On Tue, 13 Nov 2018 at 21:26, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Tue, 13 Nov 2018 20:55:08 +0000
> Jonathan Hunter via samba <samba at lists.samba.org> wrote:
>
> > After running the following:
> >
> > $ sudo samba-tool domain join mydomain.org DC -U myadmin --site=mysite --server=dc3
> >
> > all seems well, until:
> >
> > [...]
> > Setting up secrets.ldb
> > Setting up the registry
> > Setting up the privileges database
> > Setting up idmap db
> > Setting up SAM db
> > Setting up sam.ldb partitions and settings
> > Setting up sam.ldb rootDSE
> > Pre-loading the Samba 4 and AD schema
> > Unable to determine the DomainSID, can not enforce uniqueness
> > constraint on local domainSIDs
> > [... and also ...]
> > Replicating critical objects from the base DN of the domain
> > Partition[DC=mydomain,DC=org] objects[99/99] linked_values[28/28]
> > Partition[DC=mydomain,DC=org] objects[501/886] linked_values[0/61]
> > Partition[DC=mydomain,DC=org] objects[903/886] linked_values[0/718]
> > ../lib/ldb/ldb_tdb/ldb_index.c:2352: duplicate attribute value in
> > CN=somePC,OU=someOU,OU=Computers,OU=mysite,DC=mydomain,DC=org for
> > index on servicePrincipalName, duplicate of objectGUID
> > 00000000-1111-2222-3333-444444444444 in
> > @INDEX:SERVICEPRINCIPALNAME:RESTRICTEDKRBHOST/SOMEPC
> > [lots of these]
>
> I think you may be running into this bug:
>
> https://bugzilla.samba.org/show_bug.cgi?id=8929
>
> You may have duplicate SPNs, e.g. one 'HOST/somePC' and another
> 'host/somepc'

You could well be right, thank you. It's entirely possible - my domain has been upgraded through various Samba versions, so that might be the case.

Looks like this is an old bug, so I am guessing that a) it isn't likely to be fixed imminently, and b) until I can get rid of the duplicate entries somehow, I won't be able to join any DCs back into my domain...

> Also there were several problems with 4.9.0, so I would rapidly upgrade
> to 4.9.2

I did check the release notes and couldn't see anything critical for my environment at the time, but I may well have missed something - so I am upgrading now and will try again.

The other message that worried me was the one about "Unable to determine the DomainSID"; I don't know what is causing that... (or if indeed it would be a problem)

Many thanks as always,

Jonathan

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
On Wed, 14 Nov 2018 08:34:11 +0000
Jonathan Hunter via samba <samba at lists.samba.org> wrote:
> The other message that worried me was the one about "Unable to
> determine the DomainSID", I don't know what is causing that... (or if
> indeed it would be a problem)

You can safely ignore that. I don't know where it is coming from, but it seems to appear every time you provision or join a DC.

Rowland
Thanks Rowland for the advice. I have now tried joining a 4.9.2 machine to the domain, targeting the join at a 4.9.2 DC. Same result as below, unfortunately - I think you are probably correct with the bug below (#8929).

On Wed, 14 Nov 2018 at 08:34, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
[...]
> > > $ sudo samba-tool domain join mydomain.org DC -U myadmin --site=mysite
> > > --server=dc3
> > > [...]
> > > Replicating critical objects from the base DN of the domain
> > > [...]
> > > ../lib/ldb/ldb_tdb/ldb_index.c:2352: duplicate attribute value in
> > > CN=somePC,OU=someOU,OU=Computers,OU=mysite,DC=mydomain,DC=org for
> > > index on servicePrincipalName, duplicate of objectGUID
> > > 00000000-1111-2222-3333-444444444444 in
> > > @INDEX:SERVICEPRINCIPALNAME:RESTRICTEDKRBHOST/SOMEPC
> > > [lots of these]
> >
> > I think you may be running into this bug:
> > https://bugzilla.samba.org/show_bug.cgi?id=8929
> >
> > You may have duplicate SPNs, e.g. one 'HOST/somePC' and another
> > 'host/somepc'

I am sure that this is what is happening for me.. but it looks as though I am now unable to join any new DCs into my domain until I can figure out how to work around this.

Is there a way I can maybe use ldbedit to manually adjust the database, and remove duplicates somehow? (That seems risky to me, but I don't know what alternative I have..)

In my database, as reported by the domain join command above, I have five duplicates 'for index on servicePrincipalName', plus 107 duplicates for index on a custom LDAP attribute I am using. If there's a correct way I can step through these one by one, and remove the duplicates, I am happy to try...

Or - is anybody working on bug 8929?

Currently I am one DC down, and don't think I can re-add it as things stand.. so I'm willing to try manually editing if that will help.

Cheers,

Jonathan

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
Hi,

Does anyone have experience of using ldbedit or similar to remove the duplicates below? (Is that even the right way for me to go?) Can I perhaps query something using ldbsearch, to find the duplicates, before using ldbedit?

On Sun, 18 Nov 2018 at 21:37, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
> [...]
> In my database, as reported by the domain join command above, I have
> five duplicates 'for index on servicePrincipalName', plus 107
> duplicates for index on a custom LDAP attribute I am using. If there's
> a correct way I can step through these one by one, and remove the
> duplicates, I am happy to try...

I guess ldbedit does carry some level of risk with it, but I can't seem to add any DCs to my domain at the moment, which is unfortunate as I had a hardware failure that I now can't recover from.

I note that this was last discussed on the list on 20 March 2018 at 03:14 (message ID <1113A703-649B-42D5-BDFC-2842767B31E5 at dignitastechnologies.com>), but there was no conclusion to that thread other than a comment that 4.9.0pre1 seemed to resolve the issue. However, I am now using 4.9.2 on one of my DCs and on the DC that is being newly joined, and I am still having the problem. (My two other DCs are still on 4.9.0)

For reference, this is the type of error I'm getting when joining my DC:

../lib/ldb/ldb_tdb/ldb_index.c:2352: duplicate attribute value in CN=somePC,OU=someOU,OU=Computers,OU=mysite,DC=mydomain,DC=org for index on servicePrincipalName, duplicate of objectGUID 00000000-1111-2222-3333-444444444444 in @INDEX:SERVICEPRINCIPALNAME:RESTRICTEDKRBHOST/SOMEPC

Cheers

Jonathan

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
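One way to answer the "find them with ldbsearch before touching anything with ldbedit" question from the post above, as an added example that is not code from the thread or from the Samba project: dump the servicePrincipalName values with ldbsearch, then group each object's values by the upper-cased key that the ldb index folds them to (the error's @INDEX:SERVICEPRINCIPALNAME:RESTRICTEDKRBHOST/SOMEPC key shows that folding). The sam.ldb path in the comment is an assumption, and the LDIF parsed here is a constructed sample shaped like ldbsearch output.

```python
from collections import defaultdict
# Constructed sample in the shape of the LDIF printed by (sam.ldb path is an assumption):
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(servicePrincipalName=*)' servicePrincipalName
SAMPLE_LDIF = """\
dn: CN=somePC,OU=someOU,OU=Computers,OU=mysite,DC=mydomain,DC=org
servicePrincipalName: HOST/somePC
servicePrincipalName: host/somepc
servicePrincipalName: RestrictedKrbHost/somePC
servicePrincipalName: RESTRICTEDKRBHOST/SOMEPC

dn: CN=otherPC,OU=someOU,OU=Computers,OU=mysite,DC=mydomain,DC=org
servicePrincipalName: HOST/otherPC

# returned 2 records
"""
def parse_ldif(text, attr="servicePrincipalName"):
    """Map each dn to the values of one multi-valued attribute."""
    records, dn = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # record separators and ldbsearch's trailing comment
        key, _, value = line.partition(": ")
        if key == "dn":
            dn = value
            records[dn] = []
        elif dn is not None and key.lower() == attr.lower():
            records[dn].append(value)
    return records

def find_case_duplicates(records):
    """Group each object's values by upper-cased key, as ldb's index folds them."""
    dups = {}
    for dn, values in records.items():
        by_key = defaultdict(list)
        for v in values:
            by_key[v.upper()].append(v)
        clashes = {k: vs for k, vs in by_key.items() if len(vs) > 1}
        if clashes:
            dups[dn] = clashes
    return dups

def to_delete_ldif(dups, attr="servicePrincipalName"):
    """LDIF that keeps the first spelling of each clash and deletes the others."""
    out = []
    for dn, clashes in dups.items():
        out += [f"dn: {dn}", "changetype: modify"]
        for vs in clashes.values():
            out += [f"delete: {attr}\n{attr}: {extra}\n-" for extra in vs[1:]]
        out.append("")  # blank line terminates each LDIF change record
    return "\n".join(out)
```

Which spelling to keep is an administrative decision; the script keeps the first one it sees, so review the generated LDIF (and back up the database) before applying it with ldbmodify. The same parse-and-fold approach covers the custom indexed attribute mentioned in the thread by passing its name as attr.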