without dlopen support, bind can't load /usr/lib64/samba/bind9/dlz_bind9_18.so # named -V BIND 9.18.39 (Extended Support Version) <id:> running on Linux x86_64 6.16.5-200.fc42.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Sep 4 16:37:21 UTC 2025 built by make with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--program-prefix=' '--disable-dependency-tracking' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/bin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--runstatedir=/run' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--localstatedir=/var' '--with-pic' '--disable-static' '--includedir=/usr/include/bind9' '--with-tuning=large' '--with-libidn2' '--with-maxminddb' '--with-gssapi=yes' '--with-lmdb=yes' '--with-json-c' '--enable-dnstap' '--with-cmocka' '--without-jemalloc' '--enable-fixed-rrset' '--enable-full-report' 'CPPFLAGS= -DOPENSSL_NO_ENGINE=1' 'build_alias=x86_64-redhat-linux-gnu' 'host_alias=x86_64-redhat-linux-gnu' 'CC=gcc' 'CFLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 -Wp,-D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -fstack-protector-strong -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -mtls-dialect=gnu2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer ' 'LDFLAGS=-Wl,-z,relro -Wl,--as-needed -Wl,-z,pack-relative-relocs -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -Wl,--build-id=sha1 -specs=/usr/lib/rpm/redhat/redhat-package-notes ' 'LT_SYS_LIBRARY_PATH=/usr/lib64:' 'PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig' compiled by GCC 15.2.1 20250808 (Red Hat 15.2.1-1) compiled with OpenSSL version: OpenSSL 3.2.4 11 Feb 2025 linked to OpenSSL version: OpenSSL 3.2.4 11 Feb 2025 compiled with libuv version: 1.51.0 linked to libuv version: 1.51.0 compiled with libnghttp2 version: 1.64.0 linked to libnghttp2 version: 1.64.0 compiled with libxml2 version: 2.12.10 linked to libxml2 version: 21210 compiled with json-c version: 0.18 linked to json-c version: 0.18 compiled with zlib version: 1.3.1.zlib-ng linked to zlib version: 1.3.1.zlib-ng linked to maxminddb version: 1.12.2 compiled with protobuf-c version: 1.5.1 linked to protobuf-c version: 1.5.1 threads support is enabled DNSSEC algorithms: RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512 ECDSAP256SHA256 ECDSAP384SHA384 ED25519 ED448 DS algorithms: SHA-1 SHA-256 SHA-384 HMAC algorithms: HMAC-MD5 HMAC-SHA1 HMAC-SHA224 HMAC-SHA256 HMAC-SHA384 HMAC-SHA512 TKEY mode 2 support (Diffie-Hellman): yes TKEY mode 3 support (GSS-API): yes default paths: named configuration: /etc/named.conf rndc configuration: /etc/rndc.conf DNSSEC root key: /etc/bind.keys nsupdate session key: /var/run/named/session.key named PID file: /var/run/named/named.pid named lock file: /var/run/named/named.lock geoip-directory: /usr/share/GeoIP Reproducible: Always Steps to Reproduce: 1. Install bind package 2. Install samba-dc-bind-dlz package 3. Marvel at how things don't work Actual Results: /usr/lib64/samba/bind9/dlz_bind9_18.so doesn't load, samba can't make DNS update, Domain controller is broken. Expected Results: bind loads /usr/lib64/samba/bind9/dlz_bind9_18.so, Samba makes dynamic DNS updates Additional Information: This seems be be a choice made: * Mon Feb 10 2025 Petr Menšík <pemensik> - 32:9.18.33-2 - Permanently remove DLZ parts build
The removal should have removed only outdated and AFAIK unused plugins shipped by bind itself. It should have not prevented support for loading other plugins, such as the plugin provided by samba-dc-bind-dlz package. Can you please share error message provided by named? What is the named.conf configuration and what does it print into journalctl -xeu named? please provide named-checkconf -px full output if possible. But at least share what dlz configuration in /etc/named.conf looks like. It should have stopped just providing bind-dlz-mysql, bind-dlz-sqlite3 and similar. Not prevent potentially still useful external plugins.
