Ong Yu-Phing
2013-Jan-28 03:56 UTC
[Samba] unique index violation on objectGUID, CN=Deleted Objects, DC=samdom, DC=domain
I've grabbed the latest samba4 master branch from git, and am trying to
join the samba4 server to an existing domain. However, I'm bumping into
a unique index violation, with some objects in the CN=Deleted Objects
container. These objects were conflict objects created during some
replication issues, and the system admins have already deleted these
objects (hence why they are in the Deleted Objects container, hah!).
Is the recommendation to just delete these "deleted" objects, or is
there some other command-line option in samba-tool that allows us to
specify to ignore a specific OU?
Note that this is the first time I'm doing this (joining an existing AD
domain), and I get the same result with both 4.0.1 production as well as
the latest commit (commit bb3238b46f0ffaf0bc8c0e16bdcc1cf5d2cad197,
Version 4.1.0pre1-GIT-bb3238b).
Here are my logs (samdom.domain and 10.10.1.7 are sanitised output):
==================
root@cndc01s:~/samba-master# kinit administrator
Password for administrator@samdom.domain:
root@cndc01s:~/samba-master# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@samdom.domain

Valid starting       Expires              Service principal
28/01/2013 11:03:21  28/01/2013 21:03:24  krbtgt/samdom.domain@samdom.domain
        renew until 29/01/2013 11:03:21
root@cndc01s:~/samba-master# /usr/local/samba/bin/samba-tool domain join samdom.domain DC -Uadministrator --realm=samdom.domain --server=10.10.1.7
Password for [WORKGROUP\administrator]:
workgroup is samdom
realm is samdom.domain
checking sAMAccountName
Adding CN=CNDC01S,OU=Domain Controllers,DC=samdom,DC=domain
Adding CN=CNDC01S,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=domain
Adding CN=NTDS Settings,CN=CNDC01S,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=domain
Adding SPNs to CN=CNDC01S,OU=Domain Controllers,DC=samdom,DC=domain
Setting account password for CNDC01S$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=samdom,DC=domain
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=domain] objects[402] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=domain] objects[804] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=domain] objects[1206] linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=domain] objects[1553] linked_values[0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=samdom,DC=domain] objects[402] linked_values[57]
Partition[CN=Configuration,DC=samdom,DC=domain] objects[804] linked_values[0]
Partition[CN=Configuration,DC=samdom,DC=domain] objects[1206] linked_values[0]
Partition[CN=Configuration,DC=samdom,DC=domain] objects[1608] linked_values[37]
Partition[CN=Configuration,DC=samdom,DC=domain] objects[1880] linked_values[34]
Replicating critical objects from the base DN of the domain
Partition[DC=samdom,DC=domain] objects[106] linked_values[94]
Partition[DC=samdom,DC=domain] objects[364] linked_values[0]
Partition[DC=samdom,DC=domain] objects[534] linked_values[281]
..
Partition[DC=samdom,DC=domain] objects[6239] linked_values[19]
Partition[DC=samdom,DC=domain] objects[6439] linked_values[6]
Partition[DC=samdom,DC=domain] objects[6624] linked_values[123]
Failed to apply records: ../lib/ldb/ldb_tdb/ldb_index.c:1199: Failed to re-index objectGUID in CN=S-1-5-21-1002020466-2171359742-195674365-1193\0ADEL:62dd3445-a58a-4631-9ab9-673430cb37af\0ACNF:62dd3445-a58a-4631-9ab9-673430cb37af,CN=Deleted Objects,DC=samdom,DC=domain - ../lib/ldb/ldb_tdb/ldb_index.c:1131: unique index violation on objectGUID in CN=S-1-5-21-1002020466-2171359742-195674365-1193\0ADEL:62dd3445-a58a-4631-9ab9-673430cb37af\0ACNF:62dd3445-a58a-4631-9ab9-673430cb37af,CN=Deleted Objects,DC=samdom,DC=domain: Entry already exists
Failed to commit objects: WERR_GENERAL_FAILURE
Join failed - cleaning up
checking sAMAccountName
Deleted CN=CNDC01S,OU=Domain Controllers,DC=samdom,DC=domain
Deleted CN=NTDS Settings,CN=CNDC01S,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=domain
Deleted CN=CNDC01S,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=domain
ERROR(<type 'exceptions.TypeError'>): uncaught exception - Failed to process chunk: NT_STATUS_UNSUCCESSFUL
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
    machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1104, in join_DC
    ctx.do_join()
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1009, in do_join
    ctx.join_replicate()
  File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 748, in join_replicate
    replica_flags=ctx.domain_replica_flags)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py", line 252, in replicate
    schema=schema, req_level=req_level, req=req)
==================
Thanks for any comments.
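
Added example (not part of the original post, and not Samba code): a Python triage helper that finds the "unique index violation" in a hard-wrapped join log and splits the first RDN of the offending DN into its base name and the \0ADEL: / \0ACNF: markers that Active Directory appends to deleted and conflict objects. The function name find_index_violations and the returned field names are assumptions of this example; the sample text is constructed from the error in the log above.

```python
import re

# Constructed sample: the error from the join log above, hard-wrapped the way
# a mail client wraps it (raw string so the \0A escapes stay literal).
SAMPLE_LOG = r"""Partition[DC=samdom,DC=domain] objects[6624] linked_values[123]
Failed to apply records: ../lib/ldb/ldb_tdb/ldb_index.c:1199: Failed to
re-index objectGUID in
CN=S-1-5-21-1002020466-2171359742-195674365-1193\0ADEL:62dd3445-a58a-4631-9ab9-673430cb37af\0ACNF:62dd3445-a58a-4631-9ab9-673430cb37af,CN=Deleted
Objects,DC=samdom,DC=domain - ../lib/ldb/ldb_tdb/ldb_index.c:1131:
unique index violation on objectGUID in
CN=S-1-5-21-1002020466-2171359742-195674365-1193\0ADEL:62dd3445-a58a-4631-9ab9-673430cb37af\0ACNF:62dd3445-a58a-4631-9ab9-673430cb37af,CN=Deleted
Objects,DC=samdom,DC=domain: Entry already exists
Failed to commit objects: WERR_GENERAL_FAILURE
"""

VIOLATION = re.compile(r"unique index violation on (\w+) in (.+?): Entry already exists")
# AD appends "<0x0A>DEL:<objectGUID>" to deleted and "<0x0A>CNF:<objectGUID>" to
# conflict object names; the log prints the 0x0A byte as the escape "\0A".
MARKER = re.compile(r"\\0A(DEL|CNF):([0-9a-fA-F-]{36})")


def find_index_violations(log_text):
    """Return one dict per 'unique index violation' found in a join log."""
    flat = " ".join(log_text.split())  # undo hard line wraps
    results = []
    for attr, dn in VIOLATION.findall(flat):
        # Split the first RDN from its parent at the first unescaped comma.
        parts = re.split(r"(?<!\\),", dn, maxsplit=1)
        parent = parts[1] if len(parts) > 1 else ""
        value = parts[0].split("=", 1)[-1]
        results.append({
            "attribute": attr,                   # indexed attribute that collided
            "dn": dn,                            # full DN as logged
            "name": value.split("\\0A", 1)[0],   # name before any marker
            "markers": MARKER.findall(value),    # [(kind, guid), ...] in DN order
            "parent": parent,
            "in_deleted_objects": parent.lower().startswith("cn=deleted objects,"),
        })
    return results


if __name__ == "__main__":
    for v in find_index_violations(SAMPLE_LOG):
        print(v["attribute"], v["name"], v["markers"], v["parent"], sep="\n  ")
```

On the sample it reports a single violation whose RDN carries both a DEL and a CNF marker with the same GUID, under CN=Deleted Objects.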
Ong Yu-Phing
2013-Jan-31 02:20 UTC
[Samba] unique index violation on objectGUID, CN=Deleted Objects, DC=samdom, DC=domain
Some (unsuccessful) updates: I've tried with both latest git pull () and samba 4.0.2, both still encounter the same problem.

According to MS documentation, seems like I can't really delete objects from the CN=Deleted Objects container, I have to wait for the tombstone garbage collection to get to work, which means I have to wait ~180 days from when the objects were actually deleted.

Does anybody have any idea about how to delete these sooner? (NB: the sysadmins thought we could just change tombstone TTL to 1 day, but MS explicitly states this is a bad idea...)