[Samba] samba AD - bind - deleted DNS entries are not removed completely

Wed Nov 21 18:39:53 UTC 2018

To answer my own question:

Yes, it's seems like a feature.

I ran basic ldbsearch query:

ldbsearch -H /usr/local/samba/private/sam.ldb -b 
"DC=DomainDnsZones,DC=mydomain,DC=com" and saw in output entries with:

dNSTombstoned: TRUE

Overall there are a couple hundred entries with as such. So now my 
question is:

How can I safely remove them, any tips/guideliness? I thought that doing 
tombstone expunge would get rid of them - but apparently not.

W dniu 21.11.2018 o 19:20, Kacper Wirski via samba pisze:
> Hello,
>
> Since noone answered, I'll add some more information - maybe I'm 
> unclear about the nature of the issue?
>
> I re-read samba wiki, especially about DNS management and I didn't 
> find any information pointing to such behaviour. I was deleting all 
> entries using windows DNS management console (which is in the sama 
> wiki, so I suppose it's supported)
>
> I don't have unfortunately another  AD environment  to see if it's a 
> bug related to bind/samba or expected behaviour (a feature) and I'm 
> really hoping, that someone could share if they ever ran into the same 
> behaviour when using BIND as backend (deleted dns records not being 
> fully deleted, retaining all windows ACL, including original 
> entry-owner and therefore disallowing any dynamic updates for this 
> record - throwing "insufficient rights" error).
>
> Regards,
>
> Kacper
>
> W dniu 20.11.2018 o 23:56, Kacper Wirski via samba pisze:
>> Hello,
>>
>> I've posted about this issue some time ago, but I maybe didn't 
>> explain myself enough and/or didn't supply enough information.
>>
>> My setup is centos 7.5 samba 4.8.4 AD DCwith BIND as dns backend.
>>
>> I noticed that some windows clients stopped doing secure dns dynamic 
>> updates because of insufficient rights error.
>>
>> Upon further digging I realized that all of the entries, that were 
>> not able to be updated, are entries that existed some time in the 
>> past (used by other hosts - in forward or IP's  -in reverse and later 
>> on were for whatever reason deleted.
>>
>> That doesn't seem right to me, that deleted DNS entry is - somewhere 
>> (where?) kept back and blocks new entry to be added, even though with 
>> same A record or PTR IP addr.
>>
>> Example:
>>
>> i added windows host to domain with hostname "PC-1", it created 
>> dynamic dns A record (PC-1 - <some-ip-address>).
>>
>> I deleted this entry (using windows dns management console), removed 
>> "PC-1" from domain, added another host with same name (PC-1). 
>> Obviously it was a new member so new SID was generated.
>>
>> Even though DNS entry was deleted, new "PC-1" host was nable to 
>> dynamically add entry, because - even though deleted - samba still 
>> "knew" about the deleted entry, which still had as owner previous 
>> "pc-1". How do I know this?
>>
>> I manually then re-added "PC-1 <-whatever IP> A record to forward 
>> zone. And upon inspecting security TAB it had as owner unresolved sid 
>> number - the exact SID of the deleted original PC-1 host. That 
>> completely blocked new host with PC-1 hostname to dynamically update 
>> it's DNS entry
>>
>> All DNS managing was done via windows DNS mmc - maybe it's the culprit?
>>
>> That overall doesn't sound right. Shouldn't removed DNS entries be 
>> just that - removed? I restarted named, samba, did tombstone expunge 
>> with lifetime =0 etc.. I'm not sure how to treat this? Is this a bug? 
>> Expected behaviour? How can I then fix this? I'd rather not have to 
>> add manually records and change owners. It's not the biggest deal in 
>> forward zone, but it's much worse for reverse zone. E.g. recently I 
>> replaced a lot of PC's, all of them got new host names, but they kept 
>> IP's that belong to old, so now my reverse zone is mostly empty, 
>> unless I start manually adding entries - which I'd rather not to.
>>
>> Regards,
>>
>> Kacper
>>
>>
>>
>