Jonathan Hunter
2018-Feb-07 23:44 UTC
[Samba] AD object fix (Re: [Announce] Samba 4.7.5 Available for Download)
Hi,

Firstly thank you to all the Samba team for continued help & support.. and thank you to those involved in resolving bug 13228, which might well explain a number of issues I was having recently (I had thought coincidentally, after upgrading to 4.7.4).

Can I check the expected behaviour of 'samba-tool dbcheck --cross-ncs --fix'?

On 7 February 2018 at 08:59, Karolin Seeger via samba <samba at lists.samba.org> wrote:
> o  BUG 13228: This is a major issue in Samba's ActiveDirectory domain
>    controller code. It might happen that AD objects have missing or broken
>    linked attributes. This could lead to broken group memberships e.g.
>    All Samba AD domain controllers set up with Samba 4.6 or lower and then
>    upgraded to 4.7 are affected. The corrupt database can be fixed with
>    'samba-tool dbcheck --cross-ncs --fix'.
>

What is the expected behaviour of this command if run consecutively?

On my DCs, freshly upgraded from 4.7.4 to 4.7.5, I have run the following two commands in sequence:

$ sudo samba-tool dbcheck --cross-ncs --fix --yes > ~/samba-fix-01 2>&1
$ sudo samba-tool dbcheck --cross-ncs --fix --yes > ~/samba-fix-02 2>&1

The files produced by each run are identical in size.. but I would have instead expected file 02 to be smaller than file 01, since all the issues should have been fixed first time round..?

Can I first check that I'm not missing something in syntax etc., before I spam the list with more details?

I'm seeing output along the following lines, during *both* runs of samba-tool dbcheck:

WARNING: no target object found for GUID component for DN value msDS-NC-Replica-Locations in object CN=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,CN=Partitions,CN=Configuration,DC=mydomain [....]
WARNING: target DN is deleted for msDS-NC-Replica-Locations in object [....]
Target GUID points at deleted DN [....]
Remove stale DN link? [YES]
Removed deleted DN on attribute msDS-NC-Replica-Locations

plus many more; the output files are 13KB each on this DC, and contain 47 fixes according to

$ cat samba-fix-01 | grep "[YES]" | wc -l
47

I already know (I think) that I need to run the command on each DC.. but before going further I just wanted to check I'm at least trying the correct approach for dbcheck itself.

Thanks,

Jonathan

-- 
"If we knew what it was we were doing, it would not be called research, would it?"
      - Albert Einstein
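
Added example (not part of the original message, and not Samba project code): one way to compare two saved dbcheck logs, counting the literal "[YES]" marker with a fixed-string match and listing how many WARNING lines recur in the second run. The log layout is assumed from the excerpt quoted in the message; the function names and sample logs are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original message. Log layout is assumed
# from the dbcheck excerpt quoted above; sample logs are constructed.

# Count applied fixes: -F treats "[YES]" as a literal string. Without -F
# it is a bracket expression matching any line containing Y, E or S.
count_fixes() { grep -cF -- '[YES]' "$1" || true; }

# The bracket-expression count, kept for comparison.
count_bracket_matches() { grep -c -- '[YES]' "$1" || true; }

# Number of distinct WARNING lines that appear in both logs.
repeated_warnings() {
    a=$(mktemp); b=$(mktemp)
    grep '^WARNING:' "$1" | sort -u > "$a"
    grep '^WARNING:' "$2" | sort -u > "$b"
    comm -12 "$a" "$b" | wc -l | tr -d ' '
    rm -f "$a" "$b"
}

# Constructed sample logs: run 1 repairs two objects, run 2 repeats one.
SAMPLE_DIR=$(mktemp -d)
entry() {
    printf '%s\n' \
      "WARNING: target DN is deleted for msDS-NC-Replica-Locations in object CN=$1,CN=Partitions,CN=Configuration,DC=mydomain" \
      "Target GUID points at deleted DN" \
      "Remove stale DN link? [YES]" \
      "Removed deleted DN on attribute msDS-NC-Replica-Locations"
}
{ entry aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
  entry 11111111-2222-3333-4444-555555555555; } > "$SAMPLE_DIR/run1.log"
entry aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee > "$SAMPLE_DIR/run2.log"

echo "run 1 fixes: $(count_fixes "$SAMPLE_DIR/run1.log")" \
     "(bracket regex: $(count_bracket_matches "$SAMPLE_DIR/run1.log"))"
echo "run 2 fixes: $(count_fixes "$SAMPLE_DIR/run2.log")"
echo "warnings in both runs:" \
     "$(repeated_warnings "$SAMPLE_DIR/run1.log" "$SAMPLE_DIR/run2.log")"
```

A non-zero count from repeated_warnings means the same object and attribute were flagged in both runs, which is the per-object detail that a file-size comparison cannot show.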