On Mon, 2017-10-16 at 13:07 +0000, Andrej Gessel via samba wrote:
> Hello list,
>
> maybe I saw the same error with backlinks. I try to use Samba 4.7.0 as rodc and perform join with "domain-critical-only"-option. Smb.conf is generated by samba. After starting joined samba I got an error like this:

Does it change if you don't use that option?

> Failed to apply records: ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4218: Failed to remove backlink of memberOf when deleting CN=USER\0ADEL:a1f2a2cc-1179-4734-b753-c121ed02a34c,CN=Deleted Objects,DC=DOMAIN,DC=intern: dsdb_module_search_dn: did not find base dn CN=USERSGROUP\0ADEL:030d0be1-3ada-4b93-8371-927f20923116,CN=Deleted Objects,DC=DOMAIN,DC=intern (0 results): Operations error
> Failed to commit objects: WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
>
> USER is member of the USERSGROUP. If I run ldbsearch and try to find USERGROUP it will be displayed. Replicating single-object with full-sync did not solve this issue. Only removing the USERGROUP object with ldbdel and rerunning replication with --local --full-sync --single-object solved this.
>
> If I run samba-tool drs replication --local ... I load about 40000 objects (~50% of AD), but only 15000 are in the ldb (DC=DOMAIN,DC=intern). Then I see the error above and replication starts again, so I run into an endless replication loop.
>
> Some other notes:
>
> If I run dbcheck with --cross-ncs and --fix I got some other errors like this:
>
> ERROR: missing backlink attribute 'memberOf' in
> CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern for link member in
> CN=PROJ,OU=otherou,DC=GROUPS,DC=DOMAIN,DC=intern
> Fix missing backlink memberOf [YES]
> Failed to fix missing backlink memberOf : (20, "attribute 'memberOf': value #17 on 'CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern' already exists")

Can you show me the memberOf values on that user?

ldbsearch -s base -b CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern --reveal --extended-dn

Thanks,

Andrew Bartlett

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Hello Andrew,

I cannot run complete domain join without this option, because of my hardware limitations. The join ends with "Committing SAM database" and python exception, because no more memory is available.

If I run ldbsearch with --extended-dn I got this error message:

search failed - Unsupported critical extension 1.2.840.113556.1.4.529

If I run ldbsearch without this option no memberOf attribute but 2 member attributes were found. And notice, that it is not a user, it is a group.

Andrej
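The dbcheck error quoted in this thread is about a forward link (`member`) whose matching backlink (`memberOf`) is missing. As an added example (not code from the thread or from Samba), the sketch below runs that consistency check over LDIF text in the shape ldbsearch prints; the sample data, DNs and function names are constructed for illustration, and it assumes the dump contains both ends of each link.

```python
import base64
import re
from collections import defaultdict

# Constructed sample shaped like ldbsearch LDIF output (not data from the thread).
SAMPLE_LDIF = """\
dn: CN=ProjA,OU=Groups,DC=example,DC=test
member: CN=Alice,OU=People,DC=example,DC=test
member: <GUID=11111111-2222-3333-4444-555555555555>;CN=Bob,OU=People,DC=exampl
 e,DC=test

dn: CN=Old,OU=Groups,DC=example,DC=test

dn: CN=Alice,OU=People,DC=example,DC=test
memberOf: CN=ProjA,OU=Groups,DC=example,DC=test

dn: CN=Bob,OU=People,DC=example,DC=test
memberOf: CN=Old,OU=Groups,DC=example,DC=test
"""

def norm_dn(value):
    """Strip extended-DN components such as <GUID=...>; and fold case."""
    return re.sub(r"^(<[^>]*>;)+", "", value.strip()).lower()

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; handles folded lines and base64 values."""
    entries, current = {}, None
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            current = None  # a blank line ends the record
            continue
        if line.startswith("#") or ":" not in line:
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(norm_dn(value), defaultdict(list))
        elif current is not None:
            current[attr.lower()].append(value)
    return entries

def link_mismatches(entries, forward="member", backward="memberof"):
    """Return (missing_backlinks, stale_backlinks) as (object_dn, group_dn) pairs."""
    fwd = {(norm_dn(m), g) for g, e in entries.items() for m in e.get(forward, [])}
    back = {(o, norm_dn(g)) for o, e in entries.items() for g in e.get(backward, [])}
    return (sorted(p for p in fwd - back if p[0] in entries),
            sorted(p for p in back - fwd if p[1] in entries))
```

Pairs are reported only when both objects appear in the dump, so an object outside the search scope is not flagged as a mismatch.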
I wasn't using the domain-critical-only setting when I had the backlink issues.

Thanks,
Arthur