[Samba] samba AD - bind - deleted DNS entries are not removed completely

Kacper Wirski kacper.wirski at gmail.com
Tue Nov 20 22:56:16 UTC 2018


I've posted about this issue some time ago, but I maybe didn't explain 
myself enough and/or didn't supply enough information.

My setup is centos 7.5 samba 4.8.4 AD DCwith BIND as dns backend.

I noticed that some windows clients stopped doing secure dns dynamic 
updates because of insufficient rights error.

Upon further digging I realized that all of the entries, that were not 
able to be updated, are entries that existed some time in the past (used 
by other hosts - in forward or IP's  -in reverse and later on were for 
whatever reason deleted.

That doesn't seem right to me, that deleted DNS entry is - somewhere 
(where?) kept back and blocks new entry to be added, even though with 
same A record or PTR IP addr.


i added windows host to domain with hostname "PC-1", it created dynamic 
dns A record (PC-1 - <some-ip-address>).

I deleted this entry (using windows dns management console), removed 
"PC-1" from domain, added another host with same name (PC-1). Obviously 
it was a new member so new SID was generated.

Even though DNS entry was deleted, new "PC-1" host was nable to 
dynamically add entry, because - even though deleted - samba still 
"knew" about the deleted entry, which still had as owner previous 
"pc-1". How do I know this?

I manually then re-added "PC-1 <-whatever IP> A record to forward zone. 
And upon inspecting security TAB it had as owner unresolved sid number - 
the exact SID of the deleted original PC-1 host. That completely blocked 
new host with PC-1 hostname to dynamically update it's DNS entry

All DNS managing was done via windows DNS mmc - maybe it's the culprit?

That overall doesn't sound right. Shouldn't removed DNS entries be just 
that - removed? I restarted named, samba, did tombstone expunge with 
lifetime =0 etc.. I'm not sure how to treat this? Is this a bug? 
Expected behaviour? How can I then fix this? I'd rather not have to add 
manually records and change owners. It's not the biggest deal in forward 
zone, but it's much worse for reverse zone. E.g. recently I replaced a 
lot of PC's, all of them got new host names, but they kept IP's that 
belong to old, so now my reverse zone is mostly empty, unless I start 
manually adding entries - which I'd rather not to.



More information about the samba mailing list