Hello,

I have 2 samba DCs. DC1 with FSMO role and DC2. These days, when I use dbcheck in DC1, I got the following error:

# samba-tool dbcheck --cross-ncs
Checking 4419 objects
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Users,DC=adagene,DC=cn - <GUID=c5c33d48-226b-4105-9c69-0506a22d3a15>;<RMD_ADDTIME=131526914300000000>;<RMD_CHANGETIME=131526914750000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4f720a27-5a19-4fba-8e89-9f59f7c3533e>;<RMD_LOCAL_USN=102599>;<RMD_ORIGINATING_USN=102599>;<RMD_VERSION=1>;CN=jack,OU=Users,OU=Suzhou,DC=adagene,DC=cn
Not fixing SID component mismatch
Please use --fix to fix these errors
Checked 4419 objects (1 errors)

In DC2, there is no error.

And I try to fix that in DC1:

# samba-tool dbcheck --cross-ncs --fix
Checking 4419 objects
ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Users,DC=adagene,DC=cn - <GUID=c5c33d48-226b-4105-9c69-0506a22d3a15>;<RMD_ADDTIME=131526914300000000>;<RMD_CHANGETIME=131526914750000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4f720a27-5a19-4fba-8e89-9f59f7c3533e>;<RMD_LOCAL_USN=102599>;<RMD_ORIGINATING_USN=102599>;<RMD_VERSION=1>;CN=jack,OU=Users,OU=Suzhou,DC=adagene,DC=cn
Change DN to <GUID=c5c33d48-226b-4105-9c69-0506a22d3a15>;<SID=S-1-5-21-570971082-1333357699-3675202899-1007>;CN=jack,OU=Users,OU=Suzhou,DC=adagene,DC=cn? [y/N/all/none] all
Failed to fix incorrect DN SID on attribute member : (68, 'samldb: member CN=jack,OU=Users,OU=Suzhou,DC=adagene,DC=cn already set via primaryGroupID 513')
Checked 4419 objects (1 errors)

I check the user Jack's sid and guid in RSAT tool. His sid is S-1-5-21-570971082-1333357699-3675202899-1007 and guid is c5c33d48-226b-4105-9c69-0506a22d3a15. All seems to match expectation.

And I use the ldap compare tools:

# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator
Password for [ADAGENE\administrator]:

* Comparing [DOMAIN] context...
* Objects to be compared: 761
* Result for [DOMAIN]: SUCCESS
* Comparing [CONFIGURATION] context...
* Objects to be compared: 1615
* Result for [CONFIGURATION]: SUCCESS
* Comparing [SCHEMA] context...
* Objects to be compared: 1550
* Result for [SCHEMA]: SUCCESS
* Comparing [DNSDOMAIN] context...
* Objects to be compared: 241
* Result for [DNSDOMAIN]: SUCCESS
* Comparing [DNSFOREST] context...
* Objects to be compared: 20
* Result for [DNSFOREST]: SUCCESS

See that the ldap content in the two DCs is the same. But one got an error and the other got no error.

So how could I fix the error in DC1?

Yours
Adam.
Hi,

It appears to be an error in dbcheck, where we're making assertions on the primaryGroupID despite the fact that it is dealing with an inactive link. It should be safe to ignore, and should disappear once the stale link is deleted permanently after the usual tombstone period.

There probably needs to be a bug filed though, to make sure we fix this unintended error.

Cheers,
Garming
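
An added example, not part of the original thread and not Samba's own code: a small triage helper that parses the extended DN printed by dbcheck and tells the case described in the reply above (a link already marked inactive) apart from an active member link that lacks its SID. It assumes bit 0x1 of RMD_FLAGS marks a deleted link and that the RMD_*TIME values are NTTIME (100 ns ticks since 1601); the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

RMD_FLAG_DELETED = 0x1  # assumption: bit 0 of RMD_FLAGS marks a removed (inactive) link

# Constructed sample: the extended DN from the dbcheck output in this thread, unwrapped.
SAMPLE = (
    "<GUID=c5c33d48-226b-4105-9c69-0506a22d3a15>;<RMD_ADDTIME=131526914300000000>;"
    "<RMD_CHANGETIME=131526914750000000>;<RMD_FLAGS=1>;"
    "<RMD_INVOCID=4f720a27-5a19-4fba-8e89-9f59f7c3533e>;<RMD_LOCAL_USN=102599>;"
    "<RMD_ORIGINATING_USN=102599>;<RMD_VERSION=1>;"
    "CN=jack,OU=Users,OU=Suzhou,DC=adagene,DC=cn"
)

def parse_extended_dn(value):
    """Split an extended DN into its <KEY=value> components and the plain DN."""
    components = dict(re.findall(r"<([A-Z_]+)=([^>]*)>", value))
    dn = re.sub(r"<[^>]*>\s*;?\s*", "", value).strip()
    return components, dn

def nttime_to_utc(nttime):
    """Convert 100 ns ticks since 1601-01-01 to an aware UTC datetime."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(microseconds=int(nttime) // 10)

def triage(value):
    """Classify one link value reported by dbcheck."""
    comps, dn = parse_extended_dn(value)
    deleted = bool(int(comps.get("RMD_FLAGS", "0")) & RMD_FLAG_DELETED)
    has_sid = "SID" in comps
    if has_sid:
        verdict = "ok"
    elif deleted:
        verdict = "inactive link without SID: ages out with the stale link"
    else:
        verdict = "active link without SID: investigate"
    changed = comps.get("RMD_CHANGETIME")
    return {
        "dn": dn,
        "guid": comps.get("GUID"),
        "has_sid": has_sid,
        "link_deleted": deleted,
        "changed": nttime_to_utc(changed) if changed else None,
        "verdict": verdict,
    }

if __name__ == "__main__":
    for key, val in triage(SAMPLE).items():
        print(f"{key}: {val}")
```

The `changed` timestamp shows when the link was last modified (here, when it was marked deleted), which is the starting point for judging how long the stale link has left before it is removed.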
adam_xu at adagene.com.cn
2018-Feb-14 01:15 UTC
[Samba] A db error that dbcheck tool can't fix
Garming,

Thanks for your reply. Could I delete the stale link manually, or will the bug be fixed in the next release?