mourik jan heupink - merit
2014-Mar-29 16:09 UTC
[Samba] one day AD use -> samba-tool dbcheck reports "Normalisation error for attribute 'objectClass'"
Hi all,

Our migration is coming along nicely, everything seems to work like it should... I thought... Only samba-tool dbcheck reports five errors:

root at dc1:~# samba-tool dbcheck
Checking 1143 objects
ERROR: Normalisation error for attribute 'objectClass' in 'CN=phdseminar,CN=Users,DC=my,DC=samba,DC=domain'
Values/Order of values do/does not match: ['top', 'securityPrincipal', 'posixAccount', 'person', 'organizationalPerson', 'user']/['top', 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson', 'user']!
Not fixing attribute 'objectClass'
ERROR: Normalisation error for attribute 'objectClass' in 'CN=postmaster,CN=Users,DC=my,DC=samba,DC=domain'
Values/Order of values do/does not match: ['top', 'securityPrincipal', 'posixAccount', 'person', 'organizationalPerson', 'user']/['top', 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson', 'user']!
Not fixing attribute 'objectClass'
ERROR: Normalisation error for attribute 'objectClass' in 'CN=opac,CN=Users,DC=my,DC=samba,DC=domain'
Values/Order of values do/does not match: ['top', 'securityPrincipal', 'posixAccount', 'person', 'organizationalPerson', 'user']/['top', 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson', 'user']!
Not fixing attribute 'objectClass'
ERROR: Normalisation error for attribute 'objectClass' in 'CN=seminar,CN=Users,DC=my,DC=samba,DC=domain'
Values/Order of values do/does not match: ['top', 'securityPrincipal', 'posixAccount', 'person', 'organizationalPerson', 'user']/['top', 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson', 'user']!
Not fixing attribute 'objectClass'
ERROR: Normalisation error for attribute 'objectClass' in 'CN=heupink,CN=Users,DC=my,DC=samba,DC=domain'
Values/Order of values do/does not match: ['top', 'securityPrincipal', 'posixAccount', 'person', 'organizationalPerson', 'user']/['top', 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson', 'user']!
Not fixing attribute 'objectClass'
Please use --fix to fix these errors
Checked 1143 objects (5 errors)
root at dc1:~#

Are these errors something to worry about? This morning, right after the classicupgrade, I also ran the dbcheck, and it reported 1 error, and adding --fix did NOT cure anything.

So, is my AD database corrupt, after its first day of being alive??

Errors are on both DCs, both are running btrfs, virtual machines, on hardware raid, no errors in syslog etc.

Ideas anyone?
Andrew Bartlett
2014-Mar-30 23:30 UTC
[Samba] one day AD use -> samba-tool dbcheck reports "Normalisation error for attribute 'objectClass'"
PLEASE URGENTLY SECURE this evidence.

On Sat, 2014-03-29 at 17:09 +0100, mourik jan heupink - merit wrote:
> Hi all,
>
> Our migration is coming along nicely, everything seems to work like it
> should... I thought... Only samba-tool dbcheck reports five errors:
>
> root at dc1:~# samba-tool dbcheck
> Checking 1143 objects
> ERROR: Normalisation error for attribute 'objectClass' in
> 'CN=phdseminar,CN=Users,DC=my,DC=samba,DC=domain'
> Values/Order of values do/does not match: ['top', 'securityPrincipal',
> 'posixAccount', 'person', 'organizationalPerson', 'user']/['top',
> 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson',
> 'user']!
> Not fixing attribute 'objectClass'
> ERROR: Normalisation error for attribute 'objectClass' in
> 'CN=postmaster,CN=Users,DC=my,DC=samba,DC=domain'
> Values/Order of values do/does not match: ['top', 'securityPrincipal',
> 'posixAccount', 'person', 'organizationalPerson', 'user']/['top',
> 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson',
> 'user']!
> Not fixing attribute 'objectClass'
> ERROR: Normalisation error for attribute 'objectClass' in
> 'CN=opac,CN=Users,DC=my,DC=samba,DC=domain'
> Values/Order of values do/does not match: ['top', 'securityPrincipal',
> 'posixAccount', 'person', 'organizationalPerson', 'user']/['top',
> 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson',
> 'user']!
> Not fixing attribute 'objectClass'
> ERROR: Normalisation error for attribute 'objectClass' in
> 'CN=seminar,CN=Users,DC=my,DC=samba,DC=domain'
> Values/Order of values do/does not match: ['top', 'securityPrincipal',
> 'posixAccount', 'person', 'organizationalPerson', 'user']/['top',
> 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson',
> 'user']!
> Not fixing attribute 'objectClass'
> ERROR: Normalisation error for attribute 'objectClass' in
> 'CN=heupink,CN=Users,DC=my,DC=samba,DC=domain'
> Values/Order of values do/does not match: ['top', 'securityPrincipal',
> 'posixAccount', 'person', 'organizationalPerson', 'user']/['top',
> 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson',
> 'user']!
> Not fixing attribute 'objectClass'
> Please use --fix to fix these errors
> Checked 1143 objects (5 errors)
> root at dc1:~#
>
> Are these errors something to worry about? This morning, right after the
> classicupgrade, I also ran the dbcheck, and it reported 1 error, and
> adding --fix did NOT cure anything.
>
> So, is my AD database corrupt, after its first day of being alive??
>
> Errors are on both DCs, both are running btrfs, virtual machines, on
> hardware raid, no errors in syslog etc.
>
> Ideas anyone?

This has happened a few times in automated runs of our 'make test', but I never was able to capture the flawed database.

I would very much like to investigate this, please ensure you keep a full backup of the entire configuration (see the samba_backup script) of both domain controllers, so I can have you run additional tests if required.

On a more positive note, it looks 'harmless' to me, in that the difference is due to a presumably un-initialised variable or some other factor changing the subclass tree order. It should not cause you any harm to leave these 'wrong', but please do make those backups.

Thanks!

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Andrew Bartlett
2014-May-30 04:58 UTC
[Samba] one day AD use -> samba-tool dbcheck reports "Normalisation error for attribute 'objectClass'"
On Sat, 2014-03-29 at 17:09 +0100, mourik jan heupink - merit wrote:
> Hi all,
>
> Our migration is coming along nicely, everything seems to work like it
> should... I thought... Only samba-tool dbcheck reports five errors:
>
> root at dc1:~# samba-tool dbcheck
> Checking 1143 objects
> ERROR: Normalisation error for attribute 'objectClass' in
> 'CN=phdseminar,CN=Users,DC=my,DC=samba,DC=domain'
> Values/Order of values do/does not match: ['top', 'securityPrincipal',
> 'posixAccount', 'person', 'organizationalPerson', 'user']/['top',
> 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson',
> 'user']!
> Not fixing attribute 'objectClass'
> ERROR: Normalisation error for attribute 'objectClass' in
> 'CN=postmaster,CN=Users,DC=my,DC=samba,DC=domain'
> Values/Order of values do/does not match: ['top', 'securityPrincipal',
> 'posixAccount', 'person', 'organizationalPerson', 'user']/['top',
> 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson',
> 'user']!
> Not fixing attribute 'objectClass'
> ERROR: Normalisation error for attribute 'objectClass' in
> 'CN=opac,CN=Users,DC=my,DC=samba,DC=domain'
> Values/Order of values do/does not match: ['top', 'securityPrincipal',
> 'posixAccount', 'person', 'organizationalPerson', 'user']/['top',
> 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson',
> 'user']!
> Not fixing attribute 'objectClass'
> ERROR: Normalisation error for attribute 'objectClass' in
> 'CN=seminar,CN=Users,DC=my,DC=samba,DC=domain'
> Values/Order of values do/does not match: ['top', 'securityPrincipal',
> 'posixAccount', 'person', 'organizationalPerson', 'user']/['top',
> 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson',
> 'user']!
> Not fixing attribute 'objectClass'
> ERROR: Normalisation error for attribute 'objectClass' in
> 'CN=heupink,CN=Users,DC=my,DC=samba,DC=domain'
> Values/Order of values do/does not match: ['top', 'securityPrincipal',
> 'posixAccount', 'person', 'organizationalPerson', 'user']/['top',
> 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson',
> 'user']!
> Not fixing attribute 'objectClass'
> Please use --fix to fix these errors
> Checked 1143 objects (5 errors)
> root at dc1:~#
>
> Are these errors something to worry about? This morning, right after the
> classicupgrade, I also ran the dbcheck, and it reported 1 error, and
> adding --fix did NOT cure anything.
>
> So, is my AD database corrupt, after its first day of being alive??
>
> Errors are on both DCs, both are running btrfs, virtual machines, on
> hardware raid, no errors in syslog etc.

So, I've looked into this a little, and offline you mentioned you use LAM, which is adding securityPrincipal.

securityPrincipal is not required for samAccountName, but of course LAM is perfectly valid to specify it.

The issue is that posixAccount and securityPrincipal appear to be equal in weight, and so sort order is not deterministic.

This appears to match MS-ADTS 3.1.1.2.4.6 Auxiliary Class

1. Class top remains as the first value;
2. Then it is followed by the set of dynamic auxiliary classes and the classes in their superclass chains, excluding those already present in the superclass chain of the most specific structural class. There is no specific order among the classes in this set, and no class is listed more than once.

So, what this leaves is that we need to make this deterministic, so our tests and dbcheck do not fail spuriously. I'll look into that.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
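
Added example, not part of the thread and not Samba's code: a simplified model of the tie described in the last message, showing why a weight-only sort reproduces both orderings from the dbcheck output, and how a name tie-break or a tie-aware comparison avoids the spurious mismatch. The schema fragment, the weight function and all function names are assumptions made for illustration.

```python
# Constructed, simplified schema fragment (class -> (superclass, category)).
# It is not read from a real Samba or AD schema.
SCHEMA = {
    "top": (None, "abstract"),
    "person": ("top", "structural"),
    "organizationalPerson": ("person", "structural"),
    "user": ("organizationalPerson", "structural"),
    "posixAccount": ("top", "auxiliary"),
    "securityPrincipal": ("top", "auxiliary"),
}

def depth(cls):
    """Number of superclass hops from cls up to top."""
    hops = 0
    while SCHEMA[cls][0] is not None:
        cls = SCHEMA[cls][0]
        hops += 1
    return hops

def weight(cls):
    """top first, then auxiliary classes, then the structural chain by depth."""
    if cls == "top":
        return 0
    if SCHEMA[cls][1] == "auxiliary":
        return 1  # every auxiliary class gets the same weight: the tie
    return 2 + depth(cls)

def weight_sort(values):
    """Order by weight only; tied classes keep whatever order they arrived in."""
    return sorted(values, key=weight)

def normalise(values):
    """Same ordering with a case-insensitive name tie-break, so it is deterministic."""
    return sorted(values, key=lambda c: (weight(c), c.lower()))

def equivalent(stored, expected):
    """True when both hold the same classes and differ only in the order of tied ones."""
    same_weights = [weight(c) for c in stored] == [weight(c) for c in expected]
    return same_weights and sorted(stored) == sorted(expected)

# The two orderings from the dbcheck output quoted in the thread.
A = ["top", "securityPrincipal", "posixAccount", "person", "organizationalPerson", "user"]
B = ["top", "posixAccount", "securityPrincipal", "person", "organizationalPerson", "user"]
# Constructed counter-case: structural chain reversed, which is a real difference.
C = ["top", "posixAccount", "securityPrincipal", "user", "organizationalPerson", "person"]

if __name__ == "__main__":
    print("weight-only sort agrees:", weight_sort(A) == weight_sort(B))
    print("tie-broken sort agrees: ", normalise(A) == normalise(B))
    print("A ~ B:", equivalent(A, B), " C ~ B:", equivalent(C, B))
```
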