Mike Lykov
2016-Nov-01 16:07 UTC
[Samba] Right way to restore deleted objects (in samba 4.1 or newer with or without "ad recycle bin")
Hello all!

I operate a two-DC domain, based on samba 2:4.1.9+dfsg-1~bpo70+1.

Forest function level: (Windows) 2003
Domain function level: (Windows) 2003
Lowest function level of a DC: (Windows) 2008 R2

AD Recycle Bin not enabled (it can only be enabled at domain level 2008 R2).

Last week one of our administrators deleted computer accounts from AD by accident, and we are not able to restore them.

I tried to restore them as shown here: https://bugzilla.samba.org/show_bug.cgi?id=10371#c4 because the recipe from the wiki is only for an active "AD recycle bin": https://wiki.samba.org/index.php/The_Active_Directory_Recycle_Bin#On_a_Samba_DC_2

The method from the bug (without recycle bin): rename the object from "Deleted Objects" to its last known place with ldbrename, and then delete the isDeleted attribute and add the objectCategory attribute with ldbedit. After that the object can be viewed in ADUC again.

What about attributes such as "lastKnownParent" and "isRecycled" when restoring objects, must I delete them also (I deleted them)? Why is the attribute "isRecycled" set? On the wiki it is present only if the recycle bin is enabled. Is it because replication to the second DC is done and "Multi-DC Environment: Deleted Objects are Recycled Too Fast" (from the wiki)?

I restored objects with the attribute "isRecycled" set and cleared it, but now samba-tool dbcheck shows me errors like:

"Not moving object DC=MYCOMP137\0ADEL:55eb09d2-26a4-4226-9d55-d36cfb37dd34,CN=Deleted Objects,DC=DomainDnsZones,DC=dc,DC=mydom,DC=ru into LostAndFound
ERROR: parent object not found for DC=MYCOMP18\0ADEL:8f40e027-6757-44e8-b5ee-3651ab0421b0,CN=Deleted Objects,DC=DomainDnsZones,DC=dc,DC=samges,DC=ru"

If I run samba-tool dbcheck --fix, is it safe to fix it?

The second question is about lost attributes after restoring by these methods. Many attributes are lost, and after restoring a deleted machine account that computer cannot log in to the domain, saying "there is no trust with that domain" (from my memory).

In the samba log, for example, I see errors like "auth_check_password_recv: sam_ignoredomain authentication for user [MYDOMAIN\MYWS194$] FAILED with error NT_STATUS_WRONG_PASSWORD"

I googled and found that the deleting of attributes when an object is moved to "deleted objects" is controlled by the "searchFlags" attribute, as listed here: https://msdn.microsoft.com/en-us/library/ms679765(v=vs.85).aspx#windows_server_2003_r2
If I set for some attribute in the schema an "8 (0x00000008)" value (summed with the others), that attribute must be saved. But to edit the schema I must set special permissions; is it worth it? Or do I need to enable the recycle bin and not mess with schema editing and searchFlags (additionally, I don't know which attributes I need to preserve)?

Third question: What is the right sequence for raising the functional level of the domain with samba-tool domain level raise --domain-level=2008_R2? Run it on the DC with no FSMO roles and then on the DC with them, and that's done? How can I see that it was successful other than "domain level show"; does it affect replication?

After raising the level and running the enablerecyclebin script (found in the sources), how can I restore objects, with ldbmodify as shown on the wiki, and are all the needed attributes (for communicating with the computer account, for example) restored?

A. Bartlett wrote in https://bugzilla.samba.org/show_bug.cgi?id=10371#c27 about "Recycle bin not tested and therefore unsupported". Is there a version where it is working; is it working in samba 4.1, 4.2 or 4.4 (debian stable or testing)?

What about the changelog for samba 4.5: "Samba now supports tombstone reanimation, a feature in the AD DC allowing tombstones, that is objects which have been deleted, to be restored with the original SID and GUID still in place." But does this "tombstone reanimation" conflict with an enabled "recycle bin"? (#10371 comment 25) The wiki states that "Windows Tools for Restoring Deleted Objects Does Not Work", but a #1071 comment says "adrestore -r" works?

I found Marc Muehlfeld's letter about similar themes :) https://lists.samba.org/archive/samba-technical/2016-August/115719.html

-- Mike Lykov, system administrator, Russia
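The manual recovery described in the post above (ldbrename the object out of CN=Deleted Objects, then clear isDeleted and add objectCategory) depends on decoding the tombstone's mangled RDN ("<rdn>\0ADEL:<objectGUID>") and its lastKnownParent. The script below is an added example written for this page; it is not code from the thread or from the Samba project. It only plans the two steps the post describes, emitting the ldbrename command line and an LDIF for ldbmodify, and never opens a database. Assumptions are labelled in the code: the sample tombstone with its GUID and SID is constructed, the sam.ldb path and the objectCategory value are supplied by the caller, and the LOGON_ATTRIBUTES list is a guess at what the thread reports missing after a restore (the password is gone, so the warning it raises is "re-join the machine", which is the advice given later in the thread).

```python
"""Plan a manual tombstone restore on a Samba AD DC without the recycle bin.
Added example: it only generates the ldbrename command and the ldbmodify
LDIF for the thread's method; it never touches a database."""
import re
import shlex
from dataclasses import dataclass, field

# Deleted objects get the RDN "<rdn>\0ADEL:<objectGUID>" ("\0A" is the
# escaped newline AD inserts) and live under CN=Deleted Objects.
_DELETED_RDN = re.compile(
    r"^(?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>.*)\\0ADEL:"
    r"(?P<guid>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})$")

# Assumption: attributes the thread reports lost after a manual restore;
# a tombstone cannot give them back, so the machine has to re-join.
LOGON_ATTRIBUTES = ("unicodePwd", "primaryGroupID")

# Constructed tombstone (GUID and SID made up) shaped like the DNs in the thread.
SAMPLE_TOMBSTONE = {
    "dn": "CN=MYWS194\\0ADEL:11111111-2222-3333-4444-555555555555,"
          "CN=Deleted Objects,DC=dc,DC=mydom,DC=ru",
    "sAMAccountName": "MYWS194$",
    "objectGUID": "11111111-2222-3333-4444-555555555555",
    "objectSid": "S-1-5-21-1-2-3-1137",
    "isDeleted": "TRUE",
    "lastKnownParent": "CN=Computers,DC=dc,DC=mydom,DC=ru",
}


def split_dn(dn):
    """Split a DN into RDNs on unescaped commas, keeping escapes intact."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escape: copy both characters
            cur.append(dn[i:i + 2])
            i += 2
        elif dn[i] == ",":
            parts.append("".join(cur).strip())
            cur, i = [], i + 1
        else:
            cur.append(dn[i])
            i += 1
    parts.append("".join(cur).strip())
    return parts


def original_rdn(deleted_dn):
    """Return (original RDN, objectGUID) decoded from a deleted object's DN."""
    first = split_dn(deleted_dn)[0]
    m = _DELETED_RDN.match(first)
    if not m:
        raise ValueError(f"not a deleted-object RDN: {first}")
    return f"{m['attr']}={m['value']}", m["guid"].lower()


@dataclass
class RestorePlan:
    restore_dn: str
    object_guid: str
    ldbrename: list                      # argv for the rename step
    ldif: str                            # input for ldbmodify
    warnings: list = field(default_factory=list)


def plan_restore(tombstone, object_category,
                 sam_ldb="/var/lib/samba/private/sam.ldb"):
    """Derive the restore DN and the two edits the thread's method performs."""
    deleted_dn = tombstone["dn"]
    rdn, guid = original_rdn(deleted_dn)
    parent = tombstone.get("lastKnownParent")
    if not parent:
        raise ValueError("lastKnownParent missing: original location unknown")
    restore_dn = f"{rdn},{parent}"

    warnings = []
    if tombstone.get("objectGUID", guid).lower() != guid:
        warnings.append("objectGUID differs from the GUID in the deleted RDN")
    if str(tombstone.get("isRecycled", "")).upper() == "TRUE":
        warnings.append("isRecycled=TRUE: already recycled; the thread saw "
                        "dbcheck errors after restoring such objects")
    missing = [a for a in LOGON_ATTRIBUTES if a not in tombstone]
    if missing:
        warnings.append(f"{', '.join(missing)} absent: re-join the machine "
                        "after the restore")

    # Step 1: move the object back to its last known parent.
    rename_argv = ["ldbrename", "-H", sam_ldb, deleted_dn, restore_dn]
    # Step 2: clear isDeleted (and lastKnownParent, as the post did) and add
    # objectCategory. The post used ldbedit; this LDIF does it via ldbmodify.
    ldif = "\n".join([f"dn: {restore_dn}", "changetype: modify",
                      "delete: isDeleted", "-", "delete: lastKnownParent", "-",
                      "add: objectCategory", f"objectCategory: {object_category}",
                      "-", ""])
    return RestorePlan(restore_dn, guid, rename_argv, ldif, warnings)


if __name__ == "__main__":
    plan = plan_restore(SAMPLE_TOMBSTONE, object_category=
        "CN=Computer,CN=Schema,CN=Configuration,DC=dc,DC=mydom,DC=ru")
    print(shlex.join(plan.ldbrename))
    print("ldbmodify -H /var/lib/samba/private/sam.ldb restore.ldif\n" + plan.ldif)
    for w in plan.warnings:
        print("WARNING:", w)
```

Run it against a tombstone dumped with ldbsearch and it prints the rename command, the LDIF, and a warning whenever the credentials or isRecycled state mean the manual steps alone will not bring the account back to a usable state. The objectCategory schema DN is deliberately a required argument because it differs per object class and forest; guessing it is how objects end up in LostAndFound.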
Andrew Bartlett
2016-Nov-01 17:33 UTC
[Samba] Right way to restore deleted objects (in samba 4.1 or newer with or without "ad recycle bin")
On Tue, 2016-11-01 at 20:07 +0400, Mike Lykov via samba wrote:
> Hello all!
>
> I operate two-dc domain, based on samba 2:4.1.9+dfsg-1~bpo70+1

First, please upgrade to Samba 4.5. This is particularly important if you wish to try and restore a deleted object.

> Forest function level: (Windows) 2003
> Domain function level: (Windows) 2003
> Lowest function level of a DC: (Windows) 2008 R2
>
> AD Recycle bin not enabled (it can be enabled only on Dom.Level 2008R2)

It is also simply not functional in any Samba version. It is so broken that if enabled, it actually just makes it much harder to restore objects.

> Previous week one of our administrators delete computer accounts from AD
> by accident, and we are not able to restore it.

Given that the password would have been deleted with the account, and that cannot be recovered automatically, the solution is to just re-join the affected machine.

> I googling and find that deleting attributes when move it to "deleted
> objects" are controlled by "searchflags" attribute, as listed here:
> https://msdn.microsoft.com/en-us/library/ms679765(v=vs.85).aspx#windows_server_2003_r2
> If I set for some attribute in schema an "8 (0x00000008)" value (in sum
> with other) that attribute must saved. But for edit the schema i must
> set special permissions, are worth it?

Please don't do that.

> Or I need to enable recycle bin and not to mess with schema editing and
> searchflags (additionaly I don't know which attributes I need to
> preserve)?

Please also don't do that. Thanks for reminding us to get that script removed from the existing Samba versions, it only causes dangerous confusion.

> Third question:
> What are right sequence for raise functional level for domain with
> samba-tool domain level raise --domain-level=2008_R2 ?
> Run it on DC with no FSMO roles and then on DC with it, and that's done?

You should only need to do it once, it will replicate.

> What about a changelog for samba 4.5: "Samba now supports tombstone
> reanimation, a feature in the AD DC allowing tombstones, that is objects
> which have been deleted, to be restored with the original SID and GUID
> still in place."
> But are this "tombstone reanimation" conflicts with enabled "recycle
> bin" ? (#10371 comment 25)
> wiki stated that "Windows Tools for Restoring Deleted Objects Does Not
> Work", but #1071 comment says about working "adrestore -r" ?

The windows tools should work now. But as I said at the start, re-joining the client machine is the correct option here.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Mike Lykov
2016-Nov-01 18:53 UTC
[Samba] Right way to restore deleted objects (in samba 4.1 or newer with or without "ad recycle bin")
On 01.11.2016 21:33, Andrew Bartlett wrote:
>> I operate two-dc domain, based on samba 2:4.1.9+dfsg-1~bpo70+1
>
> First, please upgrade to Samba 4.5. This is particularly important if
> you wish to try and restore a deleted object.

By the way, which way to upgrade is better:
- stop samba, install the new deb package, do the actions recommended in the changelogs and start samba again (on one DC and then on the other), OR
- do not stop samba, start a new DC with the new version, join it to the domain as a DC, repeat with one more new DC with the new version, transfer the FSMO roles to the new version, and stop the DCs with the old version?

> Given that the password would have been deleted with the account, and
> that can not be recovered automatically, the solution is to just re-
> join the affected machine.

After trying to restore the objects I got them in the ADUC console without passwords and group membership (objects that were not deleted are in the "Domain Computers" group and have a "primary group"), and then I rejoined the machines successfully. But the computer objects still do not have group membership; does this affect anything?

> The windows tools should work now. But as I said at the start, re-
> joining the client machine is the correct option here.

After all, is the right way now this:
- upgrade to version 4.5.1
- raise the domain level to 2008 R2 (or 2012? or is it not needed?)
- use the Windows tools to restore tombstoned objects
- do not enable the "AD recycle bin" in any way?

What about "losing attributes when deleting without recycle bin" in 4.5.1? I would like to know how to act in a "need to restore objects" situation in the future.

> I hope this helps,

Thanks, I hope it too :)

-- Mike