[Samba] samba-tool computer delete does not work

Heinz Hölzl heinz.hoelzl at gvcc.net
Wed Nov 20 17:24:32 UTC 2024


> Every Samba DC should use itself for its nameserver.
We configured it like this:


bind9 on a DC:

/etc/bind/named.conf:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.samba";

cat /etc/bind/named.conf.options
options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	// NOTE(review): 172.27.2.12/.11 are annotated as the clients' primary
	// DNS servers, presumably the bind9 hosts that slave the AD zones from
	// this DC (see the named.conf.slaves excerpts further down). Every
	// non-AD lookup made by the DC therefore depends on those hosts; with
	// no "forward only" here, named falls back to its own recursion when
	// they do not answer. The "<---" text on the address line is the
	// author's annotation, not valid named.conf syntax.
	forwarders {
	 	172.27.2.12; 172.27.2.11; <--- Primary DNS (used by
clients)
	};
	// Recursive service, cache reads and zone transfers are all granted to
	// any source address. If this DC is reachable from outside the internal
	// network it is an open resolver and the complete AD zones can be
	// fetched by anyone via AXFR. Restrict allow-recursion and
	// allow-query-cache to the internal client ranges and allow-transfer
	// to the address(es) of the secondary DNS servers; allow-query { any; }
	// is fine for an authoritative server.
        recursion yes;
        allow-query     { any; };
        allow-recursion { any; };
        allow-query-cache { any; };
        allow-transfer  { any; };
        #keep-response-order { any; };


	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	//dnssec-validation auto;
	// NOTE(review): "dnssec-enable" and DLV lookaside ("dnssec-lookaside")
	// have been retired upstream and are obsolete in current BIND 9.16
	// releases; run named-checkconf to see whether this build still accepts
	// them and drop them if not. "dnssec-validation yes" (unlike "auto")
	// does not use the built-in root key, so a trust anchor must be
	// configured explicitly or validation cannot succeed -- confirm.
	dnssec-enable yes;
	dnssec-validation yes;
	dnssec-lookaside auto;

	auth-nxdomain no;    # conform to RFC1035
	listen-on-v6 { any; };

	// Keytab used by named for GSS-TSIG authenticated dynamic updates, i.e.
	// the path by which Samba's DNS update tooling writes records. It lives
	// under the /usr/local/samba install and must stay readable by the
	// named user only.
	tkey-gssapi-keytab "/usr/local/samba/private/dns.keytab";
	minimal-responses yes;
};



cat /etc/bind/named.conf.samba
// Loads Samba's DLZ plugin so named answers for the AD zones directly from
// the Samba database instead of zone files. The module must match the
// running named major version (this one is built for 9.16) and the path
// matches the /usr/local/samba install used for the keytab above.
dlz "AD DNS Zone" {
    # For BIND 9.16
    database "dlopen /usr/local/samba/lib/bind9/dlz_bind9_16.so";
};


cat /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
// (the hints file is only consulted when named has to recurse from the
// root itself rather than via configured forwarders)
zone "." {
	type hint;
	file "/usr/share/dns/root.hints";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
// These four zones are served from local files so that lookups for
// localhost, 127/8, 0/8 and 255/8 never leave this host.

zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};


=============================================

bind9 on DNS server:

named.conf:
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.conditional_forwarders";
include "/etc/bind/named.conf.slaves";

include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.local.forwarders";

