samba4 bind dlz module stops working on rndc reload

Bug #1670450 reported by Stéphane Berthelot on 2017-03-06
Affects: samba (upstream). Status: Unknown. Importance: Unknown.
Affects: samba (Ubuntu). Importance: High. Assigned to: Unassigned.

Bug Description

I am encountering the exact same problem as described in this bug report.
A patch seems available and should fix the problem.

https://forge.univention.org/bugzilla/show_bug.cgi?id=39139

When reloading bind while I have samba set up as a PDC and using the BIND9_DLZ module, the zone is deleted.
Restarting named makes it work again, but that is not usable, since many scripts (logrotate) use reload by default.

Issuing a simple "rndc zonestatus ad.zone" just after restart is OK, and after reload I get:

rndc: 'zonestatus' failed: not found
no matching zone 'ad.zone' in any view

This may cause a lot of trouble for dynamic updates on somewhat complex setups with Samba as a PDC (samba internal DNS server is really limited...)

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: samba 2:4.3.11+dfsg-0ubuntu0.16.04.3
ProcVersionSignature: Ubuntu 4.8.0-39.42~16.04.1-generic 4.8.17
Uname: Linux 4.8.0-39-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
Date: Mon Mar 6 19:00:47 2017
InstallationDate: Installed on 2017-02-24 (10 days ago)
InstallationMedia: Ubuntu-Server 16.04.2 LTS "Xenial Xerus" - Release amd64 (20170215.8)
NmbdLog:

OtherFailedConnect: Yes
SambaServerRegression: No
SmbConfIncluded: Yes
SmbLog:

SourcePackage: samba
UpgradeStatus: No upgrade log present (probably fresh install)

The attachment "dlz_bind9_rndc_reload.patch (see univention bug report credits for it)" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Brian Murray (brian-murray) wrote :

This patch does not seem to exist in the source code of the zesty version of samba.

tags: added: zesty
Changed in samba (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Nish Aravamudan (nacc) wrote :

Hello and thank you for filing this bug report and going through the effort of finding a solution. Before we can pursue a SRU (https://wiki.ubuntu.com/StableReleaseUpdates), we will first need to ensure it is fixed in 17.04. Can you help verify if this is or is not the case?

Changed in samba (Ubuntu):
status: Confirmed → Triaged

Hello and thanks for taking time to look at this bug.

I have just set up a VM to test this and upgraded to zesty; all of xenial, yakkety AND zesty behave the same and present this bug.

To test it quickly if you need to reproduce, I have only set up an AD with "samba-tool domain provision", adjusted the named configuration (include the samba-generated files for named) and then done a "rndc zonestatus ad.dns.zone", a "rndc reload", and again a "rndc zonestatus ad.dns.zone".

On zesty I also had an apparmor permission denied on start because named couldn't file_mmap the dlz module (.so):

mars 07 12:38:51 l00p2 kernel: audit: type=1400 audit(1488886731.112:59): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=3149 comm="named" requested_mask="m" denied_mask="m" fsuid=120 ouid=0

(After adding "/usr/lib{,32,64}/**/*.so* mr," in /etc/apparmor.d/usr.sbin.named I could start named again; maybe I should file a different bug report.)

I am adding my complete /etc/apparmor.d/usr.sbin.named if you need to reproduce, since it also contains other lines from the official Samba Bind9_DLZ integration guide.
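As an added example (not code from the bug report, Samba or BIND), a POSIX shell check that follows the reproduction steps in the comment above: it classifies `rndc zonestatus` output, runs status / reload / status, and fails when the DLZ zone has vanished. It assumes rndc is already configured for the local named and that a loaded zone's status output contains a `name:` line.

```shell
#!/bin/sh
# Added example, not code from the bug report, Samba or BIND: a check that follows
# the reporter's steps (zonestatus, reload, zonestatus) and fails when the DLZ zone
# is gone after the reload. Assumptions: rndc is configured for the local named,
# and `rndc zonestatus` prints a "name:" line for a loaded zone.

# Classify the combined stdout+stderr of `rndc zonestatus ZONE`.
# "missing" matches the exact failure text quoted in the report.
zone_state() {
    case "$1" in
        *"no matching zone"*) echo missing ;;
        *"name: "*)           echo present ;;
        *)                    echo unknown ;;
    esac
}

# Reproduce the report's procedure against a live named.
# Returns 0 if the zone survived the reload, 1 if it vanished (this bug),
# 2 if the test could not be run (zone not loaded beforehand, rndc failure).
check_zone_after_reload() {
    _zone=$1
    _before=$(rndc zonestatus "$_zone" 2>&1 || true)
    if [ "$(zone_state "$_before")" != present ]; then
        echo "zone '$_zone' not loaded before reload, cannot test: $_before" >&2
        return 2
    fi
    rndc reload >/dev/null 2>&1 || { echo "rndc reload failed" >&2; return 2; }
    _after=$(rndc zonestatus "$_zone" 2>&1 || true)
    case "$(zone_state "$_after")" in
        present) echo "OK: zone '$_zone' survived rndc reload"; return 0 ;;
        missing) echo "BUG: zone '$_zone' dropped by rndc reload; restart named to recover" >&2
                 return 1 ;;
        *)       echo "rndc error: $_after" >&2; return 2 ;;
    esac
}

# Only talk to a real named when invoked as: ./check_dlz_zone.sh --live ad.dns.zone
if [ "${1:-}" = "--live" ]; then
    check_zone_after_reload "${2:-ad.dns.zone}"
fi
```

Run it from cron or a monitoring agent with `--live` and the AD zone name; a non-zero exit after a scheduled `rndc reload` is the signal that the DLZ zone was dropped.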

Any news on this bug? Since it affects all versions and a tested patch exists, I thought it would have been integrated sooner (at least in -proposed).
It affects production (LTS) servers running Samba + Bind, which is a rather common scenario in "real" environments for AD replacement. We have also identified an indirect impact on integrated Ubuntu clients (with winbind, joined to the AD domain), since they sometimes trigger DNS updates on the server (along with dynamic DHCP updates to the DNS zone).
Restarting bind completely many times a day is not really a production-level solution to me...

description: updated

Sorry to bump again, but there have been 6 minor updates to the samba package in 16.04 LTS, and since this patch is not included we still have the same problem (fixed since 2015 on the Univention bug tracker...).

Is there any way to help get it included soon?

Andreas Hasenack (ahasenack) wrote :

Do you know if this patch or bug report was ever submitted upstream?

I'm trying to update samba to 4.6.5 in artful (https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/326418) and then I can look more closely at this issue.

tags: added: server-next

Hm, I looked at the current samba git and bug tracker and did not find anything related to this bug. It seems no one ever submitted this upstream...
This is quite strange; I wonder how other people do. Maybe I missed something, but this is reproducible and blocking for "real" production environments unless you never update your local DNS content...

Do you want me to report upstream?

Yes please, that would be very helpful

On Jul 18, 2017 04:55, "Stéphane Berthelot" <email address hidden> wrote:

> Hm, I looked at the current samba git and bug tracker and did not find anything
> related to this bug. It seems no one ever submitted this upstream...
> This is quite strange; I wonder how other people do. Maybe I missed
> something, but this is reproducible and blocking for "real" production
> environments unless you never update your local DNS content...
>
> Do you want me to report upstream?
>

Reported upstream (univention is 3rd party)

Robie Basak (racb) on 2018-04-13
tags: added: server-next-drop

Hello,

I've just installed bionic (18.04) beta2 with samba 4.7.6 and bind 9.11.3 and the problem is still present.

Is there any way to get this bug fixed soon? How do others avoid the problem with the dlz zone being deleted on rndc reload?

I reproduced the bug using the procedure in #5 (if needed).

Robie Basak (racb) on 2018-05-02
tags: removed: server-next server-next-drop
Andreas Hasenack (ahasenack) wrote :

Is it also present in cosmic, which has samba 4.8.x?

I also see that the upstream bug has no further activity.
