Niels Dettenbach
2016-May-26 09:44 UTC
[Samba] No such Base DN: CN=Produktion A-Studio (alt?), CN=Users, DC=srg2, DC=local / RSAT
Hi colleagues, it seems i've hit a bug in SAMBA as follows: The local windows network admin of our local radio station filled / transferred some user account data into our new FreeNAS by the Win RSAT. We are setting up SAMBA as a PDC incl. directory service and use the current stable FreeNAS with its current SAMBA "4.3.6-GIT-UNKNOWN" One account name "produktion-a" resulted in some "weird" chars within the CN string: CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local which seems to make further problems - i.e. the records inaccessible by samba-tool and ldbedit: ~# samba-tool dbcheck --fix Checking 448 objects ERROR: incorrect GUID component for member in object CN=redaktion,CN=Users,DC=srg2,DC=local - <GUID=35115b3b-264b-431f-a8a0-e2812d434fde>;<SID=S-1-5-21-3768878909-3194017282-2874830551-1170>;CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local unable to find object for DN CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local - (No such Base DN: CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local) Not removing dangling forward link ERROR: incorrect GUID component for member in object CN=freie,CN=Users,DC=srg2,DC=local - <GUID=35115b3b-264b-431f-a8a0-e2812d434fde>;<SID=S-1-5-21-3768878909-3194017282-2874830551-1170>;CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local unable to find object for DN CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local - (No such Base DN: CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local) Not removing dangling forward link ERROR: incorrect GUID component for member in object CN=radioclient,CN=Users,DC=srg2,DC=local - <GUID=35115b3b-264b-431f-a8a0-e2812d434fde>;<SID=S-1-5-21-3768878909-3194017282-2874830551-1170>;CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local unable to find object for DN CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local - (No such Base DN: CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local) Not removing dangling forward link Checked 448 objects (3 errors) Automatic fixing seems not possible so far.... I tried to recreate and delete the user "produktion-a" by samba-tool and clean / get it work with ldbedit (incl. "--relax" option) - i.e.: - changing all occurences of "Produktion A-Studio (alt?)" into "Produktion A-Studio alt" - deleting all existing occurences of this user (user record, membership records) and get errors like: ~#ldbedit --relax -e nano -H /var/db/system/samba4/private/sam.ldb failed to delete CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local - No such Base DN: CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local ~# ldbedit -e nano -H /var/db/system/samba4/private/sam.ldb --cross-ncs "CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local" no matching records - cannot edit For me it seems as the "?" or "()" in the identifier strings are breaking some kind of policies (if so they did not had to be accepted) and/or make it impossible to find / select the record and/or breaks references within the DB. How can i reach that orphan records to get them out / cleaned? Many thanks for any help / hint. Niels. i.A. StadtRadio Göttingen 107,1 MHz http://www.stadtradio-goettingen.de -- --- Niels Dettenbach Syndicat IT & Internet http://www.syndicat.com PGP: https://syndicat.com/pub_key.asc --- -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 819 bytes Desc: This is a digitally signed message part. URL: <http://lists.samba.org/pipermail/samba/attachments/20160526/01dc5139/signature.sig>
mathias dufresne
2016-May-26 11:51 UTC
[Samba] No such Base DN: CN=Produktion A-Studio (alt?), CN=Users, DC=srg2, DC=local / RSAT
