[Samba] samba4 AD DNS zone corrupted

Johannes Schmid smbml at rotfl.org
Thu Nov 29 16:02:22 MST 2012


On 11/29/2012 03:26 AM, Stephen Jones wrote:

 > If you want to delete the TXT record my suggestion would be to use
 > nsupdate.  This tool is part of BIND.  My advice would be to avoid
 > samba-tool, or at least the dns part of it.  When I tried to use it I
 > just got errors.  I think it's still rather experimental.  But
 > nsupdate works.

Thanks for the hint. It raised my hopes for a few seconds, but it 
doesn't work, as the record I want to remove seems really really broken.

As suggested, I ran this command (while being kerberos-authenticated):

# nsupdate -g
 > update delete _kerberos.mitxp.com TXT
 > send

This is what bind logs when issuing the command:

Nov 29 23:23:36 vmsrvr1 named[1701]: samba_dlz: starting transaction on 
zone mydomain.local
Nov 29 23:23:36 vmsrvr1 named[1701]: samba_dlz: allowing update of 
signer=administrator\@MYDOMAIN.LOCAL name=_kerberos.mydomain.local 
tcpaddr=192.168.122.1 type=TXT 
key=3710301881.sig-sambapdc.mydomain.local/160/0
Nov 29 23:23:36 vmsrvr1 named[1701]: client 192.168.122.1#53087: 
updating zone 'mydomain.local/NONE': deleting rrset at 
'_kerberos.mydomain.local' TXT
Nov 29 23:23:36 vmsrvr1 named[1701]: samba_dlz: failed to parse 
dnsRecord for 
DC=_kerberos,DC=mydomain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=local
Nov 29 23:23:36 vmsrvr1 named[1701]: samba_dlz: committed transaction on 
zone mydomain.local

As you can see, it has problems deleting the DNS record because it 
cannot parse it. Extremely annoying. Even though the last log message 
says "committed transaction on zone", the DNS record is still there and 
is still causing problems with the complete zone.


But I found the solution! I just wanted to write it down in case someone 
else has the same problem:

You need to delete the record directly from the LDB-File. This is how 
it's done:

ldbdel -H /var/lib/samba/private/dns/sam.ldb 
"DC=_kerberos,DC=mydomain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=local"

After that, I restarted samba, just to be on the safe side. And after 
that, my DNS zone was OK. Thanks to everyone who helped me debug this.



PS: Just in case a samba developer is interested in the LDB record, 
here's the result presented by ldbsearch before I deleted it:

# ldbsearch -H /var/lib/samba/private/dns/sam.ldb -b 
"DC=_kerberos,DC=mydomain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=local" 
"(objectclass=dnsNode)" --show-binary

# record 1
dn: 
DC=_kerberos,DC=mydomain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=local
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20121119125920.0Z
whenChanged: 20121119125920.0Z
uSNCreated: 4082
uSNChanged: 4082
showInAdvancedViewOnly: TRUE
name: _kerberos
objectGUID: 0bbee647-94ac-4a9c-8c2a-90deca29cdfe
ndr_pull_error(11): Pull bytes 15 (../librpc/ndr/ndr_basic.c:420)
dnsRecord: <Unable to decode binary data>
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=mydomain,DC=local
dc: _kerberos
distinguishedName: 
DC=_kerberos,DC=mydomain.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=local

Note: the 15 "pull bytes" are probably MYDOMAIN.LOCAL + a terminating 
character. At least that is what I assume, because I created the TXT 
record with "MYDOMAIN.LOCAL" as content.

-- 
Best regards,
   -Johannes.
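The following is an added example, not code from the post above or from the Samba project. It decodes the dnsRecord attribute value as a DNS_RPC_RECORD in the layout MS-DNSP documents (24-byte header with a big-endian TTL, then wDataLength bytes of type-specific data; for TXT, a run of length-prefixed strings with no terminator), which is what samba_dlz's "failed to parse dnsRecord" refers to. It also builds a constructed corrupt blob whose string length byte claims one byte more than is stored, to show what a "pull bytes 15" style failure looks like on a 14-character string; that blob is an assumption about one possible cause, not the actual bytes from the broken record. Field defaults (rank 0xF0, version 5, TTL 900, serial 1) are plausible values chosen for the example.

```python
"""Decode and validate Samba AD dnsRecord blobs (MS-DNSP DNS_RPC_RECORD).

Added example; not from the mailing-list post or the Samba source.
Layout assumed per MS-DNSP: 24-byte header, then wDataLength data bytes.
TXT data is a sequence of (length byte, bytes) strings without terminators.
"""
import struct

DNS_TYPE_TXT = 0x0010
HEADER_LEN = 24


class DnsRecordError(ValueError):
    """Raised when the blob cannot be decoded (what samba_dlz logs as a parse failure)."""


def _header(data_len, rtype, version=5, rank=0xF0, flags=0, serial=1, ttl=900):
    # wDataLength, wType, version, rank, flags, dwSerial are little-endian;
    # dwTtlSeconds is big-endian; dwReserved and dwTimeStamp follow (0 here).
    return (struct.pack("<HHBBHI", data_len, rtype, version, rank, flags, serial)
            + struct.pack(">I", ttl)
            + struct.pack("<II", 0, 0))


def encode_txt_record(strings, **header_fields):
    """Build a well-formed TXT dnsRecord from a list of text strings."""
    data = b""
    for text in strings:
        raw = text.encode("ascii")
        if len(raw) > 255:
            raise DnsRecordError("TXT string longer than 255 bytes")
        data += bytes([len(raw)]) + raw   # length byte, then the bytes, no NUL
    return _header(len(data), DNS_TYPE_TXT, **header_fields) + data


def decode_string_list(data):
    """Walk the TXT data; fail the way an NDR pull does when a length overruns."""
    strings, off = [], 0
    while off < len(data):
        need = data[off]
        off += 1
        chunk = data[off:off + need]
        if len(chunk) < need:
            raise DnsRecordError(f"pull bytes {need}: only {len(chunk)} bytes left in data")
        strings.append(chunk.decode("ascii", "replace"))
        off += need
    return strings


def decode_record(blob):
    """Parse one dnsRecord value into a dict; raises DnsRecordError on corruption."""
    if len(blob) < HEADER_LEN:
        raise DnsRecordError(f"blob is {len(blob)} bytes, header needs {HEADER_LEN}")
    data_len, rtype, version, rank, flags, serial = struct.unpack_from("<HHBBHI", blob, 0)
    (ttl,) = struct.unpack_from(">I", blob, 12)
    _reserved, timestamp = struct.unpack_from("<II", blob, 16)
    data = blob[HEADER_LEN:HEADER_LEN + data_len]
    if len(data) < data_len:
        raise DnsRecordError(f"wDataLength {data_len} but only {len(data)} data bytes present")
    rec = {"type": rtype, "version": version, "rank": rank, "flags": flags,
           "serial": serial, "ttl": ttl, "timestamp": timestamp}
    if rtype == DNS_TYPE_TXT:
        rec["strings"] = decode_string_list(data)
    else:
        rec["data"] = data          # other types left raw in this example
    return rec


def validate(blob):
    """Return None when the blob decodes cleanly, otherwise the error text."""
    try:
        decode_record(blob)
    except DnsRecordError as exc:
        return str(exc)
    return None


def truncated_txt_blob(text):
    """Constructed corruption (assumption, not the real record): the string's
    length byte counts one byte more than is stored, e.g. a terminator that
    was counted but never written."""
    data = bytes([len(text) + 1]) + text
    return _header(len(data), DNS_TYPE_TXT) + data


if __name__ == "__main__":
    good = encode_txt_record(["MYDOMAIN.LOCAL"])
    print("good:", decode_record(good))
    print("bad: ", validate(truncated_txt_blob(b"MYDOMAIN.LOCAL")))
```

Run against a value pulled from sam.ldb (for instance via ldbsearch without --show-binary, base64-decoding the dnsRecord attribute), validate() tells you which field overruns before you resort to deleting the whole dnsNode with ldbdel.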

