Jonathan Hunter
2016-Apr-14 12:37 UTC
[Samba] Previously extended schema not working in 4.4.0
Thank you, Andrew - I hadn't done so. (In a good way, I haven't yet had problems with samba that have caused me to delve quite so deeply into the DB :) so I'm not as familiar with the range of tools as I could be, sorry!)

This has flagged up quite a few errors, all along the lines of:

# samba-tool dbcheck --cross-ncs
Checking 4079 objects
MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00290001
MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x0029000a
MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00290004
MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x0009030e
MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00090001
MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00020119
MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00020002
MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00020001
MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00000000
ERROR: incorrect attributeID values in replPropertyMetaData on MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk
Not fixing incorrect value 0x00290004 with 0xbd27f4d3 for myAttr in replPropertyMetaData on MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk
[this is repeated many times, for multiple objects]
[ sometimes ERROR: duplicate attributeID values ]
Please use --fix to fix these errors
Checked 4083 objects (110 errors)

Before I run again with --fix...

- I will take a dump (using ldapsearch) of this OU before I do anything
- I don't know what the different codes, e.g. 0x00290001, represent - or even why there are multiple of these per object. The actual numbers vary from one to the next; there is some overlap but also different values given
- I'm not sure what --fix will do if it finds an "incorrect" value; where will it get the right value from?

I guess, as long as I have a dump of the OU, at worst I could drop the entire contents and re-create it, should --fix not do what I expect..

I don't know why this happened; perhaps it was something to do with my upgrade method from 4.3.x to 4.4.0 (compile 4.4.0; make install; restart samba). I've used that same recipe many times to go from 4.1.x - 4.2.x - 4.3.x and that has always worked fine, but maybe I have been lucky (or unlucky?) in some way...

Many thanks!

Jonathan

On 14 April 2016 at 11:28, Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2016-04-11 at 21:23 +0100, Jonathan Hunter wrote:
> > Hi,
> >
> > About a year ago (I think I was using v4.2.x at the time), I extended the schema of my Samba AD. This worked just fine and since then I have been able to create and edit objects from my custom schema via ADSIEdit. This worked fine under 4.3.x as well - the last such object I successfully created was just over two months ago, at which point I was running some variant of 4.3.x (probably 4.3.5).
> >
> > However, last week I upgraded all my DCs to 4.4.0 (to take advantage of the LDAP_MATCHING_RULE_IN_CHAIN fix / bug 10493) and now I have found that can no longer create my custom objects in AD. ADSIEdit reports that "A constraint violation occurred"; I get the same error from Apache Directory Studio, too - details are as follows:
> >
> > Error while creating entry
> > - [LDAP: error code 19 - 0000202F: replmd_add: error during direct ADD: No rDN found in replPropertyMetaData for mytype=abc123,OU=myou,DC=mydomain,DC=org,DC=uk
> >
> > I have checked using the 'Active Directory Schema' MMC snap-in, and my custom schema classes and attributes do still seem to be showing as present and correct, just as I originally added them many months ago - I can't spot any problems there.
> >
> > It behaves exactly the same when I try to create objects on all four of my DCs. I can create other (non-custom) objects with no problems at all, and replication seems to work just fine for everything else - if I create a regular user, or modify its description, that change propagates perfectly well across all DCs.
> >
> > I suspect that some Samba database (replPropertyMetaData?) has got corrupt or out of sync somehow - but I don't know how to investigate further. Is this database in any kind of ldb file that I could dump / look at / edit ?
> >
> > There's a chance that it broke in 4.3.6 (which was the version I used prior to 4.4.0) - I upgraded to 4.3.6 about a week after creating the most recent object I can find in my AD - but I am now on 4.4.0 and it's definitely broken at the moment. If it's important, I could try to spin up an isolated VM and restore 4.3.6 from backups.
> >
> > Any pointers appreciated - I'm really not sure where to look next.
>
> Have you run dbcheck?
>
> samba-tool dbcheck --cross-ncs
>
> Andrew Bartlett
>
> --
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba

--
"If we knew what it was we were doing, it would not be called research, would it?"
- Albert Einstein
Jonathan Hunter
2016-Apr-14 17:07 UTC
[Samba] Previously extended schema not working in 4.4.0
On 14 April 2016 at 13:37, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
> # samba-tool dbcheck --cross-ncs
> Checking 4079 objects
> MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00290001
> MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x0029000a
> MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00290004
> MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x0009030e
> MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00090001
> MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00020119
> MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00020002
> MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00020001
> MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00000000
> ERROR: incorrect attributeID values in replPropertyMetaData on MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk
>
> Not fixing incorrect value 0x00290004 with 0xbd27f4d3 for myAttr in replPropertyMetaData on MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk

Going back over the results of 'samba-tool dbcheck', it struck me just now that the errors flagged up only appear on objects previously created using my extended schema - these are exactly the same type of errors I am now getting when trying to create more of these objects.

So I think that 'samba-tool dbcheck' is displaying the symptom, and in fact running 'samba-tool dbcheck' probably won't help my situation.

What could cause the errors shown via 'samba-tool dbcheck'?

Thanks :)

Jonathan

> On 14 April 2016 at 11:28, Andrew Bartlett <abartlet at samba.org> wrote:
>
>> On Mon, 2016-04-11 at 21:23 +0100, Jonathan Hunter wrote:
>> > Hi,
>> >
>> > About a year ago (I think I was using v4.2.x at the time), I extended the schema of my Samba AD. This worked just fine and since then I have been able to create and edit objects from my custom schema via ADSIEdit. This worked fine under 4.3.x as well - the last such object I successfully created was just over two months ago, at which point I was running some variant of 4.3.x (probably 4.3.5).
>> >
>> > However, last week I upgraded all my DCs to 4.4.0 (to take advantage of the LDAP_MATCHING_RULE_IN_CHAIN fix / bug 10493) and now I have found that can no longer create my custom objects in AD. ADSIEdit reports that "A constraint violation occurred"; I get the same error from Apache Directory Studio, too - details are as follows:
>> >
>> > Error while creating entry
>> > - [LDAP: error code 19 - 0000202F: replmd_add: error during direct ADD: No rDN found in replPropertyMetaData for mytype=abc123,OU=myou,DC=mydomain,DC=org,DC=uk
>> >
>> > I have checked using the 'Active Directory Schema' MMC snap-in, and my custom schema classes and attributes do still seem to be showing as present and correct, just as I originally added them many months ago - I can't spot any problems there.
>> >
>> > It behaves exactly the same when I try to create objects on all four of my DCs. I can create other (non-custom) objects with no problems at all, and replication seems to work just fine for everything else - if I create a regular user, or modify its description, that change propagates perfectly well across all DCs.
>> >
>> > I suspect that some Samba database (replPropertyMetaData?) has got corrupt or out of sync somehow - but I don't know how to investigate further. Is this database in any kind of ldb file that I could dump / look at / edit ?
>> >
>> > There's a chance that it broke in 4.3.6 (which was the version I used prior to 4.4.0) - I upgraded to 4.3.6 about a week after creating the most recent object I can find in my AD - but I am now on 4.4.0 and it's definitely broken at the moment. If it's important, I could try to spin up an isolated VM and restore 4.3.6 from backups.
>> >
>> > Any pointers appreciated - I'm really not sure where to look next.
>>
>> Have you run dbcheck?
>>
>> samba-tool dbcheck --cross-ncs
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett http://samba.org/~abartlet/
>> Authentication Developer, Samba Team http://samba.org
>> Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
>
> --
> "If we knew what it was we were doing, it would not be called research, would it?"
> - Albert Einstein

--
"If we knew what it was we were doing, it would not be called research, would it?"
- Albert Einstein
Andrew Bartlett
2016-Apr-14 19:20 UTC
[Samba] Previously extended schema not working in 4.4.0
On Thu, 2016-04-14 at 18:07 +0100, Jonathan Hunter wrote:
> On 14 April 2016 at 13:37, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
>
> > # samba-tool dbcheck --cross-ncs
> > Checking 4079 objects
> > MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00290001
> > MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x0029000a
> > MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00290004
> > MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x0009030e
> > MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00090001
> > MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00020119
> > MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00020002
> > MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00020001
> > MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00000000
> >
> > ERROR: incorrect attributeID values in replPropertyMetaData on MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk
> >
> > Not fixing incorrect value 0x00290004 with 0xbd27f4d3 for myAttr in replPropertyMetaData on MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk
>
> Going back over the results of 'samba-tool dbcheck', it struck me just now that the errors flagged up only appear on objects previously created using my extended schema - these are exactly the same type of errors I am now getting when trying to create more of these objects.
>
> So I think that 'samba-tool dbcheck' is displaying the symptom, and in fact running 'samba-tool dbcheck' probably won't help my situation.
>
> What could cause the errors shown via 'samba-tool dbcheck'?

Our DRS replication code with extended schema has been pretty badly broken in a number of releases, and so we fixed the bugs and added dbcheck rules to fix the damage. We also added code in Samba to refuse to operate when we detect damage at runtime.

Once you run with --fix it should all get back to normal - thankfully we have enough information, just a little scrambled, to fix this up. (Those rules are actually some of the best-tested in dbcheck).

We continue to improve our extended schema code. Hopefully we will have it all solid for 4.5, but it is much, much better in 4.4 than 4.2 was.

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
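
Added example (not part of the thread, and not Samba project code): before re-running dbcheck with --fix, an administrator may want to confirm which objects the errors touch and which attributeID replacements are proposed. This Python script parses saved dbcheck output in the shape quoted above and flags any affected DN outside the expected OU; the function name, the sample lines and the full layout of the "duplicate attributeID" line are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, shaped like the dbcheck output quoted in the thread.
# Assumption: the "duplicate" line has the same layout as the "incorrect" one.
SAMPLE = """\
Checking 4079 objects
ERROR: incorrect attributeID values in replPropertyMetaData on MYOBJ=a,OU=myou,DC=mydomain,DC=org,DC=uk
Not fixing incorrect value 0x00290004 with 0xbd27f4d3 for myAttr in replPropertyMetaData on MYOBJ=a,OU=myou,DC=mydomain,DC=org,DC=uk
ERROR: duplicate attributeID values in replPropertyMetaData on MYOBJ=b,OU=myou,DC=mydomain,DC=org,DC=uk
ERROR: incorrect attributeID values in replPropertyMetaData on CN=x,OU=other,DC=mydomain,DC=org,DC=uk
Please use --fix to fix these errors
Checked 4083 objects (3 errors)
"""

ERR = re.compile(r"^ERROR: (incorrect|duplicate) attributeID values in "
                 r"replPropertyMetaData on (?P<dn>.+)$")
FIX = re.compile(r"^Not fixing incorrect value (0x[0-9a-fA-F]+) "
                 r"with (0x[0-9a-fA-F]+) for (\S+) in "
                 r"replPropertyMetaData on (?P<dn>.+)$")
TOTAL = re.compile(r"^Checked (\d+) objects \((\d+) errors\)$")

def summarise(text, expected_suffix):
    """Group dbcheck findings per DN; list DNs outside expected_suffix."""
    errors = defaultdict(set)     # dn -> {"incorrect", "duplicate"}
    proposed = defaultdict(list)  # dn -> [(attribute, old_id, new_id)]
    totals = None                 # (objects checked, errors reported)
    for line in text.splitlines():
        line = line.strip()
        if m := ERR.match(line):
            errors[m["dn"]].add(m[1])
        elif m := FIX.match(line):
            proposed[m["dn"]].append((m[3], m[1], m[2]))
        elif m := TOTAL.match(line):
            totals = (int(m[1]), int(m[2]))
    suffix = "," + expected_suffix.lower()
    outside = sorted(dn for dn in errors
                     if not dn.lower().endswith(suffix))
    return {"errors": dict(errors), "proposed": dict(proposed),
            "outside": outside, "totals": totals}

if __name__ == "__main__":
    report = summarise(SAMPLE, "OU=myou,DC=mydomain,DC=org,DC=uk")
    for dn, kinds in report["errors"].items():
        print(dn, sorted(kinds), report["proposed"].get(dn, []))
    print("outside expected OU:", report["outside"], report["totals"])
```

An empty "outside" list supports the observation in the thread that only objects created with the extended schema are affected; anything listed there deserves a look before --fix is run.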