Parenthesis are not yet a good idea with Samba. A colleague created users with parenthesis in CN field and we just can't use ldbsearch to look for them, as long as we set parenthesis in LDAP filter. We must use wildcard to avoid the bug (bug because we can use escaped parenthesis in filters with ldapsearch, I can be totally wrong but I do believe if ldapsearch permit parenthesis the protocol permit it. I insist: no idea who's right between Samba and ldapsearch). So I would try to remove parenthesis from CN=Produktion A-Studio (alt?). In fact I would also remove "?" as it is used as wildcard in lot of stuffs and could easily by source of issue(s). How to proceed as you can't delete it? First for convenience and if you like nano (nobody's perfect ;p ) you can "export EDITOR=/path/to/your/nano" to avoid "-e nano" on command line. Add that export to your .bashrc and others apps needed an editor would have a change to use nano too. Back to ldbedit: ldbedit -H $sam 'CN=Guest,CN=Users,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr' no matching records - cannot edit Damned! Why? ldbedit is not working with DN as do ldbdel but use searches as do most of tools. The right way to use is: ldbedit -H $sam 'CN=Guest' -b 'CN=Users,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr' # 0 adds 0 modifies 0 deletes What's the difference? I've added "-b" switch to tell ldbedit where to start its search: 'CN=Users,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr' And I specified some filter to retrieve a bunch of objects into the branch I specified: 'CN=Guest' Your command would be: ldbedit -e nano -H /var/db/system/samba4/private/sam.ldb -b "CN=Users,DC=srg2,DC=local" "CN=Produktion A-Studio (alt?)" Hoping this could help you to get a solution, mathias 2016-05-26 11:44 GMT+02:00 Niels Dettenbach <nd at syndicat.com>:> Hi colleagues, > > > it seems i've hit a bug in SAMBA as follows: > > The local windows network admin of our local radio station filled / > transferred some user account data into our new FreeNAS by the Win RSAT. > We are setting up SAMBA as a PDC incl. directory service and use the > current stable FreeNAS with its current SAMBA "4.3.6-GIT-UNKNOWN" > > One account name > > "produktion-a" > > resulted in some "weird" chars within the CN string: > > CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local > > which seems to make further problems - i.e. the records inaccessible by > samba-tool and ldbedit: > > > ~# samba-tool dbcheck --fix > Checking 448 objects > ERROR: incorrect GUID component for member in object > CN=redaktion,CN=Users,DC=srg2,DC=local - > <GUID=35115b3b-264b-431f-a8a0-e2812d434fde>;<SID=S-1-5-21-3768878909-3194017282-2874830551-1170>;CN=Produktion > A-Studio (alt?),CN=Users,DC=srg2,DC=local > unable to find object for DN CN=Produktion A-Studio > (alt?),CN=Users,DC=srg2,DC=local - (No such Base DN: CN=Produktion A-Studio > (alt?),CN=Users,DC=srg2,DC=local) > Not removing dangling forward link > ERROR: incorrect GUID component for member in object > CN=freie,CN=Users,DC=srg2,DC=local - > <GUID=35115b3b-264b-431f-a8a0-e2812d434fde>;<SID=S-1-5-21-3768878909-3194017282-2874830551-1170>;CN=Produktion > A-Studio (alt?),CN=Users,DC=srg2,DC=local > unable to find object for DN CN=Produktion A-Studio > (alt?),CN=Users,DC=srg2,DC=local - (No such Base DN: CN=Produktion A-Studio > (alt?),CN=Users,DC=srg2,DC=local) > Not removing dangling forward link > ERROR: incorrect GUID component for member in object > CN=radioclient,CN=Users,DC=srg2,DC=local - > <GUID=35115b3b-264b-431f-a8a0-e2812d434fde>;<SID=S-1-5-21-3768878909-3194017282-2874830551-1170>;CN=Produktion > A-Studio (alt?),CN=Users,DC=srg2,DC=local > unable to find object for DN CN=Produktion A-Studio > (alt?),CN=Users,DC=srg2,DC=local - (No such Base DN: CN=Produktion A-Studio > (alt?),CN=Users,DC=srg2,DC=local) > Not removing dangling forward link > Checked 448 objects (3 errors) > > Automatic fixing seems not possible so