On 2/9/2016 3:48 PM, Rowland penny wrote:
> On 09/02/16 19:59, Allen Chen wrote:
>> Hi there,
>>
>> I have Samba 4.1.13 AD DC compiled on CentOS 6.2 (32bit). Everything
>> is working fine.
>>
>> Issue: ldbadd cannot re-add a deleted user account.
>> What I did:
>> 1. save user account
>> # ./bin/ldbsearch -H /usr/local/samba/private/sam.ldb sAMAccountName=krtu > ./user-add.ldif
>>
>> 2. delete the user account
>> # ./bin/ldbdel -H /usr/local/samba/private/sam.ldb "CN=krtu,CN=Users,DC=mydomain,DC=com"
>> This user has been deleted. ldbsearch couldn't find it.
>>
>> 3. add it back again
>> First remove the following attributes from the saved file user-add.ldif:
>> sAMAccountType
>> memberOf
>> objectGUID
>> primaryGroupID
>>
>> Then ldbadd gives the error:
>> # ./bin/ldbadd -H /usr/local/samba/private/sam.ldb ./user-add.ldif
>> ERR: Entry already exists : "../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=krtu,CN=Users,DC=mydomain,DC=com - ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=krtu,CN=Users,DC=mydomain,DC=com" on DN CN=krtu,CN=Users,DC=mydomain,DC=com at block before line 36
>> Add failed after processing 0 records
>>
>> Is it normal?
>>
>> Thanks,
>
> Two things spring to mind, first, why would you want to delete a user
> and then recreate it again.
> Secondly, the user's SID comes in two parts, the SID (this is used for
> all domain objects) and a RID, this RID comes from a pool and this
> may be your problem.
>
> Can we see the ldif you used (suitably sanitized).
>
> Rowland

Hi Rowland,
I just want to try these two commands: ldbdel and ldbadd.
If ldbadd cannot add a previously existing account, then what's the point of ldbadd?
Here is the ldif file created by ldbsearch:
# ./bin/ldbsearch -H /usr/local/samba/private/sam.ldb sAMAccountName=krtu > ./user-add.ldif

dn: CN=krtu,CN=Users,DC=mydomain,DC=com
cn: krtu
sn: Allen
givenName: Wan
instanceType: 4
whenCreated: 20160208213002.0Z
displayName: Allen Wan
uSNCreated: 1978630
name: krtu
badPwdCount: 0
codePage: 0
countryCode: 0
homeDirectory: /home/employees/krtu
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
scriptPath: logon.bat
objectSid: S-1-5-21-3939752234-2171877362-3959421765-5590
logonCount: 0
sAMAccountName: krtu
userPrincipalName: krtu@mydomain.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=com
uidNumber: 3029
gidNumber: 1027
loginShell: /bin/false
objectClass: top
objectClass: posixAccount
objectClass: person
objectClass: organizationalPerson
objectClass: user
pwdLastSet: 130994406020000000
userAccountControl: 512
accountExpires: 134466822030000000
whenChanged: 20160208213003.0Z
uSNChanged: 1978635
distinguishedName: CN=krtu,CN=Users,DC=mydomain,DC=com

Thanks,
Allen
On 10/02/16 20:58, Allen Chen wrote:
> I just want to try these two commands: ldbdel and ldbadd.
> If ldbadd cannot add a previously existing account, then what's the point
> of ldbadd?

The point of ldbadd is to add an ldif to AD, the only problem is that you
are trying to add a user back that you have deleted. You can do this but not
as you are trying to do and, as far as windows is concerned, your user will
not be the same user.

This ldif will probably work:

dn: CN=krtu,CN=Users,DC=mydomain,DC=com
cn: krtu
sn: Allen
givenName: Wan
displayName: Allen Wan
name: krtu
homeDirectory: /home/employees/krtu
scriptPath: logon.bat
sAMAccountName: krtu
userPrincipalName: krtu@mydomain.com
uidNumber: 3029
gidNumber: 1027
loginShell: /bin/false
objectClass: user
userAccountControl: 512

You could probably shorten it further and it would still add your user.
There is one attribute that you tried to add, that you cannot add:

objectSid

This value is set by the system when the account is created, i.e. AD wants
to create a new SID.

There are other attributes you shouldn't directly set yourself.

If you want to add a user, I suggest you use ADUC or samba-tool etc. If you
delete a user, as far as I am aware, you cannot recreate the exact same
user, you can only create a new user with the same name.

Rowland
Hi,

As far as I have understood, Rowland is right, objectSid can't be re-used:
objects during deletion are not really deleted but pushed into some recycle
bin (for a time according to tombstoneLifetime).

Perhaps you can force usage of some objectSid during creation or during
modification but I have no idea how that would impact the way the next
objectSid will be chosen.

Nevertheless you can modify your users with ldbmodify or ldapmodify, you can
even modify their DN with modrdn as changetype in your LDIF, so there should
be no necessity to re-use objectSid.

Cheers,
mathias

2016-02-10 22:39 GMT+01:00 Rowland penny <rpenny at samba.org>:
> If you want to add a user, I suggest you use ADUC or samba-tool etc. If
> you delete a user, as far as I am aware, you cannot recreate the exact same
> user, you can only create a new user with the same name.
>
> Rowland
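The two replies above make two concrete points: Rowland's, that ldbadd failed because the export still carried server-owned attributes, above all objectSid (a domain SID plus a RID from the DC's pool) which is unique-indexed in sam.ldb; and mathias's, that an existing object can be renamed in place with a modrdn changetype instead of being deleted and re-added, so its objectSid survives. The following Python is an added example written for this thread, not code from Samba or from any of the posters. It parses an ldbsearch export, reports which attributes would be rejected, writes an ldbadd-safe record of the kind Rowland posted, splits the SID into its domain and RID parts, and emits the modrdn LDIF mathias describes. The attribute list is the editor's assumption (Rowland's dropped attributes plus the well-known server-maintained ones), and the sample record is a trimmed copy of the one Allen posted with the archive's "at" obfuscation of the UPN undone.

```python
import re

# Assumed list of attributes the DC assigns or maintains itself. objectSid and
# objectGUID are unique-indexed, which is exactly the "unique index violation on
# objectSid" that ldbadd reported; objectCategory is filled in from the schema;
# pwdLastSet accepts only 0 or -1 on write, so an exported value must go.
SYSTEM_ATTRS = {
    "objectsid", "objectguid", "samaccounttype", "primarygroupid", "memberof",
    "instancetype", "whencreated", "whenchanged", "usncreated", "usnchanged",
    "distinguishedname", "objectcategory", "badpwdcount", "badpasswordtime",
    "lastlogoff", "lastlogon", "logoncount", "pwdlastset",
}

# Constructed input: a trimmed copy of the record Allen posted.
SAMPLE_EXPORT = """\
dn: CN=krtu,CN=Users,DC=mydomain,DC=com
cn: krtu
sn: Allen
givenName: Wan
instanceType: 4
whenCreated: 20160208213002.0Z
displayName: Allen Wan
uSNCreated: 1978630
name: krtu
badPwdCount: 0
homeDirectory: /home/employees/krtu
scriptPath: logon.bat
objectSid: S-1-5-21-3939752234-2171877362-3959421765-5590
logonCount: 0
sAMAccountName: krtu
userPrincipalName: krtu@mydomain.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=com
uidNumber: 3029
gidNumber: 1027
loginShell: /bin/false
objectClass: top
objectClass: user
pwdLastSet: 130994406020000000
userAccountControl: 512
whenChanged: 20160208213003.0Z
uSNChanged: 1978635
distinguishedName: CN=krtu,CN=Users,DC=mydomain,DC=com
"""

_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")


def parse_ldif(text):
    """Parse one LDIF record into an ordered list of (attr, sep, value) triples.
    Folded lines (leading space) are joined; '::' marks a base64 value and is
    kept as the separator so the record can be written back unchanged."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    triples = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        triples.append((m.group(1), m.group(2), m.group(3)))
    return triples


def rejected_attrs(triples):
    """Server-owned attributes present in the record, in record order."""
    return [a for a, _, _ in triples if a.lower() in SYSTEM_ATTRS]


def strip_system_attrs(triples):
    """Drop the server-owned attributes so ldbadd gets a record like Rowland's."""
    return [t for t in triples if t[0].lower() not in SYSTEM_ATTRS]


def to_ldif(triples):
    return "".join(f"{a}{sep} {v}\n" for a, sep, v in triples)


def split_sid(sid):
    """An objectSid is the domain SID plus a RID from the DC's RID pool;
    returns (domain_sid, rid)."""
    domain, _, rid = sid.rpartition("-")
    if not sid.startswith("S-1-5-21-") or not rid.isdigit():
        raise ValueError(f"not a domain account SID: {sid}")
    return domain, int(rid)


def modrdn_ldif(dn, new_rdn, delete_old_rdn=True):
    """Rename in place with 'changetype: modrdn' instead of delete + add, so the
    object keeps its objectSid and client profiles stay mapped to it."""
    return (f"dn: {dn}\nchangetype: modrdn\nnewrdn: {new_rdn}\n"
            f"deleteoldrdn: {1 if delete_old_rdn else 0}\n")


if __name__ == "__main__":
    rec = parse_ldif(SAMPLE_EXPORT)
    print("would be rejected:", ", ".join(rejected_attrs(rec)))
    print(to_ldif(strip_system_attrs(rec)))
    sid = next(v for a, _, v in rec if a == "objectSid")
    print("domain SID %s, RID %d" % split_sid(sid))
    print(modrdn_ldif("CN=krtu,CN=Users,DC=mydomain,DC=com", "CN=krtu-renamed"))
```

Running it prints the eleven attributes that would be rejected, a sixteen-line record equivalent to Rowland's, the SID split into S-1-5-21-3939752234-2171877362-3959421765 and RID 5590, and a modrdn record that could be fed to ldbmodify. Feeding the stripped record to ldbadd still creates a new account with a fresh RID, which is Rowland's point: the only way to keep the SID is never to delete the object.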
On 2/10/2016 4:39 PM, Rowland penny wrote:
> If you want to add a user, I suggest you use ADUC or samba-tool etc.
> If you delete a user, as far as I am aware, you cannot recreate the
> exact same user, you can only create a new user with the same name.
>
> Rowland

It is good to know. Thanks Rowland and mathias for the explanation.
I thought ldbdel and ldbadd were the two commands to delete a record and add
it back, so I could keep the objectSid the same as the deleted one, and the
user on the client machine could continue to use the profile, which is what I
want. The man page doesn't say you cannot add a record back.
In the AD world, you cannot add a deleted user back to the system with the
same objectSid.

Thanks,
Allen