[Samba] samba AD - bind - deleted DNS entries are not removed completely
Kacper Wirski
kacper.wirski at gmail.com
Tue Nov 20 22:56:16 UTC 2018
Hello,
I've posted about this issue some time ago, but I maybe didn't explain
myself enough and/or didn't supply enough information.
My setup is centos 7.5 samba 4.8.4 AD DCwith BIND as dns backend.
I noticed that some windows clients stopped doing secure dns dynamic
updates because of insufficient rights error.
Upon further digging I realized that all of the entries, that were not
able to be updated, are entries that existed some time in the past (used
by other hosts - in forward or IP's -in reverse and later on were for
whatever reason deleted.
That doesn't seem right to me, that deleted DNS entry is - somewhere
(where?) kept back and blocks new entry to be added, even though with
same A record or PTR IP addr.
Example:
i added windows host to domain with hostname "PC-1", it created dynamic
dns A record (PC-1 - <some-ip-address>).
I deleted this entry (using windows dns management console), removed
"PC-1" from domain, added another host with same name (PC-1). Obviously
it was a new member so new SID was generated.
Even though DNS entry was deleted, new "PC-1" host was nable to
dynamically add entry, because - even though deleted - samba still
"knew" about the deleted entry, which still had as owner previous
"pc-1". How do I know this?
I manually then re-added "PC-1 <-whatever IP> A record to forward zone.
And upon inspecting security TAB it had as owner unresolved sid number -
the exact SID of the deleted original PC-1 host. That completely blocked
new host with PC-1 hostname to dynamically update it's DNS entry
All DNS managing was done via windows DNS mmc - maybe it's the culprit?
That overall doesn't sound right. Shouldn't removed DNS entries be just
that - removed? I restarted named, samba, did tombstone expunge with
lifetime =0 etc.. I'm not sure how to treat this? Is this a bug?
Expected behaviour? How can I then fix this? I'd rather not have to add
manually records and change owners. It's not the biggest deal in forward
zone, but it's much worse for reverse zone. E.g. recently I replaced a
lot of PC's, all of them got new host names, but they kept IP's that
belong to old, so now my reverse zone is mostly empty, unless I start
manually adding entries - which I'd rather not to.
Regards,
Kacper
More information about the samba
mailing list