Sep 21

gss_initialize fatal error on bind 9

Category: News

Recently, another strange problem turned up on a customer's DNS server running BIND 9 on top of SLES10. At first the SLES10 machine served as a slave DNS server for the primary DNS (WIN2K) server, and both machines performed very well for a month without any problem. But when my customer gave the green light to power off the primary DNS and convert the SLES10 box into the master DNS server, the nightmare began. Why? Because every 5-10 minutes the BIND service would go down for no apparent reason. Can you imagine the pressure when the DNS server is not running in a customer's production environment? No internet, no email, and other servers' domain names and hostnames can't be resolved either.

At first I thought this was because Active Directory was conflicting with the Linux DNS, but we had already completely shut down and removed the AD from my customer's environment. The same goes for the DNS service on the WIN2K. Okay, time to analyze the log messages, and in the log files I noticed something:

client 192.168.x.xx (old Primary DNS / WIN2K) update failed : permission denied

gss_initialize fatal error: no mechanisms loaded!

Googling around, I found that a few other people had the same problem. But I was more interested in the problem as it relates to Novell SLES10, and I was lucky enough that this problem was already known to Novell, who treat it as a bug in their SLES10 SP1. Even though Novell had already released a related patch (libgss—) to solve this problem, hey! it didn't work for me. So, what's the actual problem?

Okay, now forget about the Novell SLES10 bug. Let's get back to the log messages; I grepped for anything related to the named/bind service. Hey! I found something more interesting here:

client 192.168.x.xx (old Primary DNS / WIN2K) update failed : permission denied

gss_initialize fatal error: no mechanisms loaded!

client 192.168.x.xx (another windows / WIN2K) update failed : permission denied

gss_initialize fatal error: no mechanisms loaded!

client 192.168.x.xx (another windows / WIN2K) update failed : permission denied

gss_initialize fatal error: no mechanisms loaded!

If you look at the error messages above, it is not only the old AD server causing the Linux BIND service to go down. There are actually 3 (three) servers, and all of them are Windows servers. So I narrowed the search to the Windows servers. Why only Windows servers, and why not the client workstations running Windows XP? Finally I got the answer from www.bind9.net:

Someone is trying to update your DNS data using the RFC2136 Dynamic Update protocol. Windows 2000 machines have a habit of sending dynamic update requests to DNS servers without being specifically configured to do so. If the update requests are coming from a Windows 2000 machine, see http://support.microsoft.com/support/kb/articles/q246/8/04.asp for information about how to turn them off.

By default, dynamic DNS update on a WIN2K server is set to “enabled”. Just turn it off via the registry or the advanced TCP/IP configuration on the WIN2K server and the problem is solved. Now the BIND service on my customer's SLES10 server runs great without any more problems.

ariyossss

athlon_crazy 4:26am 21/09/2008