far.... > > I tried to recreate and delete the user "produktion-a" by samba-tool and > clean / get it work with ldbedit (incl. "--relax" option) - i.e.: > > - changing all occurences of "Produktion A-Studio (alt?)" into > "Produktion A-Studio alt" > - deleting all existing occurences of this user (user record, > membership records) > > and get errors like: > > ~#ldbedit --relax -e nano -H /var/db/system/samba4/private/sam.ldb > failed to delete CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local - > No such Base DN: CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local > > ~# ldbedit -e nano -H /var/db/system/samba4/private/sam.ldb --cross-ncs > "CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local" > no matching records - cannot edit > > For me it seems as the "?" or "()" in the identifier strings are breaking > some kind of policies (if so they did not had to be accepted) and/or make > it impossible to find / select the record and/or breaks references within > the DB. > > How can i reach that orphan records to get them out / cleaned? > > Many thanks for any help / hint. > > > > Niels. > > i.A. > StadtRadio Göttingen 107,1 MHz > http://www.stadtradio-goettingen.de > > -- > --- > Niels Dettenbach > Syndicat IT & Internet > http://www.syndicat.com > PGP: https://syndicat.com/pub_key.asc > --- > > > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
mathias dufresne
2016-May-26 15:35 UTC
[Samba] No such Base DN: CN=Produktion A-Studio (alt?), CN=Users, DC=srg2, DC=local / RSAT
2016-05-26 13:51 GMT+02:00 mathias dufresne <infractory at gmail.com>:> Parenthesis are not yet a good idea with Samba. A colleague created users > with parenthesis in CN field and we just can't use ldbsearch to look for > them, as long as we set parenthesis in LDAP filter. We must use wildcard to > avoid the bug (bug because we can use escaped parenthesis in filters with > ldapsearch, I can be totally wrong but I do believe if ldapsearch permit > parenthesis the protocol permit it. I insist: no idea who's right between > Samba and ldapsearch). >Stupid me! https://msdn.microsoft.com/en-us/library/aa746475%28v=vs.85%29.aspx So we can simply replace parenthesis and others special characters with necessary codes. Some MS behaviour well reproduced, not a bug, mea culpa : )> > So I would try to remove parenthesis from CN=Produktion A-Studio (alt?). > In fact I would also remove "?" as it is used as wildcard in lot of stuffs > and could easily by source of issue(s). > > How to proceed as you can't delete it? > First for convenience and if you like nano (nobody's perfect ;p ) you can > "export EDITOR=/path/to/your/nano" to avoid "-e nano" on command line. Add > that export to your .bashrc and others apps needed an editor would have a > change to use nano too. > > Back to ldbedit: > ldbedit -H $sam > 'CN=Guest,CN=Users,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr' > no matching records - cannot edit > > Damned! Why? ldbedit is not working with DN as do ldbdel but use searches > as do most of tools. The right way to use is: > ldbedit -H $sam 'CN=Guest' -b > 'CN=Users,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr' > # 0 adds 0 modifies 0 deletes > > What's the difference? > I've added "-b" switch to tell ldbedit where to start its search: > 'CN=Users,DC=ad,DC=dgfip,DC=finances,DC=gouv,DC=fr' > And I specified some filter to retrieve a bunch of objects into the branch > I specified: > 'CN=Guest' > > Your command would be: > ldbedit -e nano -H /var/db/system/samba4/private/sam.ldb -b > "CN=Users,DC=srg2,DC=local" "CN=Produktion A-Studio (alt?)" > > Hoping this could help you to get a solution, > > mathias > > 2016-05-26 11:44 GMT+02:00 Niels Dettenbach <nd at syndicat.com>: > >> Hi colleagues, >> >> >> it seems i've hit a bug in SAMBA as follows: >> >> The local windows network admin of our local radio