Andrew Bartlett
2017-May-26 21:40 UTC
[Samba] attributeID is not known in our schema, not fixing replPropertyMetaData
On Fri, 2017-05-26 at 13:32 +0200, Karan Blas via samba wrote:
> I expected that someone had the same problem before.
>
> DBchecker module does not provide a fix for this. The implication is
> that the main Samba DC is working fine but does not allow replication
> with other DCs. They report WERR_DS_DRA_INTERNAL_ERROR in samba-tool
> drs showrepl for two sections: Configuration and the main one
> that contains the users. Other sections replicate fine.
>
> Promoting new DC also does not work. Data (both new and old) are
> locked in this single DC 4.2.14. Exporting the database and importing
> it in 4.6.3 fixes some things but not this one.
>
> We found that replPropertyMetaData is unique for each user, setting
> it empty "fixes the error" but breaks the user object.

Correct, if you delete replPropertyMetaData in any way, you totally break replication.

> How to recreate this attribute properly? How to remove all entries
> about attributeId 0XB7D8382? It was inherited from Exchange.

Have you tried to remove the exchange schema from Samba?

As you are probably aware by now, it is not permitted to remove schema, it will just break the directory. Additionally, we have had various bugs around the schema allocation for the ID numbers, and this is probably where things have gone wrong for you. This is fixed in 4.5.

If this entry is on a deleted object, you could use samba-tool domain tombstones expunge to wipe it by choosing a shorter lifetime than 180 days. That would be the easiest way out of your pickle.

For others, we hope to support the exchange schema soon, via the 2012 schema.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Karan Blas
2017-May-27 01:16 UTC
[Samba] attributeID is not known in our schema, not fixing replPropertyMetaData
> > We found that replPropertyMetaData is unique for each user, setting
> > it empty "fixes the error" but breaks the user object.
>
> Correct, if you delete replPropertyMetaData in any way, you totally
> break replication.

dbcheck should wipe that part of replPropertyMetaData with --fix but it is not implemented.

If that attribute does not replicate, there should be a way to recreate it based on the existing data/attributes of the object?

On the other Samba (with newer version) where --full-sync was not run before disconnecting Win DC, replPropertyMetaData does not contain this attributeID. (We found some tool that decodes the content of the attribute.) Will copying (ldbedit) replPropertyMetaData attribute data only, for each object from the healthy Samba over the damaged one, fix it?

OR

samba-tool drs replicate dc-damaged dc-blank DC=DOMAIN,DC=com

should have flags to skip unknown parts, not to exit on first error

> > How to recreate this attribute properly? How to remove all entries
> > about attributeId 0XB7D8382? It was inherited from Exchange.
>
> Have you tried to remove the exchange schema from Samba?

No, is that possible?

> As you are probably aware by now, it is not permitted to remove schema,
> it will just break the directory. Additionally, we have had various
> bugs around the schema allocation for the ID numbers, and this is
> probably where things have gone wrong for you. This is fixed in 4.5.
>
> If this entry is on a deleted object, you could use samba-tool domain
> tombstones expunge to wipe it by choosing a shorter lifetime than 180
> days. That would be the easiest way out of your pickle.

> For others, we hope to support the exchange schema soon, via the 2012
> schema.

Nice. In this case we do not need Exchange anymore. There should be a wiki for migrating when Exchange already exists. All I can find is that Exchange schema is magical and not supported in Samba.

THANKS! Keep up the good work.
Andrew Bartlett
2017-May-27 04:57 UTC
[Samba] attributeID is not known in our schema, not fixing replPropertyMetaData
On Sat, 2017-05-27 at 03:16 +0200, Karan Blas via samba wrote:
> > > We found that replPropertyMetaData is unique for each user, setting
> > > it empty "fixes the error" but breaks the user object.
> >
> > Correct, if you delete replPropertyMetaData in any way, you totally
> > break replication.
>
> dbcheck should wipe that part of replPropertyMetaData with --fix but it is not implemented.

Correct, with no real-world test case at the time it was not reasonable nor safe to implement a --fix behaviour when we added these checks to dbcheck. So we left it with just the check.

> If that attribute does not replicate, there should be a way to recreate it based on the existing data/attributes of the object?

That might be possible. However you indicated that this object is already deleted. Have you tried upgrading both DCs and just expunging it?

> On the other Samba (with newer version) where --full-sync was not run
> before disconnecting Win DC, replPropertyMetaData does not contain
> this attributeID. (We found some tool that decodes the content of the
> attribute.) Will copying (ldbedit) replPropertyMetaData attribute
> data only, for each object from the healthy Samba over the damaged
> one, fix it?

It is not safe to manually edit replPropertyMetaData, nor copy it between DCs.

> OR
>
> samba-tool drs replicate dc-damaged dc-blank DC=DOMAIN,DC=com
>
> should have flags to skip unknown parts, not to exit on first error

This would not be safe, because when we save the 'up to dateness vector' and the 'highwatermark' we promise that we have obtained and stored each object. We are already battling other errors ('missing objectclass') where objects are skipped unintentionally, and so I won't add such functionality intentionally.

> > > How to recreate this attribute properly? How to remove all entries
> > > about attributeId 0XB7D8382? It was inherited from Exchange.
> >
> > Have you tried to remove the exchange schema from Samba?
>
> No, is that possible?

No, but if you had it might have been a cause.

> > As you are probably aware by now, it is not permitted to remove schema,
> > it will just break the directory. Additionally, we have had various
> > bugs around the schema allocation for the ID numbers, and this is
> > probably where things have gone wrong for you. This is fixed in 4.5.
> >
> > If this entry is on a deleted object, you could use samba-tool domain
> > tombstones expunge to wipe it by choosing a shorter lifetime than 180
> > days. That would be the easiest way out of your pickle.
> >
> > For others, we hope to support the exchange schema soon, via the 2012
> > schema.
>
> Nice. In this case we do not need Exchange anymore. There should be a
> wiki for migrating when Exchange already exists. All I can find is
> that Exchange schema is magical and not supported in Samba.

There should be many wiki articles. You can apply for edit permission if you like :-)

> THANKS! Keep up the good work.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
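
The thread turns on whether a given object's replPropertyMetaData carries an attributeID the local schema cannot resolve. The read-only decoder below is an added example, not code from the thread or from Samba. It assumes the version 1 blob layout (a 16-byte header followed by 48-byte entries); the "known" attid set and the sample blob are constructed, and only 0x0B7D8382 comes from the thread.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Assumed layout (version 1): header = version, reserved, count, reserved;
# then `count` fixed-size entries, all little-endian.
HEADER = struct.Struct("<IIII")
ENTRY = struct.Struct("<IIQ16sQQ")  # attid, version, time, invocation id, USNs
NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_repl_property_metadata(blob):
    """Decode a replPropertyMetaData value into per-attribute stamps."""
    if len(blob) < HEADER.size:
        raise ValueError("blob shorter than header")
    version, _, count, _ = HEADER.unpack_from(blob)
    if version != 1:
        raise ValueError(f"unsupported blob version {version}")
    if len(blob) < HEADER.size + count * ENTRY.size:
        raise ValueError("blob truncated: count exceeds available entries")
    entries = []
    for i in range(count):
        attid, ver, secs, inv, orig_usn, local_usn = ENTRY.unpack_from(
            blob, HEADER.size + i * ENTRY.size)
        entries.append({
            "attid": attid,
            "version": ver,
            "changed": NT_EPOCH + timedelta(seconds=secs),  # 1-second NT time
            "invocation_id": uuid.UUID(bytes_le=inv),
            "originating_usn": orig_usn,
            "local_usn": local_usn,
        })
    return entries


def unknown_attids(entries, known_attids):
    """Return attids present in the blob but absent from the known set."""
    return sorted({e["attid"] for e in entries} - set(known_attids))


def build_sample_blob():
    """Constructed test value, not taken from any real directory."""
    inv = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le
    when = datetime(2017, 5, 26, tzinfo=timezone.utc) - NT_EPOCH
    attids = [0x00000003, 0x00020001, 0x0B7D8382]  # last: attid from the thread
    body = b"".join(ENTRY.pack(a, 1, int(when.total_seconds()), inv, 100 + n, 200 + n)
                    for n, a in enumerate(attids))
    return HEADER.pack(1, 0, len(attids), 0) + body


if __name__ == "__main__":
    stamps = parse_repl_property_metadata(build_sample_blob())
    print([hex(a) for a in unknown_attids(stamps, {0x00000003, 0x00020001})])
```

The decoder only reads the value; as stated in the thread, replPropertyMetaData itself must not be edited or copied between DCs.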