http://samba.bigbird.es/doku.php?id=samba:fsmo-roles

I use the script at the end for sanity checks and delete all others. Maybe it works for you and it deletes 14999 records.

On 14 Jul 2025 at 12:31 +0100, Sami Hulkko via samba <samba at lists.samba.org>, wrote:
> Hi,
>
> At least in tcp6 the auto-dns-update seems to duplicate the ip6 address to
> Samba. What I have done is:
>
> ....
>
>         bind interfaces only = yes
>         interfaces = lo 192.168.1.0/24
>
> ....
>
> Binding into one address only. Might help.
>
> SH
>
> On 14/07/2025 12.52, Nicolas Martinussen via samba wrote:
> > Hello,
> >
> > I have a strange issue with my _msdcs zone. The PDC record (_ldap._tcp.pdc._msdcs) is duplicated 15.000 times... I've discovered it because the DNS that does the transfer of that zone complained about too many records. After checking, I in fact got a lot of records:
> > ~# dig @192.168.XX.XX _msdcs.MYDOMAIN AXFR | sort | uniq -c | sort -nr
> > 15120 _ldap._tcp.pdc._msdcs.MYDOMAIN. 900 IN SRV 0 100 389 dc-01.MYDOMAIN.
> >
> > For the other records, I get only one instance for each, so it's just the PDC record.
> >
> > Here is my smb.conf
> > [global]
> > netbios name = DC-01
> > realm = MYDOMAIN
> > server role = active directory domain controller
> > server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
> > workgroup = MYDOMAIN
> > idmap_ldb:use rfc2307 = yes
> > dns zone transfer clients allow = 192.168.102.102 192.168.102.103 192.168.102.98 192.168.102.99 192.168.103.138 192.168.103.139
> > dns zone scavenging = yes
> >
> > # WINS
> > wins support = yes
> > dns proxy = yes
> > # WINS
> >
> > # TLS
> > tls enabled = yes
> > tls keyfile = tls/dc-01.2023.key
> > tls certfile = tls/dc-01.2023.crt
> > tls cafile = tls/CA/joskin_AD_CA.2023.crt
> > # TLS
> >
> > [sysvol]
> > path = /data/sysvol
> > read only = No
> >
> > [netlogon]
> > path = /data/sysvol/MYDOMAIN/scripts
> > read only = No
> >
> > And here is my named.conf
> > options {
> >     listen-on port 53 { 127.0.0.1; 192.168.XX.XX; };
> >     directory "/var/named";
> >     dump-file "/var/named/data/cache_dump.db";
> >     statistics-file "/var/named/data/named_stats.txt";
> >     memstatistics-file "/var/named/data/named_mem_stats.txt";
> >     secroots-file "/var/named/data/named.secroots";
> >     recursing-file "/var/named/data/named.recursing";
> >
> >     allow-query { 192.168.0.0/16; };
> >     auth-nxdomain yes;
> >     notify no;
> >     empty-zones-enable no;
> >     recursion yes;
> >     allow-transfer { 192.168.YY.YY; };
> >     tkey-gssapi-keytab "/usr/local/samba/bind-dns/dns.keytab";
> >     minimal-responses yes;
> >
> >     forwarders { 192.168.YY.YY; };
> >
> >     managed-keys-directory "/var/named/dynamic";
> >
> >     pid-file "/run/named/named.pid";
> >     session-keyfile "/run/named/session.key";
> > };
> >
> > logging {
> >     channel default_debug {
> >         file "data/named.run";
> >         severity dynamic;
> >     };
> > };
> >
> > include "/usr/local/samba/bind-dns/named.conf";
> >
> > I have absolutely no idea what can cause that and how to resolve that. Is there somebody that could maybe help me?
> >
> > Thanks in advance,
> > Nicolas Martinussen
>
> --
> Sami Hulkko
> +358 45 8569 319
> sahulkko at gmail.com
> sahulkko at icloud.com
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Hi,

It is more prevention in the generation phase. It does block re-registering the address.

The main culprit is the samba_dnsupdate command, which is run periodically by the AD DC according to the instructions set in dns_update_list, which in a default install on Ubuntu is in /var/lib/samba/private (root access only).

SH

On 14/07/2025 14.42, Luis Peromarta via samba wrote:
> http://samba.bigbird.es/doku.php?id=samba:fsmo-roles
>
> I use the script at the end for sanity checks and delete all others. Maybe it works for you and it deletes 14999 records.
> On 14 Jul 2025 at 12:31 +0100, Sami Hulkko via samba <samba at lists.samba.org>, wrote:
>> Hi,
>>
>> At least in tcp6 the auto-dns-update seems to duplicate the ip6 address to
>> Samba. What I have done is:
>>
>> ....
>>
>>         bind interfaces only = yes
>>         interfaces = lo 192.168.1.0/24
>>
>> ....
>>
>> Binding into one address only. Might help.
>>
>> SH
>>
>> On 14/07/2025 12.52, Nicolas Martinussen via samba wrote:
>>> Hello,
>>>
>>> I have a strange issue with my _msdcs zone. The PDC record (_ldap._tcp.pdc._msdcs) is duplicated 15.000 times... I've discovered it because the DNS that does the transfer of that zone complained about too many records. After checking, I in fact got a lot of records:
>>> ~# dig @192.168.XX.XX _msdcs.MYDOMAIN AXFR | sort | uniq -c | sort -nr
>>> 15120 _ldap._tcp.pdc._msdcs.MYDOMAIN. 900 IN SRV 0 100 389 dc-01.MYDOMAIN.
>>>
>>> For the other records, I get only one instance for each, so it's just the PDC record.
>>>
>>> Thanks in advance,
>>> Nicolas Martinussen
>> --
>> Sami Hulkko
>> +358 45 8569 319
>> sahulkko at gmail.com
>> sahulkko at icloud.com
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions: https://lists.samba.org/mailman/options/samba

--
Sami Hulkko
+358 45 8569 319
sahulkko at gmail.com
sahulkko at icloud.com
Hello,

Thanks for the help. I still had to do a bash loop to delete each duplicate individually. But this script looks great, I'll include it in my upgrade steps.

Nicolas Martinussen

________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Luis Peromarta via samba <samba at lists.samba.org>
Sent: Monday, 14 July 2025 13:42
To: Samba List <samba at lists.samba.org>
Subject: Re: [Samba] Duplicate PDC records in _msdcs zone

http://samba.bigbird.es/doku.php?id=samba:fsmo-roles

I use the script at the end for sanity checks and delete all others. Maybe it works for you and it deletes 14999 records.

On 14 Jul 2025 at 12:31 +0100, Sami Hulkko via samba <samba at lists.samba.org>, wrote:
> Hi,
>
> At least in tcp6 the auto-dns-update seems to duplicate the ip6 address to
> Samba. What I have done is:
>
> ....
>
> bind interfaces only = yes
> interfaces = lo 192.168.1.0/24
>
> ....
>
> Binding into one address only. Might help.
>
> SH
>
> On 14/07/2025 12.52, Nicolas Martinussen via samba wrote:
> > Hello,
> >
> > I have a strange issue with my _msdcs zone. The PDC record (_ldap._tcp.pdc._msdcs) is duplicated 15.000 times... I've discovered it because the DNS that does the transfer of that zone complained about too many records. After checking, I in fact got a lot of records:
> > ~# dig @192.168.XX.XX _msdcs.MYDOMAIN AXFR | sort | uniq -c | sort -nr
> > 15120 _ldap._tcp.pdc._msdcs.MYDOMAIN. 900 IN SRV 0 100 389 dc-01.MYDOMAIN.
> >
> > For the other records, I get only one instance for each, so it's just the PDC record.
> >
> > Thanks in advance,
> > Nicolas Martinussen
>
> --
> Sami Hulkko
> +358 45 8569 319
> sahulkko at gmail.com
> sahulkko at icloud.com
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
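A dry-run version of the two steps discussed in this thread, the duplicate count from the first post's dig AXFR | sort | uniq -c pipeline and the per-duplicate delete loop Nicolas mentions, written here as an added example (it is not the script from the linked wiki page). It assumes dig's presentation format on stdin, samba-tool's "dns delete <server> <zone> <name> SRV '<target> <port> <priority> <weight>'" argument order, and that each delete removes one matching copy, as Nicolas observed.

```shell
#!/bin/sh
# Added example, not the wiki script from the thread: find SRV records that a zone
# transfer returns more than once and print one "samba-tool dns delete" per extra copy.
# Assumption: each delete removes a single matching record (as Nicolas observed), so
# count-1 deletes leave exactly one copy. Review the output before piping it to sh.

# Constructed sample in dig AXFR presentation format: three copies of the PDC record
# plus one unrelated record that must be left alone.
SAMPLE_AXFR='_ldap._tcp.pdc._msdcs.MYDOMAIN. 900 IN SRV 0 100 389 dc-01.MYDOMAIN.
_ldap._tcp.pdc._msdcs.MYDOMAIN. 900 IN SRV 0 100 389 dc-01.MYDOMAIN.
_ldap._tcp.pdc._msdcs.MYDOMAIN. 900 IN SRV 0 100 389 dc-01.MYDOMAIN.
_kerberos._tcp.dc._msdcs.MYDOMAIN. 900 IN SRV 0 100 88 dc-01.MYDOMAIN.'

# duplicated_srv: stdin = AXFR lines; stdout = "count name target port priority weight"
# for every SRV record whose rdata appears more than once (the TTL column is ignored,
# so records that differ only in TTL still count as duplicates).
duplicated_srv() {
    awk '$4 == "SRV" { key = $1 " " $8 " " $7 " " $5 " " $6; seen[key]++ }
         END { for (k in seen) if (seen[k] > 1) print seen[k], k }' | sort
}

# cleanup_commands SERVER ZONE: stdin = AXFR lines; stdout = the delete commands.
# samba-tool wants the record name relative to the zone and (assumed here) the SRV
# data in the order "target port priority weight".
cleanup_commands() {
    server=$1
    zone=$2
    duplicated_srv | while read -r count fqdn target port prio weight; do
        name=${fqdn%.$zone.}          # _ldap._tcp.pdc._msdcs.MYDOMAIN. -> _ldap._tcp.pdc
        extra=$((count - 1))          # keep one copy
        i=0
        while [ "$i" -lt "$extra" ]; do
            printf "samba-tool dns delete %s %s %s SRV '%s %s %s %s'\n" \
                "$server" "$zone" "$name" "$target" "$port" "$prio" "$weight"
            i=$((i + 1))
        done
    done
}

# Dry run on the constructed sample. Against a real DC the input would come from:
#   dig @dc-01 _msdcs.MYDOMAIN AXFR | cleanup_commands dc-01 _msdcs.MYDOMAIN
printf '%s\n' "$SAMPLE_AXFR" | cleanup_commands dc-01 _msdcs.MYDOMAIN
```

On a real DC, samba-tool will need credentials (its -U option) and the output should be checked against a fresh AXFR before it is executed.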
On Mon, 14 Jul 2025 12:42:07 +0100
Luis Peromarta via samba <samba at lists.samba.org> wrote:

> http://samba.bigbird.es/doku.php?id=samba:fsmo-roles
>
> I use the script at the end for sanity checks and delete all others.
> Maybe it works for you and it deletes 14999 records.

The problem isn't so much that there are 14,999 incorrect records, it is how did they get there? I personally do not believe that anyone would transfer the PDC_Emulator FSMO role that many times, and moving the FSMO role is the only way (that I know of) to get multiple _ldap._tcp.pdc._msdcs.${DNSDOMAIN} records.

The other question is, why is the OP still using WINS?

I would love to know just how the OP has set up their DNS.

Rowland