Jonathan Hunter
2016-Apr-11 20:23 UTC
[Samba] Previously extended schema not working in 4.4.0
Hi,

About a year ago (I think I was using v4.2.x at the time), I extended the schema of my Samba AD. This worked just fine and since then I have been able to create and edit objects from my custom schema via ADSIEdit. This worked fine under 4.3.x as well - the last such object I successfully created was just over two months ago, at which point I was running some variant of 4.3.x (probably 4.3.5).

However, last week I upgraded all my DCs to 4.4.0 (to take advantage of the LDAP_MATCHING_RULE_IN_CHAIN fix / bug 10493) and now I have found that I can no longer create my custom objects in AD. ADSIEdit reports that "A constraint violation occurred"; I get the same error from Apache Directory Studio, too - details are as follows:

    Error while creating entry
    - [LDAP: error code 19 - 0000202F: replmd_add: error during direct ADD: No rDN found in replPropertyMetaData for mytype=abc123,OU=myou,DC=mydomain,DC=org,DC=uk

I have checked using the 'Active Directory Schema' MMC snap-in, and my custom schema classes and attributes do still seem to be showing as present and correct, just as I originally added them many months ago - I can't spot any problems there.

It behaves exactly the same when I try to create objects on all four of my DCs. I can create other (non-custom) objects with no problems at all, and replication seems to work just fine for everything else - if I create a regular user, or modify its description, that change propagates perfectly well across all DCs.

I suspect that some Samba database (replPropertyMetaData?) has got corrupt or out of sync somehow - but I don't know how to investigate further. Is this database in any kind of ldb file that I could dump / look at / edit?

There's a chance that it broke in 4.3.6 (which was the version I used prior to 4.4.0) - I upgraded to 4.3.6 about a week after creating the most recent object I can find in my AD - but I am now on 4.4.0 and it's definitely broken at the moment. If it's important, I could try to spin up an isolated VM and restore 4.3.6 from backups.

Any pointers appreciated - I'm really not sure where to look next.

Thanks :-)

Jonathan

-- 
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
Marc Muehlfeld
2016-Apr-11 20:58 UTC
[Samba] Previously extended schema not working in 4.4.0
Hello Jonathan,

On 11.04.2016 at 22:23, Jonathan Hunter wrote:
> Error while creating entry
> - [LDAP: error code 19 - 0000202F: replmd_add: error during direct ADD: No rDN found in replPropertyMetaData for mytype=abc123,OU=myou,DC=mydomain,DC=org,DC=uk

Can you post the ldif with the schema extension? Then I will import it in my test environment and try it.

Regards,
Marc
Rowland penny
2016-Apr-11 21:18 UTC
[Samba] Previously extended schema not working in 4.4.0
On 11/04/16 21:23, Jonathan Hunter wrote:
> I suspect that some Samba database (replPropertyMetaData?) has got corrupt or out of sync somehow - but I don't know how to investigate further. Is this database in any kind of ldb file that I could dump / look at / edit?

Yes, AD is stored in sam.ldb, you can see this with:

    ldbedit -e nano -H /usr/local/samba/private/sam.ldb

Replacing 'nano' with your favourite editor, and '/usr/local/samba/private' with the path to your 'sam.ldb' if yours is in a different place.

This will show most of your AD; if you want to see the DNS records, add '--cross-ncs', and if you want fully readable dns records, also add '--show-binary'.

There are other .ldb files, but I wouldn't try to edit those.

Rowland
Jonathan Hunter
2016-Apr-11 22:02 UTC
[Samba] Previously extended schema not working in 4.4.0
Thanks Rowland.

In here, I can see the objects I have created using my schema extensions, but I cannot see the schema classes or attributes themselves; I don't know if that is the problem. I'm not sure whether running ldbedit on sam.ldb simply does not include the contents of CN=Schema,CN=Configuration,DC=mydomain,DC=..., or whether it does include this part of the AD tree and these items are somehow missing in my case. The 'Active Directory Schema' MMC plug-in does show the classes and attributes, so that must be reading them from somewhere.

On 11 April 2016 at 22:18, Rowland penny <rpenny at samba.org> wrote:
> Yes, AD is stored in sam.ldb, you can see this with:
>
> ldbedit -e nano -H /usr/local/samba/private/sam.ldb

Jonathan
Andrew Bartlett
2016-Apr-14 10:28 UTC
[Samba] Previously extended schema not working in 4.4.0
On Mon, 2016-04-11 at 21:23 +0100, Jonathan Hunter wrote:
> I suspect that some Samba database (replPropertyMetaData?) has got corrupt or out of sync somehow - but I don't know how to investigate further.
>
> Any pointers appreciated - I'm really not sure where to look next.

Have you run dbcheck?

    samba-tool dbcheck --cross-ncs

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Jonathan Hunter
2016-Apr-14 12:37 UTC
[Samba] Previously extended schema not working in 4.4.0
Thank you, Andrew - I hadn't done so. (In a good way, I haven't yet had problems with samba that have caused me to delve quite so deeply into the DB :) so I'm not as familiar with the range of tools as I could be, sorry!)

This has flagged up quite a few errors, all along the lines of:

    # samba-tool dbcheck --cross-ncs
    Checking 4079 objects
    MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00290001
    MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x0029000a
    MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00290004
    MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x0009030e
    MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00090001
    MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00020119
    MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00020002
    MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00020001
    MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00000000
    ERROR: incorrect attributeID values in replPropertyMetaData on MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk
    Not fixing incorrect value 0x00290004 with 0xbd27f4d3 for myAttr in replPropertyMetaData on MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk

    [this is repeated many times, for multiple objects]
    [ sometimes ERROR: duplicate attributeID values ]

    Please use --fix to fix these errors
    Checked 4083 objects (110 errors)

Before I run again with --fix...

- I will take a dump (using ldapsearch) of this OU before I do anything
- I don't know what the different codes, e.g. 0x00290001, represent - or even why there are multiple of these per object. The actual numbers vary from one to the next; there is some overlap but also different values given
- I'm not sure what --fix will do if it finds an "incorrect" value; where will it get the right value from?

I guess, as long as I have a dump of the OU, at worst I could drop the entire contents and re-create it, should --fix not do what I expect..

I don't know why this happened; perhaps it was something to do with my upgrade method from 4.3.x to 4.4.0 (compile 4.4.0; make install; restart samba). I've used that same recipe many times to go from 4.1.x - 4.2.x - 4.3.x and that has always worked fine, but maybe I have been lucky (or unlucky?) in some way..

Many thanks!

Jonathan

On 14 April 2016 at 11:28, Andrew Bartlett <abartlet at samba.org> wrote:
> Have you run dbcheck?
>
> samba-tool dbcheck --cross-ncs
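The dbcheck output in the message above, worked through as an added example that is not part of the thread and not Samba's own tooling: a small Python triage script that parses `samba-tool dbcheck --cross-ncs` output into a per-object report before anything is run with `--fix`. The sample output is constructed here, modelled on the lines Jonathan posted, with made-up DNs, a second object and small counts. It records which objects dbcheck complained about and which replacement value it proposed, re-derives the "duplicate attributeID" complaint independently from the listed values, splits each attributeID into its ATTRTYP halves (prefix-table index in the high 16 bits, last OID arc in the low 16) so you can see which prefix index the flagged values share (0x29 in the thread), and lists the parent containers to dump with ldapsearch first. The function names and the sample data are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `samba-tool dbcheck --cross-ncs` output, modelled on
# the lines quoted in the thread. DNs, the second object and the counts are
# made up for this example.
SAMPLE_OUTPUT = """\
Checking 4079 objects
MYOBJ=value1,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00290001
MYOBJ=value1,OU=myou,DC=mydomain,DC=org,DC=uk: 0x0029000a
MYOBJ=value1,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00290004
MYOBJ=value1,OU=myou,DC=mydomain,DC=org,DC=uk: 0x0009030e
MYOBJ=value1,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00090001
MYOBJ=value1,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00020119
MYOBJ=value1,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00020002
MYOBJ=value1,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00020001
MYOBJ=value1,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00000000
ERROR: incorrect attributeID values in replPropertyMetaData on MYOBJ=value1,OU=myou,DC=mydomain,DC=org,DC=uk
Not fixing incorrect value 0x00290004 with 0xbd27f4d3 for myAttr in replPropertyMetaData on MYOBJ=value1,OU=myou,DC=mydomain,DC=org,DC=uk
MYOBJ=value2,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00290001
MYOBJ=value2,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00290001
MYOBJ=value2,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00000000
ERROR: duplicate attributeID values in replPropertyMetaData on MYOBJ=value2,OU=myou,DC=mydomain,DC=org,DC=uk
Please use --fix to fix these errors
Checked 4083 objects (2 errors)
"""

# Line shapes as they appear in the thread (regexes are this example's own).
ATTR_LINE = re.compile(r"^(?P<dn>[^:]+): (?P<attr>0x[0-9a-fA-F]{8})$")
ERROR_LINE = re.compile(r"^ERROR: (?P<kind>.+?) in replPropertyMetaData on (?P<dn>.+)$")
NOTFIX_LINE = re.compile(
    r"^Not fixing incorrect value (?P<old>0x[0-9a-fA-F]+) with (?P<new>0x[0-9a-fA-F]+)"
    r" for (?P<name>\S+) in replPropertyMetaData on (?P<dn>.+)$")
SUMMARY_LINE = re.compile(r"^Checked (?P<objects>\d+) objects \((?P<errors>\d+) errors?\)$")


def split_attrtyp(value):
    """Split a hex ATTRTYP into (prefix-table index, last OID arc).

    The high 16 bits index the naming context's prefixMap, the low 16 bits
    are the final arc of the attribute's OID (MS-DRSR ATTRTYP encoding).
    """
    v = int(value, 16)
    return v >> 16, v & 0xFFFF


def triage(output):
    """Parse dbcheck output into a per-DN report; reads text only, never the DB."""
    per_dn = defaultdict(lambda: {"attribute_ids": [], "errors": [], "proposed_fixes": []})
    error_lines = 0
    objects_checked = errors_reported = None
    for raw in output.splitlines():
        line = raw.strip()
        if m := SUMMARY_LINE.match(line):
            objects_checked = int(m["objects"])
            errors_reported = int(m["errors"])
        elif m := ERROR_LINE.match(line):
            per_dn[m["dn"]]["errors"].append(m["kind"])
            error_lines += 1
        elif m := NOTFIX_LINE.match(line):
            per_dn[m["dn"]]["proposed_fixes"].append((m["name"], m["old"], m["new"]))
        elif m := ATTR_LINE.match(line):
            per_dn[m["dn"]]["attribute_ids"].append(m["attr"])
    # Re-derive the "duplicate attributeID" finding from the listed values
    # instead of trusting the ERROR line alone.
    duplicates = {}
    for dn, entry in per_dn.items():
        dups = sorted(a for a, n in Counter(entry["attribute_ids"]).items() if n > 1)
        if dups:
            duplicates[dn] = dups
    return {
        "objects_checked": objects_checked,
        "errors_reported": errors_reported,
        "summary_consistent": errors_reported == error_lines,
        "per_dn": dict(per_dn),
        "duplicates": duplicates,
    }


def prefix_usage(report):
    """Count how often each prefix-table index occurs among listed attributeIDs."""
    usage = Counter()
    for entry in report["per_dn"].values():
        usage.update(split_attrtyp(a)[0] for a in entry["attribute_ids"])
    return usage


def backup_targets(report):
    """Parent containers to dump (e.g. with ldapsearch) before running --fix."""
    parents = {dn.split(",", 1)[1] for dn, e in report["per_dn"].items() if e["errors"]}
    return sorted(parents)


if __name__ == "__main__":
    rep = triage(SAMPLE_OUTPUT)
    for dn, entry in rep["per_dn"].items():
        if entry["errors"]:
            print(dn, entry["errors"], entry["proposed_fixes"])
    print("duplicates:", rep["duplicates"])
    print("prefix index usage:", dict(prefix_usage(rep)))
    print("dump before --fix:", backup_targets(rep))
```

Run it against a saved copy of the real dbcheck output (`samba-tool dbcheck --cross-ncs > dbcheck.txt`) by passing the file contents to `triage()`; the point is to know exactly which objects and which attributeIDs `--fix` would touch, and to have the containing OU exported, before letting it write anything.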