Samba AD: huge DNS files in /var/lib/samba/{bind-dns/dns,private}/sam.ldb.d/

We have a small Samba AD server with around 20 users and 70 machines (including phones, printers, etc.).

The DC=DOMAINDNSZONES... .ldb files under /var/lib/samba/private/sam.ldb.d/ and /var/lib/samba/bind-dns/dns/sam.ldb.d/ are over 600 MB and keep growing.

I tried to run samba-tool dbcheck --cross-ncs. It listed 47 "expired tombstones" and ended with "Checked 122451 objects (0 errors)".

Running samba-tool domain tombstones expunge removed these, but there are still 122400 "objects" in this file (for the 70 machines in the network!?).

So what could be wrong, and how could I fix it?

The server runs Debian 11.7 with Samba 4.13.13.

Below are some excerpts of the configuration.

# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_ACTIVE_DIRECTORY_DC

# Global parameters
[global]
    dns forwarder = 8.8.8.8 8.8.4.4
    passdb backend = samba_dsdb
    realm = LAN.EXAMPLE.COM
    reset on zero vc = Yes
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    template homedir = /home/users/%U
    workgroup = LAN
    rpc_server:tcpip = no
    rpc_daemon:spoolssd = embedded
    rpc_server:spoolss = embedded
    rpc_server:winreg = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:eventlog = embedded
    rpc_server:srvsvc = embedded
    rpc_server:svcctl = embedded
    rpc_server:default = external
    winbindd:use external pipes = true
    idmap_ldb:use rfc2307 = yes
    idmap config * : backend = tdb
    csc policy = disable
    hide files = /._*/.DS_Store/.Spotlight-V100/desktop.ini/
    map acl inherit = Yes
    map archive = No
    vfs objects = dfs_samba4 acl_xattr

# cat /var/lib/samba/bind-dns/named.conf
dlz "AD DNS Zone" {
    # For BIND 9.11.x
     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};

# cat /etc/bind/named.conf.local
include "/etc/bind/rndc.key";
include "/var/lib/samba/bind-dns/named.conf";

# dig -t AXFR lan.example.com | egrep '\s+A\s+' | wc -l
43

# dig -t AXFR lan.example.com | egrep '\s+A\s+'
lan.example.com.        900    IN    A    192.168.4.3
snom725-8B4089.lan.example.com. 900 IN    A    192.168.4.107
tel-2608.lan.example.com.    900    IN    A    192.168.4.107
[...etc.]
DomainDnsZones.lan.example.com. 900 IN    A    192.168.4.3
ForestDnsZones.lan.example.com. 900 IN    A    192.168.4.3

And in /etc/dhcp/dhcpd.conf, the settings are copied from https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

on commit {
    set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    set ClientDHCID = concat (
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2)
    );
    set ClientName = pick-first-value(option host-name, config-option-host-name, client-name, noname);
    log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
    execute("/usr/local/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
}

on release {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    set ClientDHCID = concat (
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2)
    );
    log(concat("Release: IP: ", ClientIP));
    execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}

on expiry {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    # cannot get a ClientMac here, apparently this only works when actually receiving a packet
    log(concat("Expired: IP: ", ClientIP));
    # cannot get a ClientName here, for some reason that always fails
    execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
}
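
The question compares dbcheck's object count with the number of A records that AXFR returns, but neither command says what the objects in the DomainDnsZones partition actually are. The script below is an added example, not part of the original post or of Samba: it reads the LDIF that ldbsearch emits for the partition and, per zone, counts dnsNode entries that are live versus marked dNSTombstoned: TRUE, which is how Samba marks a DNS name whose records were removed by a dynamic update; such nodes stay in the partition until garbage collection removes them, so they are the first thing to look at when a DNS partition is far larger than the number of hosts. The sample LDIF embedded in the script is constructed (the names dhcp-192-168-4-150/151 and the zone layout are assumptions following the naming the dhcpd.conf hooks above would produce); against a real DC, replace sample_ldif with the ldbsearch command shown in the comment and run it as root.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): classify the
# dnsNode objects of a Samba AD DNS partition from ldbsearch LDIF output.
# Each dnsNode is one DNS name; "dNSTombstoned: TRUE" marks a name whose
# records were deleted by a dynamic update and that still occupies the partition.

# Constructed sample standing in for real ldbsearch output. Record 4 carries a
# folded DN (LDIF continuation line starting with a space) to show that the
# parser unfolds it. Hostnames and IPs are hypothetical.
sample_ldif() {
    cat <<'EOF'
# record 1
dn: DC=@,DC=lan.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=lan,DC=example,DC=com
objectClass: dnsNode
name: @

# record 2
dn: DC=tel-2608,DC=lan.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=lan,DC=example,DC=com
objectClass: dnsNode
name: tel-2608

# record 3
dn: DC=dhcp-192-168-4-150,DC=lan.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=lan,DC=example,DC=com
objectClass: dnsNode
name: dhcp-192-168-4-150
dNSTombstoned: TRUE

# record 4
dn: DC=dhcp-192-168-4-151,DC=lan.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,
 DC=lan,DC=example,DC=com
objectClass: dnsNode
name: dhcp-192-168-4-151
dNSTombstoned: TRUE

# record 5
dn: DC=150,DC=4.168.192.in-addr.arpa,CN=MicrosoftDNS,DC=DomainDnsZones,DC=lan,DC=example,DC=com
objectClass: dnsNode
name: 150
dNSTombstoned: TRUE

# returned 5 records
EOF
}

# dns_nodes_report MODE  (reads LDIF on stdin)
#   MODE=summary     -> one line per zone: "<zone> <live nodes> <tombstoned nodes>"
#   MODE=tombstoned  -> the DN of every tombstoned node, one per line
dns_nodes_report() {
    awk -v mode="${1:-summary}" '
    # Account for the record currently being read (if any) and reset state.
    function flush(    n, parts, zone) {
        if (dn == "") return
        n = split(dn, parts, ",")
        # Node DNs look like DC=<name>,DC=<zone>,CN=MicrosoftDNS,...: the
        # second RDN value is the zone the node belongs to.
        zone = (n >= 2) ? substr(parts[2], 4) : "?"
        seen[zone] = 1
        if (tomb) {
            tomb_n[zone]++
            if (mode == "tombstoned") print dn
        } else {
            live_n[zone]++
        }
        dn = ""
    }
    # Handle one logical (already unfolded) LDIF line.
    function handle(line) {
        if (line ~ /^dn: /)                     { flush(); dn = substr(line, 5); tomb = 0 }
        else if (line ~ /^dNSTombstoned: TRUE/) { tomb = 1 }
        else if (line == "")                    { flush() }
    }
    # LDIF folds long values: a continuation line starts with a single space.
    /^ / { buf = buf substr($0, 2); next }
    { handle(buf); buf = $0 }
    END {
        handle(buf); flush()
        if (mode == "summary")
            for (z in seen) printf "%s %d %d\n", z, live_n[z] + 0, tomb_n[z] + 0
    }' | sort
}

# Stand-alone run on the constructed sample. On a real DC, pipe in (as root):
#   ldbsearch -H /var/lib/samba/private/sam.ldb --cross-ncs \
#       -b DC=DomainDnsZones,DC=lan,DC=example,DC=com '(objectClass=dnsNode)' dNSTombstoned
# and repeat with -b DC=ForestDnsZones,DC=lan,DC=example,DC=com for the forest partition.
sample_ldif | dns_nodes_report summary
```

On the sample this prints "4.168.192.in-addr.arpa 0 1" and "lan.example.com 2 2". On the real partition, the split between live and tombstoned nodes tells you whether the 122400 objects are names the DC still serves, names that dynamic updates have deleted and that are waiting for garbage collection, or something else entirely (in which case broaden the filter beyond objectClass=dnsNode); and listing the tombstoned DNs with the tombstoned mode shows whether most of them follow the dhcp-a-b-c-d pattern of the noname fallback in the on commit hook above, which would point at the DHCP hooks as the source of the churn.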