Samba AD:/var/lib/samba/{bind-dns/dns,private}/sam.ldb.d/ 中的巨大 DNS 文件


我们有一个小型 Samba AD 服务器,大约有 20 个用户和 70 台机器(包括电话、打印机等)。

/var/lib/samba/private/sam.ldb.d/ 和 /var/lib/samba/bind-dns/dns/sam.ldb.d/ 下的 DC=DOMAINDNSZONES... .ldb 文件超过 600 MB,并且持续增长。

我尝试运行 samba-tool dbcheck --cross-ncs。它列出了 47 个“过期的墓碑(expired tombstones)”,并以“已检查 122451 个对象(0 个错误)”结尾。

运行 samba-tool domain tombstones expunge 删除了这些墓碑,但此文件中仍然有 122400 个“对象”(而网络中只有 70 台机器!?)。

那么可能是什么问题?我该如何解决?

该服务器运行带有 Samba 4.13.13 的 Debian 11.7。

以下是一些配置的摘录。

# testparm -s
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed
Server role: ROLE_ACTIVE_DIRECTORY_DC

# Global parameters
[global]
    dns forwarder = 8.8.8.8 8.8.4.4
    passdb backend = samba_dsdb
    realm = LAN.EXAMPLE.COM
    reset on zero vc = Yes
    server role = active directory domain controller
    server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
    template homedir = /home/users/%U
    workgroup = LAN
    rpc_server:tcpip = no
    rpc_daemon:spoolssd = embedded
    rpc_server:spoolss = embedded
    rpc_server:winreg = embedded
    rpc_server:ntsvcs = embedded
    rpc_server:eventlog = embedded
    rpc_server:srvsvc = embedded
    rpc_server:svcctl = embedded
    rpc_server:default = external
    winbindd:use external pipes = true
    idmap_ldb:use rfc2307 = yes
    idmap config * : backend = tdb
    csc policy = disable
    hide files = /._*/.DS_Store/.Spotlight-V100/desktop.ini/
    map acl inherit = Yes
    map archive = No
    vfs objects = dfs_samba4 acl_xattr
# cat /var/lib/samba/bind-dns/named.conf
dlz "AD DNS Zone" {
    # For BIND 9.11.x
     database "dlopen /usr/lib/x86_64-linux-gnu/samba/bind9/dlz_bind9_11.so";
};
# cat /etc/bind/named.conf.local
include "/etc/bind/rndc.key";
include "/var/lib/samba/bind-dns/named.conf";
# dig -t AXFR lan.example.com | egrep '\s+A\s+' | wc -l
43

# dig -t AXFR lan.example.com | egrep '\s+A\s+'
lan.example.com.        900    IN    A    192.168.4.3
snom725-8B4089.lan.example.com. 900 IN    A    192.168.4.107
tel-2608.lan.example.com.    900    IN    A    192.168.4.107
[...etc.]
DomainDnsZones.lan.example.com. 900 IN    A    192.168.4.3
ForestDnsZones.lan.example.com. 900 IN    A    192.168.4.3

以及 /etc/dhcp/dhcpd.conf,其中的设置复制自 https://wiki.samba.org/index.php/Configure_DHCP_to_update_DNS_records_with_BIND9

# Fires on every lease commit, i.e. for new leases and for renewals alike,
# so "dhcp-dyndns.sh add" is executed each time a client renews.
# NOTE(review): if the script creates a new DNS object per "add" instead of
# updating the existing one, every renewal grows the DomainDnsZones
# partition — confirm against /usr/local/bin/dhcp-dyndns.sh.
on commit {
    # Fallback name "dhcp-A-B-C-D" derived from the leased address, used only
    # when none of the hostname sources below yields a value.
    set noname = concat("dhcp-", binary-to-ascii(10, 8, "-", leased-address));
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    # Client MAC rendered as six zero-padded, colon-separated hex octets.
    # Byte 0 of "hardware" is the hardware type, so bytes 1..6 are used.
    set ClientDHCID = concat (
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2)
    );
    # First non-empty of: hostname sent by the client (option 12), the
    # server-configured hostname, the client name, then the fallback.
    # "option host-name" is client-supplied and therefore untrusted; the
    # script receiving it must validate it before putting it into a DNS update.
    set ClientName = pick-first-value(option host-name, config-option-host-name, client-name, noname);
    log(concat("Commit: IP: ", ClientIP, " DHCID: ", ClientDHCID, " Name: ", ClientName));
    # Arguments: add <ip> <dhcid> <name>
    execute("/usr/local/bin/dhcp-dyndns.sh", "add", ClientIP, ClientDHCID, ClientName);
}

# Fires when a client explicitly releases its lease; removes the record
# that "on commit" added.
on release {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    # Same MAC-to-hex rendering as in "on commit"; the two must stay
    # identical so the delete matches the record created on commit.
    set ClientDHCID = concat (
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,1,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,2,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,3,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,4,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,5,1))),2), ":",
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring(hardware,6,1))),2)
    );
    log(concat("Release: IP: ", ClientIP));
    # Arguments: delete <ip> <dhcid>  (no name, unlike the "add" call)
    execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
}

# Fires when a lease expires without a release.  No client packet is being
# processed here, so neither the MAC nor the hostname is available and the
# script is given only the IP.
on expiry {
    set ClientIP = binary-to-ascii(10, 8, ".", leased-address);
    # cannot get a ClientMac here, apparently this only works when actually receiving a packet
    log(concat("Expired: IP: ", ClientIP));
    # cannot get a ClientName here, for some reason that always fails
    # NOTE(review): this call passes an empty DHCID plus an extra "0"
    # argument, whereas "on release" passes exactly <ip> <dhcid>; confirm
    # that dhcp-dyndns.sh handles both argument shapes, since an expiry that
    # fails to delete would leave stale records behind.
    execute("/usr/local/bin/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
}
