Currently we mark dynamic dns updates as 'static' and rpc updates dynamic.
Hi, the text on the site https://wiki.samba.org/index.php/Samba_4.9_Features_added/changed suggests that this bug exists in older versions, which suggests it is fixed in newer Samba versions, but it's unclear if this is fixed or not since the bug report is still open. A small update would be much appreciated.
This bug is related to https://bugzilla.samba.org/show_bug.cgi?id=13926; due to these mismatches, DDNS updates might go wrong.
This got fixed as part of bug #10812 for 4.9.0
Is there a dbcheck for this yet? On my installation I'm still seeing some static updates marked as dynamic and some dynamic ones as static.
(In reply to Alex MacCuish from comment #4) No, not yet, that's the hard part :-( It's not clear how dbcheck could detect records which should be cleaned up. One idea would be looking at the owner in the ntSecurityDescriptor, and if it's related to a computer account we could fix the timestamp to the value of the dnsRecord stamp in replPropertyMetaData.
(In reply to Stefan Metzmacher from comment #5) And all records not owned by a computer are static.
I'm reopening this for the missing dbcheck addition.
(In reply to Stefan Metzmacher from comment #5) My main use will be for Apple devices joined to AD. They have an annoying habit of never deleting their IPv6 addresses (they frequently create new ones, privacy extensions etc.), so some of my machines end up having hundreds of AAAA records. Just checking through the ACLs on my DNS records, your idea of checking to see if the owner SID is a computer account looks pretty reasonable. Either that, or a command for samba-tool dns to allow an admin to manually correct the records :) The only question is the DC SRV records. Are these meant to be static or dynamic? They seem to be owned by "SYSTEM" but I have a mix of dynamic and static there; a newly promoted DC has set its records as static, but other DCs have timestamps.
(In reply to Alex MacCuish from comment #8) I think records owned by SYSTEM should be static, but we'd need to check in a Windows domain.
(In reply to Stefan Metzmacher from comment #9) Even if not in Windows, I think it might get us out of the pickle.
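The ownership heuristic discussed in comments #5, #6 and #9, as an added example that is not Samba or dbcheck code and not from any commenter: it reads dwTimeStamp from each dnsRecord blob (MS-DNSP layout, 0 meaning static) and reports records whose static/dynamic state disagrees with their owner. It assumes the caller has already extracted each record's owner SID and the set of computer-account SIDs; all SIDs, DNs and records below are constructed, and it only reports, it does not rewrite timestamps.

```python
import struct
from datetime import datetime, timedelta, timezone

# MS-DNSP dnsRecord header (24 bytes): wDataLength, wType, Version, Rank,
# wFlags, dwSerial, dwTtlSeconds (kept raw), dwReserved, dwTimeStamp.
HEADER = struct.Struct("<HHBBHI4sII")
SYSTEM_SID = "S-1-5-18"

def parse_stamp(blob):
    """Return dwTimeStamp (hours since 1601-01-01 UTC; 0 means static)."""
    if len(blob) < HEADER.size:
        raise ValueError("dnsRecord shorter than its 24-byte header")
    fields = HEADER.unpack_from(blob)
    if len(blob) - HEADER.size < fields[0]:
        raise ValueError("dnsRecord payload truncated")
    return fields[-1]

def stamp_to_utc(hours):
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(hours=hours)

def audit(records, computer_sids):
    """records: iterable of (dn, owner_sid, dnsRecord blob). Returns mismatches."""
    findings = []
    for dn, owner_sid, blob in records:
        stamp = parse_stamp(blob)
        # Heuristic from the thread: computer-owned records are dynamic,
        # everything else (SYSTEM included) is static.
        want_dynamic = owner_sid in computer_sids
        if want_dynamic and stamp == 0:
            findings.append((dn, "static, expected dynamic"))
        elif not want_dynamic and stamp != 0:
            findings.append((dn, f"dynamic since {stamp_to_utc(stamp):%Y-%m-%d}, expected static"))
    return findings

def make_record(rtype, stamp, data):
    """Build a constructed dnsRecord blob for the sample below."""
    return HEADER.pack(len(data), rtype, 5, 0xF0, 0, 1, (900).to_bytes(4, "big"), 0, stamp) + data

# Constructed sample data: SIDs, DNs and records are invented for this example.
MAC01 = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE = [
    ("DC=mac01,DC=example.test", MAC01, make_record(28, 0, bytes(16))),  # AAAA, wrongly static
    ("DC=mac01-ok,DC=example.test", MAC01, make_record(28, 3700000, bytes(16))),
    ("DC=_ldap._tcp,DC=example.test", SYSTEM_SID, make_record(33, 3700000, bytes(8))),
    ("DC=www,DC=example.test", MAC01[:-4] + "500", make_record(1, 0, bytes(4))),
]

if __name__ == "__main__":
    for dn, problem in audit(SAMPLE, {MAC01}):
        print(dn, "->", problem)
```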
metze, I want to fix this. Do you have work in progress that I should be aware of?
Can we fix this problem with `samba-tool dns zoneoptions --mark-old-records-static=...` introduced at Samba 4.15.0?
(In reply to SATOH Fumiyasu from comment #12)
> Can we fix this problem with `samba-tool dns zoneoptions --mark-old-records-static=...` introduced at Samba 4.15.0?
Yes, or at least, almost. That option (and --mark-records-dynamic-regex, --mark-records-static-regex) should work to fix up any existing domains, but it won't automatically fix damaged domains, as the hypothetical dbcheck rule would. The most likely outcome for this bug report is it will linger for a few years before being closed as WONTFIX.