Hi,

At least in tcp6 the auto-dns-update seems to duplicate ip6 address to
Samba. What I have done is:

....
        bind interfaces only = yes
        interfaces = lo 192.168.1.0/24
....

Binding into one address only. Might help.

SH

On 14/07/2025 12.52, Nicolas Martinussen via samba wrote:
> Hello,
>
> I have a strange issue with my _msdcs zone. The PDC record (_ldap._tcp.pdc._msdcs) is duplicated 15.000 times... I've discovered it because the DNS that does the transfer of that zone complained about too many records. After checking, I in fact got a lot of records:
> ~# dig @192.168.XX.XX _msdcs.MYDOMAIN AXFR | sort | uniq -c | sort -nr
> 15120 _ldap._tcp.pdc._msdcs.MYDOMAIN. 900 IN SRV 0 100 389 dc-01.MYDOMAIN.
>
> For the other records, I get only one instance for each, so it's just the PDC record.
>
> Here is my smb.conf
> [global]
> netbios name = DC-01
> realm = MYDOMAIN
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> workgroup = MYDOMAIN
> idmap_ldb:use rfc2307 = yes
> dns zone transfer clients allow = 192.168.102.102 192.168.102.103 192.168.102.98 192.168.102.99 192.168.103.138 192.168.103.139
> dns zone scavenging = yes
>
> # WINS
> wins support = yes
> dns proxy = yes
> # WINS
>
> # TLS
> tls enabled = yes
> tls keyfile = tls/dc-01.2023.key
> tls certfile = tls/dc-01.2023.crt
> tls cafile = tls/CA/joskin_AD_CA.2023.crt
> # TLS
>
> [sysvol]
> path = /data/sysvol
> read only = No
>
> [netlogon]
> path = /data/sysvol/MYDOMAIN/scripts
> read only = No
>
> And here is my named.conf
> options {
> listen-on port 53 { 127.0.0.1; 192.168.XX.XX; };
> directory "/var/named";
> dump-file "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
> secroots-file "/var/named/data/named.secroots";
> recursing-file "/var/named/data/named.recursing";
>
> allow-query { 192.168.0.0/16; };
> auth-nxdomain yes;
> notify no;
> empty-zones-enable no;
> recursion yes;
> allow-transfer { 192.168.YY.YY; };
> tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
> minimal-responses yes;
>
> forwarders { 192.168.YY.YY; };
>
> managed-keys-directory "/var/named/dynamic";
>
> pid-file "/run/named/named.pid";
> session-keyfile "/run/named/session.key";
> };
>
> logging {
> channel default_debug {
> file "data/named.run";
> severity dynamic;
> };
> };
>
> include "/usr/local/samba/bind-dns/named.conf";
>
> I have absolutely no idea what can cause that and how to resolve that. Is there somebody that could maybe help me ?
>
> Thanks in advance,
> Nicolas Martinussen

--
Sami Hulkko
+358 45 8569 319
sahulkko at gmail.com
sahulkko at icloud.com
http://samba.bigbird.es/doku.php?id=samba:fsmo-roles

I use the script at the end for sanity checks and delete all others. Maybe it works for you and it deletes 14999 records.

On 14 Jul 2025 at 12:31 +0100, Sami Hulkko via samba <samba at lists.samba.org>, wrote:
> Hi,
>
> At least in tcp6 the auto-dns-update seems to duplicate ip6 address to
> Samba. What I have done is:
>
> ....
>
>         bind interfaces only = yes
>         interfaces = lo 192.168.1.0/24
>
> ....
>
> Binding into one address only. Might help.
>
> SH
>
> On 14/07/2025 12.52, Nicolas Martinussen via samba wrote:
> > Hello,
> >
> > I have a strange issue with my _msdcs zone. The PDC record (_ldap._tcp.pdc._msdcs) is duplicated 15.000 times... I've discovered it because the DNS that does the transfer of that zone complained about too many records. After checking, I in fact got a lot of records:
> > ~# dig @192.168.XX.XX _msdcs.MYDOMAIN AXFR | sort | uniq -c | sort -nr
> > 15120 _ldap._tcp.pdc._msdcs.MYDOMAIN. 900 IN SRV 0 100 389 dc-01.MYDOMAIN.
> >
> > For the other records, I get only one instance for each, so it's just the PDC record.
> >
> > Here is my smb.conf
> > [global]
> > netbios name = DC-01
> > realm = MYDOMAIN
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > workgroup = MYDOMAIN
> > idmap_ldb:use rfc2307 = yes
> > dns zone transfer clients allow = 192.168.102.102 192.168.102.103 192.168.102.98 192.168.102.99 192.168.103.138 192.168.103.139
> > dns zone scavenging = yes
> >
> > # WINS
> > wins support = yes
> > dns proxy = yes
> > # WINS
> >
> > # TLS
> > tls enabled = yes
> > tls keyfile = tls/dc-01.2023.key
> > tls certfile = tls/dc-01.2023.crt
> > tls cafile = tls/CA/joskin_AD_CA.2023.crt
> > # TLS
> >
> > [sysvol]
> > path = /data/sysvol
> > read only = No
> >
> > [netlogon]
> > path = /data/sysvol/MYDOMAIN/scripts
> > read only = No
> >
> > And here is my named.conf
> > options {
> > listen-on port 53 { 127.0.0.1; 192.168.XX.XX; };
> > directory "/var/named";
> > dump-file "/var/named/data/cache_dump.db";
> > statistics-file "/var/named/data/named_stats.txt";
> > memstatistics-file "/var/named/data/named_mem_stats.txt";
> > secroots-file "/var/named/data/named.secroots";
> > recursing-file "/var/named/data/named.recursing";
> >
> > allow-query { 192.168.0.0/16; };
> > auth-nxdomain yes;
> > notify no;
> > empty-zones-enable no;
> > recursion yes;
> > allow-transfer { 192.168.YY.YY; };
> > tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
> > minimal-responses yes;
> >
> > forwarders { 192.168.YY.YY; };
> >
> > managed-keys-directory "/var/named/dynamic";
> >
> > pid-file "/run/named/named.pid";
> > session-keyfile "/run/named/session.key";
> > };
> >
> > logging {
> > channel default_debug {
> > file "data/named.run";
> > severity dynamic;
> > };
> > };
> >
> > include "/usr/local/samba/bind-dns/named.conf";
> >
> > I have absolutely no idea what can cause that and how to resolve that. Is there somebody that could maybe help me ?
> >
> > Thanks in advance,
> > Nicolas Martinussen
>
> --
> Sami Hulkko
> +358 45 8569 319
> sahulkko at gmail.com
> sahulkko at icloud.com
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
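The reply above points at a wiki script for sanity checks. What follows is an added example written for this page, in the same spirit, and is neither that wiki script nor Samba's own tooling: it takes captured zone-transfer text (the `dig ... AXFR` pipeline from the original report is the assumed input source; nothing here contacts a server), reports every record that appears more than once, and fails so it can gate a recurring check before a secondary DNS server starts refusing the transfer. The `example.lan` zone and the sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the thread, not the linked wiki script, not Samba
# tooling): sanity check for duplicated resource records in a zone transfer.
# It works on transfer text only and never contacts a server; the dig
# invocation shown in comments is assumed usage.

# Print "<count> <record>" for every record that appears more than once in
# the transfer text on stdin, most duplicated first. dig's ';' comment lines
# and blank lines are dropped, and runs of blanks are squeezed so the same
# record compares equal regardless of column padding.
find_duplicate_rrs() {
    grep -v '^;' \
        | sed -e 's/[[:blank:]][[:blank:]]*/ /g' -e 's/^ //' -e 's/ $//' \
        | grep -v '^$' \
        | sort | uniq -c | sort -rn \
        | awk '$1 > 1 { c = $1; $1 = ""; sub(/^ /, ""); print c " " $0 }'
}

# Return 0 when the zone text has no duplicated records, 1 otherwise
# (printing the offenders), so the function can gate a cron job or a
# zone-transfer monitor.
check_zone_text() {
    dups=$(printf '%s\n' "$1" | find_duplicate_rrs)
    if [ -n "$dups" ]; then
        printf 'Duplicated records:\n%s\n' "$dups"
        return 1
    fi
    echo "No duplicated records."
    return 0
}

# Constructed sample of an AXFR answer (not a capture from the thread's
# domain): the PDC SRV record is present three times, once with extra
# padding, next to two records that occur once.
SAMPLE_AXFR='; <<>> DiG <<>> @dc-01.example.lan _msdcs.example.lan AXFR
_ldap._tcp.pdc._msdcs.example.lan. 900 IN SRV 0 100 389 dc-01.example.lan.
_ldap._tcp.pdc._msdcs.example.lan. 900 IN SRV 0 100 389 dc-01.example.lan.
_kerberos._tcp.dc._msdcs.example.lan. 900 IN SRV 0 100 88 dc-01.example.lan.
_ldap._tcp.pdc._msdcs.example.lan.   900   IN  SRV 0 100 389 dc-01.example.lan.
_ldap._tcp.dc._msdcs.example.lan. 900 IN SRV 0 100 389 dc-01.example.lan.'

# Stand-alone run against the sample. Against a real DC you would feed the
# transfer in instead, e.g. (assumed usage):
#   dig @192.168.XX.XX _msdcs.MYDOMAIN AXFR | find_duplicate_rrs
check_zone_text "$SAMPLE_AXFR" || echo "exit status: $?"
```

The check only reports; removing the surplus copies is a separate step (the thread points at the wiki script for that). Whatever host pulls the transfer still has to be listed in `dns zone transfer clients allow`, as in the original smb.conf, and on the BIND side in `allow-transfer`.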
Hello,
Thanks for your help.
I've updated my config to specify the interfaces, I hope it will help. At
least, I don't think it will do any harm.
Nicolas Martinussen
________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Sami Hulkko
via samba <samba at lists.samba.org>
Sent: Monday 14 July 2025 13:31
To: samba at lists.samba.org <samba at lists.samba.org>
Subject: Re: [Samba] Duplicate PDC records in _msdcs zone
> Hi,
>
> At least in tcp6 the auto-dns-update seems to duplicate ip6 address to
> Samba. What I have done is:
>
> ....
>         bind interfaces only = yes
>         interfaces = lo 192.168.1.0/24
> ....
>
> Binding into one address only. Might help.
>
> SH
>
> On 14/07/2025 12.52, Nicolas Martinussen via samba wrote:
> > Hello,
> >
> > I have a strange issue with my _msdcs zone. The PDC record (_ldap._tcp.pdc._msdcs) is duplicated 15.000 times... I've discovered it because the DNS that does the transfer of that zone complained about too many records. After checking, I in fact got a lot of records:
> > ~# dig @192.168.XX.XX _msdcs.MYDOMAIN AXFR | sort | uniq -c | sort -nr
> > 15120 _ldap._tcp.pdc._msdcs.MYDOMAIN. 900 IN SRV 0 100 389 dc-01.MYDOMAIN.
> >
> > For the other records, I get only one instance for each, so it's just the PDC record.
> >
> > Here is my smb.conf
> > [global]
> > netbios name = DC-01
> > realm = MYDOMAIN
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > workgroup = MYDOMAIN
> > idmap_ldb:use rfc2307 = yes
> > dns zone transfer clients allow = 192.168.102.102 192.168.102.103 192.168.102.98 192.168.102.99 192.168.103.138 192.168.103.139
> > dns zone scavenging = yes
> >
> > # WINS
> > wins support = yes
> > dns proxy = yes
> > # WINS
> >
> > # TLS
> > tls enabled = yes
> > tls keyfile = tls/dc-01.2023.key
> > tls certfile = tls/dc-01.2023.crt
> > tls cafile = tls/CA/joskin_AD_CA.2023.crt
> > # TLS
> >
> > [sysvol]
> > path = /data/sysvol
> > read only = No
> >
> > [netlogon]
> > path = /data/sysvol/MYDOMAIN/scripts
> > read only = No
> >
> > And here is my named.conf
> > options {
> > listen-on port 53 { 127.0.0.1; 192.168.XX.XX; };
> > directory "/var/named";
> > dump-file "/var/named/data/cache_dump.db";
> > statistics-file "/var/named/data/named_stats.txt";
> > memstatistics-file "/var/named/data/named_mem_stats.txt";
> > secroots-file "/var/named/data/named.secroots";
> > recursing-file "/var/named/data/named.recursing";
> >
> > allow-query { 192.168.0.0/16; };
> > auth-nxdomain yes;
> > notify no;
> > empty-zones-enable no;
> > recursion yes;
> > allow-transfer { 192.168.YY.YY; };
> > tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
> > minimal-responses yes;
> >
> > forwarders { 192.168.YY.YY; };
> >
> > managed-keys-directory "/var/named/dynamic";
> >
> > pid-file "/run/named/named.pid";
> > session-keyfile "/run/named/session.key";
> > };
> >
> > logging {
> > channel default_debug {
> > file "data/named.run";
> > severity dynamic;
> > };
> > };
> >
> > include "/usr/local/samba/bind-dns/named.conf";
> >
> > I have absolutely no idea what can cause that and how to resolve that. Is there somebody that could maybe help me ?
> >
> > Thanks in advance,
> > Nicolas Martinussen
>
> --
> Sami Hulkko
> +358 45 8569 319
> sahulkko at gmail.com
> sahulkko at icloud.com
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba