Hello last week we updated three domain controllers (Sernet Samba) from 4.2 to 4.7, typical upgrade path (4.3->4.4->4.5->4.6->4.7), everything was ok. The next day we got a mail from the Sernet team informing they fixed a bug affecting the group memberships. https://bugzilla.samba.org/show_bug.cgi?id=13095 We've applied the update and few days after the update which should fix the bug, we got a database corruption with multiple times the same user in a group and the coherency check between all DC was bad. I tried a dbcheck --cross-ncs --fix --yes, it fixed several errors (>2000) but now i still have 372 persistant errors and the dbcheck script won't fix them. The domain is still working great, creating / removing users, edit membership, the replication, everything works. Here's a part of the errors, all of them are "missing backlink" or "orphaned backlink". [root at dc1 ~]# samba-tool dbcheck Checking 1233 objects ERROR: orphaned backlink attribute 'memberOf' in CN=Gérard Dellaval,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in CN=cpas_ila,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com Not removing orphaned backlink memberOf ERROR: orphaned backlink attribute 'memberOf' in CN=Gérard Dellaval,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in CN=cpas_insertion,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com Not removing orphaned backlink memberOf ERROR: orphaned backlink attribute 'memberOf' in CN=Gérard Dellaval,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in CN=cpas_report_bud,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com Not removing orphaned backlink memberOf ERROR: orphaned backlink attribute 'memberOf' in CN=Gérard Dellaval,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in CN=cpas_public_commun,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com Not removing orphaned backlink memberOf ERROR: orphaned backlink attribute 'memberOf' in CN=Gérard Dellaval,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in CN=cpas_report,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com Not removing orphaned backlink memberOf ERROR: orphaned backlink attribute 'memberOf' in CN=Gérard Dellaval,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in CN=cpas_applic,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com Not removing orphaned backlink memberOf ERROR: orphaned backlink attribute 'memberOf' in CN=Willy Gaspard,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in CN=cpas_insertion,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com Not removing orphaned backlink memberOf ERROR: orphaned backlink attribute 'memberOf' in CN=Willy Gaspard,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in CN=cpas_art_60,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com Not removing orphaned backlink memberOf ERROR: orphaned backlink attribute 'memberOf' in CN=Willy Gaspard,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in CN=cpas_report_bud,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com Not removing orphaned backlink memberOf ERROR: orphaned backlink attribute 'memberOf' in CN=Willy Gaspard,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in CN=cpas_public_commun,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com Not removing orphaned backlink memberOf ERROR: orphaned backlink attribute 'memberOf' in CN=Willy Gaspard,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in CN=cpas_energie,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com Not removing orphaned backlink memberOf ERROR: orphaned backlink attribute 'memberOf' in CN=Willy Gaspard,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in CN=cpas_accueil,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com Not removing orphaned backlink memberOf ERROR: orphaned backlink attribute 'memberOf' in CN=Willy Gaspard,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in CN=cpas_ss,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com Not removing orphaned backlink memberOf ERROR: orphaned backlink attribute 'memberOf' in CN=Willy Gaspard,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in CN=cpas_smd,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com Not removing orphaned backlink memberOf ERROR: missing backlink attribute 'memberOf' in CN=Marine Mathias,OU=AC,OU=MUSERS,DC=contoso,DC=com for link member in CN=cee_03,OU=AC,OU=MGROUPS,DC=contoso,DC=com ...... Not removing orphaned backlink memberOf ERROR: missing backlink attribute 'memberOf' in CN=Sabine Dillien,OU=AC,OU=MUSERS,DC=contoso,DC=com for link member in CN=cee,OU=AC,OU=MGROUPS,DC=contoso,DC=com Not fixing missing backlink memberOf ERROR: missing backlink attribute 'memberOf' in CN=Sabine Dillien,OU=AC,OU=MUSERS,DC=contoso,DC=com for link member in CN=cee,OU=AC,OU=MGROUPS,DC=contoso,DC=com Not fixing missing backlink memberOf ERROR: missing backlink attribute 'memberOf' in CN=Sabine Dillien,OU=AC,OU=MUSERS,DC=contoso,DC=com for link member in CN=cee,OU=AC,OU=MGROUPS,DC=contoso,DC=com Not fixing missing backlink memberOf ERROR: missing backlink attribute 'memberOf' in CN=Sabine Dillien,OU=AC,OU=MUSERS,DC=contoso,DC=com for link member in CN=cee,OU=AC,OU=MGROUPS,DC=contoso,DC=com Not fixing missing backlink memberOf ERROR: missing backlink attribute 'memberOf' in CN=Jean-Paul Tistaert,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in CN=cpas_applic,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com Not fixing missing backlink memberOf ERROR: missing backlink attribute 'memberOf' in CN=Jean-Paul Tistaert,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in CN=cpas_applic,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com Not fixing missing backlink memberOf ERROR: missing backlink attribute 'memberOf' in CN=Cédric De Mul,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in CN=cpas_applic,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com Not fixing missing backlink memberOf ERROR: missing backlink attribute 'memberOf' in CN=Jean-Paul Tistaert,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in CN=cpas_applic,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com Not fixing missing backlink memberOf ERROR: missing backlink attribute 'memberOf' in CN=Cédric De Mul,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in CN=cpas_applic,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com Not fixing missing backlink memberOf ERROR: orphaned backlink attribute 'memberOf' in CN=Sabine Dillien,OU=AC,OU=MUSERS,DC=contoso,DC=com for link member in CN=cee_outils,OU=AC,OU=MGROUPS,DC=contoso,DC=com Not removing orphaned backlink memberOf Please use --fix to fix these errors Checked 1233 objects (372 errors) Is there any script or update to fix this issue ? Thanks.
