samba - Jan 2013 - unique index violation on objectGUID, CN=Deleted Objects, DC=samdom, DC=domain

I've grabbed the latest samba4  master branch from git, and am trying to 
join the samba4 server to an existing domain.  However, I'm bumping into 
a unique index violation, with some objects in the CN=Deleted Objects 
container.    These objects were conflict objects created during some 
replication issues, and the system admins have already deleted these 
objects (hence why they are the Deleted Objects container, hah!).

Is the recommendation to just delete these "deleted" objects, or is 
there some other command-line option in samba-tool that allows us to 
specify to ignore a specific OU?

Note that this is the first time I'm doing this (joining an existing AD 
domain), and I get the same result with both 4.0.1 production as well as 
the latest commit (commit bb3238b46f0ffaf0bc8c0e16bdcc1cf5d2cad197, 
Version 4.1.0pre1-GIT-bb3238b).

Here are my logs (samdom.domain and 10.10.1.7 is sanitised output):
==================root at cndc01s:~/samba-master# kinit administrator
Password for administrator at samdom.domain:
root at cndc01s:~/samba-master# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator at samdom.domain

Valid starting       Expires              Service principal
28/01/2013 11:03:21  28/01/2013 21:03:24 krbtgt/samdom.domain at samdom.domain
     renew until 29/01/2013 11:03:21
root at cndc01s:~/samba-master# /usr/local/samba/bin/samba-tool domain join 
samdom.domain DC -Uadministrator --realm=samdom.domain --server=10.10.1.7
Password for [WORKGROUP\administrator]:
workgroup is samdom
realm is samdom.domain
checking sAMAccountName
Adding CN=CNDC01S,OU=Domain Controllers,DC=samdom,DC=domain
Adding 
CN=CNDC01S,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=domain
Adding CN=NTDS 
Settings,CN=CNDC01S,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=domain
Adding SPNs to CN=CNDC01S,OU=Domain Controllers,DC=samdom,DC=domain
Setting account password for CNDC01S$
Enabling account
Calling bare provision
No IPv6 address will be assigned
Provision OK for domain DN DC=samdom,DC=domain
Starting replication
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=domain] objects[402] 
linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=domain] objects[804] 
linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=domain] objects[1206] 
linked_values[0]
Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=domain] objects[1553] 
linked_values[0]
Analyze and apply schema objects
Partition[CN=Configuration,DC=samdom,DC=domain] objects[402] 
linked_values[57]
Partition[CN=Configuration,DC=samdom,DC=domain] objects[804] 
linked_values[0]
Partition[CN=Configuration,DC=samdom,DC=domain] objects[1206] 
linked_values[0]
Partition[CN=Configuration,DC=samdom,DC=domain] objects[1608] 
linked_values[37]
Partition[CN=Configuration,DC=samdom,DC=domain] objects[1880] 
linked_values[34]
Replicating critical objects from the base DN of the domain
Partition[DC=samdom,DC=domain] objects[106] linked_values[94]
Partition[DC=samdom,DC=domain] objects[364] linked_values[0]
Partition[DC=samdom,DC=domain] objects[534] linked_values[281]
..
Partition[DC=samdom,DC=domain] objects[6239] linked_values[19]
Partition[DC=samdom,DC=domain] objects[6439] linked_values[6]
Partition[DC=samdom,DC=domain] objects[6624] linked_values[123]
Failed to apply records: ../lib/ldb/ldb_tdb/ldb_index.c:1199: Failed to 
re-index objectGUID in 
CN=S-1-5-21-1002020466-2171359742-195674365-1193\0ADEL:62dd3445-a58a-4631-9ab9-673430cb37af\0ACNF:62dd3445-a58a-4631-9ab9-673430cb37af,CN=Deleted
Objects,DC=samdom,DC=domain - ../lib/ldb/ldb_tdb/ldb_index.c:1131: 
unique index violation on objectGUID in 
CN=S-1-5-21-1002020466-2171359742-195674365-1193\0ADEL:62dd3445-a58a-4631-9ab9-673430cb37af\0ACNF:62dd3445-a58a-4631-9ab9-673430cb37af,CN=Deleted
Objects,DC=samdom,DC=domain: Entry already exists
Failed to commit objects: WERR_GENERAL_FAILURE
Join failed - cleaning up
checking sAMAccountName
Deleted CN=CNDC01S,OU=Domain Controllers,DC=samdom,DC=domain
Deleted CN=NTDS 
Settings,CN=CNDC01S,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=domain
Deleted 
CN=CNDC01S,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=domain
ERROR(<type 'exceptions.TypeError'>): uncaught exception - Failed
to
process chunk: NT_STATUS_UNSUCCESSFUL
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
line 175, in _run
     return self.run(*args, **kwargs)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
line 552, in run
     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", 
line 1104, in join_DC
     ctx.do_join()
   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", 
line 1009, in do_join
     ctx.join_replicate()
   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", 
line 748, in join_replicate
     replica_flags=ctx.domain_replica_flags)
   File 
"/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py",
line
252, in replicate
     schema=schema, req_level=req_level, req=req)
==================
Thanks for any comments.

Some (unsuccessful) updates, I've tried with both latest git pull () and 
samba 4.0.2, both still encounter the same problem.

