samba-domain
DNS sockets exhausting system
Using either this image or @burnbabyburn's image (as mentioned in #36), as soon as the container receives a DNS query, it opens enough listening sockets to overwhelm the system, resulting in any further queries giving the error message below:
$ dig @192.168.1.250 google.com a
dig: isc_socket_bind: address in use
They all look like this:
$ sudo netstat -nvuap|wc -l
28241
$ sudo netstat -nvuap|head -n 10
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 172.17.0.1:38860 172.17.0.2:53 ESTABLISHED 90721/docker-proxy
udp 0 0 172.17.0.1:47052 172.17.0.2:53 ESTABLISHED 90721/docker-proxy
udp 0 0 172.17.0.1:55244 172.17.0.2:53 ESTABLISHED 90721/docker-proxy
udp 0 0 172.17.0.1:38861 172.17.0.2:53 ESTABLISHED 90721/docker-proxy
udp 0 0 172.17.0.1:47053 172.17.0.2:53 ESTABLISHED 90721/docker-proxy
udp 0 0 172.17.0.1:55245 172.17.0.2:53 ESTABLISHED 90721/docker-proxy
udp 0 0 172.17.0.1:55246 172.17.0.2:53 ESTABLISHED 90721/docker-proxy
udp 0 0 172.17.0.1:38862 172.17.0.2:53 ESTABLISHED 90721/docker-proxy
In the above, 172.17.0.1 is the bridge address (docker0 on the host), 172.17.0.2 is the address of the container.
The server is set up using the command taken from the documentation:
docker volume create samba-data
docker volume create samba-config
docker run -t -i \
-e "DOMAIN=OFFICE.COMPANY.COM" \
-e "DOMAINPASS=Password1" \
-e "DNSFORWARDER=192.168.1.1" \
-e "HOSTIP=192.168.1.250" \
-p 192.168.1.250:53:53 \
-p 192.168.1.250:53:53/udp \
-p 192.168.1.250:88:88 \
-p 192.168.1.250:88:88/udp \
-p 192.168.1.250:135:135 \
-p 192.168.1.250:137-138:137-138/udp \
-p 192.168.1.250:139:139 \
-p 192.168.1.250:389:389 \
-p 192.168.1.250:389:389/udp \
-p 192.168.1.250:445:445 \
-p 192.168.1.250:464:464 \
-p 192.168.1.250:464:464/udp \
-p 192.168.1.250:636:636 \
-p 192.168.1.250:1024-1044:1024-1044 \
-p 192.168.1.250:3268-3269:3268-3269 \
-v /etc/localtime:/etc/localtime:ro \
-v samba-data:/var/lib/samba \
-v samba-config:/etc/samba/external \
--dns-search office.company.com \
--dns 192.168.1.250 \
--dns 192.168.1.1 \
--add-host localdc.office.company.com:192.168.1.250 \
-h localdc \
--name samba-bbb \
--privileged \
--restart unless-stopped \
samba-domain
Has anyone seen this, or have any idea how to resolve it?
Hi,
I tried to replicate your problem with my version. I changed the naming of some config params and didn't update the README examples. My bad.
The following command was run:
#build and cleanup
git clone https://github.com/burnbabyburn/docker-ubuntu-samba-dc
cd docker-ubuntu-samba-dc
docker build . -t samba-ad-dc
docker volume rm samba-data samba-config samba-etc
# create and run
docker volume create samba-data
docker volume create samba-config
docker run -t -i \
-e "DOMAIN=OFFICE.COMPANY.COM" \
-e "DOMAIN_PASS=Password1" \
-e "ENABLE_DNSFORWARDER=192.168.1.1" \
-e "HOSTIP=192.168.1.250" \
-e "ENABLE_DYNAMIC_PORTRANGE=49152-49172" \
-p 53:53 \
-p 53:53/udp \
-p 88:88 \
-p 88:88/udp \
-p 135:135 \
-p 137-138:137-138/udp \
-p 139:139 \
-p 389:389 \
-p 389:389/udp \
-p 445:445 \
-p 464:464 \
-p 464:464/udp \
-p 636:636 \
-p 3268-3269:3268-3269 \
-p 49152-49172 \
-v /etc/localtime:/etc/localtime:ro \
-v samba-data:/var/lib/samba \
-v samba-config:/etc/samba/external \
--dns-search office.company.com \
--dns 127.0.0.1 \
--add-host localdc.office.company.com:192.168.1.250 \
-h localdc \
--name samba-bbb \
--privileged \
--restart unless-stopped \
samba-ad-dc
Complete output can be found here: https://pastebin.com/DKECUHAw
My docker host with samba-ad-dc has 192.168.10, but I kept your IP address of 250 for localdc, so some output may look a little weird.
on win client
nslookup localdc.office.company.com 192.168.1.10
Server: OdroidN2.samdom.example
Address: 192.168.1.10
Name: localdc.office.company.com
Address: 192.168.1.250
on docker host
dig @192.168.1.10 localdc.office.company.com
; <<>> DiG 9.16.1-Ubuntu <<>> @192.168.1.10 localdc.office.company.com
; (1 server found)
;; ANSWER SECTION:
localdc.office.company.com. 900 IN A 192.168.1.250
localdc.office.company.com. 900 IN A 172.17.0.2
in container
root@localdc:/# dig localdc.office.company.com
;; QUESTION SECTION:
;localdc.office.company.com. IN A
;; ANSWER SECTION:
localdc.office.company.com. 900 IN A 192.168.1.250
localdc.office.company.com. 900 IN A 172.17.0.2
ports used in docker container
root@localdc:/# netstat -nvuap|wc -l
23
Looks good to me. If the error persists, could you provide a log?
Yep, that's done the trick thank you. I have a couple of errors during the run from ntpd:
Attempting to autogenerate TLS self-signed keys for https for hostname 'LOCALDC.office.company.com'
12 May 14:57:28 ntpd[706]: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): good hash signature
12 May 14:57:28 ntpd[706]: leapsecond file ('/usr/share/zoneinfo/leap-seconds.list'): loaded, expire=2022-12-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
12 May 14:57:28 ntpd[706]: switching logging to file /var/log/ntp
12 May 14:57:28 ntpd[706]: Listen and drop on 0 v6wildcard [::]:123
12 May 14:57:28 ntpd[706]: Listen and drop on 1 v4wildcard 0.0.0.0:123
12 May 14:57:28 ntpd[706]: Listen normally on 2 lo 127.0.0.1:123
12 May 14:57:28 ntpd[706]: Listen normally on 3 eth0 172.17.0.2:123
12 May 14:57:28 ntpd[706]: Listening on routing socket on fd #20 for interface updates
12 May 14:57:28 ntpd[706]: kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized
12 May 14:57:28 ntpd[706]: kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized
TLS self-signed keys generated OK
2022-05-12 14:57:29,254 INFO success: ntpd entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
2022-05-12 14:57:29,254 INFO success: samba entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
/usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
/usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
/usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
/usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
/usr/sbin/samba_dnsupdate: ; TSIG error with server: tsig verify failure
dnsupdate_nameupdate_done: Failed DNS update with exit code 5
but after the sleep 300s expires, everything seems to run normally. I also tried adding --dns 192.168.1.1 to the run command but it made no difference. The server is remote so I haven't had a chance to try really using it yet, but the DNS queries seem to work properly now.
Can this be closed?
Actually not. It is still a problem.
docker version
Version: 20.10.24+dfsg1
uname -r
6.1.0-10-amd64
docker pull nowsci/samba-domain:latest
So with the latest version, with the exact configuration template, using docker-compose up -d (samba-ad-dc runs on 192.168.100.252, docker-compose.yml is below)
from a PC in LAN:
host google.com 192.168.100.252
then on docker host:
ss -4pn | grep 53| wc -l
28231
and in htop the process samba: task[dns] pre-fork master shows 100% CPU usage
cat docker-compose.yml
samba:
  image: nowsci/samba-domain
  container_name: samba
  volumes:
    - /etc/localtime:/etc/localtime:ro
    - samba-data:/var/lib/samba
    - samba-config:/etc/samba/external
  environment:
    - DOMAIN=VRBA.LAN
    - DOMAIN_DC=dc=vrba,dc=lan
    - DOMAIN_EMAIL=i
    - DOMAINPASS=123Qwer
    - DNSFORWARDER=192.168.100.254
    - HOSTIP=192.168.100.252
  ports:
    - 192.168.100.252:53:53
    - 192.168.100.252:53:53/udp
    - 192.168.100.252:88:88
    - 192.168.100.252:88:88/udp
    - 192.168.100.252:123:123
    - 192.168.100.252:123:123/udp
    - 192.168.100.252:135:135
    - 192.168.100.252:137-138:137-138/udp
    - 192.168.100.252:139:139
    - 192.168.100.252:389:389
    - 192.168.100.252:389:389/udp
    - 192.168.100.252:445:445
    - 192.168.100.252:464:464
    - 192.168.100.252:464:464/udp
    - 192.168.100.252:636:636
    - 192.168.100.252:1024-1044:1024-1044
    - 192.168.100.252:3268-3269:3268-3269
  dns_search:
    - vrba.lan
  dns:
    - 192.168.100.252
    - 192.168.100.254
  extra_hosts:
    - dc1.vrba.lan:192.168.100.252
  hostname: dc1
  cap_add:
    - NET_ADMIN
    - SYS_NICE
    - SYS_TIME
  devices:
    - /dev/net/tun
  privileged: true
  restart: always
I have found the issue.
The problem is that init.sh puts the dns forwarder at the top of the [global] section in smb.conf; however, the "samba-tool domain provision" (and maybe also join) command already adds a dns forwarder (the one from /etc/resolv.conf) further down, overriding the desired one (see my screenshot).
Samba will use the second one, which is the docker internal DNS server (127.0.0.11). Since the container is configured to have itself as its DNS server, this will cause a loop for every DNS lookup outside of the AD zone itself.
I fixed the issue and created a pull request.
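A quick check for the duplicate-forwarder condition described above, added here as an example that is not part of the nowsci/samba-domain image or its init.sh. It builds a constructed smb.conf with the broken layout (the desired forwarder first, the provision-generated 127.0.0.11 line later in [global]), reports which value Samba actually uses (the last one wins), and flags a forwarder that would loop back to the container. The sample file contents and the helper names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not project code. Samba keeps the LAST occurrence of a
# parameter inside a section, so a provision-added "dns forwarder" line
# further down [global] silently overrides the one init.sh wrote first.

# Constructed smb.conf reproducing the layout described in the thread.
make_sample_conf() {
  cat > "$1" <<'EOF'
[global]
    dns forwarder = 192.168.100.254
    netbios name = DC1
    realm = VRBA.LAN
    workgroup = VRBA
    server role = active directory domain controller
    dns forwarder = 127.0.0.11
[sysvol]
    path = /var/lib/samba/sysvol
EOF
}

# Print the "dns forwarder" value Samba will actually use: the last one in [global].
effective_dns_forwarder() {
  awk -F= '
    /^[ \t]*\[/ { in_global = ($0 ~ /^[ \t]*\[global\][ \t]*$/); next }
    in_global && $1 ~ /^[ \t]*dns[ \t]+forwarder[ \t]*$/ {
      v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); last = v
    }
    END { if (last != "") print last }
  ' "$1"
}

# Count "dns forwarder" lines in [global]; more than one means the bug is present.
count_dns_forwarders() {
  awk '
    /^[ \t]*\[/ { in_global = ($0 ~ /^[ \t]*\[global\][ \t]*$/); next }
    in_global && /^[ \t]*dns[ \t]+forwarder[ \t]*=/ { n++ }
    END { print n + 0 }
  ' "$1"
}

# True (exit 0) when the forwarder is the embedded Docker resolver, loopback,
# or the container's own address: every non-AD lookup would loop back to Samba.
forwarder_is_loop() {
  case "$1" in
    127.0.0.11|127.0.0.1|"$2") return 0 ;;
    *) return 1 ;;
  esac
}
```

Against a running container the same effective value can be read from Samba's own parser with `docker exec samba testparm -s --parameter-name='dns forwarder'`; if it prints 127.0.0.11 while the container's --dns points at itself, the loop is in place.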