Problem: There are many conflict objects among the DNS entries.
A conflict arises when a Samba/AD DC receives a change via DRS replication and an object with the same DN already exists locally. Instead of letting two different objects exist under one DN, the DC renames one of them to "<rdn>\0ACNF:<objectGUID>" (the "\0A" is an escaped newline inside the RDN, and the GUID is the renamed object's own objectGUID, as record 1 below shows). This is essentially the "proper" way to keep the directory consistent. The open question is how the conflict arose in the first place. It can happen if DCs have not replicated with each other for a long time and an object with the same name is created on two DCs. There may be other cases involving modify operations, but the DRS algorithm for conflict resolution is actually quite advanced.
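The following Python script is an added example, not part of the original notes and not Samba code. It uses the naming convention just described to pair every conflict object in an LDIF dump with the object that holds the plain DN, checks that the GUID embedded in the CNF name really is that object's objectGUID, reports which side has the later whenChanged, and prints the dbcheck command for the zone. The LDIF is constructed to mirror the two meinhost records from the investigation plus one orphaned conflict object whose sibling no longer exists; all helper names are mine.

```python
import re

# Constructed sample: a trimmed univention-s4search / ldbsearch LDIF dump.
# Records 1 and 2 mirror the two meinhost objects; record 3 is an orphaned
# conflict object whose plain-named sibling no longer exists.
# Raw string, so the "\0A" newline escape inside the DN stays literal.
SAMPLE_LDIF = r"""
# record 1
dn: DC=meinhost\0ACNF:5b1dc832-0222-4ce7-b587-390c7c67d5e9,DC=schein.cat,CN=MicrosoftDNS,DC=DomainDnsZones,DC=schein,DC=cat
objectClass: top
objectClass: dnsNode
whenCreated: 20260428133606.0Z
whenChanged: 20260428133606.0Z
uSNChanged: 5302
objectGUID: 5b1dc832-0222-4ce7-b587-390c7c67d5e9

# record 2
dn: DC=meinhost,DC=schein.cat,CN=MicrosoftDNS,DC=DomainDnsZones,DC=schein,DC=cat
objectClass: top
objectClass: dnsNode
whenCreated: 20260428133559.0Z
whenChanged: 20260428133559.0Z
uSNChanged: 5301
objectGUID: ac3620fd-b525-4a48-a9db-ceacba17c16f

# record 3
dn: DC=otherhost\0ACNF:0f0f0f0f-1111-2222-3333-444444444444,DC=schein.cat,CN=MicrosoftDNS,DC=DomainDnsZones,DC=schein,DC=cat
objectClass: dnsNode
whenChanged: 20260301080000.0Z
uSNChanged: 4100
objectGUID: 0f0f0f0f-1111-2222-3333-444444444444

# returned 3 records
"""

# "\0A" is how ldb escapes the newline that separates the RDN from "CNF:<guid>".
CNF_RE = re.compile(r"\\0ACNF:([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})")


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts; comments and blank lines end a record."""
    records, current, last = [], {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            if current:
                records.append(current)
            current, last = {}, None
            continue
        if line.startswith(" ") and last:          # folded continuation line
            current[last][-1] += line[1:]
            continue
        key, _, value = line.partition(":")
        # "attr:: value" marks a base64 value; it is kept undecoded here
        value = value[1:].strip() if value.startswith(":") else value.strip()
        current.setdefault(key, []).append(value)
        last = key
    if current:
        records.append(current)
    return records


def find_conflicts(records):
    """Pair every CNF object with the object holding the plain DN (live is None if orphaned)."""
    by_dn = {r["dn"][0]: r for r in records if "dn" in r}
    pairs = []
    for dn, rec in by_dn.items():
        m = CNF_RE.search(dn)
        if not m:
            continue
        plain_dn = dn[:m.start()] + dn[m.end():]
        pairs.append({
            "conflict_dn": dn,
            "conflict": rec,
            "guid_matches": m.group(1).lower() == rec.get("objectGUID", [""])[0].lower(),
            "plain_dn": plain_dn,
            "live": by_dn.get(plain_dn),
        })
    return pairs


def newer_side(pair):
    """'conflict', 'live' or 'tie' by whenChanged; None when the live object is missing."""
    if pair["live"] is None:
        return None
    c = pair["conflict"].get("whenChanged", [""])[0]
    l = pair["live"].get("whenChanged", [""])[0]
    return "conflict" if c > l else "live" if l > c else "tie"


def report(pairs):
    """Summary per pair plus the dbcheck command for the zone the node lives in."""
    lines = []
    for p in pairs:
        zone_dn = p["plain_dn"].split(",", 1)[1]   # parent of the node (no escaped commas in DNS node RDNs)
        lines.append("conflict object: %s" % p["conflict_dn"])
        lines.append("  plain DN %s: %s" % ("present" if p["live"] else "MISSING", p["plain_dn"]))
        lines.append("  GUID in name matches objectGUID: %s" % p["guid_matches"])
        if newer_side(p):
            lines.append("  newer by whenChanged: %s" % newer_side(p))
        lines.append("  samba-tool dbcheck --cross-ncs '%s' --check-for-conflicts" % zone_dn)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(find_conflicts(parse_ldif(SAMPLE_LDIF))))
```

Feed it the output of `univention-s4search --cross-ncs --show-deleted 'DC=*CNF:*'` (or the equivalent ldbsearch) instead of the constructed sample to get the same pairing for a real domain.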
Investigation:
root@dc01:~# univention-s4search --cross-ncs --show-binary --show-deleted DC=meinhost*
# record 1
dn: DC=meinhost\0ACNF:5b1dc832-0222-4ce7-b587-390c7c67d5e9,DC=schein.cat,CN=MicrosoftDNS,DC=DomainDnsZones,DC=schein,DC=cat
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20260428133606.0Z
whenChanged: 20260428133606.0Z
uSNCreated: 5302
uSNChanged: 5302
showInAdvancedViewOnly: TRUE
name: meinhost
objectGUID: 5b1dc832-0222-4ce7-b587-390c7c67d5e9
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength              : 0x0004 (4)
    wType                    : DNS_TYPE_A (1)
    version                  : 0x05 (5)
    rank                     : DNS_RANK_ZONE (240)
    flags                    : 0x0000 (0)
    dwSerial                 : 0x00000001 (1)
    dwTtlSeconds             : 0x00000384 (900)
    dwReserved               : 0x00000000 (0)
    dwTimeStamp              : 0x00000000 (0)
    data                     : union dnsRecordData(case 1)
        ipv4                 : 10.200.43.234
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=schein,DC=cat
dc: meinhost
CNF:5b1dc832-0222-4ce7-b587-390c7c67d5e9
distinguishedName: DC=meinhost\0ACNF:5b1dc832-0222-4ce7-b587-390c7c67d5e9,DC=schein.cat,CN=MicrosoftDNS,DC=DomainDnsZones,DC=schein,DC=cat
# record 2
dn: DC=meinhost,DC=schein.cat,CN=MicrosoftDNS,DC=DomainDnsZones,DC=schein,DC=cat
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20260428133559.0Z
whenChanged: 20260428133559.0Z
uSNCreated: 5301
uSNChanged: 5301
showInAdvancedViewOnly: TRUE
name: meinhost
objectGUID: ac3620fd-b525-4a48-a9db-ceacba17c16f
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength              : 0x0004 (4)
    wType                    : DNS_TYPE_A (1)
    version                  : 0x05 (5)
    rank                     : DNS_RANK_ZONE (240)
    flags                    : 0x0000 (0)
    dwSerial                 : 0x00000051 (81)
    dwTtlSeconds             : 0x00000384 (900)
    dwReserved               : 0x00000000 (0)
    dwTimeStamp              : 0x00000000 (0)
    data                     : union dnsRecordData(case 1)
        ipv4                 : 10.200.43.234
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=schein,DC=cat
dc: meinhost
distinguishedName: DC=meinhost,DC=schein.cat,CN=MicrosoftDNS,DC=DomainDnsZones,DC=schein,DC=cat
# returned 2 records
# 2 entries
# 0 referrals
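The dnsRecord attribute in both records is the NDR-encoded dnsp_DnssrvRpcRecord structure that --show-binary decodes. When only a plain ldbsearch dump is available the value arrives base64-encoded ("dnsRecord:: ..."), so the following Python codec is an added example, not part of the original notes or of Samba, for decoding such blobs and comparing the two conflicting objects field by field. The two sample blobs are constructed here from the values printed above (same A record and TTL, dwSerial 1 versus 81); the layout follows Samba's dnsp.idl, where every header field is little-endian except dwTtlSeconds, which is stored big-endian. All function names are mine.

```python
import ipaddress
import struct

# Layout of dnsp_DnssrvRpcRecord (Samba librpc/idl/dnsp.idl, MS-DNSP 2.3.2.2):
# 24-byte header followed by the type-specific payload ("data").
DNS_TYPE_A = 1
DNS_RANK_ZONE = 0xF0                 # shown as DNS_RANK_ZONE (240) in the dump above

_HEAD = struct.Struct("<HHBBHI")     # wDataLength, wType, version, rank, flags, dwSerial
_TTL = struct.Struct(">I")           # dwTtlSeconds is the one big-endian field
_TAIL = struct.Struct("<II")         # dwReserved, dwTimeStamp
HEADER_LEN = _HEAD.size + _TTL.size + _TAIL.size   # 24


def encode_a_record(ipv4, serial, ttl, rank=DNS_RANK_ZONE, version=5, flags=0, timestamp=0):
    """Build the dnsRecord blob for one A record (used here to construct the sample input)."""
    data = ipaddress.IPv4Address(ipv4).packed
    return (_HEAD.pack(len(data), DNS_TYPE_A, version, rank, flags, serial)
            + _TTL.pack(ttl) + _TAIL.pack(0, timestamp) + data)


def decode_record(blob):
    """Decode one dnsRecord value into a dict; refuses truncated or inconsistent blobs."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dnsRecord shorter than its 24-byte header")
    data_len, wtype, version, rank, flags, serial = _HEAD.unpack_from(blob, 0)
    (ttl,) = _TTL.unpack_from(blob, _HEAD.size)
    reserved, timestamp = _TAIL.unpack_from(blob, _HEAD.size + _TTL.size)
    data = blob[HEADER_LEN:HEADER_LEN + data_len]
    if len(data) != data_len:
        raise ValueError("wDataLength %d exceeds the %d payload bytes present"
                         % (data_len, len(blob) - HEADER_LEN))
    rec = {"wType": wtype, "version": version, "rank": rank, "flags": flags,
           "dwSerial": serial, "dwTtlSeconds": ttl, "dwTimeStamp": timestamp}
    if wtype == DNS_TYPE_A and data_len == 4:
        rec["ipv4"] = str(ipaddress.IPv4Address(data))
    else:
        rec["data"] = data.hex()     # other record types are left undecoded in this example
    return rec


def same_payload(a, b):
    """True when two decoded records would answer a query identically (same type and data)."""
    if a["wType"] != b["wType"]:
        return False
    return a.get("ipv4", a.get("data")) == b.get("ipv4", b.get("data"))


def compare_blobs(blob_a, blob_b):
    """Decode both blobs and report payload equality and which side carries the higher serial."""
    a, b = decode_record(blob_a), decode_record(blob_b)
    if a["dwSerial"] > b["dwSerial"]:
        higher = "a"
    elif b["dwSerial"] > a["dwSerial"]:
        higher = "b"
    else:
        higher = "equal"
    return {"same_payload": same_payload(a, b), "higher_serial": higher, "a": a, "b": b}


# Constructed sample blobs mirroring the two objects in the dump above:
# record 1 (the CNF object) has dwSerial 1, record 2 has dwSerial 81.
CNF_BLOB = encode_a_record("10.200.43.234", serial=1, ttl=900)
LIVE_BLOB = encode_a_record("10.200.43.234", serial=81, ttl=900)

if __name__ == "__main__":
    result = compare_blobs(CNF_BLOB, LIVE_BLOB)
    for label, rec in (("CNF ", result["a"]), ("live", result["b"])):
        print("%s: serial=%d ttl=%d %s" % (label, rec["dwSerial"], rec["dwTtlSeconds"], rec["ipv4"]))
    print("same payload:", result["same_payload"], "/ higher serial:", result["higher_serial"])
```

For a real object, base64-decode the "dnsRecord::" value from ldbsearch and pass the bytes to decode_record; a node with several records has one dnsRecord value per record.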
Check which entry is really used:
samba-tool dns query localhost schein.cat meinhost A -P
Cannot do GSSAPI to an IP address
Name=, Records=1, Children=0
A: 10.200.43.234 (flags=f0, serial=312256, ttl=1200)
Tools to remove the conflicting objects
Find the entries so the two objects can be compared:
samba-tool dbcheck --cross-ncs DC=schein.cat,CN=MicrosoftDNS,DC=DomainDnsZones,DC=schein,DC=cat --check-for-conflicts
Then choose interactively how each conflicting object is handled (--fix). Compare the two objects first (content, whenChanged, dwSerial, and the answer the DNS server actually gives) so that the object which is really in use is the one that keeps the plain DN:
samba-tool dbcheck --cross-ncs DC=schein.cat,CN=MicrosoftDNS,DC=DomainDnsZones,DC=schein,DC=cat --check-for-conflicts --fix
Delete the conflict object or rename it to DC=meinhost,DC=schein.cat,CN=MicrosoftDNS,DC=DomainDnsZones,DC=schein,DC=cat?
[1] delete the conflict object DC=meinhost\0ACNF:5b1dc832-0222-4ce7-b587-390c7c67d5e9,DC=schein.cat,CN=MicrosoftDNS,DC=DomainDnsZones,DC=schein,DC=cat
[2] rename the conflict object DC=meinhost\0ACNF:5b1dc832-0222-4ce7-b587-390c7c67d5e9,DC=schein.cat,CN=MicrosoftDNS,DC=DomainDnsZones,DC=schein,DC=cat to DC=meinhost,DC=schein.cat,CN=MicrosoftDNS,DC=DomainDnsZones,DC=schein,DC=cat
[3] none
What do you want to do ['1', '2', '3']? 2
Renamed object DC=meinhost\0ACNF:5b1dc832-0222-4ce7-b587-390c7c67d5e9,DC=schein.cat,CN=MicrosoftDNS,DC=DomainDnsZones,DC=schein,DC=cat into DC=meinhost,DC=schein.cat,CN=MicrosoftDNS,DC=DomainDnsZones,DC=schein,DC=cat
root@dc01:~/univention-support# ldbdel -H /var/lib/samba/private/sam.ldb 'DC=meinhost\0ACNF:5b1dc832-0222-4ce7-b587-390c7c67d5e9\0ADEL:ce9a360a-f052-4673-8ce3-a419c6fcbf49,CN=Deleted Objects,DC=DomainDnsZones,DC=schein,DC=cat'
delete of 'DC=meinhost\0ACNF:5b1dc832-0222-4ce7-b587-390c7c67d5e9\0ADEL:ce9a360a-f052-4673-8ce3-a419c6fcbf49,CN=Deleted Objects,DC=DomainDnsZones,DC=schein,DC=cat' failed - (Unwilling to perform) Refusing to delete tombstone object DC=meinhost\0ACNF:5b1dc832-0222-4ce7-b587-390c7c67d5e9\0ADEL:ce9a360a-f052-4673-8ce3-a419c6fcbf49,CN=Deleted Objects,DC=DomainDnsZones,DC=schein,DC=cat. This check is to prevent corruption of the replicated state.
root@dc01:~/univention-support# ldbdel -H /var/lib/samba/private/sam.ldb 'DC=meinhost\0ACNF:5b1dc832-0222-4ce7-b587-390c7c67d5e9\0ADEL:ce9a360a-f052-4673-8ce3-a419c6fcbf49,CN=Deleted Objects,DC=DomainDnsZones,DC=schein,DC=cat' --relax
Deleted 1 record
Note on --relax: the refusal above is ldb's safeguard against removing a tombstone, because tombstones are part of the replicated state. --relax bypasses that safeguard and removes the object from this DC's local sam.ldb only; the other DCs are not told about it and keep their copy until their tombstone lifetime expires. Use it only once the live objects are consistent on all DCs, and run dbcheck again afterwards.
How this could have come about:
To me, it looks like a DC change occurred when the record was created.
It looks a bit as if the clients are switching their DNS server, for example, during a DDNS update. Do all the clients have a fixed IP address, or are they assigned an address via static DHCP? If they’re using dynamic DHCP, there could be issues. The clients might also be seeing multiple IP addresses in the respective zone as name servers and performing a round-robin.