Sven Schwedas
2019-Jul-03 15:26 UTC
[Samba] `samba-tool dbcheck --cross-ncs --fix` fails: governsID already exists as an attributeId or governsId
On 03.07.19 17:19, Rowland penny via samba wrote:
>> All these object classes were tests we did years ago, and which have
>> been "deleted" (I don't even remember by what mechanism) for almost as
>> long. No object should still be using any of these, and on graz-dc-sem
>> that's true.
> I would love to know how you deleted something from the schema, it is
> normally a bit 'Hotel California', you can add to the schema but never
> remove anything from the schema.

Hence "deleted", they're still around, just disabled. Which caused the ID reuse problem in the first place.

>> There is, however, a new class called taoUser with the same X500 OID as
>> ucsUser that's only used in one domain account (mine, of course); on
>> graz-dc-sem the object correctly has the taoUser class assigned, on the
>> other servers it's still an ucsUser.
>
> That is probably your problem, you cannot have different names for what
> seems to be the same objectclass.

That's that, but I can't figure out what's supposed to reuse the other two IDs.

>> All servers seem to replicate without errors according to samba-tool drs
>> showrepl.
>>
>> How do I get rid of these bogus Schema entries, and how do I fix the
>> user account?
>
> I do not think you can remove anything from the schema, but I believe
> you can deactivate schema objects, try reading this:
>
> https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773309(v=ws.10)

They already are disabled.

--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
sven.schwedas at tao.at | +43 680 301 7167
TAO Digital | Teil der TAO Beratungs- & Management GmbH
Lendplatz 45 | FN 213999f/Klagenfurt, FB-Gericht Villach
A8020 Graz | https://www.tao-digital.at
Rowland penny
2019-Jul-03 16:04 UTC
[Samba] `samba-tool dbcheck --cross-ncs --fix` fails: governsID already exists as an attributeId or governsId
On 03/07/2019 16:26, Sven Schwedas via samba wrote:
> On 03.07.19 17:19, Rowland penny via samba wrote:
>>> All these object classes were tests we did years ago, and which have
>>> been "deleted" (I don't even remember by what mechanism) for almost as
>>> long. No object should still be using any of these, and on graz-dc-sem
>>> that's true.
>> I would love to know how you deleted something from the schema, it is
>> normally a bit 'Hotel California', you can add to the schema but never
>> remove anything from the schema.
> Hence "deleted", they're still around, just disabled. Which caused the
> ID reuse problem in the first place.
>
>>> There is, however, a new class called taoUser with the same X500 OID as
>>> ucsUser that's only used in one domain account (mine, of course); on
>>> graz-dc-sem the object correctly has the taoUser class assigned, on the
>>> other servers it's still an ucsUser.
>> That is probably your problem, you cannot have different names for what
>> seems to be the same objectclass.
> That's that, but I can't figure out what's supposed to reuse the other
> two IDs.
>
>>> All servers seem to replicate without errors according to samba-tool drs
>>> showrepl.
>>>
>>> How do I get rid of these bogus Schema entries, and how do I fix the
>>> user account?
>> I do not think you can remove anything from the schema, but I believe
>> you can deactivate schema objects, try reading this:
>>
>> https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773309(v=ws.10)
> They already are disabled.

Have you extended the schema to use 'taouser'?

I ask this because (from what you posted) it uses the same X500 OID as 'ucsUser', another name for X500 OID is 'governsID', so this may be your problem, try deleting 'taouser' from your AD object (this is allowed) and see if your problem goes away.

Rowland
Sven Schwedas
2019-Jul-04 13:45 UTC
[Samba] `samba-tool dbcheck --cross-ncs --fix` fails: governsID already exists as an attributeId or governsId
On 03.07.19 18:04, Rowland penny via samba wrote:
>>>> How do I get rid of these bogus Schema entries, and how do I fix the
>>>> user account?
>>> I do not think you can remove anything from the schema, but I believe
>>> you can deactivate schema objects, try reading this:
>>>
>>> https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773309(v=ws.10)
>>>
>> They already are disabled.
>
> Have you extended the schema to use 'taouser' ?

Yes.

> I ask this because (from what you posted) it uses the same X500 OID as
> 'ucsUser', another name for X500 OID is 'governsID', so this may be your
> problem, try deleting 'taouser' from your AD object (this is allowed)
> and see if your problem goes away.

That fixed the dbcheck crashes on the other three servers, they now complete successfully.

Still left are the three governsId collisions, which are now identical across all DCs:

> Checking 3861 objects
> Error: governsID CN=ucsUser,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on 1.3.6.1.4.1.19414.3.2.2 already exists as an attributeId or governsId
> Error: governsID CN=taoSharedFolder,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on 1.3.6.1.4.1.19414.3.2.4 already exists as an attributeId or governsId
> Error: governsID CN=taoMailingList,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on 1.3.6.1.4.1.19414.3.2.3 already exists as an attributeId or governsId
> Checked 3861 objects (3 errors)

How do I fix those? Can I just edit the old, defunct classes and change their governsId without breaking something?

--
Mit freundlichen Grüßen, / Best Regards,
Sven Schwedas, Systemadministrator
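To see which schema entries share an OID, as in the dbcheck errors above, the following added example (not part of the thread and not Samba's own code) scans an LDIF export of the schema partition and lists every OID claimed by more than one `governsID` or `attributeID`, with each entry's `isDefunct` state. The sample LDIF is constructed: the shared OID of ucsUser and taoUser follows the thread, while the `isDefunct` values and `exampleAttr` are assumptions.

```python
import base64
from collections import defaultdict

# Constructed sample, not data from the thread's servers. The shared OID of
# ucsUser/taoUser follows the thread; isDefunct and exampleAttr are assumed.
SAMPLE_LDIF = """\
dn: CN=ucsUser,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at
objectClass: classSchema
governsID: 1.3.6.1.4.1.19414.3.2.2
isDefunct: TRUE

dn: CN=taoUser,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at
objectClass: classSchema
governsID: 1.3.6.1.4.1.19414
 .3.2.2

dn: CN=exampleAttr,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19414.3.1.99
"""

def parse_ldif(text):
    """Yield one dict per entry (lower-cased attribute -> values); folded lines are joined."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry[name.lower()].append(value.strip())
        if "dn" in entry:
            yield entry

def oid_collisions(text):
    """Map each OID used by more than one schema entry to [(dn, kind, defunct)]."""
    users = defaultdict(list)
    for e in parse_ldif(text):
        defunct = e.get("isdefunct", ["FALSE"])[0].upper() == "TRUE"
        for kind in ("governsid", "attributeid"):
            for oid in e.get(kind, []):
                users[oid].append((e["dn"][0], kind, defunct))
    return {oid: u for oid, u in users.items() if len(u) > 1}

if __name__ == "__main__":
    for oid, entries in sorted(oid_collisions(SAMPLE_LDIF).items()):
        print(oid, *(f"\n  {k} defunct={d} {dn}" for dn, k, d in entries))
```

Run against a real export, an OID listed with both a defunct and an active entry points at the reuse described in the thread.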