
We have a small Samba AD server with around 20 users and 70 machines (including phones, printers, etc.).

The DC=DOMAINDNSZONES... .ldb files under /var/lib/samba/private/sam.ldb.d/ and /var/lib/samba/bind-dns/dns/sam.ldb.d/ are over 600 MB and keep growing.

I tried to run samba-tool dbcheck --cross-ncs. It listed 47 "expired tombstones" and ended with "Checked 122451 objects (0 errors)".

Running samba-tool domain tombstones expunge removed these, but there are still 122400 "objects" in this file (for the 70 machines in the network!?).

So what could be wrong, and how could I fix it?

The server runs Debian 11.7 with Samba 4.13.13.

Below are some excerpts of the configuration.

# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_ACTIVE_DIRECTORY_DC

# Global parameters
[global]
    # dns forwarder is consumed by Samba's internal DNS server; "dns" is not in the
    # server services list below and BIND9 DLZ is configured, so this is presumably unused here.
    dns forwarder = 8.8.8.8 8.8.4.4
    passdb backend = samba_dsdb
    realm = LAN.EXAMPLE.COM
    reset on zero vc = Yes
    server role = active directory domain controller
    # No "dns" entry: DNS is served by BIND9 via the DLZ module, not by Samba itself.
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    template homedir = /home/users/%U
    workgroup = LAN
    rpc_server:tcpip = no
    rpc_daemon:spoolssd = embedded
    rpc_server:spoolss = embedded
    rpc_server:winreg = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:eventlog = embedded
    rpc_server:srvsvc = embedded
    rpc_server:svcctl = embedded
    rpc_server:default = external
    winbindd:use external pipes = true
    idmap_ldb:use rfc2307 = yes
    idmap config * : backend = tdb
    csc policy = disable
    hide files = /._*/.DS_Store/.Spotlight-V100/desktop.ini/
    map acl inherit = Yes
    map archive = No
    vfs objects = dfs_samba4 acl_xattr
# cat /var/lib/samba/bind-dns/named.conf
# BIND9 loads Samba's DLZ module, so the zone data comes from the sam.ldb DNS partitions
# rather than from BIND zone files.
dlz "AD DNS Zone" {
    # For BIND 9.11.x
     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
# cat /etc/bind/named.conf.local
include "/etc/bind/rndc.key";
include "/var/lib/samba/bind-dns/named.conf";
# dig -t AXFR lan.example.com | egrep '\s+A\s+' | wc -l
43

# dig -t AXFR lan.example.com | egrep '\s+A\s+'
lan.example.com.        900    IN    A    192.168.4.3
snom725-8B4089.lan.example.com. 900 IN    A    192.168.4.107
tel-2608.lan.example.com.    900    IN    A    192.168.4.107
[...etc.]
DomainDnsZones.lan.example.com. 900 IN    A    192.168.4.3
ForestDnsZones.lan.example.com. 900 IN    A    192.168.4.3

And in /etc/dhcp/dhcpd.conf, these are the settings copied from https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

# Fires when dhcpd commits a lease; hands the lease details to dhcp-dyndns.sh with the "add" action.
on commit {
    # Fallback name used when no hostname is available: "dhcp-" plus the leased IP with dashes.
    set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    # Colon-separated hex MAC from hardware bytes 1..6; concat("0", ...) followed by
    # suffix(..., 2) zero-pads each byte to exactly two hex digits.
    set ClientDHCID = concat (
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2)
    );
    # First non-empty of: the host-name option sent by the client, a configured host-name,
    # the matched host declaration's name, or the IP-based fallback. The first candidate is
    # chosen by the client, so dhcp-dyndns.sh receives ClientName as untrusted input and
    # should validate it before using it as a DNS label or in any command.
    set ClientName = pick-first-value(option host-name, config-option-host-name, client-name, noname);
    log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
    # Script arguments: action, IP, DHCID, name.
    execute("/usr/local/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
}

# Fires when a client releases its lease; asks dhcp-dyndns.sh to delete the record.
on release {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    # Same zero-padded, colon-separated MAC construction as in "on commit".
    set ClientDHCID = concat (
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2)
    );
    log(concat("Release: IP: ", ClientIP));
    # Note: no name argument is passed here (only action, IP, DHCID), unlike "on commit";
    # the script must cope with the missing fourth argument.
    execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}

# Fires when a lease expires without a release; only the IP is known at this point.
on expiry {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    # cannot get a ClientMac here, apparently this only works when actually receiving a packet
    log(concat("Expired: IP: ", ClientIP));
    # cannot get a ClientName here, for some reason that always fails
    # The script therefore gets an empty DHCID and "0" as the name, so any deletion it
    # performs can only be keyed on the IP address — NOTE(review): confirm the script
    # handles this case and does not leave stale records behind.
    execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
}
