samba - Jul 2019 - `samba-tool dbcheck --cross-ncs --fix` fails: governsID already exists as an attributeId or governsId

It's amazing how long Samba just keeps running even when apparently
everything's broken.

In preparation of finally upgrading our DCs to 41.0, I ran dbcheck on
all of them, resulting in:

graz-dc-sem:
> Checking 3861 objects
> Error: governsID CN=ucsUser,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at
on 1.3.6.1.4.1.19414.3.2.2 already exists as an attributeId or governsId
> Error: governsID
CN=taoSharedFolder,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on
1.3.6.1.4.1.19414.3.2.4 already exists as an attributeId or governsId
> Error: governsID
CN=taoMailingList,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on
1.3.6.1.4.1.19414.3.2.3 already exists as an attributeId or governsId
> Checked 3861 objects (3 errors)
All other DCs:
> Checking 3861 objects
> Error: governsID CN=ucsUser,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at
on 1.3.6.1.4.1.19414.3.2.2 already exists as an attributeId or governsId
> Error: governsID
CN=taoSharedFolder,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on
1.3.6.1.4.1.19414.3.2.4 already exists as an attributeId or governsId
> Error: governsID
CN=taoMailingList,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on
1.3.6.1.4.1.19414.3.2.3 already exists as an attributeId or governsId
> ERROR(runtime): uncaught exception - objectclass ucsUser marked as
isDefunct objectClass in schema - not valid for new objects
>   File
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176,
in _run
>     return self.run(*args, **kwargs)
>   File
"/usr/lib/python2.7/dist-packages/samba/netcmd/dbcheck.py", line 157,
in run
>     controls=controls, attrs=attrs)
>   File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py",
line 198, in check_database
>     error_count += self.check_object(object.dn, attrs=attrs)
>   File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py",
line 1708, in check_object
>     normalised = self.samdb.dsdb_normalise_attributes(self.samdb_schema,
attrname, obj[attrname])
>   File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line
677, in dsdb_normalise_attributes
>     return dsdb._dsdb_normalise_attributes(ldb, ldap_display_name,
ldif_elements)

All these object classes were tests we did? years ago, and which have
been "deleted" (I don't even remember by what mechanism) for
almost as
long. No object should still be using any of these, and on graz-dc-sem
that's true.

There is, however, a new class called taoUser with the same X500 OID as
ucsUser that's only used in one domain account (mine, of course); on
graz-dc-sem the object correctly has the taoUser class assigned, on the
other servers it's still an ucsUser.

All servers seem to replicate without errors according to samba-tool drs
showrepl.

How do I get rid of these bogus Schema entries, and how do I fix the
user account?

-- 
Mit freundlichen Gr??en, / Best Regards,
Sven Schwedas, Systemadministrator
? sven.schwedas at tao.at | ? +43 680 301 7167
TAO Digital   | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz    | https://www.tao-digital.at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20190703/418d8af9/signature.sig>

On 03/07/2019 15:50, Sven Schwedas via samba wrote:
> It's amazing how long Samba just keeps running even when apparently
> everything's broken.
>
> In preparation of finally upgrading our DCs to 41.0, I ran dbcheck on
> all of them, resulting in:
>
> graz-dc-sem:
>> Checking 3861 objects
>> Error: governsID
CN=ucsUser,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on
1.3.6.1.4.1.19414.3.2.2 already exists as an attributeId or governsId
>> Error: governsID
CN=taoSharedFolder,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on
1.3.6.1.4.1.19414.3.2.4 already exists as an attributeId or governsId
>> Error: governsID
CN=taoMailingList,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on
1.3.6.1.4.1.19414.3.2.3 already exists as an attributeId or governsId
>> Checked 3861 objects (3 errors)
> All other DCs:
>> Checking 3861 objects
>> Error: governsID
CN=ucsUser,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on
1.3.6.1.4.1.19414.3.2.2 already exists as an attributeId or governsId
>> Error: governsID
CN=taoSharedFolder,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on
1.3.6.1.4.1.19414.3.2.4 already exists as an attributeId or governsId
>> Error: governsID
CN=taoMailingList,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on
1.3.6.1.4.1.19414.3.2.3 already exists as an attributeId or governsId
>> ERROR(runtime): uncaught exception - objectclass ucsUser marked as
isDefunct objectClass in schema - not valid for new objects
>>    File
"/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176,
in _run
>>      return self.run(*args, **kwargs)
>>    File
"/usr/lib/python2.7/dist-packages/samba/netcmd/dbcheck.py", line 157,
in run
>>      controls=controls, attrs=attrs)
>>    File
"/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 198, in
check_database
>>      error_count += self.check_object(object.dn, attrs=attrs)
>>    File
"/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 1708, in
check_object
>>      normalised =
self.samdb.dsdb_normalise_attributes(self.samdb_schema, attrname, obj[attrname])
>>    File "/usr/lib/python2.7/dist-packages/samba/samdb.py",
line 677, in dsdb_normalise_attributes
>>      return dsdb._dsdb_normalise_attributes(ldb, ldap_display_name,
ldif_elements)
>
> All these object classes were tests we did? years ago, and which have
> been "deleted" (I don't even remember by what mechanism) for
almost as
> long. No object should still be using any of these, and on graz-dc-sem
> that's true.
I would love to know how you deleted something from the schema, it is 
normally a bit 'Hotel California', you can add to the schema but never 
remove anything from the schema.
>
> There is, however, a new class called taoUser with the same X500 OID as
> ucsUser that's only used in one domain account (mine, of course); on
> graz-dc-sem the object correctly has the taoUser class assigned, on the
> other servers it's still an ucsUser.
That is probably your problem, you cannot have different names for what 
seems to be the same objectclass.
>
> All servers seem to replicate without errors according to samba-tool drs
> showrepl.
>
> How do I get rid of these bogus Schema entries, and how do I fix the
> user account?
I do not think you can remove anything from the schema, but I believe 
you can deactivate schema objects, try reading this:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773309(v=ws.10)

Rowland

On 03.07.19 17:19, Rowland penny via samba wrote:
>> All these object classes were tests we did? years ago, and which have
>> been "deleted" (I don't even remember by what mechanism)
for almost as
>> long. No object should still be using any of these, and on graz-dc-sem
>> that's true.
> I would love to know how you deleted something from the schema, it is
> normally a bit 'Hotel California', you can add to the schema but
never
> remove anything from the schema.
Hence "deleted", they're still around, just disabled. Which caused
the
ID reuse problem in the first place.
>> There is, however, a new class called taoUser with the same X500 OID as
>> ucsUser that's only used in one domain account (mine, of course);
on
>> graz-dc-sem the object correctly has the taoUser class assigned, on the
>> other servers it's still an ucsUser.
> 
> That is probably your problem, you cannot have different names for what
> seems to be the same objectclass.
That's that, but I can't figure out what's supposed to reuse the
other
two IDs.
>> All servers seem to replicate without errors according to samba-tool
drs
>> showrepl.
>>
>> How do I get rid of these bogus Schema entries, and how do I fix the
>> user account?
> 
> I do not think you can remove anything from the schema, but I believe
> you can deactivate schema objects, try reading this:
> 
>
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773309(v=ws.10)
They already are disabled.

-- 
Mit freundlichen Gr??en, / Best Regards,
Sven Schwedas, Systemadministrator
? sven.schwedas at tao.at | ? +43 680 301 7167
TAO Digital   | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45  | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz    | https://www.tao-digital.at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20190703/f3aab60e/signature.sig>