samba4 bind dlz module stops working on rndc reload

Bug #1670450 reported by Stéphane Berthelot
This bug affects 1 person
Affects           Status         Importance   Assigned to   Milestone
samba             Unknown        Unknown
samba (Ubuntu)    Fix Released   High         Unassigned
  Focal           Triaged        High         Unassigned
  Jammy           Triaged        High         Unassigned

Bug Description

I am encountering the exact same problem as described in this bug report.
A patch seems available and should fix the problem.

https://forge.univention.org/bugzilla/show_bug.cgi?id=39139

When reloading bind while I have samba setup as a PDC and using BIND9_DLZ module, the zone is deleted.
Restarting named makes it work again but is not usable since many scripts (logrotate) use reload by default.

Issuing a simple "rndc zonestatus ad.zone" just after restart is OK, and after reload I get:

rndc: 'zonestatus' failed: not found
no matching zone 'ad.zone' in any view

This may cause a lot of trouble for dynamic updates on somewhat complex setups with Samba as a PDC (samba internal DNS server is really limited...)

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: samba 2:4.3.11+dfsg-0ubuntu0.16.04.3
ProcVersionSignature: Ubuntu 4.8.0-39.42~16.04.1-generic 4.8.17
Uname: Linux 4.8.0-39-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.5
Architecture: amd64
Date: Mon Mar 6 19:00:47 2017
InstallationDate: Installed on 2017-02-24 (10 days ago)
InstallationMedia: Ubuntu-Server 16.04.2 LTS "Xenial Xerus" - Release amd64 (20170215.8)
NmbdLog:

OtherFailedConnect: Yes
SambaServerRegression: No
SmbConfIncluded: Yes
SmbLog:

SourcePackage: samba
UpgradeStatus: No upgrade log present (probably fresh install)

Stéphane Berthelot (sberthelot) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "dlz_bind9_rndc_reload.patch (see univention bug report credits for it)" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Brian Murray (brian-murray) wrote :

This patch does not seem to exist in the source code of the zesty version of samba.

tags: added: zesty
Changed in samba (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Nish Aravamudan (nacc) wrote :

Hello and thank you for filing this bug report and going through the effort of finding a solution. Before we can pursue a SRU (https://wiki.ubuntu.com/StableReleaseUpdates), we will first need to ensure it is fixed in 17.04. Can you help verify if this is or is not the case?

Changed in samba (Ubuntu):
status: Confirmed → Triaged
Stéphane Berthelot (sberthelot) wrote :

Hello and thanks for taking time to look at this bug.

I have just set up a VM to test this and upgraded to zesty; all of xenial, yakkety AND zesty behave the same and present this bug.

To test it quickly if you need to reproduce, I have only set up an AD with "samba-tool domain provision", adjusted named configuration (include samba generated files for named) and then do a "rndc zonestatus ad.dns.zone", a "rndc reload", and again a "rndc zonestatus ad.dns.zone".

On zesty I also had an apparmor permission denied on start because named couldn't file_mmap the dlz module (.so)

mars 07 12:38:51 l00p2 kernel: audit: type=1400 audit(1488886731.112:59): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/named" name="/usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_10.so" pid=3149 comm="named" requested_mask="m" denied_mask="m" fsuid=120 ouid=0

(while adding "/usr/lib{,32,64}/**/*.so* mr," in /etc/apparmor.d/usr.sbin.named I could start named again, maybe I should file a different bug report)

I am adding my complete /etc/apparmor.d/usr.sbin.named if you need to reproduce since it also contains other lines according to Samba official Bind9_DLZ integration guide.
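The reproduction steps in this comment (zonestatus, reload, zonestatus again) and the AppArmor "file_mmap" denial above can be turned into a small operational check. The script below is an added example, not code from the bug report, from Samba, or from Ubuntu; it assumes `rndc` is in PATH, that the zone name is `ad.zone` (the name used in the bug description), and that the named profile lives at `/etc/apparmor.d/usr.sbin.named` as in this comment. The sample `rndc zonestatus` outputs embedded in it are constructed from the messages quoted in the report.

```shell
#!/bin/sh
# Added example (not part of the Launchpad bug report): detect the
# "DLZ zone vanishes after rndc reload" failure and the AppArmor
# profile gap that keeps named from mapping the Samba DLZ module.

# Constructed sample outputs, modelled on the messages in the bug report.
SAMPLE_STATUS_OK="name: ad.zone
type: master
serial: 1"
SAMPLE_STATUS_MISSING="rndc: 'zonestatus' failed: not found
no matching zone 'ad.zone' in any view"

# Classify "rndc zonestatus" output.
# 0 = zone is served, 1 = named reports it missing, 2 = unrecognised output.
zone_status_ok() {
    case "$1" in
        *"no matching zone"*|*"not found"*) return 1 ;;
        *"name: "*)                         return 0 ;;
        *)                                  return 2 ;;
    esac
}

# Reproduce the report's procedure: status, reload, status again.
# 0 = zone survived the reload, 1 = zone disappeared (the bug),
# 2 = zone was not served even before the reload (setup problem).
check_dlz_reload() {
    zone="${1:-ad.zone}"   # assumed zone name; pass your own
    before=$(rndc zonestatus "$zone" 2>&1)
    if ! zone_status_ok "$before"; then
        echo "zone $zone is not served before reload; check named/DLZ setup"
        return 2
    fi
    rndc reload >/dev/null 2>&1
    after=$(rndc zonestatus "$zone" 2>&1)
    if zone_status_ok "$after"; then
        echo "OK: $zone still served after rndc reload"
        return 0
    fi
    echo "BUG: $zone no longer served after rndc reload (restart named to recover)"
    return 1
}

# Check that the named AppArmor profile allows mapping shared objects under
# /usr/lib, which is what the "file_mmap" denial in the report lacked.
# Accepts either the rule quoted in the report or a rule naming the
# samba/bind9 module directory explicitly. 0 = allowed, 1 = no rule found,
# 2 = profile not readable.
apparmor_allows_dlz() {
    profile="${1:-/etc/apparmor.d/usr.sbin.named}"   # assumed default path
    [ -r "$profile" ] || return 2
    if grep -Fq '/usr/lib{,32,64}/**/*.so* mr,' "$profile"; then
        return 0
    fi
    grep -Eq 'samba/bind9/[^ ]*\.so[^ ]* +mr?,' "$profile"
}

# Run the live checks only when explicitly asked, so the script can be
# sourced or inspected without touching a running named.
if [ "${1:-}" = "--run" ]; then
    apparmor_allows_dlz || echo "WARN: named profile has no rule for the DLZ module"
    check_dlz_reload "${2:-ad.zone}"
fi
```

Run it as `sh check_dlz_reload.sh --run ad.zone` on the DNS host; a nonzero exit marks the condition the report describes, and the AppArmor warning points at the profile line this comment used as a workaround.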

Stéphane Berthelot (sberthelot) wrote :
Stéphane Berthelot (sberthelot) wrote :

Any news on this bug? Since it affects all versions and a tested patch exists, I thought it would have been integrated sooner (at least in -proposed).
It affects production (LTS) servers running Samba + Bind, which is quite a common scenario in "real" environments for AD replacement. We also have identified indirect impact on integrated Ubuntu clients (with winbind and joined to the AD domain) since it sometimes triggers DNS updates on the server (along with dynamic DHCP updates to the DNS zone).
Restarting bind completely many times a day is not really a production-level solution to me ...

description: updated
Stéphane Berthelot (sberthelot) wrote :

Sorry to bump again, but there have been 6 minor updates to the samba package in 16.04 LTS and since this patch is not included we still have the same problem (fixed since 2015 on the Univention bug tracker ...)

Is there any means of helping get it included soon?

Andreas Hasenack (ahasenack) wrote :

Do you know if this patch or bug report was ever submitted upstream?

I'm trying to update samba to 4.6.5 in artful (https://code.launchpad.net/~ahasenack/ubuntu/+source/samba/+git/samba/+merge/326418) and then I can look more closely at this issue.

tags: added: server-next
Stéphane Berthelot (sberthelot) wrote :

Hm, I looked at the current samba git and bug tracker and did not find anything related to this bug. It seems no one ever submitted this upstream...
This is quite strange, I wonder how other people do. Maybe I missed something, but this is reproducible and blocking for "real" production environments unless you never update your local DNS content ...

Do you want me to report upstream?

Andreas Hasenack (ahasenack) wrote : Re: [Bug 1670450] Re: samba4 bind dlz module stops working on rndc reload

Yes please, that would be very helpful

On Jul 18, 2017 04:55, "Stéphane Berthelot" <email address hidden> wrote:

> Hm, I looked at the current samba git and bug tracker and did not find anything
> related to this bug. It seems no one ever submitted this upstream...
> This is quite strange, I wonder how other people do. Maybe I missed
> something, but this is reproducible and blocking for "real" production
> environments unless you never update your local DNS content ...
>
> Do you want me to report upstream?
>
> --
> You received this bug notification because you are subscribed to samba
> in Ubuntu.
> https://bugs.launchpad.net/bugs/1670450
>
> Title:
> samba4 bind dlz module stops working on rndc reload
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/samba/+bug/1670450/+subscriptions
>

Stéphane Berthelot (sberthelot) wrote :

Reported upstream (univention is 3rd party)

Robie Basak (racb)
tags: added: server-next-drop
Stéphane Berthelot (sberthelot) wrote :

Hello,

I've just installed bionic (18.04) beta2 with samba 4.7.6 and bind 9.11.3 and the problem is still present.

Is there any means of getting this bug fixed soon? How do others avoid the problem with the dlz zone deleted on rndc reload?

I reproduced the bug using the procedure on #5 (if needed)

Robie Basak (racb)
tags: removed: server-next server-next-drop
Andreas Hasenack (ahasenack) wrote :

Is it also present in cosmic, which has samba 4.8.x?

I also see that the upstream bug has no further activity.

Andreas Hasenack (ahasenack) wrote :

We would really prefer if upstream could comment on that patch, maybe its author could send it to samba-technical@? That's where discussions happen most often. Although, it would also be good if we could determine if this problem still happens in the latest samba, currently the 4.10 series, which is available in Ubuntu Disco.

Andreas Hasenack (ahasenack) wrote :

This bug is still in our queue.

Andrew Bartlett (abartlet) wrote :

This was finally fixed properly upstream with this massive patch set https://bugzilla.samba.org/show_bug.cgi?id=14780 for Samba 4.16. A very good reason to upgrade to this release where possible.

Robie Basak (racb) wrote :

Thank you for the update! We've been on samba 4.16 since Kinetic, so I'll mark this Fix Released on the assumption that it is fixed now. However, this means it is still unaddressed in 22.04 and 20.04, so I'll add separate tasks for those. 18.04 and earlier are beyond End of Standard Support, so I won't add tasks for them.

Changed in samba (Ubuntu):
status: Triaged → Fix Released
Changed in samba (Ubuntu Focal):
status: New → Triaged
Changed in samba (Ubuntu Jammy):
status: New → Triaged
Changed in samba (Ubuntu Focal):
importance: Undecided → High
Changed in samba (Ubuntu Jammy):
importance: Undecided → High