samba - Nov 2025 - Stray DC A record in DNS

On Thu, 27 Nov 2025 12:59:01 +0100
martin f krafft via samba <samba at lists.samba.org> wrote:
> Hello,
> 
> We had a small configuration glitch it seems and for a few seconds,
> the same Samba Domain Controller was online with two different IPs:
> 192.168.231.34 and .35.
> 
> Since then, bind9 answers for `dc01.samba-ad.example.org` with both
> IPs, and this is causing problems in various parts of our
> infrastructure:
No it doesn't, your Samba AD DC does.
> 
> ```
> # dig @127.0.0.1 dc01.samba-ad.toni.immo +short
> 192.168.231.34
> 192.168.231.35
> ```
> 
> The thing is: we **cannot** figure out where it gets that .35 from.
It is in AD.
> We've removed it:
> 
> ```
> # samba-tool dns delete 127.0.0.1 samba-ad.toni.immo dc01 A
> 192.168.231.35 -U Administrator Record deleted successfully
> # samba-tool dns query 127.0.0.1 samba-ad.toni.immo @ ALL -U
> Administrator | grep 192.168.231.35 || echo not present anymore not
> present anymore ```
> 
> but `dig` still returns it.
> 
> ```
> # for i in /var/lib/samba/**/*.ldb; do ldbsearch -H $i | grep
> 192.168.231.35 && echo $i; done (no output)
That search probably will not work, for two reasons, you really
shouldn't search in sam.ldb.d and your search terms are
insufficient.

You should be doing something like this:

ldbsearch --cross-ncs --show-binary -H /var/lib/samba/private/sam.ldb >
full.ldif

Then search in full.ldif for your ipaddress, it may be there multiple
times.
> ```
> 
> We've tried `rndc flushname` and `rndc flushtree`, restarting bind9,
> even the whole machine. We've stopped bind9 and removed the lines from
> /var/cache/bind/named_dump.db and restarted the nameserver.
If you did find the ipaddress in the bind9 config files, I would then
suggest you correct the files. Samba uses bind_dlz to connect Bind9 to
the dns records in AD, there shouldn't be any AD dns records in the
bind9 files.
 
Rowland

Hi Rowland,

Thank you for your response and help!

Regarding the following, written by "Rowland Penny via samba" on
2025-11-27 at 13:10 Uhr +0000:
>ldbsearch --cross-ncs --show-binary -H /var/lib/samba/private/sam.ldb >
full.ldif
>
>Then search in full.ldif for your ipaddress, it may be there multiple
>times.
I've run this command, but the
result does *not* contain the sought IP address at all, not one single
time.
>If you did find the ipaddress in the bind9 config files, I would then
>suggest you correct the files. Samba uses bind_dlz to connect Bind9 to
>the dns records in AD, there shouldn't be any AD dns records in the
>bind9 files.
Right, I understand and there is nothing AD-related in `/etc/bind`.

So it's not in `/etc/bind` and apparently not in `/var/lib/samba`. It's
not in `/var/cache/bind` and not in `/var/lib/bind`.

Where else can I look and remove this IP address from DNS?

I've run `named -d 255` in the hope to get some more information, but
all that is logged for a `dig` request is:

```
client @0x770b8e77c898 192.168.235.1#52095: UDP request
client @0x770b8e77c898 192.168.235.1#52095: using view '_default'
client @0x770b8e77c898 192.168.235.1#52095: request is not signed
client @0x770b8e77c898 192.168.235.1#52095: recursion available
client @0x770b8e77c898 192.168.235.1#52095 (dc01.samba-ad.example.org): query
'dc01.samba-ad.example.org/A/IN' approved
client @0x770b8e77c898 192.168.235.1#52095 (dc01.samba-ad.example.org):
rrl=(nil), HAVECOOKIE=0, result=ISC_R_SUCCESS, fname=0x770b9366e780(1),
is_zone=1, RECURSIONOK=1, query.rpz_st=0x770b8e748800(0), RRL_CHECKED=0
client @0x770b8e77c898 192.168.235.1#52095 (dc01.samba-ad.example.org): reset
client
```

I remain quite puzzled.

-- 
martin krafft | https://matrix.to/#/#madduck:madduck.net
  
don't hate yourself in the morning -- sleep till noon.
{: .blockquote }
  
spamtraps: madduck.bogus at madduck.net
{: .hidden }