Jonathan Hunter
2016-Apr-11 22:02 UTC
[Samba] Previously extended schema not working in 4.4.0
Thanks Rowland.

In here, I can see the objects I have created using my schema extensions,
but I cannot see the schema classes or attributes themselves; I don't know
if that is the problem.

I'm not sure if by running ldbedit on sam.ldb, this does not include the
contents of CN=Schema,CN=Configuration,DC=mydomain,DC=... or if it does
include this part of the AD tree and these items are somehow missing in my
case.

The 'Active Directory Schema' MMC plug-in does show the classes and
attributes, so that must be reading them from somewhere.

On 11 April 2016 at 22:18, Rowland penny <rpenny at samba.org> wrote:

> On 11/04/16 21:23, Jonathan Hunter wrote:
>
>> Hi,
>>
>> About a year ago (I think I was using v4.2.x at the time), I extended the
>> schema of my Samba AD. This worked just fine and since then I have been
>> able to create and edit objects from my custom schema via ADSIEdit. This
>> worked fine under 4.3.x as well - the last such object I successfully
>> created was just over two months ago, at which point I was running some
>> variant of 4.3.x (probably 4.3.5).
>>
>> However, last week I upgraded all my DCs to 4.4.0 (to take advantage of
>> the LDAP_MATCHING_RULE_IN_CHAIN fix / bug 10493) and now I have found that
>> I can no longer create my custom objects in AD. ADSIEdit reports that "A
>> constraint violation occurred"; I get the same error from Apache Directory
>> Studio, too - details are as follows:
>>
>> Error while creating entry
>> - [LDAP: error code 19 - 0000202F: replmd_add: error during direct ADD: No
>> rDN found in replPropertyMetaData for
>> mytype=abc123,OU=myou,DC=mydomain,DC=org,DC=uk
>>
>> I have checked using the 'Active Directory Schema' MMC snap-in, and my
>> custom schema classes and attributes do still seem to be showing as present
>> and correct, just as I originally added them many months ago - I can't spot
>> any problems there.
>>
>> It behaves exactly the same when I try to create objects on all four of my
>> DCs. I can create other (non-custom) objects with no problems at all, and
>> replication seems to work just fine for everything else - if I create a
>> regular user, or modify its description, that change propagates perfectly
>> well across all DCs.
>>
>> I suspect that some Samba database (replPropertyMetaData?) has got corrupt
>> or out of sync somehow - but I don't know how to investigate further. Is
>> this database in any kind of ldb file that I could dump / look at / edit?
>>
>
> Yes, AD is stored in sam.ldb, you can see this with:
>
> ldbedit -e nano -H /usr/local/samba/private/sam.ldb
>
> Replacing 'nano' with your favourite editor, 'usr/local/samba/private'
> with the path to your 'sam.ldb' if yours is in a different place.
>
> This will show most of your AD, if you want to see the DNS records, add
> '--cross-ncs' and if you want fully readable dns records, also add
> '--show-binary'
>
> There are other .ldb files, but I wouldn't try to edit those.
>
> Rowland
>
>> There's a chance that it broke in 4.3.6 (which was the version I used prior
>> to 4.4.0) - I upgraded to 4.3.6 about a week after creating the most recent
>> object I can find in my AD - but I am now on 4.4.0 and it's definitely
>> broken at the moment. If it's important, I could try to spin up an isolated
>> VM and restore 4.3.6 from backups.
>>
>> Any pointers appreciated - I'm really not sure where to look next.
>>
>> Thanks :-)
>>
>> Jonathan

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein

Rowland penny
2016-Apr-12 06:31 UTC
[Samba] Previously extended schema not working in 4.4.0
On 11/04/16 23:02, Jonathan Hunter wrote:

> Thanks Rowland.
>
> In here, I can see the objects I have created using my schema extensions,
> but I cannot see the schema classes or attributes themselves; I don't know
> if that is the problem.
>
> I'm not sure if by running ldbedit on sam.ldb, this does not include the
> contents of CN=Schema,CN=Configuration,DC=mydomain,DC=... or if it does
> include this part of the AD tree and these items are somehow missing in my
> case.
>
> The 'Active Directory Schema' MMC plug-in does show the classes and
> attributes, so that must be reading them from somewhere.

The schema is in another NC, so use the 'cross-ncs' switch to see the schema.

Rowland

Jonathan Hunter
2016-Apr-12 21:21 UTC
[Samba] Previously extended schema not working in 4.4.0
On 12 April 2016 at 07:31, Rowland penny <rpenny at samba.org> wrote:

> The schema is in another NC, so use the 'cross-ncs' switch to see the
> schema.

Thanks Rowland - adding --cross-ncs worked and I can now see the schema
extensions using ldbedit.

