Hello list,
maybe I saw the same error with backlinks. I am trying to use Samba 4.7.0 as an RODC and
perform the join with the "domain-critical-only" option. The smb.conf is generated
by Samba. After starting the joined Samba I got an error like this:
Failed to apply records:
../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4218: Failed to remove
backlink of memberOf when deleting
CN=USER\0ADEL:a1f2a2cc-1179-4734-b753-c121ed02a34c,CN=Deleted
Objects,DC=DOMAIN,DC=intern: dsdb_module_search_dn: did not find base dn
CN=USERSGROUP\0ADEL:030d0be1-3ada-4b93-8371-927f20923116,CN=Deleted
Objects,DC=DOMAIN,DC=intern (0 results): Operations error
Failed to commit objects: WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
USER is a member of the USERSGROUP. If I run ldbsearch and try to find USERGROUP,
it is displayed. Replicating the single object with full-sync did not solve
this issue. Only removing the USERGROUP object with ldbdel and rerunning replication
with --local --full-sync --single-object solved this.
If I run samba-tool drs replication --local ... I load about 40000 objects (~50%
of AD), but only 15000 are in the ldb (DC=DOMAIN,DC=intern). Then I see the error
above and replication starts again, so I run into an endless replication loop.
Some other notes:
If I run dbcheck with --cross-ncs and --fix I get some other errors like this:
ERROR: missing backlink attribute 'memberOf' in
CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern for link member in
CN=PROJ,OU=otherou,DC=GROUPS,DC=DOMAIN,DC=intern
Fix missing backlink memberOf [YES]
Failed to fix missing backlink memberOf : (20, "attribute
'memberOf': value #17 on
'CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern' already
exists")
I didn't see it for the USER object, but for a lot of other objects.
Andrej
-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Andrew
Bartlett via samba
Sent: Saturday, 14 October 2017 20:52
To: Garming Sam <garming at catalyst.net.nz>; thom_schu at gmx.de; samba
at lists.samba.org
Subject: Re: [Samba] samba 4.7.0 replication errors
On Mon, 2017-10-02 at 09:59 +1300, Garming Sam via samba wrote:
> Can you provide a bit more logs? At first glance, it doesn't seem
> quite related to group memberships.
>
I agree, we need more logs here. Turn up the log level and see what the error
causing that final error is.
However, take care not to publish confidential details like staff names and
sensitive attributes like unicodePwd or supplementalCredentials to a public
mailing list.
Running 'samba-tool drs clone-dc-database' against one of the DCs would
be very instructive. This does the same thing as a fresh join, but without
adding any DC objects.
The dbcheck errors you mention are interesting. Backlinks are only implicitly
transferred over DRS replication, but if they are very wrong perhaps the update
of them failed. What did the PowerShell script do?
Did it just delete users, or did it try to remove them from the group first?
If replication broke only after user/group modification, then this may be due to
a latent DB issue, not detected after the initial upgrade because nothing read
or modified those DB entries. Once they were touched the issue became
'live'.
In particular, Samba 4.7.0 includes code to sort links like member within an
attribute. The process to modify the group list after the upgrade to sorted
links might fail if the DB wasn't clean.
A downgrade to Samba 4.6 should be safe in the meantime; we haven't changed
the DB format and it is much less strict in this area (the change was made to
improve performance). However, we would really like to understand the issue more.
Thanks!
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
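Following the caution in the quoted reply about unicodePwd, supplementalCredentials and staff names, this is one way to scrub ldbsearch LDIF output before sending it to a public list. It is an added example, not part of either message and not Samba code; the helper names, the NAME aliases and the sample record are constructed for illustration.

```python
import base64
import re
# The two secret attributes named in the reply above (case-insensitive match).
SENSITIVE = {"unicodepwd", "supplementalcredentials"}
ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")

def unfold(text):
    """Join LDIF continuation lines (each starts with one space) to their value."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def redact(text, names=()):
    """Drop secret values and replace each given name with a stable alias."""
    alias = {n: f"NAME{i}" for i, n in enumerate(names, 1)}
    def swap(s):
        for n in sorted(alias, key=len, reverse=True):  # longest name first
            s = re.sub(re.escape(n), alias[n], s, flags=re.I)
        return s
    out = []
    for line in unfold(text):
        m = ATTR_RE.match(line)
        attr = m.group(1) if m else ""
        if attr.split(";")[0].lower() in SENSITIVE:
            line = f"{attr}: <REDACTED>"  # folded tail is already merged in
        elif m and m.group(2) == "::":
            try:  # decode so a name cannot pass through base64-encoded
                plain = base64.b64decode(m.group(3)).decode("utf-8")
            except ValueError:  # bad base64 or binary data: withhold it
                plain = None
            if plain is None or swap(plain) != plain:
                line = f"{attr}: <REDACTED-BASE64>"
        else:
            line = swap(line)
        out.append(line)
    return "\n".join(out)

# Constructed sample in ldbsearch LDIF style; every value is made up.
SAMPLE = """\
dn: CN=Jane Doe,OU=Staff,DC=example,DC=test
sAMAccountName: jdoe
displayName:: SmFuZSBEb2U=
memberOf: CN=Projects,OU=Groups,DC=example,DC=test
unicodePwd:: RkFLRS1GQUtFLUZBS0U=
 RkFLRS1UQUlM
"""
```

Calling `redact(SAMPLE, names=["Jane Doe", "jdoe"])` keeps the member/memberOf structure readable while removing the folded password value, which a line-based filter on the attribute name would leave behind.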