cat named.conf.options 
options {
	directory "/var/cache/bind";
	// "forward only": every non-authoritative query is sent exclusively to
	// the two external resolvers below; named never recurses on its own if
	// they are unreachable, so they are a single point of failure for
	// everything outside the slaved zones.
       forward only;
	forwarders {
		103.247.36.36;
		103.247.37.37;
	};
	recursion yes;
	// Answers from the forwarders are accepted without DNSSEC validation,
	// so the trust placed in 103.247.36.36/37.37 is total. Consider
	// "dnssec-validation auto;" if those resolvers return signed data.
        dnssec-validation no;
	// The built-in empty zones for the RFC 1918 reverse ranges are disabled,
	// so PTR lookups for private addresses are resolved normally (here:
	// forwarded) instead of being answered locally with NXDOMAIN. Unless a
	// zone for these ranges is defined in one of the files not quoted
	// (e.g. named.conf.local.forwarders), reverse lookups for internal
	// addresses are sent to the external forwarders.
	empty-zones-enable   yes;
	disable-empty-zone "16.172.in-addr.arpa";
	disable-empty-zone "17.172.in-addr.arpa";
	disable-empty-zone "18.172.in-addr.arpa";
	disable-empty-zone "19.172.in-addr.arpa";
	disable-empty-zone "20.172.in-addr.arpa";
	disable-empty-zone "21.172.in-addr.arpa";
	disable-empty-zone "22.172.in-addr.arpa";
	disable-empty-zone "23.172.in-addr.arpa";
	disable-empty-zone "24.172.in-addr.arpa";
	disable-empty-zone "25.172.in-addr.arpa";
	disable-empty-zone "26.172.in-addr.arpa";
	disable-empty-zone "27.172.in-addr.arpa";
	disable-empty-zone "28.172.in-addr.arpa";
	disable-empty-zone "29.172.in-addr.arpa";
	disable-empty-zone "30.172.in-addr.arpa";
	disable-empty-zone "31.172.in-addr.arpa";
	disable-empty-zone "10.in-addr.arpa";
	disable-empty-zone "168.192.in-addr.arpa";

	auth-nxdomain no;    # conform to RFC1035
	// Listening on every v4 and v6 address while allow-recursion and
	// allow-query-cache are "any" makes this an open recursive resolver
	// for whoever can reach port 53 (abusable for reflection/amplification
	// and cache probing). Restrict both ACLs to the internal client ranges
	// or limit listen-on to the internal interfaces.
	listen-on-v6 { any; };
	listen-on port 53 { any; };
	allow-query     { any; };
	allow-recursion { any; };
	allow-query-cache { any; };
	// Logs every query: valuable for detection and incident forensics, but
	// high volume -- make sure the log channel is rotated.
       querylog yes;
        //enable response policy zone.
        // The "rpz.local" zone is not defined in any of the files quoted in
        // this message (presumably it lives in named.conf.local.forwarders);
        // I believe named rejects the configuration if it is missing.
        response-policy {
          zone "rpz.local";
        };

};

cat named.conf.conditional_forwarders 

// Conditional forwarding: queries for these two names and anything below
// them bypass the global forwarders and go to the listed resolvers. No
// "forward" mode is set in the zone, so the one from options applies.
zone "interno.gov.it" IN {
        type forward;
        forwarders {217.199.1.1; 217.199.0.250; };
};
zone "interno.gov.it.edgekey.net" IN {
        type forward;
        forwarders {217.199.1.1; 217.199.0.250; };
};

cat named.conf.slaves
include "/etc/bind/named.conf.slaves.d/klingons.example.net.zone";
include "/etc/bind/named.conf.slaves.d/example.net.zone";
include "/etc/bind/named.conf.slaves.d/_msdcs.example.net.zone";
include "/etc/bind/named.conf.slaves.d/subdomain2.example.net.zone";
include "/etc/bind/named.conf.slaves.d/subdomain1.example.net.zone";
... etc.


cat /etc/bind/named.conf.slaves.d/example.net.zone
// Secondary copy of the AD zone, pulled by zone transfer from the DC
// (IP-OF-DC is the poster's placeholder). The transfer is only as
// restricted as the DC's allow-transfer ACL, and this zone sets no
// allow-transfer of its own, so it inherits the server-wide default
// (historically "any" -- confirm for this BIND build). Per Rowland's
// note above, clients should resolve AD names via the DCs (possibly through
// a caching forwarder), not via this secondary.
zone "example.net" IN {
        	type slave;
        	file "example.net.zone";
        	masters { IP-OF-DC;  };
};

cat /etc/bind/named.conf.slaves.d/klingons.example.net.zone 
// Secondary copy of a child AD zone, transferred from the DC (IP-OF-DC is
// the poster's placeholder). As with the parent zone, no allow-transfer is
// set here, so the server-wide default applies -- confirm it is not "any"
// if this host is reachable from untrusted networks.
zone "klingons.example.net" IN {
        	type slave;
        	file "klingons.example.net.zone";
        	masters { IP-OF-DC; };
};


Am Mittwoch, dem 20.11.2024 um 16:13 +0000 schrieb Rowland Penny via
samba:
> On Wed, 20 Nov 2024 15:45:29 +0000
> Heinz Hölzl <heinz.hoelzl at gvcc.net> wrote:
> 
> See inline comments:
> 
> > hi,
> > i deleted the accounts with pdbdel.
> > 
> > I did a few spot checks, none of the pc accounts had the attribute
> > dNSHostName; there are no dns-records concerning the account
> 
> The computer accounts should have the dNSHostName attribute set.
> This seems to explain why it hangs though, the code is this:
> 
>             if "dNSHostName" in res[0]:
>                 computer_dns_host_name =
> str(res[0]["dNSHostName"][0])
>             else:
>                 computer_dns_host_name = None
> 
> Which means that 'computer_dns_host_name' is being set to 'None'
> 
> Then, a bit lower down, in the 'try' there is this:
> 
>         try:
>             samdb.delete(computer_dn)
>             if computer_dns_host_name:
>                 remove_dns_references(
> 
> This means that the 'if' is always run and the subsequent code tries
> to remove the dns records for a computer called 'None', that is the way
> I read it.
> 
> > 
> > we use bind9 for dns.
> > all pc have a bind9 configured as dns server, which is a dns slave
> > of the bind9 on the samba server.
> 
> I think we need to know more about your dns server setup, it could be
> the cause of your entire problems.
> 
> This is how Samba AD DNS works:
> Every DC is authoritative for the DNS domain; this is known as
> multi-master.
> Every Samba DC should use itself for its nameserver.
> Anything outside the AD DNS domain should be forwarded to an external
> nameserver.
> Clients should use the DCs as their nameservers, though this could be
> via a caching DNS server, never a slave.
> 
> Please post your named.conf files (from the DCs and the clients)
> 
> > 
> > here is the requested information:
> > 
> > all DC are on samba
> > 
> > smb.conf
> > 
> > [global]
> >         netbios name = DCX
> >         realm = EXAMPLE.NET
> >         server services = -dns
> >         workgroup = EXAMPLE
> >         server role = active directory domain controller
> >         ad dc functional level = 2016
> >         idmap_ldb:use rfc2307 = yes
> >         comment =
> >         template homedir = /home/%U
> >         template shell = /bin/bash
> >         ldap server require strong auth = No
> >         ntlm auth = Yes
> > 
> >         log level = auth_json_audit:0 auth_audit:3
> >         logging = syslog
> >         log file = /dev/null
> > 
> >         password hash gpg key ids = "xxxxxxxxxxxxxxxxxxxxxxx"
> >         dns forwarder = xxxxxx
> 
> As you are using bind9, the forwarder(s) should be set in the bind9
> conf file.
> 
> >         dns update command = /usr/local/samba/sbin/samba_dnsupdate
> > --use-samba-tool logon script = login.bat
> >         dns zone transfer clients allow = xxxxxxxxxxxxxxxxxxx
> >         prefork children = 4
> >         prefork children:ldap = 1
> >         server min protocol = SMB2_10
> > 
> > 
> > [netlogon]
> >         path =
> > /usr/local/samba/var/locks/sysvol/example.net/scripts
> >         read only = No
> >         guest ok = Yes
> 
> As you do not have 'map to guest = bad user' set in global, you will
> not get any guest access.
> 
> >         browseable = No
> > 
> > 
> > [sysvol]
> >         path = /usr/local/samba/var/locks/sysvol
> >         read only = No
> > 
> 
> Rowland
> 


