Krutskikh Ivan
2015-Oct-19 10:42 UTC
[Samba] unique index violation on objectSid on samba ad
Hi everyone,

I think I've done something stupid here. At first I created 2 LXC containers and provisioned one as dc.office.mtt and joined the second one to the first as bdc.tsnr.mtt. Then I cloned those containers several times and changed the IP addresses and DNS names of the new containers to different subnets. The name of the domain stayed the same.

At first everything seemed fine, but when I tried to create a new user/machine on dc.tsnr.mtt on a cloned container I got:

Failed to create user record CN=test1,CN=Users,DC=tsnr,DC=mtt: ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=test1,CN=Users,DC=tsnr,DC=mtt - ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=test1,CN=Users,DC=tsnr,DC=mtt
Failed to add entry for user test1.

And the same issue goes for any user or computer name. No such trouble on the original DC or on any of the BDCs.

How can I fix this? Please help, since the only option I see is to re-provision every domain and re-join every computer to it, which is a lot of pain.

Thanks in advance!
mathias dufresne
2015-Oct-19 11:54 UTC
[Samba] unique index violation on objectSid on samba ad
I tried to understand:

You have 2 DCs, so you have Samba4 acting as an AD domain. You are using VMs for your DCs. You moved your DCs, so their IP and host name changed. These new DCs are called "cloned DCs". Now, playing with your database on your cloned DC, Samba complains because it can't index objectSID anymore.

You kept your old DCs. On these DCs there is no issue when playing with the database.

If all that is true, just power off the cloned DCs and start blank systems to replace these stopped "cloned DCs". On these systems, install Samba and join these Samba to your domain (in which you now have only non-cloned DCs).

Once you have one DC on the network where the cloned DCs were, you can seize the FSMO roles on that DC.

Once the new DC on the new network has grabbed the FSMO roles you can:
- add new DCs to that domain
- remove (demote) the old DCs, the ones used for cloning.

2015-10-19 12:42 GMT+02:00 Krutskikh Ivan <stein.hak at gmail.com>:
> Hi everyone,
>
> I think, I've done something stupid here. At first I've created 2 lxc
> containers and provisioned one as dc.office.mtt and joined second one to
> the first ad bdc.tsnr.mtt. Then I've cloned those containers several times
> and changed ip adresses and dns names of new containers to different
> subnets. The name of domain stayed the same.
>
> At first everything seemed fine, but when I tried to create a new
> user/machine on dc.tsnr.mtt on cloned container I got
>
> Failed to create user record CN=test1,CN=Users,DC=tsnr,DC=mtt:
> ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in
> CN=test1,CN=Users,DC=tsnr,DC=mtt - ../lib/ldb/ldb_tdb/ldb_index.c:1148:
> unique index violation on objectSid in CN=test1,CN=Users,DC=tsnr,DC=mtt
> Failed to add entry for user test1.
>
> And the same issue goes for any user or computer name. No such trouble on
> original dc or on any of the bdc's.
> How can I fix this? Please help since the only option I see is to
> re-provision every domain and re-join every computer to it, which is a lot
> of pain.
>
> Thanks in advance!
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Marc Muehlfeld
2015-Oct-19 12:39 UTC
[Samba] unique index violation on objectSid on samba ad
Hello Ivan,

On 19.10.2015 at 12:42, Krutskikh Ivan wrote:
> I think, I've done something stupid here. At first I've created 2 lxc
> containers and provisioned one as dc.office.mtt and joined second one to
> the first ad bdc.tsnr.mtt.

You should not name your DC something like "backup" (bdc). If the first one (dc) gets lost, you only have one. There's no primary, secondary, etc. in an AD.

But this isn't your problem :-)

> Then I've cloned those containers several times
> and changed ip adresses and dns names of new containers to different
> subnets.

This was the mistake you made. Don't join and then clone! DCs have GUIDs inside the AD. If you change the name/IP after the join, you have two hosts with the same GUID in AD and you will of course get replication problems.

Is this already in production or just with a large number of users/computers? If not, start from scratch. I think it's much less work and risk to prevent upcoming trouble in future.

1. Install first DC
2. Provision a domain on it
3. Install second DC as template (just install OS + Samba, but don't join!)
4. Clone your machine
5. Give the clone a new hostname and IP
6. Join the cloned machine to the domain
7. Repeat 4-6 for all DCs you want to create.

Regards,
Marc
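The following script is an added example of steps 4-6 above; it is not code from this thread or from the Samba project. It refuses to join when the clone already carries a domain database (the "join, then clone" mistake: sam.ldb and secrets.ldb hold the DC's identity), sets the clone's new hostname, and assembles the `samba-tool domain join` command so it can be reviewed before it runs. The realm, hostname, IP and private-directory path are placeholders (assumptions), and the script must be run as root on the clone, not on the template.

```shell
#!/bin/sh
# Added example (not from the thread): turn a cloned, NEVER-joined Samba
# template into a new DC. All names, IPs and paths are placeholders.
set -eu

# Where Samba keeps its private databases (assumed default; override via env).
SAMBA_PRIVATE_DIR="${SAMBA_PRIVATE_DIR:-/var/lib/samba/private}"

# A clone may only be joined if its template was never provisioned or joined:
# sam.ldb holds the whole directory and the DC's invocation GUID, secrets.ldb
# the machine password. Returns 0 when the directory is clean, 1 otherwise.
template_is_clean() {
    dir="${1:-$SAMBA_PRIVATE_DIR}"
    for f in sam.ldb secrets.ldb; do
        [ -e "$dir/$f" ] && return 1
    done
    return 0
}

# Build the join command as one reviewable line instead of running it blindly.
# $1 = realm (e.g. tsnr.mtt), $2 = DNS backend (default SAMBA_INTERNAL).
build_join_cmd() {
    realm="$1"
    dns_backend="${2:-SAMBA_INTERNAL}"
    printf 'samba-tool domain join %s DC -U Administrator --dns-backend=%s\n' \
        "$realm" "$dns_backend"
}

# Give the clone its own identity before the join (step 5). IP assignment is
# distro/LXC specific, so only the hostname and a local FQDN entry are handled.
set_identity() {
    new_host="$1"; realm="$2"; new_ip="$3"
    hostname "$new_host"
    printf '%s\n' "$new_host" > /etc/hostname
    printf '%s %s.%s %s\n' "$new_ip" "$new_host" "$realm" "$new_host" >> /etc/hosts
}

main() {
    [ $# -eq 3 ] || { echo "usage: $0 <new-hostname> <realm> <new-ip>" >&2; exit 2; }
    if ! template_is_clean; then
        echo "refusing: $SAMBA_PRIVATE_DIR already holds a domain database;" >&2
        echo "this clone came from a joined/provisioned DC - rebuild the template" >&2
        exit 1
    fi
    set_identity "$1" "$2" "$3"
    cmd=$(build_join_cmd "$2")
    echo "running: $cmd"
    eval "$cmd"
    # Step 6 check: each DC must show its own invocationId and clean inbound
    # replication before the next clone is taken.
    samba-tool drs showrepl
}

# Run main only when executed as join-clone.sh, not when sourced for testing.
case "${0##*/}" in
    join-clone.sh) main "$@" ;;
esac
```

Usage: `./join-clone.sh dc2 tsnr.mtt 10.0.2.10` on the freshly cloned container. The guard is deliberately strict: a template that has ever been provisioned or joined is not a template, and wiping sam.ldb by hand is not a substitute for reinstalling it, since other state (the Kerberos keytab, the machine account password, the idmap database) lives beside it.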
Krutskikh Ivan
2015-Oct-19 13:07 UTC
[Samba] unique index violation on objectSid on samba ad
OK =( Guess I should repeat all the work from scratch. So just to check if I got it right:

1) Create a new container. Provision an AD DC on it. Can I join some machine to apply some GPOs and to create users at this point? I'll delete it afterwards.
2) Power down the container from 1) and use it as a template for every other DC I need, just by changing IP/DNS.
3) Create another template for the second domain. Clone it and attach for each new DC from 2).

Will this work? The DCs would work in different LANs.

2015-10-19 15:39 GMT+03:00 Marc Muehlfeld <mmuehlfeld at samba.org>:
> Hello Ivan,
>
> On 19.10.2015 at 12:42, Krutskikh Ivan wrote:
> > I think, I've done something stupid here. At first I've created 2 lxc
> > containers and provisioned one as dc.office.mtt and joined second one to
> > the first ad bdc.tsnr.mtt.
>
> You should not name your DC something like "backup" (bdc). If the first
> one (dc) gets lost, you only have one. There's no primary, secondary,
> etc. in an AD.
>
> But this isn't your problem :-)
>
>
> > Then I've cloned those containers several times
> > and changed ip adresses and dns names of new containers to different
> > subnets.
>
> This was the mistake you made. Don't join and then clone! DCs have GUIDs
> inside the AD. If you change the name/IP after the join, you have two
> hosts with the same GUID in AD and you will of course get replication
> problems.
>
> Is this already in production or just with a large number of
> user/computers? If not, start from scratch. I think it's much less work
> and risk to prevent upcomming trouble in future.
>
> 1. Install first DC
> 2. Provision a domain on it
> 3. Install second DC as template (just install OS + Samba, but don't join!)
> 4. Clone your machine
> 5. Give the clone a new hostname and IP
> 6. Join the cloned machine to the domain
> 7. Repeat 4-6 for all DCs you want to create.
>
>
> Regards,
> Marc