Hi,
I deleted the accounts with pdbdel.
I did a few spot checks; none of the PC accounts had the attribute dNSHostName.
There are no DNS records concerning the account.
We use bind9 for DNS.
All PCs have a bind9 configured as DNS server, which is a DNS slave of the bind9
on the Samba server.
Here is the requested information:
All DCs are on Samba.
smb.conf
[global]
netbios name = DCX
realm = EXAMPLE.NET
server services = -dns
workgroup = EXAMPLE
server role = active directory domain controller
ad dc functional level = 2016
idmap_ldb:use rfc2307 = yes
comment template homedir = /home/%U
template shell = /bin/bash
ldap server require strong auth = No
ntlm auth = Yes
log level = auth_json_audit:0 auth_audit:3
logging = syslog
log file = /dev/null
password hash gpg key ids = "xxxxxxxxxxxxxxxxxxxxxxx"
dns forwarder = xxxxxx
dns update command = /usr/local/samba/sbin/samba_dnsupdate --use-samba-tool
logon script = login.bat
dns zone transfer clients allow = xxxxxxxxxxxxxxxxxxx
prefork children = 4
prefork children:ldap = 1
server min protocol = SMB2_10
[netlogon]
path = /usr/local/samba/var/locks/sysvol/example.net/scripts
read only = No
guest ok = Yes
browseable = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
Heinz
________________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny
via samba <samba at lists.samba.org>
Sent: Wednesday, 20 November 2024 16:17
To: samba at lists.samba.org
Cc: Rowland Penny
Subject: Re: [Samba] samba-tool computer delete does not work
On Wed, 20 Nov 2024 10:34:39 +0000
Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Wed, 20 Nov 2024 10:35:40 +1300
> Douglas Bagnall via samba <samba at lists.samba.org> wrote:
>
> > On 19/11/24 02:40, Heinz Hölzl via samba wrote:
> > > hi,
> > >
> > > I have to delete about 6000 old machine accounts.
> > >
> > > samba-tool computer delete RESERVE23 does not end.
> >
> > What this command does is delete the record itself, then tries to
> > delete related DNS records.
> >
> > I think what is happening is the initial delete is working, but DNS
> > is not, and samba-tool is left waiting for a response.
>
> From my reading of the code, the initial delete shouldn't happen
> unless the computer records are also deleted, they are both inside
> the same 'try'. If it is awaiting a response, then it must be a dns
> response, there isn't any other response requested.
>
> >
> > To verify this theory:
> > 1. check the account has a dNSHostName attribute
> > 2. look up that address with `dig` or something.
> >
> > If it hangs, then DNS is not working.
> >
>
> This has 'DNS' written all over it. I think we need to know more about
> the domain, what is the DC ? If it is a Samba DC, then seeing the
> smb.conf may help and is bind9 being used ?
>
> Rowland
After reading the code again and thinking about this (yes I know,
thinking is dangerous), I think this is what is happening:

The samba-tool command is run and everything works okay until it gets
to the 'try'. The first thing that the 'try' does is to delete the
computer's entire DN, it then attempts to delete all the computer's DNS
records. If this or deleting the computer's DN fails, then, from my
understanding, the 'try' should fail and the computer's DN deletion
should not happen and an error message 'Failed to remove computer "%s"'
should be printed.

I 'think' that the computer DN is being deleted, but there is some
delay in the DNS response and when 'CTL-C' is pressed, it kills the
'try'. The computer DN has been deleted, but none of the further code is
run. It is quite possible, if you can wait long enough, the command
would error out or even complete successfully.

I feel this is all interconnected with the LDAP errors the OP is
having.

So, I repeat, can we have the information I asked for earlier?
Rowland
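
An added example, not part of the thread and not samba-tool's own code: step 1 of the check suggested above (does the account have a dNSHostName attribute?) run over a whole LDIF export instead of spot checks. It assumes the computer objects were exported as LDIF with the sAMAccountName and dNSHostName attributes; the sample data and the function names are constructed for illustration.

```python
import base64

# Constructed sample LDIF (not from the thread): folded value, base64 DN, referral.
_DN3 = base64.b64encode("CN=PC-B\u00dcRO,CN=Computers,DC=example,DC=net".encode()).decode()
SAMPLE_LDIF = f"""dn: CN=RESERVE23,CN=Computers,DC=example,DC=net
sAMAccountName: RESERVE23$

dn: CN=PC-LAB-0042,CN=Computers,DC=example,DC=net
sAMAccountName: PC-LAB-0042$
dNSHostName: pc-lab-0042.exam
 ple.net

dn:: {_DN3}
dNSHostName: pc-buro.example.net

# Referral
ref: ldap://example.net/CN=Configuration,DC=example,DC=net
"""

def parse_ldif(text):
    """Yield one dict per entry that has a DN; unfold lines, decode '::' base64 values."""
    record = {}
    # A newline followed by one space continues the previous line; "" flushes the last entry.
    for line in text.replace("\n ", "").splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if "dn" in record:        # referral entries have no DN and are dropped
                yield record
            record = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):     # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        record.setdefault(attr.lower(), []).append(value.strip())

def split_by_dns_name(text):
    """Return ({account: dNSHostName}, [accounts without dNSHostName])."""
    with_name, without = {}, []
    for rec in parse_ldif(text):
        account = rec.get("samaccountname", rec["dn"])[0]   # fall back to the DN
        if "dnshostname" in rec:
            with_name[account] = rec["dnshostname"][0]
        else:
            without.append(account)
    return with_name, without

if __name__ == "__main__":
    print(split_by_dns_name(SAMPLE_LDIF))
```

The names in the first dictionary are the ones step 2 (the `dig` lookup) applies to; accounts in the second list have no host name to look up.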