Multi DC domain issues

Chris Alavoine chrisa at acs-info.co.uk
Wed Oct 1 16:30:18 MDT 2014


Hi Stefan,

I've written a simple shell script which automatically finds the GUID
numbers and puts them into the ldbdel statement:

#!/bin/sh
# cja/20141001
# deleteobjects.sh
# extracts GUID from deleted.ldif and runs ldbdel command

# get list of GUID and perform ldbdel on them

GUIDlist=`cat /usr/local/samba/private/sam.ldb.d/deleted.ldif | grep GUID |
sed -n 's/[^$]*\://p'`

for GUID in $GUIDlist
do
  # the GUID argument must stay on the same command line as ldbdel
  ldbdel -H /usr/local/samba/private/sam.ldb --show-recycled --relax \
    '<GUID='$GUID'>'
done

# end

Of course this assumes your Samba is installed at /usr/local/samba/ (I use
Ubuntu), but can be easily modified.

I am testing this on my test rig at present and it seems to work well (if a
little slowly).

Cheers,
c:)




On 1 October 2014 12:34, Chris Alavoine <chrisa at acs-info.co.uk> wrote:

> Hi Stefan,
>
> Thanks for this very interesting info.
>
> Unfortunately, I cannot at present get beyond version 4.1.8 on Ubuntu
> 12.04. When I restart samba after compiling it refuses to start. I haven't
> had time to fully debug this yet, but am going to attempt a clean build /
> compile in my test lab and see how far I can get.
>
> I am using Samba Internal DNS, and my attempts at moving to Bind DLZ on my
> test setup have so far proven fruitless.
>
> Can you see any danger in me attempting to delete the isDeleted records
> using the above method (even on Samba Internal DNS)? At the moment I have
> lowered my tombstoneLifetime on all DCs to 15 and the number of records is
> slowly reducing on a number of them. Some of them appear to be broken as they
> are stuck and not reducing at all.
>
> Thanks,
> Chris.
>
>
> On 1 October 2014 12:23, Stefan (metze) Metzmacher <metze at samba.org>
> wrote:
>
>> Hi Chris,
>>
>> your problem was fixed via
>> https://bugzilla.samba.org/show_bug.cgi?id=10749
>> in 4.1.12.
>>
>> On 23.09.2014 at 14:58 Chris Alavoine wrote:
>> > Some extra info.
>> >
>> > When I try a join (via a working DC) I get this:
>> >
>> > Partition[DC=DomainDnsZones,DC=essence,DC=internal,DC=com]
>> > objects[63919/322492] linked_values[0/0]
>> > Partition[DC=DomainDnsZones,DC=essence,DC=internal,DC=com]
>> > objects[64321/322492] linked_values[0/0]
>> > Partition[DC=DomainDnsZones,DC=essence,DC=internal,DC=com]
>> > objects[64723/322492] linked_values[0/0]
>> > Partition[DC=DomainDnsZones,DC=essence,DC=internal,DC=com]
>> > objects[65125/322492] linked_values[0/0]
>> >
>> > As you can see there are 322492 objects in DomainDnsZones which takes a
>> > long time to complete. Have checked here:
>> >
>> > /usr/local/samba/private/sam.ldb.d/
>> >
>> > And this is the contents:
>> >
>> > /usr/local/samba/private/sam.ldb.d# ls -ltrh
>> > total 4.1G
>> > -rw-r----- 1 root root 812K Sep 23 08:38 metadata.tdb
>> > -rw------- 1 root root  10M Sep 23 08:44
>> > CN=CONFIGURATION,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb
>> > -rw------- 1 root root 4.1M Sep 23 08:48
>> > DC=FORESTDNSZONES,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb
>> > -rw------- 1 root root 4.0G Sep 23 08:50
>> > DC=DOMAINDNSZONES,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb
>> > -rw------- 1 root root  10M Sep 23 08:50
>> > CN=SCHEMA,CN=CONFIGURATION,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb
>> > -rw------- 1 root root  38M Sep 23 08:51
>> > DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb
>> >
>> > On my broken FSMO DC this is the same folder:
>> >
>> > /usr/local/samba/private/sam.ldb.d# ls -ltrh
>> > total 3.1G
>> > -rw-r----- 1 root root 412K Sep 23 13:00 metadata.tdb
>> > -rw------- 1 root root  16M Sep 23 13:03
>> > CN=CONFIGURATION,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb
>> > -rw------- 1 root root 4.1M Sep 23 13:48
>> > DC=FORESTDNSZONES,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb
>> > -rw------- 1 root root  10M Sep 23 13:50
>> > CN=SCHEMA,CN=CONFIGURATION,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb
>> > -rw------- 1 root root  86M Sep 23 13:50
>> > DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb
>> > -rw------- 1 root root 3.0G Sep 23 13:50
>> > DC=DOMAINDNSZONES,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb
>> >
>> > Also, when I try and join another DC via the FSMO DC there are only
>> > 88,000 objects in DomainDnsZones.
>> >
>> > I know that I don't have that many entries in my DNS, is there any way I
>> > can reduce the overhead on this? Safely?
>>
>> The trick is to remove all deleted objects
>>
>> ldbsearch -H /var/lib/samba/private/sam.ldb -s one -b 'CN=Deleted
>> Objects,DC=DOMAINDNSZONES,DC=EXAMPLE,DC=INTERNAL,DC=COM' --show-recycled
>> objectGUID > deleted.ldif
>>
>> for each objectGUID value you get out of 'grep objectGUID deleted.ldif'
>> you need to run something like this:
>>
>> ldbdel -H /var/lib/samba/private/sam.ldb --show-recycled --relax
>> '<GUID=4fdf6aab-344d-42b8-8d09-c6bc45765953>'
>>
>> You need to do that on every DC and it can be run online.
>> (better not on all DCs at the same time...)
>>
>> This will take a few days to complete.
>>
>> Take a look at 'tdbtool
>> DC=DOMAINDNSZONES,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb info'
>> from time to time to see how many records are still in the file.
>> Note that the filesize on disk stays that large.
>>
>> At the end you need to run the following OFFLINE, making sure
>> no samba/smbd related process is running anymore!!!
>> And make sure you have enough diskspace: the
>> DC=DOMAINDNSZONES,DC=EXAMPLE,DC=INTERNAL,DC=COM.ldb
>> needs to fit 2 additional times.
>>
>> OFFLINE!!!
>>
>>
>> tdbbackup DC\=DOMAINDNSZONES\,DC\=EXAMPLE\,DC\=COM.ldb
>> tdbbackup DC\=DOMAINDNSZONES\,DC\=EXAMPLE\,DC\=COM.ldb.bak
>>
>> tdbdump DC\=DOMAINDNSZONES\,DC\=EXAMPLE\,DC\=COM.ldb | md5sum
>> tdbdump DC\=DOMAINDNSZONES\,DC\=EXAMPLE\,DC\=COM.ldb.bak.bak | md5sum
>>
>> If the md5sums are the same go on:
>>
>> mv DC\=DOMAINDNSZONES\,DC\=EXAMPLE\,DC\=COM.ldb
>> DC\=DOMAINDNSZONES\,DC\=EXAMPLE\,DC\=COM.ldb.orig
>> mv DC\=DOMAINDNSZONES\,DC\=EXAMPLE\,DC\=COM.ldb.bak.bak
>> DC\=DOMAINDNSZONES\,DC\=EXAMPLE\,DC\=COM.ldb
>>
>> Keep backups!
>>
>> metze
>>
>>



-- 
ACS (Alavoine Computer Services Ltd)
Chris Alavoine
mob +44 (0)7724 710 730
www.alavoinecs.co.uk
http://twitter.com/#!/alavoinecs
http://www.linkedin.com/pub/chris-alavoine/39/606/192
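As an added example (my own code, not from the thread or from Samba), a hardened form of the per-GUID ldbdel loop that Stefan describes and that Chris's script automates: every objectGUID value taken from the ldbsearch output is checked against the GUID format before it becomes an ldbdel argument, and the loop defaults to a dry run. The Samba private path is an assumption and the LDIF sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Only well-formed objectGUID values
# from the ldbsearch output reach ldbdel, and nothing is deleted unless
# the caller asks for it. SAMBA_PRIVATE is an assumption (override it).
SAMBA_PRIVATE="${SAMBA_PRIVATE:-/usr/local/samba/private}"
SAM_LDB="$SAMBA_PRIVATE/sam.ldb"

# Constructed sample of what 'ldbsearch ... --show-recycled objectGUID'
# emits; record 3 is deliberately malformed and must be skipped.
SAMPLE_LDIF='# record 1
dn: CN=host1\0ADEL:4fdf6aab-344d-42b8-8d09-c6bc45765953,CN=Deleted Objects,DC=DOMAINDNSZONES,DC=EXAMPLE,DC=INTERNAL,DC=COM
objectGUID: 4fdf6aab-344d-42b8-8d09-c6bc45765953
# record 2
dn: CN=host2\0ADEL:0f1e2d3c-4b5a-4697-8877-665544332211,CN=Deleted Objects,DC=DOMAINDNSZONES,DC=EXAMPLE,DC=INTERNAL,DC=COM
objectGUID: 0f1e2d3c-4b5a-4697-8877-665544332211
# record 3
objectGUID: not-a-guid
'

# extract_guids: LDIF on stdin -> one validated GUID per line on stdout.
# The strict pattern keeps a corrupted or hand-edited file from putting
# arbitrary text into the ldbdel argument.
extract_guids() {
    sed -n 's/^objectGUID: *//p' |
        grep -E '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# delete_guids MODE: GUID list on stdin. MODE "dry-run" (default) prints
# the commands; MODE "run" executes ldbdel and continues past failures.
delete_guids() {
    mode="${1:-dry-run}"
    while read -r guid; do
        if [ "$mode" = "run" ]; then
            ldbdel -H "$SAM_LDB" --show-recycled --relax "<GUID=$guid>" \
                || echo "ldbdel failed for $guid" >&2
        else
            echo "ldbdel -H $SAM_LDB --show-recycled --relax '<GUID=$guid>'"
        fi
    done
}

# Stand-alone demonstration on the constructed sample (nothing is deleted).
printf '%s' "$SAMPLE_LDIF" | extract_guids | delete_guids dry-run
```

Run it on one DC at a time, as the thread advises, and switch to `delete_guids run` only after the dry run lists the records you expect.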

