On Thu, 2017-11-02 at 15:56 +0100, Denis Cardon via samba wrote:
> Hi Samba team and Maxence,
>
> > last week we updated three domain controllers (Sernet Samba) from 4.2 to
> > 4.7, typical upgrade path (4.3->4.4->4.5->4.6->4.7), everything was ok.
> >
> > The next day we got a mail from the Sernet team informing they fixed a
> > bug affecting the group memberships.
> >
> > https://bugzilla.samba.org/show_bug.cgi?id=13095
> >
> > We've applied the update and a few days after the update which should fix
> > the bug, we got a database corruption with multiple times the same user
> > in a group and the coherency check between all DC was bad.
> >
> > I tried a dbcheck --cross-ncs --fix --yes, it fixed several errors
> > (>2000) but now I still have 372 persistent errors and the dbcheck
> > script won't fix them.
> >
> > The domain is still working great, creating / removing users, edit
> > membership, the replication, everything works.
> >
> > Here's a part of the errors, all of them are "missing backlink" or
> > "orphaned backlink".
>
> one of my colleagues had the same issue after upgrade to 4.7.0 very
> recently. We didn't have much time to look into it, so we just cleaned
> up the member and memberof attributes (samba-tool group removemembers +
> some ldbmodify), then add back the users to the groups. It needed some
> scripting to automate the stuff but it worked fine and dbcheck is now
> happy.
>
> Actually, as that specific domain has seen most upgrades from early 4.0
> beta to 4.7, I was not sure if I was stumbling on some rotten entries in
> my ldb database, or if it was a more widespread bug :-)

Metze has some patches that should better fix the backlink issue in
dbcheck, and I've proposed some patches to ensure that additional
backlinks don't cause trouble if the object needs to be deleted.

If dbcheck gives any more information when it fails to fix the missing
or orphaned backlink, it would be helpful to see that so we can ensure
we cover all the test cases needed for this.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Here's my full log of the --fix, no more information :(

https://pastebin.com/evkR0JiL

On 11/02/2017 04:14 PM, Andrew Bartlett wrote:
> On Thu, 2017-11-02 at 15:56 +0100, Denis Cardon via samba wrote:
>> Hi Samba team and Maxence,
>>
>>> last week we updated three domain controllers (Sernet Samba) from 4.2 to
>>> 4.7, typical upgrade path (4.3->4.4->4.5->4.6->4.7), everything was ok.
>>>
>>> The next day we got a mail from the Sernet team informing they fixed a
>>> bug affecting the group memberships.
>>>
>>> https://bugzilla.samba.org/show_bug.cgi?id=13095
>>>
>>> We've applied the update and a few days after the update which should fix
>>> the bug, we got a database corruption with multiple times the same user
>>> in a group and the coherency check between all DC was bad.
>>>
>>> I tried a dbcheck --cross-ncs --fix --yes, it fixed several errors
>>> (>2000) but now I still have 372 persistent errors and the dbcheck
>>> script won't fix them.
>>>
>>> The domain is still working great, creating / removing users, edit
>>> membership, the replication, everything works.
>>>
>>> Here's a part of the errors, all of them are "missing backlink" or
>>> "orphaned backlink".
>>
>> one of my colleagues had the same issue after upgrade to 4.7.0 very
>> recently. We didn't have much time to look into it, so we just cleaned
>> up the member and memberof attributes (samba-tool group removemembers +
>> some ldbmodify), then add back the users to the groups. It needed some
>> scripting to automate the stuff but it worked fine and dbcheck is now
>> happy.
>>
>> Actually, as that specific domain has seen most upgrades from early 4.0
>> beta to 4.7, I was not sure if I was stumbling on some rotten entries in
>> my ldb database, or if it was a more widespread bug :-)
>
> Metze has some patches that should better fix the backlink issue in
> dbcheck, and I've proposed some patches to ensure that additional
> backlinks don't cause trouble if the object needs to be deleted.
>
> If dbcheck gives any more information when it fails to fix the missing
> or orphaned backlink, it would be helpful to see that so we can ensure
> we cover all the test cases needed for this.
>
> Thanks,
>
> Andrew Bartlett

On Thu, 2017-11-02 at 16:19 +0100, Maxence Sartiaux via samba wrote:
> Here's my full log of the --fix, no more information :(
>
> https://pastebin.com/evkR0JiL
>

No worries.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba