[Samba] samba4: cleaning up deleted DNS objects

Achim Gottinger achim at ag-web.biz
Sat Jan 31 13:38:16 MST 2015


Am 31.01.2015 um 20:15 schrieb Achim Gottinger:
> Hi Bram,
>
> Am 31.01.2015 um 10:39 schrieb Bram Matthys:
>> Hi,
>>
>> First of all, apologies in advance to email you off-list. Hope it's ok.
>> I work at a high school and we use Samba4 for ~250 seats and I'm having the
>> same issue as you: a DNS .ldb file of 600MB.
>> I was searching for a way to clean these up and was wondering if you could
>> share your experience (what you did, and if you had any issues).
>>
>> I found it a pity that 'ldbdel' does not allow you to search by attributes,
>> so now I'm doing:
>>
>> # ldbsearch -H /root/DC\=DOMAINDNSZONES\,DC\=JNET\,DC\=HERMANJORDAN\,DC\=NL.ldb 'isDeleted=TRUE' | grep dn: | /root/massdelhelper > /root/killthese
>>
>> # ldbmodify -H /root/DC\=DOMAINDNSZONES\,DC\=JNET\,DC\=HERMANJORDAN\,DC\=NL.ldb /root/killthese
>> Modified 107156 records successfully
>>
>> Where the '/root/massdelhelper' script is:
>> **
>> #!/bin/bash
>> # Read "dn: ..." lines from stdin and emit an LDIF delete record for each,
>> # skipping the Deleted Objects container itself.
>> while true
>> do
>>     read -r x || exit
>>     if [ "$x" != "dn: CN=Deleted Objects,DC=DomainDnsZones,.etc.,DC=nl" ]; then
>>         echo "$x"
>>         echo "changetype: delete"
>>         echo ""
>>     fi
>> done
>> **
>>
>> (As you can see this is a test on a copy, not in the samba directory)
>>
>> When I do an ldapsearch I can indeed confirm the bad entries are gone, as
>> only 307 are left over.
>>
>> Strange thing is now I have:
>> # ls -alh DC*
>> -rw------- 1 root root 1.7G Jan 31 10:26 DC=DOMAINDNSZONES,DC=JNET,DC=HERMANJORDAN,DC=NL.ldb
>> -rw------- 1 root root 656M Jan 31 09:53 DC=DOMAINDNSZONES,DC=JNET,DC=HERMANJORDAN,DC=NL.ldb.before
>>
>> So it actually doubled in size (huh?)
>>
>> Did you do something like that? Did it work out or create all kinds of issues?
>>
>> Did you use ldbtools or ldaptools? Any (other) tips?
>>
>> Thanks a lot in advance,
>>
>> Bram Matthys
>> System-/Network administrator
>> Montessori Lyceum Herman Jordan
>>
>> PS: In case you wonder why I haven't updated Samba. I will soon. I already
>> did a test upgrade and it did not delete these objects.. or at least not the
>> first hour.. and had a few critical (DNS-unrelated) issues. So hence wanting
>> to clean this up first, before the upgrade.
> First thing you need to do is update samba, there was an issue with
> Deleted Objects causing these huge DNS database files.
> Active Directory keeps Deleted Objects around for "tombstone
> lifetime", which is 180 days by default. What I did back then after
> upgrading samba was reducing the tombstone lifetime in small steps (10
> days) down to 30 days.
> I always waited till the number of deleted objects no longer
> shrank. The whole process can take a few hours.
> After that was done I stopped samba and made a backup of the
> sam.ldb.d files. This results in much smaller ldb files ending in
> .ldb.bak. I copied these to their original .ldb files, started samba
> again and after I did this on all DCs I increased the tombstone lifetime
> back to 180 days.
> See here how to change the tombstone lifetime attribute:
> https://wiki.samba.org/index.php/Restoring_deleted_AD_objects
>
> Hope that helps.
>
> achim~
>
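The LDIF-generating step from the thread above, written out as an added example (it is not Bram's massdelhelper script nor Achim's procedure, and nothing here comes from the Samba project). Where the original pipes `ldbsearch` through `grep dn:`, this version reads the full LDIF that `ldbsearch` prints, unfolds continuation lines (a DN longer than the wrap width is emitted as a line followed by lines starting with a single space, which `grep dn:` silently truncates), ignores the `# record` comment lines, passes base64 `dn::` values through unchanged, and skips the Deleted Objects container by a case-insensitive DN comparison instead of an exact string match. The partition DN `DC=DomainDnsZones,DC=example,DC=com`, the GUIDs and the sample `ldbsearch` output are all constructed for this example. As the thread notes, deleting the records does not shrink the .ldb file on its own; the backup/restore step Achim describes is what reclaims the space.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns the LDIF that ldbsearch
# prints for 'isDeleted=TRUE' into an LDIF of 'changetype: delete' records,
# excluding the Deleted Objects container itself.
#
# Assumptions (constructed for this example): the zone partition is
# DC=DomainDnsZones,DC=example,DC=com and the GUIDs in SAMPLE_LDIF are made up.

CONTAINER='CN=Deleted Objects,DC=DomainDnsZones,DC=example,DC=com'

# Read LDIF on stdin, write delete LDIF on stdout.
# $1: DN of the container that must NOT be deleted (compared case-insensitively).
tombstones_to_delete_ldif() {
    awk -v keep="$1" '
        # Emit a delete record for the buffered logical line if it is a dn line
        # and is not the protected container. Base64 "dn::" lines never match
        # the textual container DN and are printed as they are.
        function flush(    dn) {
            if (buf ~ /^dn::? /) {
                dn = buf
                sub(/^dn::? /, "", dn)
                if (tolower(dn) != tolower(keep)) {
                    print buf
                    print "changetype: delete"
                    print ""
                }
            }
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }   # folded continuation line
        { flush(); buf = $0 }                      # start of a new logical line
        END { flush() }
    '
}

# Constructed sample of what "ldbsearch -H <zone>.ldb isDeleted=TRUE" prints:
# the container itself, a tombstone whose DN is folded across two lines, and
# a tombstone on a single line.
SAMPLE_LDIF='# record 1
dn: CN=Deleted Objects,DC=DomainDnsZones,DC=example,DC=com
isDeleted: TRUE

# record 2
dn: DC=host1\0ADEL:11111111-1111-1111-1111-111111111111,CN=Deleted Objects,DC=D
 omainDnsZones,DC=example,DC=com
isDeleted: TRUE

# record 3
dn: DC=host2\0ADEL:22222222-2222-2222-2222-222222222222,CN=Deleted Objects,DC=DomainDnsZones,DC=example,DC=com
isDeleted: TRUE

# returned 3 records
'

# Number of delete records produced from the sample (2: the container is skipped).
count_delete_records() {
    printf '%s' "$SAMPLE_LDIF" | tombstones_to_delete_ldif "$CONTAINER" \
        | grep -c '^changetype: delete'
}

# Succeeds if the folded DN of record 2 came out as one complete line.
folded_dn_unfolded() {
    printf '%s' "$SAMPLE_LDIF" | tombstones_to_delete_ldif "$CONTAINER" \
        | grep -q '^dn: DC=host1.*,DC=DomainDnsZones,DC=example,DC=com$'
}

# Succeeds if the container DN itself never appears in the delete LDIF.
container_excluded() {
    ! printf '%s' "$SAMPLE_LDIF" | tombstones_to_delete_ldif "$CONTAINER" \
        | grep -q '^dn: CN=Deleted Objects,DC=DomainDnsZones,DC=example,DC=com$'
}

# Stand-alone run: print the LDIF that would be handed to ldbmodify. Against a
# real (copied, as in the thread) zone file the pipeline would be:
#   ldbsearch -H "$ZONE_LDB" 'isDeleted=TRUE' | tombstones_to_delete_ldif "$CONTAINER" > killthese.ldif
#   ldbmodify -H "$ZONE_LDB" killthese.ldif
printf '%s' "$SAMPLE_LDIF" | tombstones_to_delete_ldif "$CONTAINER"
```

The container DN is passed in explicitly rather than hard-coded so the same function works for any partition; compare it against the DN that `ldbsearch` actually prints for the container before running the result through `ldbmodify`.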


