Hello you all,

with the new samba version out that fixes some problems with dns scavenging I have decided to try this feature. I was specifically interested for our reverse zone (PTR records).

We have one zone for VPN clients 8.0.10.in-addr.arpa. I activated the feature in the smb.conf as well as in the Windows DNS manager. Entries are deleted (not visible in DNS manager) after a while.

You can still see them in ADSI-Edit. Those that are invisible have "dNSTombstoned: TRUE" set; the others have either FALSE or the attribute is not there at all.

My problem is this: if an entry was deleted and has "dNSTombstoned: TRUE" it still has the same owner, and therefore a new computer that got the same IP from our VPN gateway cannot set this entry to point to itself.

Shouldn't the code that deletes (or marks as deleted/tombstoned) unset the owner? Or is this by design?

Also "samba-tool domain tombstones expunge --tombstone-lifetime=0" does not delete the records with "dNSTombstoned: TRUE". Is this a different tombstone?

Until now what I do is delete the entries manually in ADSI. This works as expected.

Any hint how to get this working?

Regards
Christian

--
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.com, homepage www.brain-biotech.com
fon +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Register court: AG Darmstadt, HRB 24758
Management board: Adriaan Moelker (Chairman), Manfred Bender, Ludger Roedder
Chairman of the supervisory board: Dr. Georg Kellinghusen
On Wed, 2020-03-18 at 20:48 +0100, Christian Naumer via samba wrote:
> Hello you all,
> with the new samba version out that fixes some problems with dns scavenging I have decided to try this feature.
> I was specifically interested for our reverse zone (PTR records)
>
> We have one zone for VPN clients 8.0.10.in-addr.arpa. I activated the feature in the smb.conf as well as in the Windows DNS manager.
> Entries are deleted (not visible in DNS manager) after a while.
>
> You can still see them in ADSI-Edit. Those that are invisible have "dNSTombstoned: TRUE" set the others have either FALSE or the attribute is not there at all.
>
> My problem is this if an entry was deleted and has "dNSTombstoned: TRUE" it still has the same owner and therefore a new computer that got the same IP from our VPN gateway can not set this entry to point to itself.
>
> Shouldn't the code that deletes (or marks as deleted/tombstoned) unset the owner? or is this by design?

Honestly, I'm not sure. The whole dNSTombstoned thing is designed to avoid churn of actual deleted records, which would pile up for 6 months and overwhelm replication. But it means they remain real records with a real owner, and the normal ACL rules apply.

This makes sense for forward records, but less sense for reverse records if the IP allocated isn't mostly constant.

> Also "samba-tool domain tombstones expunge --tombstone-lifetime=0" does not delete the records with "dNSTombstoned: TRUE". Is this a different tombstone?

That would be a different tombstone, yes.

> Until now what I do is delete the entries manually in ADSI. This works as expected.
>
> Any hint how to get this working?

I'm not sure right now.

Sorry!

Andrew Bartlett

--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
https://catalyst.net.nz/services/samba
On 18.03.20 at 22:26, Andrew Bartlett wrote:
>> Also "samba-tool domain tombstones expunge --tombstone-lifetime=0" does not delete the records with "dNSTombstoned: TRUE". Is this a different tombstone?
>
> That would be a different tombstone, yes.

Can someone help me out with the ldap/ldb syntax to delete those by cron?

>> Until now what I do is delete the entries manually in ADSI. This works as expected.
>>
>> Any hint how to get this working?
>
> I'm not sure right now.
>
> Sorry!

No problem. We all just try to help each other.

Regards
Christian

--
Dr. Christian Naumer
Unit Head Bioprocess Development
B.R.A.I.N Aktiengesellschaft
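Christian's question about the ldb syntax for a cron job is answered below by an added example script; it is not code from this thread, from Samba, or from either poster. It drives Samba's real `ldbsearch` and `ldbdel` tools against the `DomainDnsZones` partition, where AD-integrated zones store one `dnsNode` object per record, and selects only the objects the DNS server has already hidden (`dNSTombstoned=TRUE`). Assumptions: `sam.ldb` sits at the default path `/var/lib/samba/private/sam.ldb`, the zone lives in `DomainDnsZones`, and the domain DN (for instance `DC=example,DC=com`) is given on the command line. The sample LDIF and the `example.com` names are constructed for the offline check; the script is a dry run unless `--delete` is passed.

```python
"""Added example (not from the thread): list, and optionally delete, the dnsNode
objects in an AD-integrated zone flagged dNSTombstoned=TRUE, using Samba's
ldbsearch/ldbdel tools so the job can run from cron.  Dry-run by default."""
import base64
import subprocess
import sys

SAM_LDB = "/var/lib/samba/private/sam.ldb"  # assumed default Samba install path
# Only records the DNS server has already hidden (tombstoned) are candidates.
TOMBSTONE_FILTER = "(&(objectClass=dnsNode)(dNSTombstoned=TRUE))"


def zone_base_dn(zone, domain_dn, partition="DomainDnsZones"):
    """Container DN of an AD-integrated zone, e.g. 8.0.10.in-addr.arpa."""
    return f"DC={zone},CN=MicrosoftDNS,DC={partition},{domain_dn}"


def ldbsearch_cmd(base_dn, ldb_url=SAM_LDB):
    """One-level search under the zone container, fetching only dn and flag."""
    return ["ldbsearch", "-H", ldb_url, "-b", base_dn, "-s", "one",
            TOMBSTONE_FILTER, "dn", "dNSTombstoned"]


def ldbdel_cmd(dn, ldb_url=SAM_LDB):
    return ["ldbdel", "-H", ldb_url, dn]


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes base64 values,
    and returns one {attribute: [values]} dict per entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line.startswith("#"):            # ldbsearch comments ("# record 1")
            continue
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def tombstoned_dns(ldif_text):
    """DNs of entries flagged dNSTombstoned=TRUE.  The zone apex node '@' is
    excluded as a safety net even though the server should never tombstone it."""
    result = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        flags = {v.upper() for v in entry.get("dNSTombstoned", [])}
        if dn and "TRUE" in flags and not dn.upper().startswith("DC=@,"):
            result.append(dn)
    return result


# Constructed sample of what ldbsearch prints; used for the offline check.
SAMPLE_LDIF = """\
# record 1
dn: DC=17,DC=8.0.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
dNSTombstoned: TRUE

# record 2
dn: DC=18,DC=8.0.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=com
dNSTombstoned: FALSE

# record 3
dn: DC=19,DC=8.0.10.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,
 DC=com
dNSTombstoned: TRUE

# returned 3 records
"""


def main(argv):
    if len(argv) < 3:
        print(f"usage: {argv[0]} ZONE DOMAIN_DN [--delete]", file=sys.stderr)
        return 2
    zone, domain_dn, delete = argv[1], argv[2], "--delete" in argv[3:]
    search = subprocess.run(ldbsearch_cmd(zone_base_dn(zone, domain_dn)),
                            capture_output=True, text=True, check=True)
    for dn in tombstoned_dns(search.stdout):
        print(("deleting " if delete else "would delete ") + dn)
        if delete:
            subprocess.run(ldbdel_cmd(dn), check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it first without `--delete` (for example `python3 purge_dns_tombstones.py 8.0.10.in-addr.arpa DC=example,DC=com`) and check that only the PTR nodes you expect are listed. Keep Andrew's point in mind when choosing the cron cadence: the `dNSTombstoned` flag exists so the server does not produce real AD tombstones that replicate for the whole tombstone lifetime, and `ldbdel` turns each hidden dnsNode into exactly such a tombstone. The benefit, as Christian observed, is that the stale owner goes with it, so the next VPN client that receives the same address can register its own PTR record.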