[Samba] samba-tool computer delete does not work

Rowland Penny rpenny at samba.org
Wed Nov 20 16:13:35 UTC 2024


On Wed, 20 Nov 2024 15:45:29 +0000
Heinz Hölzl <heinz.hoelzl at gvcc.net> wrote:

See inline comments:

> Hi,
> I deleted the accounts with pdbdel.
> 
> I did a few spot checks; none of the PC accounts had the attribute
> dNSHostName, and there are no DNS records concerning the account.

The computer accounts should have the dNSHostName attribute set.
This seems to explain why it hangs though, the code is this:

            if "dNSHostName" in res[0]:
                computer_dns_host_name = str(res[0]["dNSHostName"][0])
            else:
                computer_dns_host_name = None

Which means that 'computer_dns_host_name' is being set to 'None'.

Then, a bit lower down, in the 'try' there is this:

        try:
            samdb.delete(computer_dn)
            if computer_dns_host_name:
                remove_dns_references(

This means that the 'if' is always run and the subsequent code tries to
remove the dns records for a computer called 'None'; that is the way I
read it.

> 
> We use bind9 for DNS.
> All PCs have a bind9 configured as DNS server, which is a DNS slave of
> the bind9 on the Samba server.

I think we need to know more about your dns server setup, it could be
the cause of your entire problems.

This is how Samba AD DNS works:
Every DC is authoritative for the DNS domain, it is known as multi
master.
Every Samba DC should use itself for its nameserver.
Anything outside the AD DNS domain should be forwarded to an external
nameserver.
Clients should use the DCs as their nameservers, though this could be
via a caching DNS server, never a slave.

Please post your named.conf files (from the DCs and the clients)

> 
> Here is the requested information:
> 
> All DCs are on Samba.
> 
> smb.conf
> 
> [global]
>         netbios name = DCX
>         realm = EXAMPLE.NET
>         server services = -dns
>         workgroup = EXAMPLE
>         server role = active directory domain controller
>         ad dc functional level = 2016
>         idmap_ldb:use rfc2307 = yes
>         comment =
>         template homedir = /home/%U
>         template shell = /bin/bash
>         ldap server require strong auth = No
>         ntlm auth = Yes
> 
>         log level = auth_json_audit:0 auth_audit:3
>         logging = syslog
>         log file = /dev/null
> 
>         password hash gpg key ids = "xxxxxxxxxxxxxxxxxxxxxxx"
>         dns forwarder = xxxxxx

As you are using bind9, the forwarder(s) should be set in the bind9 conf
file.

>         dns update command = /usr/local/samba/sbin/samba_dnsupdate --use-samba-tool
>         logon script = login.bat
>         dns zone transfer clients allow = xxxxxxxxxxxxxxxxxxx
>         prefork children = 4
>         prefork children:ldap = 1
>         server min protocol = SMB2_10
> 
> 
> [netlogon]
>         path = /usr/local/samba/var/locks/sysvol/example.net/scripts
>         read only = No
>         guest ok = Yes

As you do not have 'map to guest = bad user' set in global, you will
not get any guest access.

>         browseable = No
> 
> 
> [sysvol]
>         path = /usr/local/samba/var/locks/sysvol
>         read only = No
> 

Rowland
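
The two smb.conf points raised in the reply above (a 'dns forwarder' set while the internal DNS server is disabled, and 'guest ok' without 'map to guest'), as an added example check that is not part of the original message or of Samba itself. The function names and the sample file are constructed for illustration; the check assumes the smb.conf default of 'map to guest = Never'.

```python
# Constructed sample (not the poster's file); 192.0.2.53 is a placeholder address.
SAMPLE = """\
[global]
        server services = -dns
        server role = active directory domain controller
        dns forwarder = 192.0.2.53
[netlogon]
        path = /usr/local/samba/var/locks/sysvol/example.net/scripts
        guest ok = Yes
"""

def parse_smb_conf(text):
    """Return {section: {param: value}} with lowercased, space-normalised names."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def is_true(value):
    return value.strip().lower() in ("yes", "true", "on", "1")

def audit(conf):
    """Flag the two settings the reply comments on."""
    findings = []
    glob = conf.get("global", {})
    services = glob.get("server services", "").replace(",", " ").split()
    # '-dns' turns the internal DNS server off (bind9 is used instead),
    # so forwarders belong in the bind9 configuration.
    if "-dns" in services and "dns forwarder" in glob:
        findings.append("global: 'dns forwarder' set but internal DNS is disabled")
    # Assumed default when the parameter is absent: never.
    map_to_guest = glob.get("map to guest", "never").lower()
    for name, params in conf.items():
        if name != "global" and is_true(params.get("guest ok", "no")) \
                and map_to_guest == "never":
            findings.append(f"{name}: 'guest ok' set without 'map to guest'")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_smb_conf(SAMPLE)):
        print(finding)
```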


