samba - Oct 2014 - Continuous Normalisation error for attribute whenCreated when performing dbcheck

Hi all,

since the migration of our old Win2k domain to Samba4 some years ago
I get a lot of errors like the following when doing a
"samba-tool dbcheck --cross-ncs --fix" :


ERROR: Normalisation error for attribute whenCreated in
CN=rpc-Ns-Group,CN=Schema,CN=Configuration,DC=samdom,DC=com
value '19700101000000.0Z' should be '16010101000000.0Z'
Fix normalisation for whenCreated from
CN=rpc-Ns-Group,CN=Schema,CN=Configuration,DC=samdom,DC=com? [YES]
Normalised attribute whenCreated


This repeats 1000+ times for many different entries.

The samba-tool unfortunately does not fix the issue because when I start
it a second time it will complain again, this time with values switched
around:

value '16010101000000.0Z' should be '19700101000000.0Z'


Does anyone have an idea how to fix this ?

Thank you very much for your kind help.

best regards

Andreas

yes.. 

the attibute "whenCreated" is not synced ( correctly) 
there is a bug report of this. 

you can use this script: ( original created by Mourit Jan of the samba list ) 

used on debian/ubuntu


#!/bin/sh

## the email adress to report to.
SETMAILREPORT=your at emaildomain.tld

## First DC ( hostname or ipadres ) ( The DC with the FSMO Roles ) 
SETDCFSMO="dc1"
## Second DC ( hostname or ipadres more then 2 DC's, separated by space )
SETOTHERDCS="dc2"

SETSAMBATOOLS=`which samba-tool`
SETREMOVELOG=yes

for x in $SETOTHERDCS ; do
    $SETSAMBATOOLS ldapcmp --filter="whenChanged" ldap://$SETDCFSMO
ldap://$SETO                                                                    
THERDCS  -d0 2>&1 > /tmp/samba_ldapcmp_checkdb
done

if grep -q FAILURE /tmp/samba_ldapcmp_checkdb; then
   cat /tmp/samba_ldapcmp_checkdb | mail -s "FAILURE ldapcmp between
$SETDCFSMO                                                                      
and $SETOTHERDCS" $SETMAILREPORT
fi

if [ $SETREMOVELOG = yes ]; then
    rm /tmp/samba_ldapcmp_checkdb
fi
 
>-----Oorspronkelijk bericht-----
>Van: aoster at novanetwork.de 
>[mailto:samba-bounces at lists.samba.org] Namens Andreas Oster
>Verzonden: donderdag 16 oktober 2014 11:08
>Aan: samba at lists.samba.org
>Onderwerp: [Samba] Continuous Normalisation error for 
>attribute whenCreated when performing dbcheck
>
>Hi all,
>
>since the migration of our old Win2k domain to Samba4 some years ago
>I get a lot of errors like the following when doing a
>"samba-tool dbcheck --cross-ncs --fix" :
>
>
>ERROR: Normalisation error for attribute whenCreated in
>CN=rpc-Ns-Group,CN=Schema,CN=Configuration,DC=samdom,DC=com
>value '19700101000000.0Z' should be '16010101000000.0Z'
>Fix normalisation for whenCreated from
>CN=rpc-Ns-Group,CN=Schema,CN=Configuration,DC=samdom,DC=com? [YES]
>Normalised attribute whenCreated
>
>
>This repeats 1000+ times for many different entries.
>
>The samba-tool unfortunately does not fix the issue because 
>when I start
>it a second time it will complain again, this time with values switched
>around:
>
>value '16010101000000.0Z' should be '19700101000000.0Z'
>
>
>Does anyone have an idea how to fix this ?
>
>Thank you very much for your kind help.
>
>best regards
>
>Andreas
>
>-- 
>To unsubscribe from this list go to the following URL and read the
>instructions:  https://lists.samba.org/mailman/options/samba
>
>

On 16/10/14 10:08, Andreas Oster wrote:
> Hi all,
>
> since the migration of our old Win2k domain to Samba4 some years ago
> I get a lot of errors like the following when doing a
> "samba-tool dbcheck --cross-ncs --fix" :
>
>
> ERROR: Normalisation error for attribute whenCreated in
> CN=rpc-Ns-Group,CN=Schema,CN=Configuration,DC=samdom,DC=com
> value '19700101000000.0Z' should be '16010101000000.0Z'
> Fix normalisation for whenCreated from
> CN=rpc-Ns-Group,CN=Schema,CN=Configuration,DC=samdom,DC=com? [YES]
> Normalised attribute whenCreated
>
>
> This repeats 1000+ times for many different entries.
>
> The samba-tool unfortunately does not fix the issue because when I start
> it a second time it will complain again, this time with values switched
> around:
>
> value '16010101000000.0Z' should be '19700101000000.0Z'
>
>
> Does anyone have an idea how to fix this ?
>
> Thank you very much for your kind help.
>
> best regards
>
> Andreas
>
Hi Andreas, I got so bogged down in Louis's script that I missed that 
the two values for 'whenCreated' are both rather special ;-)

You could write '19700101000000' as the first of January 1970, AKA Unix 
epoch time.
You could also write '16010101000000' as the first of January 1601, AKA 
windows epoch time.

I am absolutely positive that you didn't create anything in AD way back 
in 1601 (unless you have discovered the secret of time travel), I also 
do not think that you created anything in 1970, so the question really 
is, why are the 'whenCreated' attributes incorrectly set and how do I 
reset them.

Can you check if all these attributes are incorrectly set, you will 
probably have to resort to ldbsearch, grep, etc.

I would suggest that you backup everything before you start changing 
anything.

Rowland

On Thu, 2014-10-16 at 11:08 +0200, Andreas Oster wrote:
> Hi all,
> 
> since the migration of our old Win2k domain to Samba4 some years ago
> I get a lot of errors like the following when doing a
> "samba-tool dbcheck --cross-ncs --fix" :
> 
> 
> ERROR: Normalisation error for attribute whenCreated in
> CN=rpc-Ns-Group,CN=Schema,CN=Configuration,DC=samdom,DC=com
> value '19700101000000.0Z' should be '16010101000000.0Z'
> Fix normalisation for whenCreated from
> CN=rpc-Ns-Group,CN=Schema,CN=Configuration,DC=samdom,DC=com? [YES]
> Normalised attribute whenCreated
> 
> 
> This repeats 1000+ times for many different entries.
> 
> The samba-tool unfortunately does not fix the issue because when I start
> it a second time it will complain again, this time with values switched
> around:
> 
> value '16010101000000.0Z' should be '19700101000000.0Z'
Both are expressions of 'zero time', in NT and unix times respectively. 

I suppose fix would be to always normalize via NT times, not unix times,
but it seems quite odd that we have zero values here to start with.  I
guess Win2k did something strange in the original setup, long ago. 

Sorry not to be able to give you an instant fix, but at least I can
assure you that this is 'mostly harmless' in the short-term. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba