
start_update()
recvsoa()
About to create rcvmsg
show_message()
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  41913
;; flags: qr aa rd ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;117.0.16.172.in-addr.arpa.     IN      SOA

;; AUTHORITY SECTION:
0.16.172.in-addr.arpa.  3600    IN      SOA     dc.example.org. hostmaster.example.org. 1 900 600 86400 3600

Found zone name: 0.16.172.in-addr.arpa 
The master is: dc.example.org
start_gssrequest
Found realm from ticket: EXAMPLE.ORG
send_gssrequest
show_message()
Out of recvsoa
recvgss()
recvgss creating rcvmsg
show_message()
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  12205
;; flags: qr ra; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;1018028506.sig-dc.example.org. ANY     TKEY

;; ANSWER SECTION:
1018028506.sig-dc.example.org. 0 ANY    TKEY    gss-tsig. 1632512483 1632516083 3 NOERROR 182 oYGzMIGwoAMKAQChCwYJKoZIhvcSAQICooGbBIGYYIGVBgkqhkiG9xIB AgIC
AG+BhTCBgqADAgEFoQMCAQ+idjB0oAMCAReibQRrM9QFk0V/Rw2m IVC70mIHerhl8VPQAPmC8QpMimgc2p4Sijyy0aEuF+f5RYabMeeLZf7L i7QunNq8BHxS5EjdXQdwsYhLQc6EijzL37grZ8EP5wDpU
XfEp4n0QdD6 UMvuVh1BWYn022/tFs8= 0

;; TSIG PSEUDOSECTION:
1018028506.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632512483 300 28 BAQF//////8AAAAAKGLtgC/rr0FLFl2px5uwcQ== 12205 NOERROR 0 

send_update()
Sending update to 172.16.0.110#53
show_message()
Out of recvgss
update_completed()
tsig verification successful
show_message()

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  23830
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;0.16.172.in-addr.arpa.         IN      SOA

;; TSIG PSEUDOSECTION:
1018028506.sig-dc.example.org. 0 ANY    TSIG    gss-tsig. 1632512484 300 28 BAQF//////8AAAAAKGLtgbL0nVY1Zy6WOa3bbg== 23830 NOERROR 0 

done_update()
reset_system()
user_interaction()
do_next_command()
start_update()
done_update()
reset_system()
user_interaction()
cleanup()
Shutting down task manager
shutdown_program()
Shutting down request manager
Destroy DST lib
Destroying request manager
Freeing the dispatchers
Shutting down dispatch manager
Destroying event
Shutting down socket manager
Shutting down timer manager
Removing log context
Destroying memory context
(2021-09-24 19:41:24): [be[example.org]] [child_sig_handler] (0x1000): Waiting for child [5877].
(2021-09-24 19:41:24): [be[example.org]] [child_sig_handler] (0x0100): child [5877] finished successfully.
(2021-09-24 19:41:24): [be[example.org]] [be_nsupdate_done] (0x0200): nsupdate child status: 0
(2021-09-24 19:41:24): [be[example.org]] [sdap_id_op_destroy] (0x4000): releasing operation connection
(2021-09-24 19:41:24): [be[example.org]] [be_ptask_done] (0x0400): Task [Dyndns update]: finished successfully
(2021-09-24 19:41:24): [be[example.org]] [be_ptask_schedule] (0x0400): Task [Dyndns update]: scheduling task 360 seconds from last execution time [1632512842]
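
To make the outcome of a run like the one above machine-checkable rather than something to eyeball, here is an added example (not code from the original page or from sssd) that parses the sssd backend debug log format shown in this log: it pairs each `-- Begin/End nsupdate message --` block with the child pid, the `nsupdate auth type` and the `nsupdate child status` that follow it, lists the records each child tried to add or delete, and reports whether the `Task [Dyndns update]` completion line was seen. The sample log is constructed from the lines above and trimmed; the failing variant (a child exiting with status 2 and no task-completion line) is constructed purely to show the detection path, and the only sssd message texts the parser relies on are the ones visible in this log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One sssd backend log line: "(ts): [be[domain]] [function] (level): message"
LOG_RE = re.compile(
    r"^\((?P<ts>[^)]*)\): \[be\[(?P<domain>[^\]]*)\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
PID_RE = re.compile(r"pid \[(?P<pid>\d+)\]")
STATUS_RE = re.compile(r"nsupdate child status: (?P<status>-?\d+)")
# nsupdate script lines: "update add|delete <owner> [ttl] in <type> [rdata]"
UPDATE_RE = re.compile(
    r"^update (?P<op>add|delete) (?P<name>\S+)(?: (?P<ttl>\d+))? in (?P<rtype>\S+)(?: (?P<rdata>.*))?$"
)


@dataclass
class NsupdateRun:
    kind: str                      # "fwd" (A/AAAA update) or "ptr" (reverse zone)
    commands: List[str] = field(default_factory=list)
    pid: Optional[int] = None
    auth: Optional[str] = None
    status: Optional[int] = None   # exit status of the nsupdate child

    def records(self) -> List[Tuple[str, str, str, Optional[str]]]:
        """(op, owner, rtype, rdata) for every update line; 'send' lines are skipped."""
        return [(m["op"], m["name"], m["rtype"], m["rdata"])
                for m in map(UPDATE_RE.match, self.commands) if m]

    @property
    def succeeded(self) -> bool:
        return self.status == 0


def parse_dyndns_log(text: str):
    """Return ([NsupdateRun, ...], ptask result message or None)."""
    runs: List[NsupdateRun] = []
    task_result: Optional[str] = None
    current: Optional[NsupdateRun] = None
    in_message = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if in_message:                       # inside a Begin/End nsupdate message block
            if line.strip() == "-- End nsupdate message --":
                in_message = False
            elif line.strip():
                current.commands.append(line.strip())
            continue
        m = LOG_RE.match(line)
        if not m:
            continue                         # nsupdate's own debug chatter (recvsoa(), TKEY dumps, ...)
        func, msg = m["func"], m["msg"]
        if func in ("be_nsupdate_create_fwd_msg", "be_nsupdate_create_ptr_msg"):
            current = NsupdateRun(kind="fwd" if "fwd" in func else "ptr")
            runs.append(current)
            in_message = True
        elif func == "be_ptask_done" and "Dyndns update" in msg:
            task_result = msg
        elif current is None:
            continue
        elif func == "child_handler_setup" and current.pid is None:
            pm = PID_RE.search(msg)
            current.pid = int(pm["pid"]) if pm else None
        elif func == "be_nsupdate_args" and msg.startswith("nsupdate auth type: "):
            current.auth = msg[len("nsupdate auth type: "):]
        elif func == "be_nsupdate_done":
            sm = STATUS_RE.search(msg)
            current.status = int(sm["status"]) if sm else None
    return runs, task_result


def verdict(text: str) -> dict:
    """Summary a monitoring check can alert on: any non-zero child or a missing task-done line."""
    runs, task_result = parse_dyndns_log(text)
    return {
        "children": len(runs),
        "failed_pids": [r.pid for r in runs if not r.succeeded],
        "auth_types": sorted({r.auth for r in runs if r.auth}),
        "task_ok": task_result is not None and task_result.endswith("finished successfully"),
    }


# Constructed sample, trimmed from the log above: a forward A/AAAA child and a PTR child.
SAMPLE_OK = """\
(2021-09-24 19:41:23): [be[example.org]] [be_nsupdate_create_fwd_msg] (0x0400):  -- Begin nsupdate message -- 

update delete s1.example.org. in A
update add s1.example.org. 360 in A 172.16.0.117
send
update delete s1.example.org. in AAAA
send
 -- End nsupdate message -- 
(2021-09-24 19:41:23): [be[example.org]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5873]
(2021-09-24 19:41:23): [be[example.org]] [be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG
recvsoa()
(2021-09-24 19:41:23): [be[example.org]] [be_nsupdate_done] (0x0200): nsupdate child status: 0
(2021-09-24 19:41:23): [be[example.org]] [be_nsupdate_create_ptr_msg] (0x0400):  -- Begin nsupdate message -- 

update delete 117.0.16.172.in-addr.arpa. in PTR
update add 117.0.16.172.in-addr.arpa. 360 in PTR s1.example.org.
send
 -- End nsupdate message -- 
(2021-09-24 19:41:23): [be[example.org]] [child_handler_setup] (0x2000): Setting up signal handler up for pid [5877]
(2021-09-24 19:41:23): [be[example.org]] [be_nsupdate_args] (0x0200): nsupdate auth type: GSS-TSIG
(2021-09-24 19:41:24): [be[example.org]] [be_nsupdate_done] (0x0200): nsupdate child status: 0
(2021-09-24 19:41:24): [be[example.org]] [be_ptask_done] (0x0400): Task [Dyndns update]: finished successfully
"""
# Constructed failing variant: the PTR child exits 2 and the task-done line never appears.
_head, _tail = SAMPLE_OK.rsplit("nsupdate child status: 0", 1)
SAMPLE_FAIL = "\n".join(l for l in (_head + "nsupdate child status: 2" + _tail).splitlines()
                        if "be_ptask_done" not in l)

if __name__ == "__main__":
    for name, text in (("ok", SAMPLE_OK), ("fail", SAMPLE_FAIL)):
        print(name, verdict(text))
        for r in parse_dyndns_log(text)[0]:
            print("  ", r.kind, r.pid, r.auth, r.status, r.records())
```

Pointing the script at a real `sssd_<domain>.log` captured with a high `debug_level` gives a per-child view of what was sent and how each nsupdate exited; the `task_ok` flag is the condition the page describes as being reported as failed even when the records themselves were updated.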

Additional notes

Read more on the BIND9 DLZ DNS Back End page.