ash-samba at comtek.co.uk
2016-May-13 17:42 UTC
[Samba] Fwd: Re: Invalid data for index DN=@INDEX:OBJECTCLASS:DNSNODE
> OK, could this just be a permissions problem i.e. user 'ash' doesn't
> have the required rights to add a dns record, try again, but this time
> use the 'Administrator' user.

I've repeated the "samba-tool dns add", and the "samba-tool domain join" commands with "-UAdministrator". I get the same errors with either user.

(the error for domain join is now the following)

> samba-tool domain join chester-dc.comtek.co.uk DC -Uash --realm=CHESTER-DC.COMTEK.CO.UK
> Finding a writeable DC for domain 'chester-dc.comtek.co.uk'
> Found DC empire.chester-dc.comtek.co.uk
> Password for [CHESTER-DC\ash]:
> workgroup is CHESTER-DC
> realm is chester-dc.comtek.co.uk
> checking sAMAccountName
> Adding CN=V-WARD,OU=Domain Controllers,DC=chester-dc,DC=comtek,DC=co,DC=uk
> Join failed - cleaning up
> checking sAMAccountName
> ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: ../ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=V-WARD,OU=Domain Controllers,DC=chester-dc,DC=comtek,DC=co,DC=uk - ../ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=V-WARD,OU=Domain Controllers,DC=chester-dc,DC=comtek,DC=co,DC=uk> <>
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 555, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1172, in join_DC
>     ctx.do_join()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1075, in do_join
>     ctx.join_add_objects()
>   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 515, in join_add_objects
>     ctx.samdb.add(rec)

Could permissions account for the "Invalid data for index DN=@INDEX:OBJECTCLASS:DNSNODE", anyway?

Ash

--
/---------------------------------------------------------------------\
|Ashley Griffiths                    Phone: +44 (0)1244 280 390       |
|IT manager                          Web: http://www.comtek.co.uk/    |
|Comtek Group                                                         |
\---------------------------------------------------------------------/

Rowland Penny
2016-May-13 18:04 UTC
[Samba] Fwd: Re: Invalid data for index DN=@INDEX:OBJECTCLASS:DNSNODE
On 13/05/16 18:42, ash-samba at comtek.co.uk wrote:
>> OK, could this just be a permissions problem i.e. user 'ash' doesn't
>> have the required rights to add a dns record, try again, but this
>> time use the 'Administrator' user.
> I've repeated the "samba-tool dns add", and the "samba-tool domain
> join" commands with "-UAdministrator". I get the same errors with
> either user.
>
> (the error for domain join is now the following)
>
> > samba-tool domain join chester-dc.comtek.co.uk DC -Uash --realm=CHESTER-DC.COMTEK.CO.UK
> > Finding a writeable DC for domain 'chester-dc.comtek.co.uk'
> > Found DC empire.chester-dc.comtek.co.uk
> > Password for [CHESTER-DC\ash]:
> > workgroup is CHESTER-DC
> > realm is chester-dc.comtek.co.uk
> > checking sAMAccountName
> > Adding CN=V-WARD,OU=Domain Controllers,DC=chester-dc,DC=comtek,DC=co,DC=uk
> > Join failed - cleaning up
> > checking sAMAccountName
> > ERROR(ldb): uncaught exception - LDAP error 68 LDAP_ENTRY_ALREADY_EXISTS - <00002071: ../ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=V-WARD,OU=Domain Controllers,DC=chester-dc,DC=comtek,DC=co,DC=uk - ../ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=V-WARD,OU=Domain Controllers,DC=chester-dc,DC=comtek,DC=co,DC=uk> <>
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
> >     return self.run(*args, **kwargs)
> >   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 555, in run
> >     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1172, in join_DC
> >     ctx.do_join()
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 1075, in do_join
> >     ctx.join_add_objects()
> >   File "/usr/lib/python2.7/dist-packages/samba/join.py", line 515, in join_add_objects
> >     ctx.samdb.add(rec)
>
> Could permissions account for the "Invalid data for index
> DN=@INDEX:OBJECTCLASS:DNSNODE", anyway?
>
> Ash
>

Possibly, if your user doesn't have the correct rights, then the command could error, the full command that failed was this:

    dns_conn.DnssrvUpdateRecord2(dnsserver.DNS_CLIENT_VERSION_LONGHORN, 0, server, zone, name, add_rec_buf, None)

This relies on:

    dns_conn = dns_connect(server, self.lp, self.creds)

The relevant part is this: 'self.creds'

This means the entire command would fail if the supplied user didn't have the required rights

The above 'join' error seems to show that 'chester-dc' already exists in AD (if only partially), you could try checking if this is possible. If it does, you will need to find a way of removing it, but we will come to that only if it does.

Rowland

ash-samba at comtek.co.uk
2016-May-16 13:10 UTC
[Samba] Fwd: Re: Invalid data for index DN=@INDEX:OBJECTCLASS:DNSNODE
> Possibly, if your user doesn't have the correct rights, then the
> command could error, the full command that failed was this:
>
>     dns_conn.DnssrvUpdateRecord2(dnsserver.DNS_CLIENT_VERSION_LONGHORN, 0, server, zone, name, add_rec_buf, None)
>
> This relies on:
>
>     dns_conn = dns_connect(server, self.lp, self.creds)
>
> The relevant part is this: 'self.creds'
>
> This means the entire command would fail if the supplied user didn't
> have the required rights
>
> The above 'join' error seems to show that 'chester-dc' already exists
> in AD (if only partially), you could try checking if this is possible.
> If it does, you will need to find a way of removing it, but we will
> come to that only if it does.
>

Sorry for the delay in responding. It seems that upgrading empire caused "drs replicate" to fail on the other two machines, (LDAP_STRONG_AUTH_REQUIRED - <SASL:[GSS-SPNEGO]: Sign or Seal are required), so we've had to find a way to quickly upgrade them.

We have noticed a new symptom since the 4.2 upgrade. We have a periodic script which creates users. It now appears to be doing:

ERROR(ldb): Failed to add user 'john.smith': - ../ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=john.smith,CN=Users,DC=chester-dc,DC=example,DC=com - ../ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=john.smith,CN=Users,DC=chester-dc,DC=example,DC=com