[Samba] samba4: cleaning up deleted DNS objects

Sat Jan 31 12:15:08 MST 2015

Hi Bram,

Am 31.01.2015 um 10:39 schrieb Bram Matthys:
> Hi,
>
> First of all, apologies in advance to email you off-list. Hope it's ok.
> I work at a high school and we use Samba4 for ~250 seats and I'm having the
> same issue as you: a DNS .ldb file of 600MB.
> I was searching for a way to clean these up and was wondering if you could
> share your experience (what you did, and if you had any issues).
>
> I found it a pitty that 'ldbdel' does not allow you to search by attributes,
> so now I'm doing:
>
> # ldbsearch -H
> /root/DC\=DOMAINDNSZONES\,DC\=JNET\,DC\=HERMANJORDAN\,DC\=NL.ldb
> 'isDeleted=TRUE'|grep dn:|/root/massdelhelper >/root/killthese
>
> # ldbmodify -H
> /root/DC\=DOMAINDNSZONES\,DC\=JNET\,DC\=HERMANJORDAN\,DC\=NL.ldb /root/killthese
> Modified 107156 records successfully
>
> Where the '/root/massdelhelper' script is:
> **
> #!/bin/bash
> while true
> do
> read -r x || exit
> if [ "$x" != "dn: CN=Deleted Objects,DC=DomainDnsZones,.etc.,DC=nl" ]; then
>          echo "$x"
>          echo "changetype: delete"
>          echo ""
> fi
> done
> **
>
> (As you can see this is a test on a copy, not in the samba directory)
>
> When I do an ldapsearch I can indeed confirm the bad entries are gone, as
> only 307 are left over.
>
> Strange thing is now I have:
> # ls -alh DC*
> -rw------- 1 root root 1.7G Jan 31 10:26
> DC=DOMAINDNSZONES,DC=JNET,DC=HERMANJORDAN,DC=NL.ldb
> -rw------- 1 root root 656M Jan 31 09:53
> DC=DOMAINDNSZONES,DC=JNET,DC=HERMANJORDAN,DC=NL.ldb.before
>
> So it actually doubled in size (huh?)
>
> Did you do something like that? Did it work out or create all kinds of issues?
>
> Did you use ldbtools or ldaptools? Any (other) tips?
>
> Thanks a lot in advance,
>
> Bram Matthys
> System-/Network administrator
> Montessori Lyceum Herman Jordan
>
> PS: In case you wonder why I haven't updated Samba. I will soon. I already
> did a test upgrade and it did not delete these objects.. or at least not the
> first hour.. and had a few critical (DNS-unrelated) issues. So hence wanting
> to clean this up first, before the upgrade.
First thing you need to do is update samba, there was an issue with 
Deleted Objects causing these huge DNS database files.
Active Directory keeps Deleted Objects around for "tombstonde 
lifeteime", which is 180 days by default. What i did back the after 
upgrading samba was reducing tombstone lifetime in small steps (1o days) 
down to 30 day.
I always waited till the number of deleted objects did no longer shrink. 
The whole process can take a few hours.
After that was done i stopped samba and made an backup of the sam.ldb.d 
files. This results in much smaller ldb files ending in ldb.bak. I 
copied these to their origin .ldp files, started samba again and after i 
did this on all dc's i increased tombstone lifetime back to 180 days.
See here how to change the tombstone lifetime attribute.

Hope that helps.

achim~