On Wed, 20 Nov 2024 10:34:39 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Wed, 20 Nov 2024 10:35:40 +1300
> Douglas Bagnall via samba <samba at lists.samba.org> wrote:
>
> > On 19/11/24 02:40, Heinz Hölzl via samba wrote:
> > > hi,
> > >
> > > I have to delete about 6000 old machine accounts.
> > >
> > > samba-tool computer delete RESERVE23 does not end.
> >
> > What this command does is delete the record itself, then tries to
> > delete related DNS records.
> >
> > I think what is happening is the initial delete is working, but DNS
> > is not, and samba-tool is left waiting for a response.
>
> From my reading of the code, the initial delete shouldn't happen
> unless the computer records are also deleted, they are both inside
> the same 'try'. If it is awaiting a response, then it must be a dns
> response, there isn't any other response requested.
>
> >
> > To verify this theory:
> > 1. check the account has a dNSHostName attribute
> > 2. look up that address with `dig` or something.
> >
> > If it hangs, then DNS is not working.
> >
>
> This has 'DNS' written all over it. I think we need to know more about
> the domain, what is the DC ? If it is a Samba DC, then seeing the
> smb.conf may help and is bind9 being used ?
>
> Rowland

After reading the code again and thinking about this (yes I know,
thinking is dangerous), I think this is what is happening:

The samba-tool command is run and everything works okay until it gets
to the 'try', the first thing that the 'try' does is to delete the
computer's entire DN, it then attempts to delete all the computer's dns
records, if this or deleting the computer's DN fails, then, from my
understanding, the 'try' should fail and the computer's DN deletion
should not happen and an error message 'Failed to remove computer "%s"'
should be printed.

I 'think' that the computer DN is being deleted, but there is some
delay in the dns response and when 'Ctrl-C' is pressed, it kills the
'try', the computer DN has been deleted, but none of the further code is
run. It is quite possible, if you can wait long enough, the command
would error out or even complete successfully.

I feel this is all interconnected with the ldap errors the OP is
having.

So, I repeat, can we have the information I asked for earlier?

Rowland
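
Added example, not part of the original message and not samba-tool's own code: a simplified Python model of the sequence discussed in this thread (account delete, then DNS cleanup, inside one 'try'), showing what state is left behind when the DNS step succeeds, fails, or is interrupted with Ctrl-C. `FakeDirectory`, `delete_computer`, the `dns_*` callables, the `except Exception` handler and the sample names are all assumptions made for illustration.

```python
# Simplified model of the flow discussed in the thread; NOT samba-tool's code.
# FakeDirectory, delete_computer and the dns_* callables are hypothetical.

class FakeDirectory:
    """In-memory stand-in for the directory and its DNS zone (constructed data)."""
    def __init__(self):
        self.accounts = {"RESERVE23$"}
        self.dns_records = {"reserve23.example.test"}


def dns_ok(directory, host):
    directory.dns_records.discard(host)


def dns_fails(directory, host):
    raise TimeoutError("no response from DNS server")


def dns_interrupted(directory, host):
    # Models the operator pressing Ctrl-C while the DNS step is waiting.
    raise KeyboardInterrupt


def delete_computer(directory, account, host, dns_cleanup):
    """Delete the account, then its DNS records, inside a single 'try'."""
    try:
        directory.accounts.discard(account)   # step 1: takes effect immediately
        dns_cleanup(directory, host)          # step 2: may fail or be interrupted
    except Exception as e:                    # assumed handler; does not catch Ctrl-C
        return 'Failed to remove computer "%s": %s' % (account, e)
    return "Deleted computer %s" % account


def run_case(dns_cleanup):
    """Return (message, account_still_present, dns_record_still_present)."""
    d = FakeDirectory()
    host = "reserve23.example.test"
    try:
        msg = delete_computer(d, "RESERVE23$", host, dns_cleanup)
    except KeyboardInterrupt:
        msg = None   # nothing after the 'try' ran, so no message was produced
    return msg, "RESERVE23$" in d.accounts, host in d.dns_records


if __name__ == "__main__":
    for case in (dns_ok, dns_fails, dns_interrupted):
        print(case.__name__, run_case(case))
```

A Python 'try' block does not undo a step that has already completed, so in this model both the failure and the interrupt cases leave the account gone and the DNS record still present; only the failure case produces an error message.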