samba - Jul 2018 - Undeletable objects in AD

Hello,

after migration from a NT style domain to Samba AD (running 4.7.8) with
the classicupgrade method I have two group objects in the AD tree with
german umlauts which I can't access or delete. When I try I get a error
which says literally "object not found on the server". Same when using
other LDAP tools.

It's not a great problem, but how can I get rid of this two group objects?

Kind regards,

Henry

On Mon, 23 Jul 2018 10:44:21 +0200
Henry Jensen via samba <samba at lists.samba.org> wrote:
> Hello,
> 
> after migration from a NT style domain to Samba AD (running 4.7.8)
> with the classicupgrade method I have two group objects in the AD
> tree with german umlauts which I can't access or delete. When I try I
> get a error which says literally "object not found on the
server".
> Same when using other LDAP tools.
> 
> It's not a great problem, but how can I get rid of this two group
> objects?
> 
> Kind regards,
> 
> Henry
> 
> 
How are you searching and what with ?

Have you tried ldbedit ?

ldbedit -e <your favourite editor> -H /path/to/sam.ldb

This will display everything in the editor and you can then search in
that for the groups. You should then be able to create a filter to
delete the groups

Rowland

On Mon, 23 Jul 2018 11:27:38 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> How are you searching and what with ?
I used the ADUC tool and LDAPAdmin.
> 
> Have you tried ldbedit ?
> 
> ldbedit -e <your favourite editor> -H /path/to/sam.ldb
> 
> This will display everything in the editor and you can then search in
> that for the groups. You should then be able to create a filter to
> delete the groups


Yes, the objects in question are displayed, one of them looks like this:

# record 46  
dn: CN=projekt-st.wendel-wvw-technisch-ökonomische-rw,CN=Users,DC=iww,DC=lan
cn::
cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtcncinstanceType: 4
whenCreated: 20180720113100.0Z
uSNCreated: 5982
name::
cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtcncobjectGUID:
ecbda919-4c16-4d06-9695-2540e35b44da
objectSid: S-1-5-21-4144324718-2848790307-3888702956-3897
sAMAccountName:: cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtc
 ncsAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=iww,DC=lan
gidNumber: 1448
objectClass: top
objectClass: posixGroup
objectClass: group
msSFU30NisDomain: iww
whenChanged: 20180720113106.0Z
uSNChanged: 15576
distinguishedName:: Q049cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taX
 NjaGUtcncsQ049VXNlcnMsREM9aXd3LERDPWxhbg=
However, "ldbdel -H /var/lib/samba/private/sam.ldb
'CN=projekt-st.wendel-wvw-technisch-ökonomische-rw,CN=Users,DC=iww,DC=lan'"
doesn't work, it says "entry does not exist"

As you can see, some parts are base64 encoded but I am unsure how to use this 
in conjunction with ldbdel or ldbedit, e.g.  I tried
 
 ldbedit -e vim -H /var/lib/samba/private/sam.ldb
'(sAMAccountName=cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtcnc=)'
 ldbedit -e vim -H /var/lib/samba/private/sam.ldb
'(sAMAccountName=:cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtcnc=)'
 ldbedit -e vim -H /var/lib/samba/private/sam.ldb
'(sAMAccountName=::cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtcnc=)'

and all of them fail with "no matching records - cannot edit".

Same when using objectGUID or objectSid.

Kind regards,

Henry