Andrey Cherepanov
2015-Jun-19 13:21 UTC
[Samba] Database errors after join to DC as part of AD Forest
Stand contains two DC with Windows 2003 Std SP2 En:
- root domain company.local
- child domain filial1.company.local

I have Linux (ALT Linux) with Samba AD DC 4.2.2. After join to filial1.company.local by command

  samba-tool domain join filial1.company.local DC \
    -Uadministrator%P at ssw0rd --realm=filial1.company.local \
    --parent-domain=filial1.company.local -d 10

(verbose log is stored) I get 4 errors:

  Checking 296 objects
  ERROR: description not present on Deleted Objects container CN=Deleted Objects,DC=DomainDnsZones,DC=filial1,DC=company,DC=local
  Not fixing missing/incorrect attributes on CN=Deleted Objects,DC=DomainDnsZones,DC=filial1,DC=company,DC=local
  ERROR: wrong instanceType 13 on DC=filial1,DC=company,DC=local, should be 5
  Not changing instanceType from 13 to 5 on DC=filial1,DC=company,DC=local
  DC=filial1,DC=company,DC=local == DC=company,DC=local
  ERROR: parent object not found for DC=filial1,DC=company,DC=local
  Not moving object DC=filial1,DC=company,DC=local into LostAndFound
  ERROR: incorrect GUID component for member in object CN=Administrators,CN=Builtin,DC=filial1,DC=company,DC=local - <GUID=ee583875-40b5-49dc-ab6a-e5528efd47c8>;<SID=S-1-5-21-1917456030-2356434423-194994843-519>;CN=Enterprise Admins,CN=Users,DC=company,DC=local
  unable to find object for DN CN=Enterprise Admins,CN=Users,DC=company,DC=local - (No such Base DN: CN=Enterprise Admins,CN=Users,DC=company,DC=local)
  Not removing dangling forward link
  Please use --fix to fix these errors
  Checked 296 objects (4 errors)

First two errors are fixed if --fix is used. But last two errors are fatal.

1. 'parent object not found' because sam.ldb contains rootDomainNamingContext 'DC=company,DC=local', but this dn is not available during join.
2. 'incorrect GUID component for member': external object 'CN=Enterprise Admins,CN=Users,DC=company,DC=local'.

Reason is same: database is not replicated.
I see

  # ls -1 /var/lib/samba/private/sam.ldb.d/
  CN=CONFIGURATION,DC=COMPANY,DC=LOCAL.ldb
  CN=SCHEMA,CN=CONFIGURATION,DC=COMPANY,DC=LOCAL.ldb
  DC=DOMAINDNSZONES,DC=FILIAL1,DC=COMPANY,DC=LOCAL.ldb
  DC=FILIAL1,DC=COMPANY,DC=LOCAL.ldb
  DC=FORESTDNSZONES,DC=COMPANY,DC=LOCAL.ldb
  metadata.tdb

Look at record with second fatal error:

  dn: CN=Administrators,CN=Builtin,DC=filial1,DC=company,DC=local
  ...
  member: CN=Enterprise Admins,CN=Users,DC=company,DC=local

I think retrieving suffix from "external" databases (outside joined domain filial1.company.local) does not work with dn in attribute member. If I try to remove attribute with unresolved dn:

  # ldbmodify -H sam.ldb
  dn: CN=Administrators,CN=Builtin,DC=filial1,DC=company,DC=local
  changetype: modify
  delete: member
  member: CN=Enterprise Admins,CN=Users,DC=company,DC=local

  ERR: (Unwilling to perform) "Unable to find GUID for DN CN=Enterprise Admins,CN=Users,DC=company,DC=local " on DN CN=Administrators,CN=Builtin,DC=filial1,DC=company,DC=local at block before line 5
  Modify failed after processing 0 records

This is new error: why is GUID for _removed_ attribute checked? BTW ldbedit allows to remove this attribute.

Anyone knows how to fix these errors? I try to prepare patch for second fatal error at least, but I'm newbie for Samba code.

-- 
Andrey Cherepanov
ALT Linux
cas at altlinux.ru
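As an added illustration (constructed here, not Samba code and not part of this thread): a small Python script that reproduces the two fatal dbcheck conditions from the output above against the sam.ldb.d listing in the post. It parses the extended-DN form of a link value (`<GUID=...>;<SID=...>;DN`), works out which locally held partition a DN belongs to, and flags a member link whose target partition is absent and a naming-context head whose parent partition is absent. All DNs and partition names are the ones quoted in the post; the script uses no Samba libraries and treats DNs as plain comma-separated component lists (escaped commas are not handled).

```python
import re
from typing import List, NamedTuple, Optional, Set

# Constructed sample: partition files present after the join, copied from the
# "ls -1 /var/lib/samba/private/sam.ldb.d/" listing in the post (file names are
# the upper-cased partition DNs plus an .ldb suffix; metadata.tdb is not a partition).
LOCAL_PARTITION_FILES = [
    "CN=CONFIGURATION,DC=COMPANY,DC=LOCAL.ldb",
    "CN=SCHEMA,CN=CONFIGURATION,DC=COMPANY,DC=LOCAL.ldb",
    "DC=DOMAINDNSZONES,DC=FILIAL1,DC=COMPANY,DC=LOCAL.ldb",
    "DC=FILIAL1,DC=COMPANY,DC=LOCAL.ldb",
    "DC=FORESTDNSZONES,DC=COMPANY,DC=LOCAL.ldb",
    "metadata.tdb",
]

# Extended DN as printed by dbcheck: <GUID=...>;<SID=...>;plain DN (SID part optional).
EXT_DN_RE = re.compile(r"<GUID=([0-9a-fA-F-]+)>;(?:<SID=([^>]+)>;)?(.*)")

class LinkTarget(NamedTuple):
    guid: Optional[str]
    sid: Optional[str]
    dn: str

def parse_extended_dn(value: str) -> LinkTarget:
    """Split a link value into its GUID, SID and plain-DN components."""
    m = EXT_DN_RE.match(value)
    if not m:
        return LinkTarget(None, None, value)   # plain DN as stored in ldb
    return LinkTarget(m.group(1), m.group(2), m.group(3))

def normalize_dn(dn: str) -> str:
    # Case- and whitespace-insensitive comparison key for DN components.
    return ",".join(part.strip().upper() for part in dn.split(","))

def partitions_from_files(files: List[str]) -> Set[str]:
    return {normalize_dn(f[:-4]) for f in files if f.endswith(".ldb")}

def owning_partition(dn: str, partitions: Set[str]) -> Optional[str]:
    """Longest locally held naming context that is a suffix of dn, or None."""
    comps = normalize_dn(dn).split(",")
    for i in range(len(comps)):          # i=0 is the whole DN, so first hit is longest
        suffix = ",".join(comps[i:])
        if suffix in partitions:
            return suffix
    return None

def dangling_links(members: List[str], partitions: Set[str]) -> List[LinkTarget]:
    """Member values whose target lies in a partition this DC does not hold."""
    targets = [parse_extended_dn(v) for v in members]
    return [t for t in targets if owning_partition(t.dn, partitions) is None]

def parent_partition_missing(dn: str, partitions: Set[str]) -> bool:
    """True when the parent of dn (one RDN stripped) is in no local partition."""
    parent = ",".join(normalize_dn(dn).split(",")[1:])
    return owning_partition(parent, partitions) is None
```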
Marc Muehlfeld
2015-Jun-19 18:55 UTC
[Samba] Database errors after join to DC as part of AD Forest
Hello Andrey,

On 19.06.2015 at 15:21, Andrey Cherepanov wrote:
> Stand contains two DC with Windows 2003 Std SP2 En:
> - root domain company.local
> - child domain filial1.company.local
>
> I have Linux (ALT Linux) with Samba AD DC 4.2.2. After join to
> filial1.company.local by command
>
>   samba-tool domain join filial1.company.local DC \
>     -Uadministrator%P at ssw0rd --realm=filial1.company.local \
>     --parent-domain=filial1.company.local -d 10
>
> (verbose log is stored)

Your problem is surely caused by the (currently) missing subdomain support of Samba DCs.

Regards,
Marc
Andrey Cherepanov
2015-Jun-21 20:41 UTC
[Samba] Database errors after join to DC as part of AD Forest
19.06.2015 21:55, Marc Muehlfeld wrote:
> Hello Andrey,
>
> On 19.06.2015 at 15:21, Andrey Cherepanov wrote:
>> Stand contains two DC with Windows 2003 Std SP2 En:
>> - root domain company.local
>> - child domain filial1.company.local
>>
>> I have Linux (ALT Linux) with Samba AD DC 4.2.2. After join to
>> filial1.company.local by command
>>
>>   samba-tool domain join filial1.company.local DC \
>>     -Uadministrator%P at ssw0rd --realm=filial1.company.local \
>>     --parent-domain=filial1.company.local -d 10
>>
>> (verbose log is stored)
>
> Your problem is surely caused by the (currently) missing subdomain
> support of Samba DCs.

Thanks, Marc. Is there a workaround to retrieve two records (base dn from top-level domain and group record from top-level domain) to make ldb consistent? I think this workaround will allow to make subdomain ready for replication and authentication. I'll test this assumption tomorrow.

-- 
Andrey Cherepanov
ALT Linux
cas at altlinux.ru