I have tried this snippet: dlz example { database "dlopen /usr/lib64/samba/bind9/dlz_bind9_18.so"; search no; }; That crashes, but at least tries to load the plugin. I am not sure how exactly it should be configured in samba. Is it possible SELinux is blocking permissions perhaps? In my case, it could not find /var/lib/samba/bind-dns/dns/sam.ldb and crashed when trying to log it. dlz_bind9_state were NULL at that point. (gdb) bt #0 0x00007ffff5292f03 in dlz_create (dlzname=<optimized out>, argc=1, argv=0x7ffff007d688, dbdata=0x7ffff007fe08) at ../../source4/dns_server/dlz_bind9.c:730 #1 0x0000555555560fb5 in dlopen_dlz_create (dlzname=0x7ffff0053140 "example", argc=2, argv=0x7ffff007d680, driverarg=<optimized out>, dbdata=<optimized out>) at ../../../bin/named/dlz_dlopen_driver.c:314 #2 0x00007ffff7d315c9 in dns_sdlzcreate (mctx=<optimized out>, dlzname=0x7ffff0053140 "example", argc=2, argv=0x7ffff007d680, driverarg=0x555555645c30, dbdata=0x7ffff007dc68) at ../../../lib/dns/sdlz.c:1627 #3 0x00007ffff7c380cb in dns_dlzcreate (mctx=mctx@entry=0x55555563c860, dlzname=0x7ffff0053140 "example", drivername=drivername@entry=0x7ffff007dbf0 "dlopen", argc=argc@entry=2, argv=argv@entry=0x7ffff007d680, dbp=dbp@entry=0x7ffff6c4c4a0) at ../../../lib/dns/dlz.c:212 #4 0x0000555555576861 in configure_view (view=0x7ffff000f3b0, viewlist=<optimized out>, config=0x7ffff004e560, vconfig=0x0, cachelist=0x7ffff6c4d550, kasplist=<optimized out>, bindkeys=0x0, mctx=0x55555563c860, actx=0x7ffff00052f0, need_hints=true) at ../../../bin/named/server.c:4485 #5 0x00005555555848bf in load_configuration (filename=<optimized out>, server=server@entry=0x555555645d10, first_time=first_time@entry=true) at ../../../bin/named/server.c:9569 #6 0x0000555555586ff7 in run_server (task=<optimized out>, event=<optimized out>) at ../../../bin/named/server.c:10306 #7 0x00007ffff7f64120 in task_run (task=0x555555692990) at ../../../lib/isc/task.c:832 #8 isc_task_run (task=0x555555692990) at ../../../lib/isc/task.c:913 #9 0x00007ffff7f237ec in isc__nm_async_task (worker=0x555555644f30, ev0=0x55555569ce70) at ../../../lib/isc/netmgr/netmgr.c:867 #10 0x00007ffff7f2b74d in process_netievent (worker=worker@entry=0x555555644f30, ievent=0x55555569ce70) at ../../../lib/isc/netmgr/netmgr.c:949 #11 0x00007ffff7f2be6f in process_queue (worker=worker@entry=0x555555644f30, type=type@entry=NETIEVENT_TASK) at ../../../lib/isc/netmgr/netmgr.c:1044 #12 0x00007ffff7f2c088 in process_all_queues (worker=0x555555644f30) at ../../../lib/isc/netmgr/netmgr.c:780 #13 async_cb (handle=0x555555645290) at ../../../lib/isc/netmgr/netmgr.c:809 #14 0x00007ffff7bac60e in uv__async_io (loop=0x555555644f40, w=<optimized out>, events=<optimized out>) at /usr/src/debug/libuv-1.51.0-2.fc43.x86_64/src/unix/async.c:208 #15 0x00007ffff7bcb71e in uv__io_poll (loop=0x555555644f40, timeout=<optimized out>) at /usr/src/debug/libuv-1.51.0-2.fc43.x86_64/src/unix/linux.c:1565 #16 0x00007ffff7bb69e2 in uv_run (loop=loop@entry=0x555555644f40, mode=mode@entry=UV_RUN_DEFAULT) at /usr/src/debug/libuv-1.51.0-2.fc43.x86_64/src/unix/core.c:460 #17 0x00007ffff7f2c57d in nm_thread (worker0=0x555555644f30) at ../../../lib/isc/netmgr/netmgr.c:711 #18 0x00007ffff7f6826c in isc__trampoline_run (arg=0x55555563f620) at ../../../lib/isc/trampoline.c:190 #19 0x00007ffff72f738b in start_thread (arg=<optimized out>) at pthread_create.c:448 #20 0x00007ffff737a46c in __GI___clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 But it proves bind tried to load something from it.
