
[Samba] Strange DNS results


Steve Thompson

Apr 23, 2013, 6:00:05 PM
Samba 4.0.0, CentOS 6.4, bind 9.9 DLZ.

I could use some help debugging a strange DNS issue. I have two Samba4
domain controllers, dc-1.europa.icse.cornell.edu and
dc-2.europa.icse.cornell.edu. On either dc-1 or dc-2 or any client host:

# host dc-1.europa.icse.cornell.edu dc-2
dc-1.europa.icse.cornell.edu has address 192.168.15.250
dc-1.europa.icse.cornell.edu has address 192.168.3.250
dc-1.europa.icse.cornell.edu has address 192.168.7.250

which is correct. But:

# host dc-1.europa.icse.cornell.edu dc-1
dc-1.europa.icse.cornell.edu has address 192.168.7.241
dc-1.europa.icse.cornell.edu has address 192.168.3.250
dc-1.europa.icse.cornell.edu has address 192.168.7.250
dc-1.europa.icse.cornell.edu has address 192.168.15.250
dc-1.europa.icse.cornell.edu has address 192.168.15.241
dc-1.europa.icse.cornell.edu has address 192.168.3.241

The results for looking up dc-2 are correct on all client hosts. The
results for looking up dc-1 are incorrect on all client hosts.

The three IP addresses ending in .241 are phantoms; there has never been a
host or hosts on the network with these IP addresses. These suddenly
started showing up at about 11:00 this morning. I cannot work out where
the extra three IPs are coming from; they are not in any of my zone
tables, forward or reverse, and a DNS query using samba-tool does not show
them either:

dc-1# samba-tool dns query dc-1 europa.icse.cornell.edu dc-1 A
Name=, Records=3, Children=0
A: 192.168.3.250 (flags=f0, serial=1, ttl=900)
A: 192.168.7.250 (flags=f0, serial=2, ttl=900)
A: 192.168.15.250 (flags=f0, serial=17, ttl=900)

If I comment out Samba's private/named.conf from the bind configuration
and restart bind, the results are now correct, showing that it is coming
from samba somewhere. Rebooting dc-1 or restarting samba does not help.

Needless to say, this is causing havoc, and is an emergency situation.
Someone hit me with the clue stick; I need to find out where these are
coming from!

Steve

Marc Muehlfeld

Apr 24, 2013, 2:00:01 PM
Hello Steve,


On 23.04.2013 23:49, Steve Thompson wrote:
> The results for looking up dc-2 are correct on all client hosts. The
> results for looking up dc-1 are incorrect on all client hosts.


I don't have an idea what could be wrong. But maybe you can find out
more, if you enable debugging for the bind DLZ module:

In .../private/named.conf, change the following line

database "dlopen .../bin/modules/bind9/dlz_bind9.so";

to

database "dlopen .../bin/modules/bind9/dlz_bind9.so -d 3";


Then run bind manually to capture logs:

/usr/sbin/named -u named -f -g 2>&1 | tee named.log



Regards,
Marc

Steve Thompson

Apr 24, 2013, 3:20:03 PM
On Wed, 24 Apr 2013, Marc Muehlfeld wrote:

> On 23.04.2013 23:49, Steve Thompson wrote:
>> The results for looking up dc-2 are correct on all client hosts. The
>> results for looking up dc-1 are incorrect on all client hosts.
>
> I don't have an idea what could be wrong. But maybe you can find out more, if
> you enable debugging for the bind DLZ module:
> [...]

Hi Marc,

Many thanks for your comments. I wasn't able to determine where the
phantom IP addresses were coming from in a reasonable amount of time, but
I was able to delete them via nsupdate. Fortunately, everything returned
to normal functioning. I currently have 176 machines, mostly Linux using
sssd, bound to the domain, and they were getting distinctly unhappy. I
have a separate test domain which I will experiment on as time allows.

One thing that I have discovered while debugging is that if additional IP
addresses are added to a DC, samba_dnsupdate happily consumes them and
they appear in DNS in short order. However, when the IP addresses are
removed, samba_dnsupdate does not remove them again, and clients continue
to try lookups to IPs that don't exist any more :-(

Steve
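
Added example (not part of the original thread and not Samba code): a small check that parses the `host` and `samba-tool dns query` output quoted above and reports, per DNS server, A records that are served but not expected. It assumes the samba-tool record list is the trusted baseline; the function names are hypothetical.

```python
import ipaddress
import re

# Line shapes as they appear in the thread's output.
HOST_RE = re.compile(r"^\S+ has address (\S+)$")
SAMBA_A_RE = re.compile(r"^A:\s+(\S+)\s+\(")

def parse_addresses(text, pattern):
    """Collect the addresses from every line of text that matches pattern."""
    found = set()
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            found.add(ipaddress.ip_address(m.group(1)))
    return found

def audit(expected, answers_by_server):
    """Per server: (addresses served but not expected, expected but not served)."""
    report = {}
    for server, answers in answers_by_server.items():
        extra = [str(a) for a in sorted(answers - expected)]
        missing = [str(a) for a in sorted(expected - answers)]
        report[server] = (extra, missing)
    return report

# Sample input: records quoted from the thread (samba-tool query, then `host` per DC).
SAMBA_TOOL = """Name=, Records=3, Children=0
A: 192.168.3.250 (flags=f0, serial=1, ttl=900)
A: 192.168.7.250 (flags=f0, serial=2, ttl=900)
A: 192.168.15.250 (flags=f0, serial=17, ttl=900)"""
HOST_VIA_DC2 = """dc-1.europa.icse.cornell.edu has address 192.168.15.250
dc-1.europa.icse.cornell.edu has address 192.168.3.250
dc-1.europa.icse.cornell.edu has address 192.168.7.250"""
HOST_VIA_DC1 = HOST_VIA_DC2 + """
dc-1.europa.icse.cornell.edu has address 192.168.7.241
dc-1.europa.icse.cornell.edu has address 192.168.15.241
dc-1.europa.icse.cornell.edu has address 192.168.3.241"""

def run_sample():
    # Assumption: the samba-tool record list is the baseline of expected addresses.
    expected = parse_addresses(SAMBA_TOOL, SAMBA_A_RE)
    answers = {"dc-1": parse_addresses(HOST_VIA_DC1, HOST_RE),
               "dc-2": parse_addresses(HOST_VIA_DC2, HOST_RE)}
    return audit(expected, answers)

if __name__ == "__main__":
    for server, (extra, missing) in run_sample().items():
        print(f"{server}: unexpected={extra} missing={missing}")
```

Run periodically against every DC, the same comparison would also surface the stale addresses that samba_dnsupdate leaves behind after an IP is removed from a DC.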