Kacper Wirski
2018-Nov-20 22:56 UTC
[Samba] samba AD - bind - deleted DNS entries are not removed completely
Hello,

I've posted about this issue some time ago, but I maybe didn't explain myself enough and/or didn't supply enough information.

My setup is CentOS 7.5, Samba 4.8.4 AD DC with BIND as DNS backend.

I noticed that some Windows clients stopped doing secure DNS dynamic updates because of an insufficient rights error.

Upon further digging I realized that all of the entries that were not able to be updated are entries that existed some time in the past (used by other hosts - in forward, or IPs - in reverse) and later on were for whatever reason deleted.

That doesn't seem right to me, that a deleted DNS entry is - somewhere (where?) - kept back and blocks a new entry from being added, even with the same A record or PTR IP address.

Example:

I added a Windows host to the domain with hostname "PC-1"; it created a dynamic DNS A record (PC-1 - <some-ip-address>).

I deleted this entry (using the Windows DNS management console), removed "PC-1" from the domain, and added another host with the same name (PC-1). Obviously it was a new member, so a new SID was generated.

Even though the DNS entry was deleted, the new "PC-1" host was unable to dynamically add an entry, because - even though deleted - Samba still "knew" about the deleted entry, which still had the previous "pc-1" as owner. How do I know this?

I then manually re-added a "PC-1 <whatever IP>" A record to the forward zone. Upon inspecting the security tab it had as owner an unresolved SID number - the exact SID of the deleted original PC-1 host. That completely blocked the new host with the PC-1 hostname from dynamically updating its DNS entry.

All DNS managing was done via the Windows DNS MMC - maybe it's the culprit?

That overall doesn't sound right. Shouldn't removed DNS entries be just that - removed? I restarted named, samba, did tombstone expunge with lifetime=0 etc. I'm not sure how to treat this. Is this a bug? Expected behaviour? How can I then fix this? I'd rather not have to add records manually and change owners.

It's not the biggest deal in the forward zone, but it's much worse for the reverse zone. E.g. recently I replaced a lot of PCs; all of them got new host names, but they kept the IPs that belonged to the old ones, so now my reverse zone is mostly empty, unless I start manually adding entries - which I'd rather not do.

Regards,
Kacper
Kacper Wirski
2018-Nov-21 18:20 UTC
[Samba] samba AD - bind - deleted DNS entries are not removed completely
Hello,

Since no one answered, I'll add some more information - maybe I'm unclear about the nature of the issue?

I re-read the Samba wiki, especially about DNS management, and I didn't find any information pointing to such behaviour. I was deleting all entries using the Windows DNS management console (which is in the Samba wiki, so I suppose it's supported).

Unfortunately I don't have another AD environment to see if it's a bug related to bind/samba or expected behaviour (a feature), and I'm really hoping that someone could share if they ever ran into the same behaviour when using BIND as backend (deleted DNS records not being fully deleted, retaining all Windows ACLs, including the original entry owner, and therefore disallowing any dynamic updates for this record - throwing an "insufficient rights" error).

Regards,
Kacper
Kacper Wirski
2018-Nov-21 18:39 UTC
[Samba] samba AD - bind - deleted DNS entries are not removed completely
To answer my own question: yes, it seems like a feature. I ran a basic ldbsearch query:

ldbsearch -H /usr/local/samba/private/sam.ldb -b "DC=DomainDnsZones,DC=mydomain,DC=com"

and saw in the output entries with:

dNSTombstoned: TRUE

Overall there are a couple hundred such entries. So now my question is: how can I safely remove them, any tips/guidelines? I thought that doing tombstone expunge would get rid of them - but apparently not.
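An inventory script for the dNSTombstoned entries found above, added here as an example and not code from the thread or from Samba: it parses the LDIF that ldbsearch prints, keeps only the records flagged dNSTombstoned: TRUE and reports each one's record name and zone, so the few hundred entries can be reviewed per zone before deciding how to clean them up. The sample LDIF and its DNs are constructed.

```python
import base64
import re

# Constructed sample (hypothetical DNs) of the LDIF printed by a query such as
#   ldbsearch -H /usr/local/samba/private/sam.ldb -b "DC=DomainDnsZones,DC=mydomain,DC=com"
SAMPLE_LDIF = """\
# record 1
dn: DC=PC-1,DC=mydomain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=com
dNSTombstoned: TRUE
dnsRecord:: AAAAAA==

dn: DC=10,DC=1.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydoma
 in,DC=com
dNSTombstoned: TRUE

dn: DC=srv-2,DC=mydomain.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=mydomain,DC=com
dNSTombstoned: FALSE

# returned 3 records
"""

def parse_ldif(text):
    """Parse ldbsearch LDIF output into a list of {attribute: [values]} dicts.
    Handles folded lines (leading space), '#' comments and base64 values ('::');
    attribute names are lower-cased because LDAP compares them case-insensitively."""
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():  # unfold continuation lines
        if line.startswith("#"):
            continue
        if not line.strip():                             # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, raw = line.partition(":")
        value = base64.b64decode(raw[1:].strip()).hex() if raw.startswith(":") else raw.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries + ([current] if current else [])

def tombstoned_dns_records(ldif_text):
    """Return the records flagged dNSTombstoned: TRUE as {dn, name, zone} dicts.
    In the MicrosoftDNS layout the first RDN is the record name and the second the zone."""
    found = []
    for entry in parse_ldif(ldif_text):
        if entry.get("dnstombstoned", [""])[0].upper() != "TRUE":
            continue
        dn = entry["dn"][0]
        name, zone = (part.split("=", 1)[1] for part in dn.split(",")[:2])
        found.append({"dn": dn, "name": name, "zone": zone})
    return found
```

Feed it the real ldbsearch output (e.g. via `parse_ldif(open("dump.ldif").read())`) and group the result by zone to see how much of the reverse zone is sitting in tombstones.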