Samba AD: огромные файлы DNS в /var/lib/samba/{bind-dns/dns,private}/sam.ldb.d/

У нас есть небольшой сервер Samba AD с примерно 20 пользователями и 70 машинами (включая телефоны, принтеры и т. д.).

Файлы DC=DOMAINDNSZONES....ldb в /var/lib/samba/private/sam.ldb.d/ и /var/lib/samba/bind-dns/dns/sam.ldb.d/ занимают более 600 МБ и продолжают расти.

Я попробовал запустить samba-tool dbcheck --cross-ncs. Команда перечислила 47 «просроченных tombstones» (объектов-«надгробий» с истёкшим сроком хранения) и завершилась сообщением «Проверено 122451 объектов (0 ошибок)».

Запуск samba-tool domain tombstones expunge удалил их, но в этом файле по-прежнему 122400 «объектов» (для 70 машин в сети!?).

Итак, что может быть не так, и как я могу это исправить?

На сервере работает Debian 11.7 с Samba 4.13.13.

Ниже приведены некоторые выдержки из конфигурации.

# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_ACTIVE_DIRECTORY_DC

# Global parameters
# [global] section of the DC's smb.conf as printed by `testparm -s`.
# (testparm also printed "Weak crypto is allowed" above this section; that is
# unrelated to the database growth but is worth reviewing on its own.)
[global]
    # Non-authoritative queries are forwarded to Google's public resolvers,
    # so internal lookup names leave the LAN.
    dns forwarder = 8.8.8.8 8.8.4.4
    passdb backend = samba_dsdb
    realm = LAN.EXAMPLE.COM
    reset on zero vc = Yes
    server role = active directory domain controller
    # 'dnsupdate' is enabled, i.e. the DC periodically refreshes its own DNS
    # records; together with the dhcpd hooks further down this means DNS
    # writes into DomainDnsZones come from two sources -- presumably the
    # churn behind the growing .ldb files, to be confirmed.
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    template homedir = /home/users/%U
    workgroup = LAN
    # RPC layout: no TCP/IP endpoints; the pipes listed below run inside
    # smbd, every other pipe is served by an external daemon.
    rpc_server:tcpip = no
    rpc_daemon:spoolssd = embedded
    rpc_server:spoolss = embedded
    rpc_server:winreg = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:eventlog = embedded
    rpc_server:srvsvc = embedded
    rpc_server:svcctl = embedded
    rpc_server:default = external
    winbindd:use external pipes = true
    # ID mapping: RFC2307 attributes from the directory where present,
    # tdb-allocated IDs for everything else ('*').
    idmap_ldb:use rfc2307 = yes
    idmap config * : backend = tdb
    # Client-side (offline) caching of shares is turned off.
    csc policy = disable
    # Hide macOS/Windows metadata clutter from share listings.
    hide files = /._*/.DS_Store/.Spotlight-V100/desktop.ini/
    # Windows ACL inheritance is honoured and ACLs are stored via acl_xattr.
    map acl inherit = Yes
    map archive = No
    vfs objects = dfs_samba4 acl_xattr
# cat /var/lib/samba/bind-dns/named.conf
# Samba's BIND9 DLZ plugin: BIND serves the AD-integrated zones out of the
# Samba directory -- presumably the sam.ldb.d copy under bind-dns/dns that
# is growing alongside the one in private/.
dlz "AD DNS Zone" {
    # For BIND 9.11.x -- the dlz_bind9_*.so chosen here has to match the
    # major/minor version of the installed BIND.
     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
# cat /etc/bind/named.conf.local
# Pull in the rndc control key and Samba's generated DLZ stanza so that BIND
# loads the AD zones.
include "/etc/bind/rndc.key";
include "/var/lib/samba/bind-dns/named.conf";
# dig -t AXFR lan.example.com | egrep '\s+A\s+' | wc -l
43

# dig -t AXFR lan.example.com | egrep '\s+A\s+'
lan.example.com.        900    IN    A    192.168.4.3
snom725-8B4089.lan.example.com. 900 IN    A    192.168.4.107
tel-2608.lan.example.com.    900    IN    A    192.168.4.107
[...etc.]
DomainDnsZones.lan.example.com. 900 IN    A    192.168.4.3
ForestDnsZones.lan.example.com. 900 IN    A    192.168.4.3

А в /etc/dhcp/dhcpd.conf настройки скопированы из https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

# dhcpd event hook (from the Samba wiki recipe): on every lease commit, build
# the client's IP, a MAC-derived DHCID and a name, then hand them to the
# helper script that registers the client in AD DNS.
# NOTE(review): 'commit' also fires on lease renewals, so "add" is invoked
# again and again for the same client; whether each call creates a new
# record/object in the zone depends on dhcp-dyndns.sh -- worth checking
# against the growth described above.
on commit {
    # Fallback name "dhcp-a-b-c-d" built from the leased address; used only
    # when the client sent no host name and none is configured server-side.
    set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    # Bytes 1..6 of 'hardware' rendered as zero-padded hex, colon-separated
    # (index 0 is skipped -- presumably it holds the hardware type).
    set ClientDHCID = concat (
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2)
    );
    # NOTE(review): 'option host-name' is chosen by the client, so ClientName
    # is untrusted input that ends up as a DNS record name. execute() hands
    # it over as a separate argument rather than a shell string, so the
    # validation burden is on dhcp-dyndns.sh -- confirm the script does it.
    set ClientName = pick-first-value(option host-name, config-option-host-name, client-name, noname);
    log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
    execute("/usr/local/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
}

# dhcpd event hook: when a client explicitly releases its lease, ask the
# helper script to remove the record, identified by IP and MAC-derived DHCID
# (no host name is passed on this path).
on release {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    # Same DHCID construction as in the commit hook above.
    set ClientDHCID = concat (
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2)
    );
    log(concat("Release: IP: ", ClientIP));
    execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}

# dhcpd event hook: when a lease times out without a release, remove the
# record by IP only. Unlike the release hook, neither the MAC nor the host
# name is available here, so the DHCID slot is passed empty and the name
# slot as "0" -- presumably sentinel values the script knows how to treat;
# verify in dhcp-dyndns.sh that a delete keyed only by IP really removes
# the stale record, otherwise expired leases accumulate in the zone.
on expiry {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    # cannot get a ClientMac here, apparently this only works when actually receiving a packet
    log(concat("Expired: IP: ", ClientIP));
    # cannot get a ClientName here, for some reason that always fails
    execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
}