According to MS documentation, seems like I can't really delete objects 
from the CN=Deleted Objects container, I have to wait for the tombstone 
garbage collection to get to work, which means I have to wait ~180 days 
from when the objects were actually deleted.  Does anybody have any idea 
about how to delete these sooner (NB: the sysadmins thought we could 
just change tombstone TTL to 1 day, but MS explicitly states this is a 
bad idea... )

On 28/01/2013 11:56, Ong Yu-Phing wrote:
> I've grabbed the latest samba4  master branch from git, and am trying 
> to join the samba4 server to an existing domain.  However, I'm bumping 
> into a unique index violation, with some objects in the CN=Deleted 
> Objects container.    These objects were conflict objects created 
> during some replication issues, and the system admins have already 
> deleted these objects (hence why they are the Deleted Objects 
> container, hah!).
>
> Is the recommendation to just delete these "deleted" objects, or
is
> there some other command-line option in samba-tool that allows us to 
> specify to ignore a specific OU?
>
> Note that this is the first time I'm doing this (joining an existing 
> AD domain), and I get the same result with both 4.0.1 production as 
> well as the latest commit (commit 
> bb3238b46f0ffaf0bc8c0e16bdcc1cf5d2cad197, Version 4.1.0pre1-GIT-bb3238b).
>
> Here are my logs (samdom.domain and 10.10.1.7 is sanitised output):
> ==================> root at cndc01s:~/samba-master# kinit administrator
> Password for administrator at samdom.domain:
> root at cndc01s:~/samba-master# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: administrator at samdom.domain
>
> Valid starting       Expires              Service principal
> 28/01/2013 11:03:21  28/01/2013 21:03:24 
> krbtgt/samdom.domain at samdom.domain
>     renew until 29/01/2013 11:03:21
> root at cndc01s:~/samba-master# /usr/local/samba/bin/samba-tool domain 
> join samdom.domain DC -Uadministrator --realm=samdom.domain 
> --server=10.10.1.7
> Password for [WORKGROUP\administrator]:
> workgroup is samdom
> realm is samdom.domain
> checking sAMAccountName
> Adding CN=CNDC01S,OU=Domain Controllers,DC=samdom,DC=domain
> Adding 
>
CN=CNDC01S,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=domain
> Adding CN=NTDS 
>
Settings,CN=CNDC01S,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=domain
> Adding SPNs to CN=CNDC01S,OU=Domain Controllers,DC=samdom,DC=domain
> Setting account password for CNDC01S$
> Enabling account
> Calling bare provision
> No IPv6 address will be assigned
> Provision OK for domain DN DC=samdom,DC=domain
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=domain] objects[402] 
> linked_values[0]
> Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=domain] objects[804] 
> linked_values[0]
> Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=domain] 
> objects[1206] linked_values[0]
> Schema-DN[CN=Schema,CN=Configuration,DC=samdom,DC=domain] 
> objects[1553] linked_values[0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=samdom,DC=domain] objects[402] 
> linked_values[57]
> Partition[CN=Configuration,DC=samdom,DC=domain] objects[804] 
> linked_values[0]
> Partition[CN=Configuration,DC=samdom,DC=domain] objects[1206] 
> linked_values[0]
> Partition[CN=Configuration,DC=samdom,DC=domain] objects[1608] 
> linked_values[37]
> Partition[CN=Configuration,DC=samdom,DC=domain] objects[1880] 
> linked_values[34]
> Replicating critical objects from the base DN of the domain
> Partition[DC=samdom,DC=domain] objects[106] linked_values[94]
> Partition[DC=samdom,DC=domain] objects[364] linked_values[0]
> Partition[DC=samdom,DC=domain] objects[534] linked_values[281]
> ..
> Partition[DC=samdom,DC=domain] objects[6239] linked_values[19]
> Partition[DC=samdom,DC=domain] objects[6439] linked_values[6]
> Partition[DC=samdom,DC=domain] objects[6624] linked_values[123]
> Failed to apply records: ../lib/ldb/ldb_tdb/ldb_index.c:1199: Failed 
> to re-index objectGUID in 
>
CN=S-1-5-21-1002020466-2171359742-195674365-1193\0ADEL:62dd3445-a58a-4631-9ab9-673430cb37af\0ACNF:62dd3445-a58a-4631-9ab9-673430cb37af,CN=Deleted
> Objects,DC=samdom,DC=domain - ../lib/ldb/ldb_tdb/ldb_index.c:1131: 
> unique index violation on objectGUID in 
>
CN=S-1-5-21-1002020466-2171359742-195674365-1193\0ADEL:62dd3445-a58a-4631-9ab9-673430cb37af\0ACNF:62dd3445-a58a-4631-9ab9-673430cb37af,CN=Deleted
> Objects,DC=samdom,DC=domain: Entry already exists
> Failed to commit objects: WERR_GENERAL_FAILURE
> Join failed - cleaning up
> checking sAMAccountName
> Deleted CN=CNDC01S,OU=Domain Controllers,DC=samdom,DC=domain
> Deleted CN=NTDS 
>
Settings,CN=CNDC01S,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=domain
> Deleted 
>
CN=CNDC01S,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=samdom,DC=domain
> ERROR(<type 'exceptions.TypeError'>): uncaught exception -
Failed to
> process chunk: NT_STATUS_UNSUCCESSFUL
>   File 
>
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File 
>
"/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py",
> line 552, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, 
> dns_backend=dns_backend)
>   File
"/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
> line 1104, in join_DC
>     ctx.do_join()
>   File
"/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
> line 1009, in do_join
>     ctx.join_replicate()
>   File
"/usr/local/samba/lib/python2.7/site-packages/samba/join.py",
> line 748, in join_replicate
>     replica_flags=ctx.domain_replica_flags)
>   File 
>
"/usr/local/samba/lib/python2.7/site-packages/samba/drs_utils.py",
> line 252, in replicate
>     schema=schema, req_level=req_level, req=req)
> ==================>
> Thanks for any comments.