Please share what named logs. It it does not, please try running named as root from gdb. Using sudo gdb --args -g -u named start the debugger, enable debuginfod and type run. If it crashes, type bt and paste it here. Type quit to exit debugger. From my short test, it seems DLZ it still possible, just not shipped in bind component anymore.
(gdb) p state->lp $12 = (struct loadparm_context *) 0x7ffff00dd980 (gdb) p dlz_bind9_state->log Cannot access memory at address 0x60 (gdb) p state->log $13 = (log_t *) 0x5555555609c0 <dlopen_log> It seems the plugin is trying wrong state->log function and crashes. But that is not problem on bind side, but samba.
Moving back to samba for fixing the load on not fully prepared samba system. It attempted to load with versions: bind-9.18.39-3.fc44.x86_64 samba-4.23.0-13.fc44.x86_64 Removal of bind-dlz-* subpackages should not affect ability to load samba plugin.
I think it should also stop building DLZ plugins for versions long gone in Fedora. /usr/lib64/samba/bind9/dlz_bind9_10.so /usr/lib64/samba/bind9/dlz_bind9_11.so /usr/lib64/samba/bind9/dlz_bind9_12.so /usr/lib64/samba/bind9/dlz_bind9_14.so /usr/lib64/samba/bind9/dlz_bind9_16.so /usr/lib64/samba/bind9/dlz_bind9_18.so Only 9.18 is supported in any Fedora releases. 9.16 is still present in CentOS 9, but anything older should not be built anymore. Especially anything for 9.10. Would it make sense to maybe symlink older versions to the latest one, unless they differ in something specific. I think there were no important changes on bind side in these interfaces in couple of major releases.
Tested also bind9-next alternative 9.21, that still loads the DLZ plugin and crashes the same way.
Debugging information here: https://wiki.samba.org/index.php/BIND9_DLZ_DNS_Back_End Tell Samba to use the Bind backend: # samba_upgradedns --dns-backend=BIND9_DLZ I believe I have solved this non-issue. I added my include directive at the start of named.conf and it had no effect - no log, no loading dlz modules, no debug info, nothing. Moving the include directive within a view causes the module to load and I ahve forward progress. Thanks for taking a look!
Reverting the bug to ASSIGNED. We fixed this issue upstream to prevent a crash, even with incorrect config file, I'll do a backport.
FEDORA-2025-90533b236f (samba-4.23.0-14.fc44) has been submitted as an update to Fedora 44. https://bodhi.fedoraproject.org/updates/FEDORA-2025-90533b236f
FEDORA-2025-1b1f27e000 (samba-4.23.0-0.7.rc3.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2025-1b1f27e000
FEDORA-2025-90533b236f (samba-4.23.0-14.fc44) has been pushed to the Fedora 44 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2025-1b1f27e000 has been pushed to the Fedora 43 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-1b1f27e000` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-1b1f27e000 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-1b1f27e000 (samba-4.23.0-13.fc43) has been pushed to the Fedora 43 stable repository. If problem still persists, please make note of it in this bug report.