DLZ plugin adds broken records?

Amitay Isaacs amitay at gmail.com
Tue May 22 01:20:25 MDT 2012 

Hi Andrey,

On Tue, May 22, 2012 at 5:34 AM, Andriy Syrovenko <andriys at gmail.com> wrote:
> Hi,
>
> We are using Samba4a20 with BIND 9.9.0 + DLZ plugin as a DNS server.
> While playing with DNS I occasionally run 'samba-tool dbcheck
> --cross-ncs' and found there are many errors like following:
>
> ERROR: missing GUID component for objectCategory in object
> DC=pc,DC=example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
> - CN=Dns-Node,CN=Schema,CN=Configuration,DC=example,DC=com

Any modifications to SAM database are done using DSDB ldb modules. So
there should not be any difference between the updates to DNS records
done via BIND9 DLZ module or via RPC interface. The only reason why
the entries might get created without a GUID component is if DSDB ldb
modules were not loaded while doing the modifications. Please check
the output of following commands:

 # /path/to/ldbsearch -H /path/to/private/sam.ldb -s base -b @MODULES
 # /path/to/ldbsearch -H /path/to/private/dns/sam.ldb -s base -b @MODULES

The output should be like this:

# record 1
dn: @MODULES
@LIST: samba_dsdb
distinguishedName: @MODULES

# returned 1 records
# 1 entries
# 0 referrals


> As far as I can see all records in the forward zone that arrived
> through dynamic DNS updates are affected. At the same time just a few
> (but not all) records in the reverse zone are affected as well. None
> of the records that were added manually (using Microsoft DNS console)
> are affected.
>
> Meanwhile I've fixed these errors using 'samba-tool dbcheck
> --cross-ncs --fix', but will check periodically if the appear again.

The other thing you can check is the actual records which are missing GUIDs.

  # /path/to/ldbsearch -H /path/to/private/sam.ldb -b
"DC=DomainDnsZones,DC=example,DC=com" --extended-dn dn
  # /path/to/ldbsearch -H /path/to/private/dns/sam.ldb -b
"DC=DomainDnsZones,DC=example,DC=com" --extended-dn dn

These commands should list all DNs in the database with "<GUID=...>
prefix and the output of the above commands should be identical. If
there is any discrepancy in the output, please let me know.

Amitay.

More information about the samba-technical mailing list