I can confirm that my schema extensions are definitely present, including
as mentioned in the record below, which I imagine holds information
required for replication and seems to be OK to me as well. (I checked two
DCs (2DCG and 2DC1) and this record was the same on both, as far as I could
see)

So, I'm still stumped as to what is missing, and what would lead to
"replmd_add: error during direct ADD: No rDN found in replPropertyMetaData"
errors..

Thanks!

Jonathan

The record I found that seems to hold the replication information looks OK
to me (with my limited knowledge, at least):

# record 712
dn: CN=Schema,CN=Configuration,DC=mydomain,DC=org,DC=uk
objectClass: top
objectClass: dMD
cn: Schema
instanceType: 13
whenCreated: 20130420175653.0Z
uSNCreated: 8
objectVersion: 47
showInAdvancedViewOnly: TRUE
name: Schema
objectGUID: xxxxxxxx-yyyy-aaaa-bbbb-cccccccccccc
objectCategory: CN=DMD,CN=Schema,CN=Configuration,DC=mydomain,DC=org,DC=uk
msDs-masteredBy: CN=NTDS Settings,CN=2DC1,CN=Servers,CN=site1,CN=Sites
 ,CN=Configuration,DC=mydomain,DC=org,DC=uk
msDs-masteredBy: CN=NTDS Settings,CN=1DC1,CN=Servers,CN=site2,CN=Sites,CN=Co
 nfiguration,DC=mydomain,DC=org,DC=uk
msDs-masteredBy: CN=NTDS Settings,CN=2DCG,CN=Servers,CN=site1,CN=Sites,C
 N=Configuration,DC=mydomain,DC=org,DC=uk
msDs-masteredBy: CN=NTDS Settings,CN=2DC2,CN=Servers,CN=site1,CN=Sites
 ,CN=Configuration,DC=mydomain,DC=org,DC=uk
masteredBy: CN=NTDS Settings,CN=2DC1,CN=Servers,CN=site1,CN=Sites,CN=C
 onfiguration,DC=mydomain,DC=org,DC=uk
masteredBy: CN=NTDS Settings,CN=1DC1,CN=Servers,CN=site2,CN=Sites,CN=Configu
 ration,DC=mydomain,DC=org,DC=uk
masteredBy: CN=NTDS Settings,CN=2DCG,CN=Servers,CN=site1,CN=Sites,CN=Con
 figuration,DC=mydomain,DC=org,DC=uk
masteredBy: CN=NTDS Settings,CN=2DC2,CN=Servers,CN=site1,CN=Sites,CN=C
 onfiguration,DC=mydomain,DC=org,DC=uk
fSMORoleOwner: CN=NTDS Settings,CN=2DC1,CN=Servers,CN=site1,CN=Sites,C
 N=Configuration,DC=mydomain,DC=org,DC=uk
whenChanged: 20150520155013.0Z
uSNChanged: 12484
schemaInfo:: /aaaaaaaaaaa/bbbbbbbbbbbbbCN
prefixMap: 0:2.5.4;1:2.5.6;2:1.2.840.113556.1.2;3:1.2.840.113556.1.3;4:2.16.84
 0.1.101.2.2.1;5:2.16.840.1.101.2.2.3;6:2.16.840.1.101.2.1.5;7:2.16.840.1.101.
 2.1.4;8:2.5.5;9:1.2.840.113556.1.4;10:1.2.840.113556.1.5;19:0.9.2342.19200300
 .100;20:2.16.840.1.113730.3;21:0.9.2342.19200300.100.1;22:2.16.840.1.113730.3
 .1;23:1.2.840.113556.1.5.7000;24:2.5.21;25:2.5.18;26:2.5.20;11:1.2.840.113556
 .1.4.260;12:1.2.840.113556.1.5.56;13:1.2.840.113556.1.4.262;14:1.2.840.113556
 .1.5.57;15:1.2.840.113556.1.4.263;16:1.2.840.113556.1.5.58;17:1.2.840.113556.
 1.5.73;18:1.2.840.113556.1.4.305;27:1.3.6.1.4.1.1466.101.119;28:2.16.840.1.11
 3730.3.2;29:1.3.6.1.4.1.250.1;30:1.2.840.113549.1.9;31:0.9.2342.19200300.100.
 4;32:1.2.840.113556.1.6.23;33:1.2.840.113556.1.6.18.1;34:1.2.840.113556.1.6.1
 8.2;35:1.2.840.113556.1.6.13.3;36:1.2.840.113556.1.6.13.4;37:1.3.6.1.1.1.1;38
 :1.3.6.1.1.1.2;39:1.3.6.1.4.1.7165.4.1;40:1.3.6.1.4.1.7165.4.2;41:MY.CU.ST.OM.OID.1;42:MY.CU.ST.OM.OID.2
replUpToDateVector:: [...]
repsFrom:: [...]
repsFrom:: [...]
repsFrom:: [...]
repsTo:: [...]
repsTo:: [...]
repsTo:: [...]
distinguishedName: CN=Schema,CN=Configuration,DC=mydomain,DC=org,DC=uk

--
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein