Attempted to join domain via ./bin/samba-tool domain join ncs.k12.de.us<http://ncs.k12.de.us> DC -Uadministrator --realm=ncs.k12.de.us<http://ncs.k12.de.us> But this failed with Committing SAM database Failed to apply linked attribute change 'attribute 'isRecycled': invalid modify flags on 'CN=test_user,CN=Deleted Objects,DC=ncs,DC=k12,DC=de,DC=us': 0x0' dn: <GUID=4d560497-5f00-4d97-96a0-47ae1799ba92>;<SID=S-1-5-21-276688905-1455118844-2751846679-67110292>;CN=test_user,CN=Deleted Objects,DC=ncs,DC=k12,DC=de,DC=us Join failed - cleaning up checking sAMAccountName ERROR(ldb): uncaught exception - attribute 'isRecycled': invalid modify flags on 'CN=test_user,CN=Deleted Objects,DC=ncs,DC=k12,DC=de,DC=us': 0x0 File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run return self.run(*args, **kwargs) File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend) File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1169, in join_DC ctx.do_join() File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1074, in do_join ctx.join_replicate() File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 848, in join_replicate ctx.local_samdb.transaction_commit() As suggestion found here https://irclog.samba.org/2013/09/20130908-Sun.log: is to use ldbedit -H /usr/local/samba/private/sam.ldb --show-deleted '(isDeleted=*)' to manually delete all the accounts with this attribute. When doing this I should stop samba on all DCs and then edit the local sam.ldb on each. Then restart samba on the DC and re-try joining the domain after deleting all files /usr/local/samba/private on the DC I am attempting to join to the domain as a DC? Also saw on Samba list Nikos Mita had similar issue. It was suggested to try using samba-tool dbcheck -fix. Should I try this first? I'm just concerned whether this would complete or not. I have 94,443 records and this server only has 8GB of memory. I want to make certain I get the sequence correct. Also, before doing any of the above, I will make a copy of the private directories on the DC just in case ... Any help is appreciated. Thanks! Regards, Jeff Jeff Donaldson Technology Director Newark Charter School jeff.donaldson at ncs.k12.de.us (302) 369-2001 ext: 425
On Thu, 2013-10-17 at 12:50 +0000, Donaldson Jeff wrote:> Attempted to join domain via > > ./bin/samba-tool domain join ncs.k12.de.us<http://ncs.k12.de.us> DC -Uadministrator --realm=ncs.k12.de.us<http://ncs.k12.de.us> > > But this failed with > > Committing SAM database > Failed to apply linked attribute change 'attribute 'isRecycled': invalid modify flags on 'CN=test_user,CN=Deleted Objects,DC=ncs,DC=k12,DC=de,DC=us': 0x0' > dn: <GUID=4d560497-5f00-4d97-96a0-47ae1799ba92>;<SID=S-1-5-21-276688905-1455118844-2751846679-67110292>;CN=test_user,CN=Deleted Objects,DC=ncs,DC=k12,DC=de,DC=us > > Join failed - cleaning up > checking sAMAccountName > ERROR(ldb): uncaught exception - attribute 'isRecycled': invalid modify flags on 'CN=test_user,CN=Deleted Objects,DC=ncs,DC=k12,DC=de,DC=us': 0x0 > File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run > return self.run(*args, **kwargs) > File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run > machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend) > File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1169, in join_DC > ctx.do_join() > File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1074, in do_join > ctx.join_replicate() > File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 848, in join_replicate > ctx.local_samdb.transaction_commit() > > As suggestion found here https://irclog.samba.org/2013/09/20130908-Sun.log: is to use > > ldbedit -H /usr/local/samba/private/sam.ldb --show-deleted > '(isDeleted=*)'This is not good advise for the general case. Deleting the objects manually breaks replication (because the purpose of the deleted object is to replicate the fact that it is deleted!), and should be a last resort.> to manually delete all the accounts with this attribute. When doing > this I should stop samba on all DCs and then edit the local sam.ldb on > each. Then restart samba on the DC and re-try joining the domain after > deleting all files /usr/local/samba/private on the DC I am attempting > to join to the domain as a DC? > > Also saw on Samba list Nikos Mita had similar issue. It was suggested > to try using samba-tool dbcheck -fix. Should I try this first? I'm > just concerned whether this would complete or not. I have 94,443 > records and this server only has 8GB of memory. > > I want to make certain I get the sequence correct. > > Also, before doing any of the above, I will make a copy of the private > directories on the DC just in case ... > > Any help is appreciated. Thanks!G'Day, It seems to be the week for very, very large Samba installations! I've looked at the code, and I know the line that fails, but don't I know why this happens. Can you show me the failing object with ldbsearch? ldbsearch --show-deleted -H /usr/local/samba/private/sam.ldb -s base -b 'CN=test_user,CN=Deleted Objects,DC=ncs,DC=k12,DC=de,DC=us' The thing is, an object that has isRecycled set on it should not be able to get to the line of code that fails, so I'm quite puzzled. I can fix the 'error' simply (just need to create a new blank modification, rather than re-using a search result), but I first want to know why it is wrong. Can you also let me know the full history of this domain? A user that is deleted should have a name with "DEL" and a GUID in it. The second part, once I have that is working out why our tests didn't cover this code path, and working out how to make them do that. But while you won't need to run dbcheck now, you will at some point in the future. What we clearly do need is for a few of our very large installations to club together and work on/isolate the remaining issues at the scale you have. Thank you so much for taking Samba to the extreme, and I will do what I can to best assist you. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz
On Thu, 2013-10-17 at 12:50 +0000, Donaldson Jeff wrote:> Attempted to join domain via > > ./bin/samba-tool domain join ncs.k12.de.us<http://ncs.k12.de.us> DC -Uadministrator --realm=ncs.k12.de.us<http://ncs.k12.de.us> > > But this failed with > > Committing SAM database > Failed to apply linked attribute change 'attribute 'isRecycled': invalid modify flags on 'CN=test_user,CN=Deleted Objects,DC=ncs,DC=k12,DC=de,DC=us': 0x0' > dn: <GUID=4d560497-5f00-4d97-96a0-47ae1799ba92>;<SID=S-1-5-21-276688905-1455118844-2751846679-67110292>;CN=test_user,CN=Deleted Objects,DC=ncs,DC=k12,DC=de,DC=us > > Join failed - cleaning up > checking sAMAccountName > ERROR(ldb): uncaught exception - attribute 'isRecycled': invalid modify flags on 'CN=test_user,CN=Deleted Objects,DC=ncs,DC=k12,DC=de,DC=us': 0x0 > File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run > return self.run(*args, **kwargs) > File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run > machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend) > File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1169, in join_DC > ctx.do_join() > File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1074, in do_join > ctx.join_replicate() > File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 848, in join_replicate > ctx.local_samdb.transaction_commit() > > As suggestion found here https://irclog.samba.org/2013/09/20130908-Sun.log: is to use > > ldbedit -H /usr/local/samba/private/sam.ldb --show-deleted '(isDeleted=*)' > > to manually delete all the accounts with this attribute. When doing this I should stop samba on all DCs and then edit the local sam.ldb on each. Then restart samba on the DC and re-try joining the domain after deleting all files /usr/local/samba/private on the DC I am attempting to join to the domain as a DC? > > Also saw on Samba list Nikos Mita had similar issue. It was suggested to try using samba-tool dbcheck -fix. Should I try this first? I'm just concerned whether this would complete or not. I have 94,443 records and this server only has 8GB of memory. > > I want to make certain I get the sequence correct. > > Also, before doing any of the above, I will make a copy of the private directories on the DC just in case ... > > Any help is appreciated. Thanks!Did you ever get to the bottom of this? I'm working on a patch for this issue because I'm worried about a broader corruption that this may or may not be related to. Did you ever run Samba from GIT or a 4.1 pre-release? Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Seemingly Similar Threads
- issue with multiple Samba DC and uid/gid assignment.
- Fw: Re: Made a join with a netbios name, which already existed, now replication errors
- Replication issue
- Fw: Re: Made a join with a netbios name, which already existed, now replication errors
- DNS issue with second samba DC