DNS scavenging, big DCDOMAINZONES ldb etc.

Denis Cardon denis.cardon at tranquil-it-systems.fr
Wed Jul 29 16:20:24 UTC 2015


Hi Lykov,

On 29/07/2015 15:27, Лыков Михаил wrote:
> On 29.07.2015 14:33, Stefan Metzmacher wrote:
>
>>> Is it true?
>> https://bugzilla.samba.org/show_bug.cgi?id=10749 was fixed in 4.1.12.
>> But https://bugzilla.samba.org/show_bug.cgi?id=10812 is still open,
>> but that's not as critical.
>
> Ok, thanks.
> On the new version records do not grow insanely, but the old records will
> still be here until I delete them as below?

Yes, I fear so. It was a quite common issue on Samba AD before the fix.

>> Grep the objectGUID from all deleted objects on *one* dc
>
> I have a search result like
>
> # record 1
> dn: DC=SAMG62\0ADEL:c39c5d9f-2dca-437d-832e-f57830f02fa5,CN=Deleted
> Objects,DC=DomainDnsZones,DC=dc,DC=samges,DC=ru
> isDeleted: TRUE
>
> # record 2
> dn: DC=SAMG122\0ADEL:22f9115b-1ee2-4f56-9dd7-8b728c66b8e2,CN=Deleted
> Objects,DC=DomainDnsZones,DC=dc,DC=samges,DC=ru
> isDeleted: TRUE
>
> Where do I find those objectGUIDs?
>
>> and write a script that removes all of them by using
>> '<GUID=${objectGUID}>' as
>> dn; you'll need to use the show deleted and relax controls.
>
> I'm not sure that I understand this part correctly. Can you explain how
> to get that GUID list and what command removes them?

You can get the objectGUID running ldbsearch on both servers (be sure to 
write "objectGUID" at the end of the query):

ldbsearch --cross-ncs --show-deleted -H /usr/local/samba/private/sam.ldb -b "CN=Deleted Objects,DC=DomainDnsZones,DC=tranquilit,DC=local" objectGUID

Then you select the entries with the same objectGUID on the two servers. If 
you have an entry which is not on both servers, it means that the 
deletion process has not yet been replicated across all your DCs, and 
you should delete that entry.

From those deleted entries that have been properly replicated, you take 
the DN and delete it with ldbdel on both servers.

ldbdel -H /usr/local/samba/private/sam.ldb --cross-ncs --show-deleted <DN>

I don't think it is possible to directly pass an LDAP filter to ldbdel. 
But you can script something quickly with bash or python.

Then compress your tdb files like metze wrote previously.

Cheers,

Denis

>
> If I have 2 DCs, may I run this online on one, and then on the other?
>
>> The removing step needs to run on all servers (not at the same time),
>> but you need to use exactly the same list of objectGUIDs on all servers.
>>
>> Do that on one server at a time, maybe offline directly on the sam.ldb.
>> The server will be busy for hours or days.... The 'TDB_NO_FSYNC=1' env var
>> might
>> speed it up but will lead to corruption on a hard reset of the box.
>
> Ok, it's clear.
>
>> If that's done you can do the following (OFFLINE! check with lsof -n
>> |grep ldb)
>>
>> cd /var/lib/samba/private/sam.ldb.d/
>> mv DC=DOMAINDNSZONES,DC=DC,DC=SAMGES,DC=RU.ldb DC=DOMAINDNSZONES,DC=DC,DC=SAMGES,DC=RU.ldb.orig
>> tdbbackup DC=DOMAINDNSZONES,DC=DC,DC=SAMGES,DC=RU.ldb.orig
>> tdbbackup DC=DOMAINDNSZONES,DC=DC,DC=SAMGES,DC=RU.ldb.orig.bak
>> rm DC=DOMAINDNSZONES,DC=DC,DC=SAMGES,DC=RU.ldb.orig.bak
>> mv DC=DOMAINDNSZONES,DC=DC,DC=SAMGES,DC=RU.ldb.orig.bak.bak DC=DOMAINDNSZONES,DC=DC,DC=SAMGES,DC=RU.ldb
>>
>> tdbdump DC=DOMAINDNSZONES,DC=DC,DC=SAMGES,DC=RU.ldb | md5sum
>> and
>> tdbdump DC=DOMAINDNSZONES,DC=DC,DC=SAMGES,DC=RU.ldb.orig
>>
>> should match now...
>
> maybe
> tdbdump DC=DOMAINDNSZONES,DC=DC,DC=SAMGES,DC=RU.ldb | md5sum
>   and
> tdbdump DC=DOMAINDNSZONES,DC=DC,DC=SAMGES,DC=RU.ldb.orig | md5sum
>
> ?
>
>>> And what about sysvol replication (somewhat off topic)? Right now it is done by cron
>>> + rsync; is it implemented internally?
>> No not yet.
>
> I got it.
>
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr
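As an added example that is not part of the thread: a small Python script of the kind Denis suggests, which parses the ldbsearch output captured from two DCs, keeps only the tombstones whose objectGUID is present on every DC, and builds ldbdel commands addressed by '<GUID=...>' as metze describes. The LDIF text and GUID values below are constructed for the example, and the --relax flag follows metze's note that the relax control is needed.

```python
import re
from typing import Dict, List

# Constructed ldbsearch output (LDIF; folded lines start with one space).
# DNs mirror the thread, GUID values are made up for the example.
DC1_OUTPUT = """\
# record 1
dn: DC=SAMG62\\0ADEL:c39c5d9f-2dca-437d-832e-f57830f02fa5,CN=Deleted
  Objects,DC=DomainDnsZones,DC=dc,DC=samges,DC=ru
objectGUID: c39c5d9f-2dca-437d-832e-f57830f02fa5

# record 2
dn: DC=SAMG122\\0ADEL:22f9115b-1ee2-4f56-9dd7-8b728c66b8e2,CN=Deleted
  Objects,DC=DomainDnsZones,DC=dc,DC=samges,DC=ru
objectGUID: 22f9115b-1ee2-4f56-9dd7-8b728c66b8e2
"""
DC2_OUTPUT = """\
# record 1
dn: DC=SAMG62\\0ADEL:c39c5d9f-2dca-437d-832e-f57830f02fa5,CN=Deleted
  Objects,DC=DomainDnsZones,DC=dc,DC=samges,DC=ru
objectGUID: c39c5d9f-2dca-437d-832e-f57830f02fa5

# returned 1 records
"""

def parse_ldbsearch(output: str) -> Dict[str, str]:
    """Map objectGUID -> dn for every record in ldbsearch LDIF output."""
    unfolded = re.sub(r"\n ", "", output)  # join LDIF continuation lines
    records: Dict[str, str] = {}
    for block in unfolded.split("\n\n"):
        attrs = dict(line.split(": ", 1) for line in block.splitlines()
                     if ": " in line and not line.startswith("#"))
        if "dn" in attrs and "objectGUID" in attrs:
            records[attrs["objectGUID"].strip()] = attrs["dn"].strip()
    return records

def split_by_replication(*dumps: str):
    """Return (replicated, pending): GUIDs seen on every DC vs. on only some."""
    sets = [set(parse_ldbsearch(d)) for d in dumps]
    everywhere = set.intersection(*sets)
    return sorted(everywhere), sorted(set.union(*sets) - everywhere)

def ldbdel_commands(guids: List[str], sam_ldb: str) -> List[str]:
    """One ldbdel per tombstone, addressed by '<GUID=...>' as metze advised."""
    return [f"ldbdel -H {sam_ldb} --cross-ncs --show-deleted --relax '<GUID={g}>'"
            for g in guids]
```

Run the same `replicated` list on each DC in turn; the `pending` GUIDs are the ones whose deletion has not yet reached every DC.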