[Samba] samba AD - bind - deleted DNS entries are not removed completely
Kacper Wirski
kacper.wirski at gmail.com
Wed Nov 21 18:39:53 UTC 2018
To answer my own question:
Yes, it seems like a feature.
I ran a basic ldbsearch query:

    ldbsearch -H /usr/local/samba/private/sam.ldb -b "DC=DomainDnsZones,DC=mydomain,DC=com"

and saw in the output entries with:

    dNSTombstoned: TRUE

Overall there are a couple hundred such entries. So now my
question is:
How can I safely remove them, any tips/guidelines? I thought that doing
tombstone expunge would get rid of them - but apparently not.
On 21.11.2018 at 19:20, Kacper Wirski via samba wrote:
> Hello,
>
> Since no one answered, I'll add some more information - maybe I'm
> unclear about the nature of the issue?
>
> I re-read samba wiki, especially about DNS management and I didn't
> find any information pointing to such behaviour. I was deleting all
> entries using windows DNS management console (which is in the samba
> wiki, so I suppose it's supported)
>
> I don't have unfortunately another AD environment to see if it's a
> bug related to bind/samba or expected behaviour (a feature) and I'm
> really hoping, that someone could share if they ever ran into the same
> behaviour when using BIND as backend (deleted dns records not being
> fully deleted, retaining all windows ACL, including original
> entry-owner and therefore disallowing any dynamic updates for this
> record - throwing "insufficient rights" error).
>
> Regards,
>
> Kacper
>
> On 20.11.2018 at 23:56, Kacper Wirski via samba wrote:
>> Hello,
>>
>> I've posted about this issue some time ago, but I maybe didn't
>> explain myself enough and/or didn't supply enough information.
>>
>> My setup is centos 7.5 samba 4.8.4 AD DC with BIND as dns backend.
>>
>> I noticed that some windows clients stopped doing secure dns dynamic
>> updates because of insufficient rights error.
>>
>> Upon further digging I realized that all of the entries, that were
>> not able to be updated, are entries that existed some time in the
>> past (used by other hosts - in forward or IP's - in reverse) and later
>> on were for whatever reason deleted.
>>
>> That doesn't seem right to me, that deleted DNS entry is - somewhere
>> (where?) kept back and blocks new entry to be added, even though with
>> same A record or PTR IP addr.
>>
>> Example:
>>
>> I added windows host to domain with hostname "PC-1", it created
>> dynamic dns A record (PC-1 - <some-ip-address>).
>>
>> I deleted this entry (using windows dns management console), removed
>> "PC-1" from domain, added another host with same name (PC-1).
>> Obviously it was a new member so new SID was generated.
>>
>> Even though DNS entry was deleted, new "PC-1" host was unable to
>> dynamically add entry, because - even though deleted - samba still
>> "knew" about the deleted entry, which still had as owner previous
>> "pc-1". How do I know this?
>>
>> I manually then re-added "PC-1 <-whatever IP>" A record to forward
>> zone. And upon inspecting security TAB it had as owner unresolved sid
>> number - the exact SID of the deleted original PC-1 host. That
>> completely blocked new host with PC-1 hostname to dynamically update
>> its DNS entry.
>>
>> All DNS managing was done via windows DNS mmc - maybe it's the culprit?
>>
>> That overall doesn't sound right. Shouldn't removed DNS entries be
>> just that - removed? I restarted named, samba, did tombstone expunge
>> with lifetime =0 etc.. I'm not sure how to treat this? Is this a bug?
>> Expected behaviour? How can I then fix this? I'd rather not have to
>> add manually records and change owners. It's not the biggest deal in
>> forward zone, but it's much worse for reverse zone. E.g. recently I
>> replaced a lot of PC's, all of them got new host names, but they kept
>> IP's that belong to old, so now my reverse zone is mostly empty,
>> unless I start manually adding entries - which I'd rather not do.
>>
>> Regards,
>>
>> Kacper
>>
>>
>>
>
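
An added example, not part of the original post or of Samba's own tooling: a Python script that inventories the dNSTombstoned: TRUE records in saved output of the ldbsearch query quoted in the message, grouped by zone, so the leftover entries can be reviewed before any cleanup. The sample LDIF is constructed; the DC=<name>,DC=<zone>,CN=MicrosoftDNS layout of the record DNs and the plain comma split of the DN are assumptions.

```python
import base64
import sys
from collections import defaultdict

# Constructed sample (not from the post); record 3 uses LDIF's base64 "dn::" form.
_REV = b"DC=15,DC=1.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=com"
SAMPLE_LDIF = (
    "# record 1\n"
    "dn: DC=PC-1,DC=mydomain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=\n"
    " com\n"
    "objectClass: dnsNode\ndNSTombstoned: TRUE\n\n"
    "# record 2\n"
    "dn: DC=PC-2,DC=mydomain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=com\n"
    "objectClass: dnsNode\ndNSTombstoned: FALSE\n\n"
    "# record 3\n"
    "dn:: " + base64.b64encode(_REV).decode() + "\n"
    "dNSTombstoned: TRUE\n\n# returned 3 records\n"
)

def parse_records(text):
    """Parse ldbsearch LDIF output into a list of {attr: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, cur = [], defaultdict(list)
    for line in lines + [""]:               # trailing "" flushes the last record
        if not line.strip():
            if "dn" in cur:
                records.append(dict(cur))
            cur = defaultdict(list)
        elif not line.startswith("#"):      # skip "# record N" comments
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            cur[attr.lower()].append(value.strip())
    return records

def tombstoned_by_zone(text):
    """Return {zone: [record names]} for entries carrying dNSTombstoned: TRUE."""
    zones = defaultdict(list)
    for rec in parse_records(text):
        if "TRUE" in rec.get("dnstombstoned", []):
            rdns = rec["dn"][0].split(",")  # assumed layout: DC=<name>,DC=<zone>,...
            zones[rdns[1].partition("=")[2]].append(rdns[0].partition("=")[2])
    return dict(zones)

if __name__ == "__main__":  # pipe ldbsearch output in, or run bare for the sample
    print(tombstoned_by_zone(SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()))
```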