[Samba] samba-tool computer delete does not work

Heinz Hölzl heinz.hoelzl at gvcc.net
Wed Nov 20 15:45:29 UTC 2024


hi,
I deleted the accounts with pdbdel.

I did a few spot checks; none of the PC accounts had the attribute dNSHostName.
There are no DNS records concerning the account.

We use bind9 for DNS.
All PCs have a bind9 configured as DNS server, which is a DNS slave of the bind9 on the Samba server.

Here is the requested information:

All DCs are on Samba.

smb.conf

[global]
        netbios name = DCX
        realm = EXAMPLE.NET
        server services = -dns
        workgroup = EXAMPLE
        server role = active directory domain controller
        ad dc functional level = 2016
        idmap_ldb:use rfc2307 = yes
        comment =
        template homedir = /home/%U
        template shell = /bin/bash
        ldap server require strong auth = No
        ntlm auth = Yes

        log level = auth_json_audit:0 auth_audit:3
        logging = syslog
        log file = /dev/null

        password hash gpg key ids = "xxxxxxxxxxxxxxxxxxxxxxx"
        dns forwarder = xxxxxx
        dns update command = /usr/local/samba/sbin/samba_dnsupdate --use-samba-tool
        logon script = login.bat
        dns zone transfer clients allow = xxxxxxxxxxxxxxxxxxx
        prefork children = 4
        prefork children:ldap = 1
        server min protocol = SMB2_10


[netlogon]
        path = /usr/local/samba/var/locks/sysvol/example.net/scripts
        read only = No
        guest ok = Yes
        browseable = No


[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No



Heinz

________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny via samba <samba at lists.samba.org>
Sent: Wednesday, 20 November 2024 16:17
To: samba at lists.samba.org
Cc: Rowland Penny
Subject: Re: [Samba] samba-tool computer delete does not work

On Wed, 20 Nov 2024 10:34:39 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Wed, 20 Nov 2024 10:35:40 +1300
> Douglas Bagnall via samba <samba at lists.samba.org> wrote:
>
> > On 19/11/24 02:40, Heinz Hölzl via samba wrote:
> > > hi,
> > >
> > > I have to delete about 6000 old machine accounts.
> > >
> > > samba-tool computer delete RESERVE23 does not end.
> >
> > What this command does is delete the record itself, then tries to
> > delete related DNS records.
> >
> > I think what is happening is the initial delete is working, but DNS
> > is not, and samba-tool is left waiting for a response.
>
> From my reading of the code, the initial delete shouldn't happen
> unless the computer records are also deleted, they are both inside
> the same 'try'. If it is awaiting a response, then it must be a DNS
> response, there isn't any other response requested.
>
> >
> > To verify this theory:
> > 1. check the account has a dNSHostName attribute
> > 2. look up that address with `dig` or something.
> >
> > If it hangs, then DNS is not working.
> >
>
> This has 'DNS' written all over it. I think we need to know more about
> the domain, what is the DC ? If it is a Samba DC, then seeing the
> smb.conf may help and is bind9 being used ?
>
> Rowland

After reading the code again and thinking about this (yes I know,
thinking is dangerous), I think this is what is happening:

The samba-tool command is run and everything works okay until it gets
to the 'try'. The first thing that the 'try' does is to delete the
computer's entire DN; it then attempts to delete all the computer's DNS
records. If this or deleting the computer's DN fails, then, from my
understanding, the 'try' should fail, the computer's DN deletion
should not happen and an error message 'Failed to remove computer "%s"'
should be printed.
I 'think' that the computer DN is being deleted, but there is some
delay in the DNS response, and when 'CTL-C' is pressed it kills the
'try': the computer DN has been deleted, but none of the further code is
run. It is quite possible that, if you can wait long enough, the command
would error out or even complete successfully.
I feel this is all interconnected with the ldap errors the OP is
having.

So, I repeat, can we have the information I asked for earlier?

Rowland
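The two verification steps Douglas Bagnall suggests above (does the account have a dNSHostName, and does that name resolve without hanging?) are worth scripting before a bulk delete of thousands of accounts, because a single hung DNS query is exactly what leaves the DN removed and the rest of the command never run. The following is an added example, not code from the thread or from the Samba project. It assumes `samba-tool` and `dig` are on PATH and that `samba-tool computer show NAME --attributes=dNSHostName` prints the attribute as an LDIF-style `dNSHostName: value` line (the command and option are assumed; the output format is parsed leniently). `dig` is run with a bounded `+time`/`+tries` so a non-answering DNS server is reported as "timeout" instead of stalling the loop.

```shell
#!/bin/sh
# Added example: pre-flight DNS check for computer accounts before deleting them.
# Not part of the original thread; samba-tool invocation is an assumption.

# Extract the dNSHostName value from LDIF-style text on stdin.
# Prints nothing if the attribute is absent (the "no-dNSHostName" case).
extract_dnshostname() {
    sed -n 's/^dNSHostName: *//p' | head -n 1
}

# Turn a dig exit status plus its +short answer into a one-word verdict.
#   $1 = dig exit status, $2 = dig +short output
# dig exits 9 when no server replied within +time/+tries, which is the
# "DNS is not working" case the thread is chasing.
classify_lookup() {
    status=$1
    answer=$2
    if [ "$status" -eq 9 ]; then
        echo "timeout"
    elif [ "$status" -ne 0 ]; then
        echo "error"
    elif [ -z "$answer" ]; then
        echo "nxdomain"      # resolver answered, but no A record for the name
    else
        echo "resolves"
    fi
}

# Check one computer account: read its dNSHostName, then resolve it with a
# bounded query. Output is tab-separated: name, host, verdict.
check_computer() {
    name=$1
    host=$(samba-tool computer show "$name" --attributes=dNSHostName 2>/dev/null \
           | extract_dnshostname)
    if [ -z "$host" ]; then
        printf '%s\t-\tno-dNSHostName\n' "$name"
        return 0
    fi
    # +time=2 +tries=1 caps the wait at roughly two seconds per name.
    answer=$(dig +short +time=2 +tries=1 A "$host")
    status=$?
    printf '%s\t%s\t%s\n' "$name" "$host" "$(classify_lookup "$status" "$answer")"
}

# Usage (one account name per line in computers.txt):
#   while IFS= read -r n; do check_computer "$n"; done < computers.txt
```

Accounts that come back as "timeout" are the ones to resolve on the DNS side (or to delete with a method that does not attempt the DNS cleanup) before running `samba-tool computer delete` over the whole list; "no-dNSHostName" accounts have nothing for the DNS step to remove.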

