samba - Jan 2015 - Duplicate (not so) single-valued attributes on some DCs?

We've run into a small issue over the holidays (I can't pinpoint it due
to nobody being in the office for the past three weeks and thus not
noticing anything): At least one LDAP entry has an (single-valued!)
attribute duplicated on *some* DCs, but not all of them ? and said
attribute hasn't been modified in six months.

Microsoft's ADSI just crashes when trying to open the entry on these
servers (servers that see only one value open fine).

ldbedit doesn't let me delete the second value (It reports "0 adds  0
modifies  0 deletes" when trying), modifying one value changes either or
both values, but never deletes any. The changes are correctly replicated
back to the other nodes, which only see the changed value. If I try to
change both values, I correctly get an "<0000200D: SINGLE-VALUE
attribute ? specified more than once>" error message.


Is this a known (replication?) issue? How can I fix it? Re-join the DCs
to the domain? How would I do this without fucking up other things?

-- 
Mit freundlichen Gr??en, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20150107/2c9cbff0/attachment.pgp>

On Wed, 2015-01-07 at 15:01 +0100, Sven Schwedas wrote:
> We've run into a small issue over the holidays (I can't pinpoint it
due
> to nobody being in the office for the past three weeks and thus not
> noticing anything): At least one LDAP entry has an (single-valued!)
> attribute duplicated on *some* DCs, but not all of them ? and said
> attribute hasn't been modified in six months.
> 
> Microsoft's ADSI just crashes when trying to open the entry on these
> servers (servers that see only one value open fine).
> 
> ldbedit doesn't let me delete the second value (It reports "0 adds
0
> modifies  0 deletes" when trying), modifying one value changes either
or
> both values, but never deletes any. The changes are correctly replicated
> back to the other nodes, which only see the changed value. If I try to
> change both values, I correctly get an "<0000200D: SINGLE-VALUE
> attribute ? specified more than once>" error message.
> 
> 
> Is this a known (replication?) issue? How can I fix it? Re-join the DCs
> to the domain? How would I do this without fucking up other things?
It may be possible to fix it with LDIF, by using the 'replace' operation
in the modify rather than add/delete.  However, I'm much more curious as
to what the attribute is, how it got like that, and what we need to do
to have dbcheck find and potentially fix such issues.

Can you file a bug with more detail, and let me know the bug ID?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

On 2015-01-10 19:29, Andrew Bartlett wrote:
> On Wed, 2015-01-07 at 15:01 +0100, Sven Schwedas wrote:
>> We've run into a small issue over the holidays (I can't
pinpoint it due
>> to nobody being in the office for the past three weeks and thus not
>> noticing anything): At least one LDAP entry has an (single-valued!)
>> attribute duplicated on *some* DCs, but not all of them ? and said
>> attribute hasn't been modified in six months.
>>
>> Microsoft's ADSI just crashes when trying to open the entry on
these
>> servers (servers that see only one value open fine).
>>
>> ldbedit doesn't let me delete the second value (It reports "0
adds  0
>> modifies  0 deletes" when trying), modifying one value changes
either or
>> both values, but never deletes any. The changes are correctly
replicated
>> back to the other nodes, which only see the changed value. If I try to
>> change both values, I correctly get an "<0000200D: SINGLE-VALUE
>> attribute ? specified more than once>" error message.
>>
>>
>> Is this a known (replication?) issue? How can I fix it? Re-join the DCs
>> to the domain? How would I do this without fucking up other things?
> 
> It may be possible to fix it with LDIF, by using the 'replace'
operation
> in the modify rather than add/delete.  However, I'm much more curious
as
> to what the attribute is, how it got like that, and what we need to do
> to have dbcheck find and potentially fix such issues.
That (accidentally) seemed to have worked. Removing the attribute and
re-adding it in a second ldbedit pass correctly reset it on all member
servers.
> Can you file a bug with more detail, and let me know the bug ID?
I wrote up a (now post-mortem) bug report with all the details I can
scrape together. However, due the bad timing (sudden change over the
Christmas holidays) I cannot really pin-point the cause. It only
happened (as far as I can tell) with one single record, too.

It's filed in bugzilla as #11047.

-- 
Mit freundlichen Gr??en, / Best Regards,
Sven Schwedas
Systemadministrator
TAO Beratungs- und Management GmbH | Lendplatz 45 | A - 8020 Graz
Mail/XMPP: sven.schwedas at tao.at | +43 (0)680 301 7167
http://software.tao.at

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 648 bytes
Desc: OpenPGP digital signature
URL:
<http://lists.samba.org/pipermail/samba/attachments/20150112/6cc0fbfc/attachment.pgp>