On Mon, 2016-05-16 at 16:41 +0100, ash-samba at comtek.co.uk wrote:
> > > Andrew Bartlett
> > I haven't actually got ldbdump on the machine, and I can't see it in
> > the Debian packages. That said, I do appear to be able to add DNS
> > records now, so I'm assuming it was the index. If you particularly
> > want me to find out then I'll try to get a dump, but as long as it's
> > working I'm happy to leave it be!
> >
> > Ash
>
> Well, I will try to obtain that ldbdump
>
> samba-tool dbcheck --reindex doesn't seem to have entirely worked. While
> we can add DNS records we can't add users. For example:
>
> /usr/bin/samba-tool user add test.user --uid=test.user
> --random-password --uid-number=10226 --surname=user --given-name=test
> --job-title=Storekeeper --department=Repairs
> --mail-address=test.user@example.com --telephone-number=01244123456
> --gid-number=513
>
> ERROR(ldb): Failed to add user 'test.user': -
> ../ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=test
> user,CN=Users,DC=chester-dc,DC=example,DC=com -
> ../ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in
> CN=test user,CN=Users,DC=chester-dc,DC=example,DC=com

G'Day,

This is a serious situation. What it means is that the nextRid value for that DC points at a user account that already exists, so when we go to create it, the create fails.

That, and the other issue, suggests you have had some serious DB corruption, and this may not be the only issue. Does a full dbcheck pass? (Not just the reindex).

Is there another DC that still works, that you can replicate from? (but you suggested other issues I think).

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
> G'Day,
>
> This is a serious situation. What it means is that the nextRid value for that DC points at a user account that already exists, so when we go to create it, the create fails.

I've just looked at the LDAP output, and nextRid is 1000 for both dn: CN=Builtin,DC=chester-dc,etc and for dn: DC=chester-dc,etc

The most recent successful new user (that I'm aware of) is objectSid: S-1-5-21-2702589905-558746101-3641499263-2825

I can't see any objectSid entries which end in 1000 though. The lowest one we have is S-1-5-21-2702589905-558746101-3641499263-1101

> That, and the other issue, suggests you have had some serious DB corruption, and this may not be the only issues. Does a full dbcheck pass? (Not just the reindex).

dbcheck works on empire.

> Is there another DC that still works, that you can replicate from? (but you suggested other issues I think).

We can successfully "/usr/bin/samba-tool user add" with alaska (a machine located on another continent, with a quite unreliable link!), and that gives us an account with S-1-5-21-2702589905-558746101-3641499263-7125 on -both- alaska and empire, so there is clearly some amount of working replication. Confusingly, after doing this nextRid is still 1000 on both machines.

Creating a new local DC (and decommissioning empire) would be a good solution for us. I can add a new DC (v-ward) by specifying --server=alaska.chester-dc, and I get no errors in the process. The samba process on v-ward isn't working, though. I'm still trying to debug this (currently it isn't even listening to port 389).
On 17/05/16 12:11, ash-samba at comtek.co.uk wrote:
>
>> G'Day,
>>
>> This is a serious situation. What it means is that the nextRid value
>> for that DC points at a user account that already exists, so when we
>> go to create it, the create fails.
> I've just looked at the LDAP output, and nextRid is 1000 for both dn:
> CN=Builtin,DC=chester-dc,etc and for dn: DC=chester-dc,etc

Same here.

>
> The most recent successful new user (that I'm aware of) is objectSid:
> S-1-5-21-2702589905-558746101-3641499263-2825
>
> I can't see any objectSid entries which end in 1000 though. The lowest
> one we have is S-1-5-21-2702589905-558746101-3641499263-1101
>> That, and the other issue, suggests you have had some serious DB
>> corruption, and this may not be the only issues. Does a full dbcheck
>> pass? (Not just the reindex).
> dbcheck works on empire.
>> Is there another DC that still works, that you can replicate from?
>> (but you suggested other issues I think).
>
> We can successfully "/usr/bin/samba-tool user add" with alaska (a
> machine located on another continent, with a quite unreliable link!),
> and that gives us an account with
> S-1-5-21-2702589905-558746101-3641499263-7125 on -both- alaska and
> empire, so there is clearly some amount of working replication.
> Confusingly, after doing this nextRid is still 1000 on both machines.

This could be because you are looking at the wrong attribute in the wrong place. Try looking at the object 'CN=RID Set,CN=ALASKA,OU=Domain Controllers,DC=CHESTER-DC,DC=EXAMPLE,DC=COM' and the attribute 'rIDNextRID' it contains.

Rowland

>
> Creating a new local DC (and decommissioning empire) would be a good
> solution for us. I can add a new DC (v-ward) by specifying
> --server=alaska.chester-dc, and I get no errors in the process. The
> samba process on v-ward isn't working, though. I'm still trying to
> debug this (currently it isn't even listening to port 389).
>
>
On Tue, 2016-05-17 at 12:11 +0100, ash-samba at comtek.co.uk wrote:
> > G'Day,
> >
> > This is a serious situation. What it means is that the nextRid
> > value for that DC points at a user account that already exists, so
> > when we go to create it, the create fails.
> I've just looked at the LDAP output, and nextRid is 1000 for both dn:
> CN=Builtin,DC=chester-dc,etc and for dn: DC=chester-dc,etc
>
> The most recent successful new user (that I'm aware of) is objectSid:
> S-1-5-21-2702589905-558746101-3641499263-2825
>
> I can't see any objectSid entries which end in 1000 though. The lowest
> one we have is S-1-5-21-2702589905-558746101-3641499263-1101
> > That, and the other issue, suggests you have had some serious DB
> > corruption, and this may not be the only issues. Does a full
> > dbcheck pass? (Not just the reindex).
> dbcheck works on empire.
> > Is there another DC that still works, that you can replicate from?
> > (but you suggested other issues I think).
>
> We can successfully "/usr/bin/samba-tool user add" with alaska (a
> machine located on another continent, with a quite unreliable link!),
> and that gives us an account with
> S-1-5-21-2702589905-558746101-3641499263-7125 on -both- alaska and
> empire, so there is clearly some amount of working replication.
> Confusingly, after doing this nextRid is still 1000 on both machines.

The value you need to look for is in the RID Set, not the domain, which is a legacy figure we don't use. Sorry for the red herring.

> Creating a new local DC (and decommissioning empire) would be a good
> solution for us. I can add a new DC (v-ward) by specifying
> --server=alaska.chester-dc, and I get no errors in the process. The
> samba process on v-ward isn't working, though. I'm still trying to
> debug this (currently it isn't even listening to port 389).

OK. That seems serious.
Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
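Rowland and Andrew both point at the per-DC RID Set object rather than the domain-level nextRid. The script below is an added example, not code from the thread or from Samba: it reads LDIF in the shape that `ldbsearch -H /var/lib/samba/private/sam.ldb` prints (the RID Set record and an objectSid listing), works out which RID the DC would hand out next, and checks whether an object with that SID already exists, which is exactly the condition that produces the "unique index violation on objectSid" seen in the thread. Assumptions, labelled in the code: rIDNextRID holds the last RID this DC allocated (so the next candidate is rIDNextRID + 1, or the pool's low end when rIDNextRID is 0), and rIDPreviousAllocationPool packs its range as (high << 32) | low. The RID Set values and the objectSid records are constructed samples; the domain SID is the one quoted in the thread.

```python
"""Cross-check a DC's RID Set against the objectSids already in sam.ldb.

Added example for the thread above; not Samba code. Feed it real ldbsearch
output to run it offline against a copy of your database.
"""
from typing import Dict, List, Optional, Tuple

DOMAIN_SID = "S-1-5-21-2702589905-558746101-3641499263"  # quoted in the thread

# Constructed sample: what a DC's RID Set might look like. The pool range
# 7000..7499 is packed as (high << 32) | low, computed here to avoid typos.
# Assumption: that packing, and rIDNextRID = last RID handed out.
_POOL = (7499 << 32) | 7000
RID_SET_LDIF = f"""\
dn: CN=RID Set,CN=ALASKA,OU=Domain Controllers,DC=CHESTER-DC,DC=EXAMPLE,DC=COM
objectClass: rIDSet
rIDAllocationPool: {_POOL}
rIDPreviousAllocationPool: {_POOL}
rIDNextRID: 7125
rIDUsedPool: 0
"""

# Constructed sample: an objectSid listing, e.g. from
#   ldbsearch -H sam.ldb '(objectSid=*)' objectSid
# The record at RID 7126 is a stale object sitting on the RID the DC wants next.
OBJECTSID_LDIF = f"""\
dn: CN=Administrator,CN=Users,DC=chester-dc,DC=example,DC=com
objectSid: {DOMAIN_SID}-500

dn: CN=Domain Users,CN=Users,DC=chester-dc,DC=example,DC=com
objectSid: {DOMAIN_SID}-513

dn: CN=other user,CN=Users,DC=chester-dc,DC=example,DC=com
objectSid: {DOMAIN_SID}-7125

dn: CN=stale user,CN=Users,DC=chester-dc,DC=example,DC=com
objectSid: {DOMAIN_SID}-7126
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated records, 'attr: value' lines,
    leading-space continuation lines folded into the previous value.
    Base64 values (attr:: value) are not decoded; ldbsearch prints objectSid
    in its S-1-... string form, so that is not needed here."""
    records: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current, last_attr = {}, None
            continue
        if line.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += line[1:]
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr, []).append(value.lstrip())
        last_attr = attr
    if current:
        records.append(current)
    return records


def rid_of(sid: str) -> int:
    """The RID is the last dash-separated component of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def next_rid_from_rid_set(rid_set_ldif: str) -> Tuple[int, int, int]:
    """Return (candidate_next_rid, pool_low, pool_high) for the DC's RID Set."""
    rec = parse_ldif(rid_set_ldif)[0]
    pool = int(rec["rIDPreviousAllocationPool"][0])
    pool_low, pool_high = pool & 0xFFFFFFFF, pool >> 32
    last = int(rec["rIDNextRID"][0])
    candidate = pool_low if last == 0 else last + 1  # assumption, see lead-in
    return candidate, pool_low, pool_high


def diagnose(rid_set_ldif: str, objectsid_ldif: str,
             domain_sid: str = DOMAIN_SID) -> Dict[str, object]:
    """Report whether the DC's next RID would collide with an existing SID."""
    candidate, _low, high = next_rid_from_rid_set(rid_set_ldif)
    taken: Dict[int, str] = {}
    for rec in parse_ldif(objectsid_ldif):
        for sid in rec.get("objectSid", []):
            if sid.startswith(domain_sid + "-"):  # ignore well-known/foreign SIDs
                taken[rid_of(sid)] = rec["dn"][0]
    return {
        "candidate_rid": candidate,
        "pool_exhausted": candidate > high,
        "collision_dn": taken.get(candidate),  # None: next add is safe
        "highest_rid_in_use": max(taken) if taken else None,
    }


if __name__ == "__main__":
    for key, value in diagnose(RID_SET_LDIF, OBJECTSID_LDIF).items():
        print(f"{key}: {value}")
```

With the constructed input the DC would hand out RID 7126, which is already held by "CN=stale user", so the next `samba-tool user add` on that DC would fail on the objectSid unique index just as in the thread. A non-None `collision_dn` tells you which object to inspect (and on which DCs it replicated); `highest_rid_in_use` above `candidate_rid` is a further sign that the RID Set and the directory have drifted apart.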