Kacper Wirski
2018-Nov-21 18:39 UTC
[Samba] samba AD - bind - deleted DNS entries are not removed completely
To answer my own question: Yes, it seems like a feature.

I ran a basic ldbsearch query:

ldbsearch -H /usr/local/samba/private/sam.ldb -b "DC=DomainDnsZones,DC=mydomain,DC=com"

and saw in the output entries with:

dNSTombstoned: TRUE

Overall there are a couple hundred entries like that. So now my question is: how can I safely remove them, any tips/guidelines? I thought that doing tombstone expunge would get rid of them - but apparently not.

On 21.11.2018 at 19:20, Kacper Wirski via samba wrote:
> Hello,
>
> Since no one answered, I'll add some more information - maybe I'm unclear about the nature of the issue?
>
> I re-read the samba wiki, especially about DNS management, and I didn't find any information pointing to such behaviour. I was deleting all entries using the windows DNS management console (which is in the samba wiki, so I suppose it's supported).
>
> Unfortunately I don't have another AD environment to see if it's a bug related to bind/samba or expected behaviour (a feature), and I'm really hoping that someone could share if they ever ran into the same behaviour when using BIND as backend (deleted dns records not being fully deleted, retaining all windows ACL, including the original entry-owner, and therefore disallowing any dynamic updates for this record - throwing an "insufficient rights" error).
>
> Regards,
>
> Kacper
>
> On 20.11.2018 at 23:56, Kacper Wirski via samba wrote:
>> Hello,
>>
>> I've posted about this issue some time ago, but maybe I didn't explain myself enough and/or didn't supply enough information.
>>
>> My setup is centos 7.5 samba 4.8.4 AD DC with BIND as dns backend.
>>
>> I noticed that some windows clients stopped doing secure dns dynamic updates because of an insufficient rights error.
>>
>> Upon further digging I realized that all of the entries that were not able to be updated are entries that existed some time in the past (used by other hosts - in forward, or IP's - in reverse) and later on were for whatever reason deleted.
>>
>> That doesn't seem right to me, that a deleted DNS entry is - somewhere (where?) - kept back and blocks a new entry from being added, even with the same A record or PTR IP addr.
>>
>> Example:
>>
>> I added a windows host to the domain with hostname "PC-1"; it created a dynamic dns A record (PC-1 - <some-ip-address>).
>>
>> I deleted this entry (using the windows dns management console), removed "PC-1" from the domain, added another host with the same name (PC-1). Obviously it was a new member so a new SID was generated.
>>
>> Even though the DNS entry was deleted, the new "PC-1" host was unable to dynamically add an entry, because - even though deleted - samba still "knew" about the deleted entry, which still had as owner the previous "pc-1". How do I know this?
>>
>> I then manually re-added the "PC-1 <whatever IP>" A record to the forward zone, and upon inspecting the security tab it had as owner an unresolved SID - the exact SID of the deleted original PC-1 host. That completely blocked the new host with the PC-1 hostname from dynamically updating its DNS entry.
>>
>> All DNS managing was done via the windows DNS mmc - maybe it's the culprit?
>>
>> That overall doesn't sound right. Shouldn't removed DNS entries be just that - removed? I restarted named, samba, did tombstone expunge with lifetime=0 etc. I'm not sure how to treat this? Is this a bug? Expected behaviour? How can I then fix this? I'd rather not have to add records manually and change owners. It's not the biggest deal in the forward zone, but it's much worse for the reverse zone. E.g. recently I replaced a lot of PC's, all of them got new host names, but they kept IP's that belonged to the old ones, so now my reverse zone is mostly empty, unless I start manually adding entries - which I'd rather not.
>>
>> Regards,
>>
>> Kacper
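The inspection step above (ldbsearch over DC=DomainDnsZones, then spotting dNSTombstoned: TRUE by eye) is easier to review when the output is parsed. The following is an added example written for this thread, not Samba's own tooling: a small Python script that parses ldbsearch's LDIF-style output, handles wrapped continuation lines and base64 (`::`) attributes such as dnsRecord, and lists the tombstoned dnsNode DNs grouped by zone so they can be reviewed before anyone decides what to do with them. The sample output embedded below is constructed; the base DN and sam.ldb path follow the thread.

```python
"""List the DNS records a Samba AD DC has marked dNSTombstoned: TRUE from
ldbsearch output, grouped by zone, for review.  Added example for this
thread, not Samba's own tooling; SAMPLE_LDIF below is constructed."""
import base64
from collections import defaultdict

# Constructed sample in the shape ldbsearch prints: records separated by
# blank lines, "#" comment lines, long values wrapped onto a continuation
# line that starts with a space, binary values base64-encoded after "::".
SAMPLE_LDIF = """\
# record 1
dn: DC=pc-1,DC=mydomain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=com
objectClass: dnsNode
name: pc-1
dNSTombstoned: TRUE
dnsRecord:: AAAAAAAAAAA=

# record 2
dn: DC=pc-2,DC=mydomain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC
 =com
objectClass: dnsNode
name: pc-2
dNSTombstoned: FALSE

# record 3
dn: DC=10,DC=0.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=com
objectClass: dnsNode
name: 10
dNSTombstoned: TRUE

# returned 3 records
"""


def parse_ldif(text):
    """Return a list of records, each a dict attribute -> list of values.
    Base64 (::) values are decoded and kept as bytes."""
    # Join continuation lines first: a line beginning with a space
    # continues the previous logical line.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    records, current = [], {}
    for line in logical:
        if not line.strip():            # blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):        # ldbsearch's "# record N" comments
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                    # not "attr: value"; ignore
        if value.startswith(":"):       # "attr:: <base64>"
            decoded = base64.b64decode(value[1:].strip())
        else:
            decoded = value.strip()
        current.setdefault(attr, []).append(decoded)
    if current:
        records.append(current)
    return records


def is_tombstoned(record):
    """True when the dnsNode carries dNSTombstoned: TRUE."""
    return any(str(v).upper() == "TRUE" for v in record.get("dNSTombstoned", []))


def zone_of(dn):
    """dnsNode DNs look like DC=<name>,DC=<zone>,CN=MicrosoftDNS,...;
    the second RDN names the zone."""
    rdns = dn.split(",")
    if len(rdns) > 1 and rdns[1].upper().startswith("DC="):
        return rdns[1][3:]
    return "<unknown zone>"


def tombstoned_by_zone(text):
    """Map zone -> sorted list of tombstoned record DNs in ldbsearch output."""
    grouped = defaultdict(list)
    for rec in parse_ldif(text):
        if is_tombstoned(rec) and "dn" in rec:
            dn = rec["dn"][0]
            grouped[zone_of(dn)].append(dn)
    return {zone: sorted(dns) for zone, dns in grouped.items()}


if __name__ == "__main__":
    import sys
    # Read ldbsearch output from stdin, or fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for zone, dns in sorted(tombstoned_by_zone(text).items()):
        print(f"{zone}: {len(dns)} tombstoned record(s)")
        for dn in dns:
            print("  " + dn)
```

On a real DC the input would come from a filtered search, for example `ldbsearch -H /usr/local/samba/private/sam.ldb -b "DC=DomainDnsZones,DC=mydomain,DC=com" '(dNSTombstoned=TRUE)' dn dNSTombstoned | python3 list_tombstoned.py` (the script file name is arbitrary). The grouping by zone matters for the reverse-zone problem described in the thread: it shows at a glance how many stale PTR nodes sit in each in-addr.arpa zone.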
Rowland Penny
2018-Nov-21 19:27 UTC
[Samba] samba AD - bind - deleted DNS entries are not removed completely
On Wed, 21 Nov 2018 19:39:53 +0100
Kacper Wirski via samba <samba at lists.samba.org> wrote:

> To answer my own question:
>
> Yes, it seems like a feature.

Yes, it is a feature, an AD feature ;-)

> I ran a basic ldbsearch query:
>
> ldbsearch -H /usr/local/samba/private/sam.ldb -b
> "DC=DomainDnsZones,DC=mydomain,DC=com" and saw in the output entries with:
>
> dNSTombstoned: TRUE
>
> Overall there are a couple hundred entries like that. So now my
> question is:
>
> How can I safely remove them, any tips/guidelines? I thought that
> doing tombstone expunge would get rid of them - but apparently not.
>

Have a look here:

https://blogs.technet.microsoft.com/isrpfeplat/2010/09/23/dns-scavenging-internals-or-what-is-the-dnstombstoned-attribute-for-ad-integrated-zones/

It seems that the DC is supposed to scavenge the stale dns records after a certain period, usually 7 days, but it looks like Samba doesn't have the code, unless someone knows different.

Rowland
Kacper Wirski
2018-Nov-21 19:48 UTC
[Samba] samba AD - bind - deleted DNS entries are not removed completely
So in my case - is it safe to delete directly using ldbdel or using the windows ADSI gui ldap editor? Or is there another way? What is the right way to do it? Something like:

ldbdel -H /usr/local/samba/private/sam.ldb -b "DC=DomainDnsZones,DC=mydomain,DC=com" '(dNSTombstoned: TRUE)' ?

I read in the samba 4.9 new features release notes about scavenging, but I'm not sure if it's the same thing as in the posted link, and anyway - this feature supposedly only works in new zones.

On 21.11.2018 at 20:27, Rowland Penny via samba wrote:
> On Wed, 21 Nov 2018 19:39:53 +0100
> Kacper Wirski via samba <samba at lists.samba.org> wrote:
>
>> To answer my own question:
>>
>> Yes, it seems like a feature.
> Yes, it is a feature, an AD feature ;-)
>
>> I ran a basic ldbsearch query:
>>
>> ldbsearch -H /usr/local/samba/private/sam.ldb -b
>> "DC=DomainDnsZones,DC=mydomain,DC=com" and saw in the output entries with:
>>
>> dNSTombstoned: TRUE
>>
>> Overall there are a couple hundred entries like that. So now my
>> question is:
>>
>> How can I safely remove them, any tips/guidelines? I thought that
>> doing tombstone expunge would get rid of them - but apparently not.
>>
> Have a look here:
>
> https://blogs.technet.microsoft.com/isrpfeplat/2010/09/23/dns-scavenging-internals-or-what-is-the-dnstombstoned-attribute-for-ad-integrated-zones/
>
> It seems that the DC is supposed to scavenge the stale dns records
> after a certain period, usually 7 days, but it looks like Samba doesn't
> have the code, unless someone knows different.
>
> Rowland
>