Author Topic: [SOLVED] Samba won't update dns (still)  (Read 20522 times)

fatbob

[SOLVED] Samba won't update dns (still)
« on: February 24, 2013, 02:33:45 am »
NB: I have simplified the issue further down in the history of this post.


Hi, I have a Zentyal Community box (Core version 3.0.13).

It runs the DHCP service and is configured to do dynamic DNS updates. It is also running as a Windows domain controller and file server.

One of the Windows XP clients keeps appearing to get two leases. These show up on the dashboard and in /var/lib/dhcp/dhcp.leases.

The result is that the reverse lookup (by IP) matches the IP address handed out by the DHCP server on the Zentyal box. The forward lookup of the name comes up with a different IP.  :o

Interestingly, if the machine is dropped out of the domain the dynamic IP address seems to work, with both forward and reverse lookups correct. If it's added back into the domain then the problem recurs.

I've tried changing the name of the Windows box and manually hacking the dhcp.leases file and the forward lookup file for BIND in /var/lib/bind (having stopped BIND and deleted the journal).

At the moment the machine appears to work OK on the domain, but it is annoying.

Anybody got any ideas?
« Last Edit: May 04, 2013, 01:02:00 am by fatbob »

christian

Re: Incorrect forward dns for Windows XP client on domain with dynamic IP
« Reply #1 on: February 24, 2013, 06:43:18 am »
I can't really see the link between the domain concept and DNS.
Even if your machine doesn't take part in your Windows domain, if you have set up DHCP and DNS so that a new DNS record is created when a new lease is issued (i.e. dynamic DNS), then if, for some reason, 2 leases are issued, you will end up with 2 DNS entries, won't you?

BTW, what is your lease duration?

fatbob

Re: Incorrect forward dns for Windows XP client on domain with dynamic IP
« Reply #2 on: February 24, 2013, 11:38:45 am »
Hi Christian

To answer your question first: the lease is 30 minutes, max lease is 2 hours, and the problem still exists after the machine has been disconnected for 6 (overnight), i.e. it will happen again when the machine is powered up.

Firstly, disregarding the involvement of the Windows domain, there are 2 questions raised by this:
  • Why does the same machine with one NIC / MAC address appear to be associated with 2 IP addresses simultaneously?
  • Why does the forward lookup on host name resolve to a different IP address than the one the machine has, particularly when a reverse record has been successfully created?

Now coming back to the Windows domain issue. The domain certainly has a dependency on DNS, and I'm beginning to suspect it actually has an impact on it too.

Let me explain the full details of what's happened leading up to this.

I'm switching from an old SuSE 11 server to a new Zentyal server. In fact it's the same machine; I just have a new set of hard drives with the Zentyal build on them. I'll refer to them as if they are separate machines here for convenience, but they would never both be connected to the same network simultaneously  ;)

Both servers are configured in a similar manner. Both have the same names, both were Windows file servers / domain controllers, and both had DHCP that dynamically updated the DNS server. Both handed out IP addresses in the same range (this is probably the important point). On the SuSE server the forward and reverse records were added to the DNS by the DHCP server. Both managed a Windows domain of the same name.

I had my old SuSE server running and the Windows XP machine that is the source of the issue was connected to it. It had been leased an IP address by the SuSE server ending in 103. I dropped the XP machine off the old domain.

I powered down the SuSE server and powered up the Zentyal server. I then tried to connect the XP machine to the new domain. This resulted in the error "network path not found". At this point the XP machine still had the 103 address leased by the old SuSE server that was now powered down. The error occurred because the Zentyal DNS server had no reverse DNS entry for the XP machine and could not resolve the 103 address to the XP machine's host name, since it had not leased that address out. This illustrates the Windows domain's dependency on DNS.

I executed an ipconfig /release followed by an ipconfig /renew on the XP machine and it was leased an IP address ending in 197. The reverse DNS entry was created on the Zentyal server and this IP address successfully resolved to the XP machine's host name. I then connected the XP machine to the domain successfully.

However, having done this I made the following observations:

  • Executing ipconfig on the XP machine revealed that its IP address ends in 197, as expected. It has no reference to the 103 address.
  • The 197 address correctly resolves to the host name of the XP machine.
  • A forward lookup of the XP machine's host name resolves to the 103 address. This is true on all machines on the LAN.
  • A reverse lookup of the 103 address resolves to the XP machine's host name.
  • No machine on the LAN actually has the 103 address.
  • No machine shares the XP machine's host name.
  • Two leases show up simultaneously on the dashboard for the XP machine's MAC: one ends in 197, the other ends in 103. Both leases appear simultaneously when the XP machine is powered on and connected to the LAN.
  • Both leases appear in /var/lib/dhcp/dhcp.leases.
  • The 197 address becomes unresolvable to a host name when the lease expires and the XP machine has been shut down.
  • The XP machine's host name stops resolving to the 103 address immediately after the XP box is shut down.
  • The 103 address is permanently resolvable to the XP machine name.
  • The 103 address appears in /var/lib/named db.x.x.x (where x.x.x are the other digits in the IP address range). Shutting down the name server, deleting the jnl file and removing it from this file does not fix the issue, except insofar as 103 stops resolving to the host name. Once the XP machine is powered on, a 103 address is added back in.
  • Dropping and renaming the XP machine has no effect on this problem. The same issue occurs with the new host name.

One final note on this. I believe I was once told that when a Windows machine connects to a (conventional Windows server run) Windows domain, it updates the DNS records with its host name / IP address, as opposed to the scenario I had on the SuSE box where the DHCP server did that. I wonder if there is some similar process in effect here, as I know Samba 4 has some DNS support in order for it to perform in a manner expected by Windows clients.
« Last Edit: February 24, 2013, 12:04:23 pm by fatbob »
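The "one MAC, two simultaneous leases" observation above is easy to check for mechanically. This is an added example (not from the thread, Zentyal or ISC): a small parser for the ISC dhcpd.leases format that flags MAC addresses holding more than one active lease. The lease records are constructed sample data; the .103/.197 addresses and the "xpbox" hostname mirror the post.

```python
"""Flag MACs holding more than one active lease in an ISC dhcpd.leases file.
Added example, not from the thread; the lease text below is constructed."""
import re
from collections import defaultdict

SAMPLE_LEASES = """\
lease 10.53.19.103 {
  binding state active;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  client-hostname "xpbox";
}
lease 10.53.19.197 {
  binding state active;
  hardware ethernet 00:1a:2b:3c:4d:5e;
  client-hostname "xpbox";
}
lease 10.53.19.150 {
  binding state free;
  hardware ethernet 00:1a:2b:3c:4d:99;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_leases(text):
    """Return {ip: {mac, state, hostname}}. dhcpd.leases is an append-only
    journal, so a later record for the same IP overrides an earlier one."""
    latest = {}
    for m in LEASE_RE.finditer(text):
        ip, body = m.group(1), m.group(2)
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]+);", body)
        state = re.search(r"binding state\s+(\w+);", body)
        host = re.search(r'client-hostname\s+"([^"]*)";', body)
        latest[ip] = {"mac": mac.group(1).lower() if mac else None,
                      "state": state.group(1) if state else None,
                      "hostname": host.group(1) if host else None}
    return latest

def duplicate_active_macs(leases):
    """Map each MAC that holds more than one active lease to its sorted IPs."""
    by_mac = defaultdict(list)
    for ip, lease in leases.items():
        if lease["state"] == "active" and lease["mac"]:
            by_mac[lease["mac"]].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    for mac, ips in duplicate_active_macs(parse_leases(SAMPLE_LEASES)).items():
        print(f"{mac} holds {len(ips)} active leases: {', '.join(ips)}")
```

Run it against the real file with `parse_leases(open("/var/lib/dhcp/dhcpd.leases").read())`; a MAC that shows up in the result is the client whose forward record is likely to be stale.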

fatbob

Re: Incorrect forward dns for Windows XP client on domain with dynamic IP
« Reply #3 on: February 24, 2013, 03:48:13 pm »
I now have another Windows XP machine that doesn't get a forward lookup at all. The forward and reverse lookups for both machines function fine when not connected to the domain.

christian

Re: Incorrect forward dns for Windows XP client on domain with dynamic IP
« Reply #4 on: February 24, 2013, 04:24:49 pm »
Sorry, this is far above my knowledge  :-[

My understanding stops at DNS and /etc/hosts when it comes to resolving names.
I also understand that DHCP can update DNS based on valid leases.

All the "Windows domain" stuff that could impact the above behaviour is not something I can understand (except if you involve WINS and NetBIOS, but this is another story). I'm not saying you're wrong, but I can't help  :-\

In a pure Microsoft world this is different, because they decided, on purpose, to mix everything: deploying a PDC is the magic answer to everything, as it provides DHCP, DNS, PKI, Kerberos, file sharing... well, everything, so you can easily mix things up and it doesn't matter.

This said, you are testing something in a rather weird environment: you get a lease from one DHCP server, then stop this server, start a new one as similar as possible (but nevertheless indeed different) and then try to use it as if nothing happened  ::)
This makes the (wrong) assumption that there is no DNS cache. I think this is the main reason why you have strange behaviour here and there.

fatbob

Re: Incorrect forward dns for Windows XP client on domain with dynamic IP
« Reply #5 on: February 24, 2013, 06:09:27 pm »
Hi Christian

Yes, it was my mistake not to reboot the XP box in between switching servers. However, after further experimentation with another XP machine and a Windows 7 machine, I can simplify the problem a bit to the following:

  • For Windows machines that are not in the domain, and for non-Windows devices, both forward and reverse lookups work as expected.
  • For Windows devices that are in the domain, a reverse lookup (by IP address) will resolve to the correct host name; however, a forward lookup will not work. In all cases bar this one odd XP machine, no forward lookup will work. If the machine is dropped out of the domain then it works fine.

I think that points the finger squarely at Samba. But I have NO idea about what it's doing. Like you, I only know ISC DHCP and BIND. :( Anyone else got any ideas?

Zentyal module versions
Zentyal Core: 3.0.13
Zentyal Samba: 3.0.13
Zentyal DNS: 3.0.5
Zentyal DHCP: 3.0.2

These are the latest as far as I can see.

« Last Edit: February 24, 2013, 06:17:24 pm by fatbob »

christian

Re: Incorrect forward dns for Windows XP client on domain with dynamic IP
« Reply #6 on: February 24, 2013, 06:23:20 pm »
So we are somewhat converging.
One "control" question: how do you perform this "forward lookup"? (just curious)

fatbob

Re: Incorrect forward dns for Windows XP client on domain with dynamic IP
« Reply #7 on: February 24, 2013, 06:41:16 pm »
Yeah, no worries.

E.g.:
Windows host name: xpbox
Windows IP: 10.56.19.134

nslookup 10.53.19.134
gives name = xpbox.mydomain.lan

nslookup xpbox gives not found on any windows machine
using FQDN:
nslookup xpbox.mydomain.lan gives not found on any machine

nslookup xpbox on zentyal gives one slightly odd response which is :

Non-authoritative answer:
Name:   xpbox
Address: 67.215.65.132

This resolves to hit-nxdomain.opendns.com. I use OpenDNS as my forwarders, and if you try to resolve an unknown host in a web browser, for example, this "trick" forwards you to their search page.

Other than that, not found.

fatbob

Re: Incorrect forward dns for Windows XP client on domain with dynamic IP
« Reply #8 on: February 24, 2013, 06:47:03 pm »
Tried dig with similar results. Also tried dig for my one XP machine that has the incorrect forward lookup. The result is definitely coming from DNS on the local box.

;; ANSWER SECTION:
xpbox.mydomain.lan. 900 IN   A   10.53.19.103 <--This is total boll*x it's .197

;; AUTHORITY SECTION:
mydomain.lan.   900   IN   NS   myserver.mydomain.lan.

christian

Re: Incorrect forward dns for Windows XP client on domain with dynamic IP
« Reply #9 on: February 24, 2013, 06:56:41 pm »
First comment:
nslookup on Windows is definitely strange, as it should return something like:
Code:
nslookup 10.56.19.134
server: your Zentyal server
address: your zentyal server IP#53

143.19.56.10.in-addr.arpa   name=xpbox.mydomain.lan.

notice the trailing dot  ;)

Second comment, linked to the above:
you should thus try
Code:
nslookup xpbox.mydomain.lan.  (notice the trailing dot here again)

Third comment:
It would be interesting to understand better whether you push DNS, domain, and search domain to DHCP clients, and what your DNS configuration on Zentyal is. With a trailing dot, such a request should not be forwarded, BTW.

christian

Re: Incorrect forward dns for Windows XP client on domain with dynamic IP
« Reply #10 on: February 24, 2013, 07:06:05 pm »
;; ANSWER SECTION:
xpbox.mydomain.lan. 900 IN   A   10.53.19.103 <--This is total boll*x it's .197

;; AUTHORITY SECTION:
mydomain.lan.   900   IN   NS   myserver.mydomain.lan.

This one is interesting: your DNS, according to dig (see authority section), does contain 103 as the IP address. This said, how many DNS servers are running on Zentyal 3.0? Is it like LDAP, meaning we have one standard DNS for Zentyal and one dedicated to Samba? (I'm not sure any more, but it looks like this.)
So perhaps there is a side effect with some DNS synchro, or a not-refreshed zone, or whatever else like this. I can't help about this because I'm not running 3.0.
Rather ask the Zentyal team to help here  ;)

fatbob

Re: Incorrect or no forward dns for Windows clients on domain with dynamic IP
« Reply #11 on: February 24, 2013, 08:59:33 pm »
Hi there

In relation to your first point, nslookup on Windows always seems to give output without the trailing dot, e.g. nslookup 91.189.94.156 gives:

Name: vostok.cannonical.com
Address: 91,189.94.156

In relation to your second point, I tried with the trailing dot, i.e. nslookup xpbox.mydomain.lan., and had the same result: nothing found. The request only gets sent to the forwarder if you request nslookup xpbox; if you use the FQDN then it never gets forwarded.

In any case, despite your efforts I'm no closer to finding out why my forward lookups for Windows domain PCs don't work (other than that there is no DNS entry for some reason).

christian

Re: Incorrect or no forward dns for Windows clients on domain with dynamic IP
« Reply #12 on: February 24, 2013, 09:17:14 pm »
Still, your additional post about the wrong IP (using dig) is very strange.

What if you type:
Code:
dig mydomain.lan AXFR

fatbob

Re: Incorrect or no forward dns for Windows clients on domain with dynamic IP
« Reply #13 on: February 24, 2013, 09:28:27 pm »
I've attached the output of your command to this post.

Interestingly, I saw this in the log:

24/02/2013 20:20:17   myserver   named[15927]   client 10.53.19.197#53332: updating zone 'mydomain.lan/NONE': update failed: rejected by secure update (REFUSED)

Now I wonder if this is the Windows client trying to update the zone.
« Last Edit: February 24, 2013, 09:41:36 pm by christian »

fatbob

Re: Incorrect or no forward dns for Windows clients on domain with dynamic IP
« Reply #14 on: February 24, 2013, 09:32:24 pm »
And yet more: it would seem Samba is trying to update the zone but is being rejected:

24/02/2013 20:30:14   vmhost   named[15927]   samba_dlz: starting transaction on zone oilmovements.lan
24/02/2013 20:30:14   vmhost   named[15927]   client 10.53.19.100#62149: update 'oilmovements.lan/IN' denied
24/02/2013 20:30:14   vmhost   named[15927]   samba_dlz: cancelling transaction on zone oilmovements.lan
24/02/2013 20:30:14   vmhost   named[15927]   samba_dlz: starting transaction on zone oilmovements.lan
24/02/2013 20:30:14   vmhost   named[15927]   samba_dlz: disallowing update of signer=newboy\$\@OILMOVEMENTS.LAN name=newboy.oilmovements.lan type=A error=insufficient access rights
24/02/2013 20:30:14   vmhost   named[15927]   client 10.53.19.100#49186: updating zone 'oilmovements.lan/NONE': update failed: rejected by secure update (REFUSED)
24/02/2013 20:30:14   vmhost   named[15927]   samba_dlz: cancelling transaction on zone oilmovements.lan
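The named/samba_dlz messages quoted in the last two posts are exactly what a defender wants pulled out of syslog: which client and which signer tried to update which record, and why it was refused. This is an added example (not from the thread, Samba or Zentyal) that parses lines of that shape; the log lines and the example.lan zone are constructed to mirror the posted ones.

```python
"""Pick rejected dynamic DNS updates out of named/samba_dlz log lines and
say which client and signer tried to change which record. Added example, not
from the thread; the lines below are constructed in the shape of those posted."""
import re
from collections import Counter

SAMPLE_LOG = """\
24/02/2013 20:30:14 vmhost named[15927] samba_dlz: starting transaction on zone example.lan
24/02/2013 20:30:14 vmhost named[15927] client 10.53.19.100#62149: update 'example.lan/IN' denied
24/02/2013 20:30:14 vmhost named[15927] samba_dlz: cancelling transaction on zone example.lan
24/02/2013 20:30:14 vmhost named[15927] samba_dlz: disallowing update of signer=newboy\\$@EXAMPLE.LAN name=newboy.example.lan type=A error=insufficient access rights
24/02/2013 20:30:14 vmhost named[15927] client 10.53.19.100#49186: updating zone 'example.lan/NONE': update failed: rejected by secure update (REFUSED)
24/02/2013 20:31:02 vmhost named[15927] client 10.53.19.197#53332: updating zone 'example.lan/NONE': update failed: rejected by secure update (REFUSED)
"""

DENIED_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: update '(?P<zone>[^/']+)/IN' denied")
REFUSED_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: updating zone '(?P<zone>[^/']+)/\w+': "
                        r"update failed: (?P<reason>.+)$")
SIGNER_RE = re.compile(r"samba_dlz: disallowing update of signer=(?P<signer>\S+) "
                       r"name=(?P<name>\S+) type=(?P<type>\S+) error=(?P<error>.+)$")

def parse_rejections(text):
    """One dict per rejected update. A samba_dlz 'disallowing' line carries the
    signer/name and is attached to the next REFUSED line for the same zone."""
    events, pending = [], None
    for line in text.splitlines():
        stamp = line[:19]                        # "dd/mm/yyyy hh:mm:ss"
        if m := SIGNER_RE.search(line):
            pending = m.groupdict()              # details for the coming REFUSED
        elif m := DENIED_RE.search(line):        # refusal logged without a signer
            events.append({"time": stamp, "client": m["ip"], "zone": m["zone"],
                           "signer": None, "name": None, "error": "denied"})
        elif m := REFUSED_RE.search(line):       # refusal after a signer check
            ev = {"time": stamp, "client": m["ip"], "zone": m["zone"],
                  "signer": None, "name": None, "error": m["reason"]}
            if pending and pending["name"].endswith(m["zone"]):
                ev.update(signer=pending["signer"], name=pending["name"],
                          error=pending["error"])
                pending = None
            events.append(ev)
    return events

def rejections_per_client(events):
    """Count rejected updates by client IP: the host that keeps failing stands out."""
    return Counter(ev["client"] for ev in events)

if __name__ == "__main__":
    for ev in parse_rejections(SAMPLE_LOG):
        print(ev)
```

Feed it the named lines from /var/log/syslog (or wherever Zentyal's BIND logs) and the signer field tells you whether the rejected update came from a machine account, as in the post, or from something unexpected.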