ash-samba at comtek.co.uk
2016-Sep-09 14:59 UTC
[Samba] Phantom DNS records visible with dig, but not samba-tool dns
We appear to have some phantom DNS records on both our domain controllers.
We can see the records using "dig", but not with samba-tool. We
can't remove the records either.
(v-ward and v-fief are the DCs, Hawaii and Alaska are old DCs which were demoted
without errors, I'm trying to clean up some DNS records which don't seem
to have been cleaned).
All machines are 4.2.10-Debian
Can anybody advise how I can fix this? Ideally in this case there would only be
two records.
Console output follows
Thanks,

root@v-ward# samba-tool dns query v-ward _msdcs.chester-dc.example.com _ldap._tcp.dc srv
Password for [ash@CHESTER-DC.EXAMPLE.COM]:
Name=, Records=3, Children=0
SRV: HAWAII.chester-dc.example.com. (389, 0, 100) (flags=f0, serial=110, ttl=900)
SRV: ALASKA.chester-dc.example.com. (389, 0, 100) (flags=f0, serial=110, ttl=900)
SRV: v-fief.chester-dc.example.com. (389, 0, 100) (flags=f0, serial=110, ttl=0)

root@v-ward# samba-tool dns delete v-ward _msdcs.chester-dc.example.com _ldap._tcp.dc srv "v-ward.chester-dc. 389 0 100"
Password for [ash@CHESTER-DC.EXAMPLE.COM]:
ERROR: Record does not exist

#(10.4.4.155 is samba on v-ward)
# dig _ldap._tcp.dc._msdcs.chester-dc.example.com srv @10.4.4.155

; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> _ldap._tcp.dc._msdcs.chester-dc.example.com srv @10.4.4.155
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14081
;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.chester-dc.example.com. IN SRV

;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.chester-dc.example.com. 900 IN SRV 0 100 389 HAWAII.chester-dc.example.com.
_ldap._tcp.dc._msdcs.chester-dc.example.com. 900 IN SRV 0 100 389 ALASKA.chester-dc.example.com.
_ldap._tcp.dc._msdcs.chester-dc.example.com. 0 IN SRV 0 100 389 v-fief.chester-dc.example.com.
_ldap._tcp.dc._msdcs.chester-dc.example.com. 0 IN SRV 0 100 389 v-ward.chester-dc.example.com.
_ldap._tcp.dc._msdcs.chester-dc.example.com. 0 IN SRV 0 100 389 v-ward.chester-dc.co.uk.
_ldap._tcp.dc._msdcs.chester-dc.example.com. 0 IN SRV 0 100 389 v-ward.chester-dc.

;; Query time: 0 msec
;; SERVER: 10.4.4.155#53(10.4.4.155)
;; WHEN: Fri Sep 09 15:38:48 BST 2016
;; MSG SIZE rcvd: 245

# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[netlogon]"
Processing section "[sysvol]"
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC
Press enter to see a dump of your service definitions
# Global parameters
[global]
workgroup = CHESTER-DC
realm = CHESTER-DC.EXAMPLE.COM
server role = active directory domain controller
passdb backend = samba_dsdb
log file = /var/log/samba/log.%m
max log size = 1000
client ldap sasl wrapping = plain
ldap server require strong auth = No
load printers = No
cups server = printers.example.com
panic action = /usr/share/samba/panic-action %d
dns forwarder = 10.4.4.10
rpc_server:tcpip = no
rpc_server:winreg = embedded
rpc_server:ntsvcs = embedded
rpc_server:eventlog = embedded
rpc_server:srvsvc = embedded
rpc_server:svcctl = embedded
rpc_server:default = external
winbindd:use external pipes = true
acl:read = false
rpc_daemon:spoolssd = embedded
rpc_server:spoolss = embedded
idmap config chester-dc : range = 1000-999999
idmap config chester-dc : backend = ad
idmap config * : range = 1000000-1999999
idmap_ldb:use rfc2307 = yes
idmap config * : backend = tdb
map archive = No
map readonly = no
store dos attributes = Yes
include = /etc/samba/smb.common
vfs objects = dfs_samba4 acl_xattr
lingpanda101 at gmail.com
2016-Sep-09 15:35 UTC
[Samba] Phantom DNS records visible with dig, but not samba-tool dns
On 9/9/2016 10:59 AM, ash-samba--- via samba wrote:
> We appear to have some phantom DNS records on both our domain
> controllers.
>
> We can see the records using "dig", but not with samba-tool. We can't
> remove the records either.
>
> (v-ward and v-fief are the DCs, Hawaii and Alaska are old DCs which
> were demoted without errors, I'm trying to clean up some DNS records
> which don't seem to have been cleaned).
>
> All machines are 4.2.10-Debian
>
> Can anybody advise how I can fix this? Ideally in this case there
> would only be two records.
>
> Console output follows
>
> Thanks,
>
> root@v-ward# samba-tool dns query v-ward _msdcs.chester-dc.example.com _ldap._tcp.dc srv
> Password for [ash@CHESTER-DC.EXAMPLE.COM]:
> Name=, Records=3, Children=0
> SRV: HAWAII.chester-dc.example.com. (389, 0, 100) (flags=f0, serial=110, ttl=900)
> SRV: ALASKA.chester-dc.example.com. (389, 0, 100) (flags=f0, serial=110, ttl=900)
> SRV: v-fief.chester-dc.example.com. (389, 0, 100) (flags=f0, serial=110, ttl=0)
>
> root@v-ward# samba-tool dns delete v-ward _msdcs.chester-dc.example.com _ldap._tcp.dc srv "v-ward.chester-dc. 389 0 100"
> Password for [ash@CHESTER-DC.EXAMPLE.COM]:
> ERROR: Record does not exist
>
> #(10.4.4.155 is samba on v-ward)
> # dig _ldap._tcp.dc._msdcs.chester-dc.example.com srv @10.4.4.155
>
> ; <<>> DiG 9.9.5-9+deb8u4-Debian <<>> _ldap._tcp.dc._msdcs.chester-dc.example.com srv @10.4.4.155
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14081
> ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;_ldap._tcp.dc._msdcs.chester-dc.example.com. IN SRV
>
> ;; ANSWER SECTION:
> _ldap._tcp.dc._msdcs.chester-dc.example.com. 900 IN SRV 0 100 389 HAWAII.chester-dc.example.com.
> _ldap._tcp.dc._msdcs.chester-dc.example.com. 900 IN SRV 0 100 389 ALASKA.chester-dc.example.com.
> _ldap._tcp.dc._msdcs.chester-dc.example.com. 0 IN SRV 0 100 389 v-fief.chester-dc.example.com.
> _ldap._tcp.dc._msdcs.chester-dc.example.com. 0 IN SRV 0 100 389 v-ward.chester-dc.example.com.
> _ldap._tcp.dc._msdcs.chester-dc.example.com. 0 IN SRV 0 100 389 v-ward.chester-dc.co.uk.
> _ldap._tcp.dc._msdcs.chester-dc.example.com. 0 IN SRV 0 100 389 v-ward.chester-dc.
>
> ;; Query time: 0 msec
> ;; SERVER: 10.4.4.155#53(10.4.4.155)
> ;; WHEN: Fri Sep 09 15:38:48 BST 2016
> ;; MSG SIZE rcvd: 245
>
> # testparm
> Load smb config files from /etc/samba/smb.conf
> Processing section "[netlogon]"
> Processing section "[sysvol]"
> Loaded services file OK.
> Server role: ROLE_ACTIVE_DIRECTORY_DC
>
> Press enter to see a dump of your service definitions
>
> # Global parameters
> [global]
> workgroup = CHESTER-DC
> realm = CHESTER-DC.EXAMPLE.COM
> server role = active directory domain controller
> passdb backend = samba_dsdb
> log file = /var/log/samba/log.%m
> max log size = 1000
> client ldap sasl wrapping = plain
> ldap server require strong auth = No
> load printers = No
> cups server = printers.example.com
> panic action = /usr/share/samba/panic-action %d
> dns forwarder = 10.4.4.10
> rpc_server:tcpip = no
> rpc_server:winreg = embedded
> rpc_server:ntsvcs = embedded
> rpc_server:eventlog = embedded
> rpc_server:srvsvc = embedded
> rpc_server:svcctl = embedded
> rpc_server:default = external
> winbindd:use external pipes = true
> acl:read = false
> rpc_daemon:spoolssd = embedded
> rpc_server:spoolss = embedded
> idmap config chester-dc : range = 1000-999999
> idmap config chester-dc : backend = ad
> idmap config * : range = 1000000-1999999
> idmap_ldb:use rfc2307 = yes
> idmap config * : backend = tdb
> map archive = No
> map readonly = no
> store dos attributes = Yes
> include = /etc/samba/smb.common
> vfs objects = dfs_samba4 acl_xattr
>

For me I had to use ADSI edit to remove the entries.

--
-James
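
A comparison of the two views shown in the thread, as an added example (not part of the original posts and not Samba's own code): it parses the dig answer and the samba-tool listing, then reports records the DNS server serves that the RPC view does not show, and records whose target is not a current DC. The sample text is reconstructed from the outputs quoted above, and LIVE_DCS is an assumption based on the poster naming v-ward and v-fief as the DCs.

```python
import re

# Constructed sample input: the two outputs quoted in the thread, wrapped lines joined.
OWNER = "_ldap._tcp.dc._msdcs.chester-dc.example.com."
RPC_OUT = """\
SRV: HAWAII.chester-dc.example.com. (389, 0, 100) (flags=f0, serial=110, ttl=900)
SRV: ALASKA.chester-dc.example.com. (389, 0, 100) (flags=f0, serial=110, ttl=900)
SRV: v-fief.chester-dc.example.com. (389, 0, 100) (flags=f0, serial=110, ttl=0)
"""
DIG_OUT = "\n".join(
    f"{OWNER} {ttl} IN SRV 0 100 389 {t}" for ttl, t in [
        (900, "HAWAII.chester-dc.example.com."), (900, "ALASKA.chester-dc.example.com."),
        (0, "v-fief.chester-dc.example.com."), (0, "v-ward.chester-dc.example.com."),
        (0, "v-ward.chester-dc.co.uk."), (0, "v-ward.chester-dc.")])
# Assumption: the two remaining DCs, by FQDN in the AD domain.
LIVE_DCS = {"v-ward.chester-dc.example.com.", "v-fief.chester-dc.example.com."}

def parse_rpc(text):
    """samba-tool prints 'SRV: target (port, priority, weight) (...)'."""
    pat = re.compile(r"^\s*SRV:\s+(\S+)\s+\((\d+),\s*(\d+),\s*(\d+)\)", re.M)
    return {(t.lower(), int(port), int(prio), int(w)) for t, port, prio, w in pat.findall(text)}

def parse_dig(text):
    """dig prints 'owner ttl IN SRV priority weight port target'."""
    pat = re.compile(r"^\S+\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", re.M)
    return {(t.lower(), int(port), int(prio), int(w)) for prio, w, port, t in pat.findall(text)}

def audit(dig_text, rpc_text, live_dcs):
    """Split served records into phantom (DNS-only) and stale (not a live DC)."""
    served, managed = parse_dig(dig_text), parse_rpc(rpc_text)
    live = {d.lower() for d in live_dcs}
    return {
        "phantom": sorted(served - managed),
        "stale": sorted(r for r in served if r[0] not in live),
        "missing": sorted(live - {r[0] for r in served}),
    }

def delete_args(rec):
    """Data string in the order the thread's 'samba-tool dns delete' call uses."""
    return "%s %d %d %d" % rec  # target port priority weight

if __name__ == "__main__":
    for kind, items in audit(DIG_OUT, RPC_OUT, LIVE_DCS).items():
        print(kind, items)
```

Records listed under "stale" but not "phantom" are visible to samba-tool and can be passed to `samba-tool dns delete`; those under "phantom" are the ones the thread reports as needing removal through a directory editor.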