station filled / >> transferred some user account data into our new FreeNAS by the Win RSAT. >> We are setting up SAMBA as a PDC incl. directory service and use the >> current stable FreeNAS with its current SAMBA "4.3.6-GIT-UNKNOWN" >> >> One account name >> >> "produktion-a" >> >> resulted in some "weird" chars within the CN string: >> >> CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local >> >> which seems to make further problems - i.e. the records inaccessible by >> samba-tool and ldbedit: >> >> >> ~# samba-tool dbcheck --fix >> Checking 448 objects >> ERROR: incorrect GUID component for member in object >> CN=redaktion,CN=Users,DC=srg2,DC=local - >> <GUID=35115b3b-264b-431f-a8a0-e2812d434fde>;<SID=S-1-5-21-3768878909-3194017282-2874830551-1170>;CN=Produktion >> A-Studio (alt?),CN=Users,DC=srg2,DC=local >> unable to find object for DN CN=Produktion A-Studio >> (alt?),CN=Users,DC=srg2,DC=local - (No such Base DN: CN=Produktion A-Studio >> (alt?),CN=Users,DC=srg2,DC=local) >> Not removing dangling forward link >> ERROR: incorrect GUID component for member in object >> CN=freie,CN=Users,DC=srg2,DC=local - >> <GUID=35115b3b-264b-431f-a8a0-e2812d434fde>;<SID=S-1-5-21-3768878909-3194017282-2874830551-1170>;CN=Produktion >> A-Studio (alt?),CN=Users,DC=srg2,DC=local >> unable to find object for DN CN=Produktion A-Studio >> (alt?),CN=Users,DC=srg2,DC=local - (No such Base DN: CN=Produktion A-Studio >> (alt?),CN=Users,DC=srg2,DC=local) >> Not removing dangling forward link >> ERROR: incorrect GUID component for member in object >> CN=radioclient,CN=Users,DC=srg2,DC=local - >> <GUID=35115b3b-264b-431f-a8a0-e2812d434fde>;<SID=S-1-5-21-3768878909-3194017282-2874830551-1170>;CN=Produktion >> A-Studio (alt?),CN=Users,DC=srg2,DC=local >> unable to find object for DN CN=Produktion A-Studio >> (alt?),CN=Users,DC=srg2,DC=local - (No such Base DN: CN=Produktion A-Studio >> (alt?),CN=Users,DC=srg2,DC=local) >> Not removing dangling forward link >> Checked 448 objects (3 errors) >> >> Automatic fixing seems not possible so far.... >> >> I tried to recreate and delete the user "produktion-a" by samba-tool and >> clean / get it work with ldbedit (incl. "--relax" option) - i.e.: >> >> - changing all occurences of "Produktion A-Studio (alt?)" into >> "Produktion A-Studio alt" >> - deleting all existing occurences of this user (user record, >> membership records) >> >> and get errors like: >> >> ~#ldbedit --relax -e nano -H /var/db/system/samba4/private/sam.ldb >> failed to delete CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local >> - No such Base DN: CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local >> >> ~# ldbedit -e nano -H /var/db/system/samba4/private/sam.ldb --cross-ncs >> "CN=Produktion A-Studio (alt?),CN=Users,DC=srg2,DC=local" >> no matching records - cannot edit >> >> For me it seems as the "?" or "()" in the identifier strings are breaking >> some kind of policies (if so they did not had to be accepted) and/or make >> it impossible to find / select the record and/or breaks references within >> the DB. >> >> How can i reach that orphan records to get them out / cleaned? >> >> Many thanks for any help / hint. >> >> >> >> Niels. >> >> i.A. >> StadtRadio Göttingen 107,1 MHz >> http://www.stadtradio-goettingen.de >> >> -- >> --- >> Niels Dettenbach >> Syndicat IT & Internet >> http://www.syndicat.com >> PGP: https://syndicat.com/pub_key.asc >> --- >> >> >> >> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> > >
Apparently Analagous Threads
- No such Base DN: CN=Produktion A-Studio (alt?), CN=Users, DC=srg2, DC=local / RSAT
- No such Base DN: CN=Produktion A-Studio (alt?), CN=Users, DC=srg2, DC=local / RSAT
- No such Base DN: CN=Produktion A-Studio (alt?), CN=Users, DC=srg2, DC=local / RSAT
- "dos filetime resolution" "dos filetimes" respected in samba4
- can not resolve chown issue