Jonathan Hunter
2018-Feb-09 10:20 UTC
[Samba] samba-tool dbcheck on 4.7.5, after bug 13228
Hi,

Have changed the subject line to make my question clearer :)

What is the expected behaviour of 'samba-tool dbcheck --fix'? Should running this command two times still produce the same output?

I think I was bitten by bug 13228, but am not sure if I'm running the right command to resolve.

Cheers

Jonathan

On 7 February 2018 at 23:44, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
> Hi,
>
> Firstly thank you to all the Samba team for continued help & support.. and
> thank you to those involved in resolving bug 13228, which might well
> explain a number of issues I was having recently (I had thought
> coincidentally, after upgrading to 4.7.4)
>
> Can I check the expected behaviour of 'samba-tool dbcheck --cross-ncs
> --fix'?
>
> On 7 February 2018 at 08:59, Karolin Seeger via samba <
> samba at lists.samba.org> wrote:
>
>> o BUG 13228: This is a major issue in Samba's ActiveDirectory domain
>> controller code. It might happen that AD objects have missing or broken
>> linked attributes. This could lead to broken group memberships e.g.
>> All Samba AD domain controllers set up with Samba 4.6 or lower and then
>> upgraded to 4.7 are affected. The corrupt database can be fixed with
>> 'samba-tool dbcheck --cross-ncs --fix'.
>>
>
> What is the expected behaviour of this command if run consecutively?
>
> On my DCs, freshly upgraded from 4.7.4 to 4.7.5, I have run the following
> two commands in sequence:
> $ sudo samba-tool dbcheck --cross-ncs --fix --yes > ~/samba-fix-01 2>&1
> $ sudo samba-tool dbcheck --cross-ncs --fix --yes > ~/samba-fix-02 2>&1
>
> The files produced by each run are identical in size.. but I would have
> instead expected file 02 to be smaller than file 01, since all the issues
> should have been fixed first time round..?
>
> Can I first check that I'm not missing something in syntax etc., before I
> spam the list with more details?
>
> I'm seeing output along the following lines, during *both* runs of
> samba-tool dbcheck:
>
> WARNING: no target object found for GUID component for DN value
> msDS-NC-Replica-Locations in object CN=aaaaaaaa-bbbb-cccc-dddd-
> eeeeeeeeeeee,CN=Partitions,CN=Configuration,DC=mydomain [....]
> WARNING: target DN is deleted for msDS-NC-Replica-Locations in object
> [....]
> Target GUID points at deleted DN [....]
> Remove stale DN link? [YES]
> Removed deleted DN on attribute msDS-NC-Replica-Locations
>
> plus many more; the output files are 13KB each on this DC, and contain 47
> fixes according to
> $ cat samba-fix-01 | grep "[YES]" | wc -l
> 47
>
> I already know (I think) that I need to run the command on each DC.. but
> before going further I just wanted to check I'm at least trying the correct
> approach for dbcheck itself.
>
> Thanks,
>
> Jonathan
>
> --
> "If we knew what it was we were doing, it would not be called research,
> would it?"
> - Albert Einstein
>

--
"If we knew what it was we were doing, it would not be called research, would it?"
- Albert Einstein
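One way to check whether a second `--fix` run repeats the findings of the first, rather than comparing file sizes. This is an added example, not part of the original post or of Samba; the sample captures are constructed from the lines quoted above, and the object DNs and the `member` finding are made up.

```python
import re

# Constructed sample captures, modelled on the output quoted in the post.
RUN_1 = """\
WARNING: no target object found for GUID component for DN value msDS-NC-Replica-Locations in object CN=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,CN=Partitions,CN=Configuration,DC=mydomain
Target GUID points at deleted DN
Remove stale DN link? [YES]
Removed deleted DN on attribute msDS-NC-Replica-Locations
WARNING: target DN is deleted for member in object CN=Example Group,CN=Users,DC=mydomain
Remove stale DN link? [YES]
Removed deleted DN on attribute member
"""
RUN_2 = RUN_1  # the second run reports exactly the same findings

def findings(log):
    """Return the set of (attribute, object DN) pairs named in WARNING lines."""
    found = set()
    for line in log.splitlines():
        if line.startswith("WARNING:"):
            # The attribute is the token directly before " in object <DN>".
            m = re.search(r"(\S+) in object (.+)$", line)
            if m:
                found.add((m.group(1), m.group(2).strip()))
    return found

def confirmed(log):
    """Count prompts answered [YES]. This is a literal substring match:
    as a regular expression, [YES] is a character class that matches any
    line containing Y, E or S."""
    return sum("[YES]" in line for line in log.splitlines())

def unfixed(first, second):
    """Findings present in both runs, i.e. fixes that did not persist."""
    return findings(first) & findings(second)

if __name__ == "__main__":
    print("confirmed prompts in run 1:", confirmed(RUN_1))
    for attr, dn in sorted(unfixed(RUN_1, RUN_2)):
        print("still reported after --fix:", attr, "in", dn)
```

A non-empty result from `unfixed` after a `--fix` run means the changes announced in the first run were not committed to the database.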
Jonathan Hunter
2018-Feb-16 11:44 UTC
[Samba] samba-tool dbcheck on 4.7.5, after bug 13228
Hi,

Replying to my own query, for those following along at home (or reading the archives in the future). Thanks very much to Garming for giving me these pointers.

My initial query probably wasn't very clear - apologies - but what it boiled down to was that "samba-tool dbcheck --cross-ncs" identified a number of errors, but these were *NOT* fixed when I ran the same command with "--yes".

The answer was that I needed to run dbcheck *without* the "--yes" argument, and instead manually specify y / all during the check itself. *These have slightly different behaviours*, particularly if there is an error in the middle which might be happening.

This successfully fixed the errors I had in my DB (actually, I still had some group membership issues with some newer users I had added to Domain Users / Domain Guests) but the bulk of the problems are now gone. I did also run the dbcheck on each DC individually; each had a slightly different set of errors, but most of my DCs are now reporting no errors via dbcheck, which is good :-)

I'm therefore not sure if the "samba-tool dbcheck --help" wording for "--yes" should be updated.
Currently the help text for --yes is:
"don't confirm changes, just do them all as a single transaction".

Should it say something like:
"don't confirm changes individually, do them all as a single transaction, this has different behaviour to answering yes each time, and may fail in case of some errors"
?

(The other pointer I was given was to raise the debug level (maybe to level 3) using -d3 and seeing if there are any error messages presented in those logs. I didn't need to use this, but it might help others having similar issues.)

Cheers,

Jonathan

On 9 February 2018 at 10:20, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
>
> On 7 February 2018 at 23:44, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
>
>> Hi,
>>
>> Firstly thank you to all the Samba team for continued help & support..
>> and thank you to those involved in resolving bug 13228, which might well
>> explain a number of issues I was having recently (I had thought
>> coincidentally, after upgrading to 4.7.4)
>>
>> Can I check the expected behaviour of 'samba-tool dbcheck --cross-ncs
>> --fix'?
>>
>> On 7 February 2018 at 08:59, Karolin Seeger via samba <
>> samba at lists.samba.org> wrote:
>>
>>> o BUG 13228: This is a major issue in Samba's ActiveDirectory domain
>>> controller code. It might happen that AD objects have missing or broken
>>> linked attributes. This could lead to broken group memberships e.g.
>>> All Samba AD domain controllers set up with Samba 4.6 or lower and then
>>> upgraded to 4.7 are affected. The corrupt database can be fixed with
>>> 'samba-tool dbcheck --cross-ncs --fix'.
>>>
>>
>> What is the expected behaviour of this command if run consecutively?
>>
>

--
"If we knew what it was we were doing, it would not be called research, would it?"
- Albert Einstein
Andrew Bartlett
2018-Feb-16 17:56 UTC
[Samba] samba-tool dbcheck on 4.7.5, after bug 13228
On Fri, 2018-02-16 at 11:44 +0000, Jonathan Hunter via samba wrote:
> Hi,
>
> Replying to my own query, for those following along at home (or reading the
> archives in the future). Thanks very much to Garming for giving me these
> pointers.
>
> My initial query probably wasn't very clear - apologies - but what it
> boiled down to was that "samba-tool dbcheck --cross-ncs" identified a
> number of errors, but these were *NOT* fixed when I ran the same command
> with "--yes".
>
> The answer was that I needed to run dbcheck *without* the "--yes" argument,
> and instead manually specify y / all during the check itself. *These have
> slightly different behaviours*, particularly if there is an error in the
> middle which might be happening.
>
> This successfully fixed the errors I had in my DB (actually, I still had
> some group membership issues with some newer users I had added to Domain
> Users / Domain Guests) but the bulk of the problems are now gone. I did
> also run the dbcheck on each DC individually; each had a slightly different
> set of errors, but most of my DCs are now reporting no errors via dbcheck,
> which is good :-)
>
> I'm therefore not sure if the "samba-tool dbcheck --help" wording for
> "--yes" should be updated.
> Currently the help text for --yes is:
> "don't confirm changes, just do them all as a single transaction".
>
> Should it say something like:
> "don't confirm changes individually, do them all as a single transaction,
> this has different behaviour to answering yes each time, and may fail in
> case of some errors"
> ?

It is more like "don't confirm changes, require all changes to apply successfully (use a single transaction)".

Ideally all errors have a fix and the fix applies successfully but in the real world it seems this isn't the case.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
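The difference described in this thread, shown on a toy SQLite table as an added example; this is not Samba code and does not use Samba's database. It assumes that fixes confirmed one at a time are committed independently, which the thread implies but does not state, and the three broken attributes are constructed.

```python
import sqlite3

# Constructed toy data: three broken links, one of which has no working fix.
BROKEN = [("member", "ok"), ("msDS-NC-Replica-Locations", "ok"),
          ("memberOf", "fails")]

def new_db():
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit BEGIN/COMMIT
    db.execute("CREATE TABLE broken (attr TEXT, outcome TEXT)")
    db.executemany("INSERT INTO broken VALUES (?, ?)", BROKEN)
    return db

def remaining(db):
    """Attributes a later check would still report as broken."""
    return [r[0] for r in db.execute("SELECT attr FROM broken ORDER BY rowid")]

def apply_fix(db, attr, outcome):
    if outcome == "fails":
        raise RuntimeError(f"fix for {attr} could not be applied")
    db.execute("DELETE FROM broken WHERE attr = ?", (attr,))

def fix_single_transaction(db):
    """Model of --yes: all fixes in one transaction, all must succeed."""
    rows = db.execute("SELECT attr, outcome FROM broken ORDER BY rowid").fetchall()
    db.execute("BEGIN")
    try:
        for attr, outcome in rows:
            apply_fix(db, attr, outcome)
        db.execute("COMMIT")
    except RuntimeError:
        db.execute("ROLLBACK")  # one failure discards the fixes that worked
    return remaining(db)

def fix_one_by_one(db):
    """Assumed model of confirming each prompt: one transaction per fix."""
    rows = db.execute("SELECT attr, outcome FROM broken ORDER BY rowid").fetchall()
    for attr, outcome in rows:
        db.execute("BEGIN")
        try:
            apply_fix(db, attr, outcome)
            db.execute("COMMIT")
        except RuntimeError:
            db.execute("ROLLBACK")  # only the failing fix is lost
    return remaining(db)

if __name__ == "__main__":
    print("single transaction:", fix_single_transaction(new_db()))
    print("one by one:        ", fix_one_by_one(new_db()))
```

In the single-transaction model a second run sees exactly the same broken entries as the first, which matches the identical output files reported earlier in the thread.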