Hi Samba team and Maxence,> last week we updated three domain controllers (Sernet Samba) from 4.2 to > 4.7, typical upgrade path (4.3->4.4->4.5->4.6->4.7), everything was ok. > > The next day we got a mail from the Sernet team informing they fixed a > bug affecting the group memberships. > > https://bugzilla.samba.org/show_bug.cgi?id=13095 > > We've applied the update and few days after the update which should fix > the bug, we got a database corruption with multiple times the same user > in a group and the coherency check between all DC was bad. > > I tried a dbcheck --cross-ncs --fix --yes, it fixed several errors > (>2000) but now i still have 372 persistant errors and the dbcheck > script won't fix them. > > The domain is still working great, creating / removing users, edit > membership, the replication, everything works. > > Here's a part of the errors, all of them are "missing backlink" or > "orphaned backlink".one of my colleague had the same issue after upgrade to 4.7.0 very recently. We didn't have much time to look into it, so we just cleaned up the member and memberof attributes (samba-tool group removemembers + some ldbmodify) , then add back the users to the groups. It needed some scripting to automate the stuff but it worked fine and dbcheck is now happy. Actually, as that specific domain has seen most upgrades from early 4.0 beta to 4.7, I was not sure if I was stumbling on some rotten entries in my ldb database, or if it was a more widespread bug :-) Cheers, Denis> > [root at dc1 ~]# samba-tool dbcheck > Checking 1233 objects > ERROR: orphaned backlink attribute 'memberOf' in CN=Gérard > Dellaval,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cpas_ila,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com > Not removing orphaned backlink memberOf > ERROR: orphaned backlink attribute 'memberOf' in CN=Gérard > Dellaval,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cpas_insertion,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com > Not removing orphaned backlink memberOf > ERROR: orphaned backlink attribute 'memberOf' in CN=Gérard > Dellaval,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cpas_report_bud,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com > Not removing orphaned backlink memberOf > ERROR: orphaned backlink attribute 'memberOf' in CN=Gérard > Dellaval,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cpas_public_commun,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com > Not removing orphaned backlink memberOf > ERROR: orphaned backlink attribute 'memberOf' in CN=Gérard > Dellaval,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cpas_report,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com > Not removing orphaned backlink memberOf > ERROR: orphaned backlink attribute 'memberOf' in CN=Gérard > Dellaval,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cpas_applic,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com > Not removing orphaned backlink memberOf > ERROR: orphaned backlink attribute 'memberOf' in CN=Willy > Gaspard,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cpas_insertion,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com > Not removing orphaned backlink memberOf > ERROR: orphaned backlink attribute 'memberOf' in CN=Willy > Gaspard,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cpas_art_60,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com > Not removing orphaned backlink memberOf > ERROR: orphaned backlink attribute 'memberOf' in CN=Willy > Gaspard,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cpas_report_bud,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com > Not removing orphaned backlink memberOf > ERROR: orphaned backlink attribute 'memberOf' in CN=Willy > Gaspard,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cpas_public_commun,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com > Not removing orphaned backlink memberOf > ERROR: orphaned backlink attribute 'memberOf' in CN=Willy > Gaspard,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cpas_energie,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com > Not removing orphaned backlink memberOf > ERROR: orphaned backlink attribute 'memberOf' in CN=Willy > Gaspard,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cpas_accueil,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com > Not removing orphaned backlink memberOf > ERROR: orphaned backlink attribute 'memberOf' in CN=Willy > Gaspard,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cpas_ss,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com > Not removing orphaned backlink memberOf > ERROR: orphaned backlink attribute 'memberOf' in CN=Willy > Gaspard,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cpas_smd,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com > Not removing orphaned backlink memberOf > ERROR: missing backlink attribute 'memberOf' in CN=Marine > Mathias,OU=AC,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cee_03,OU=AC,OU=MGROUPS,DC=contoso,DC=com > ...... > Not removing orphaned backlink memberOf > ERROR: missing backlink attribute 'memberOf' in CN=Sabine > Dillien,OU=AC,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cee,OU=AC,OU=MGROUPS,DC=contoso,DC=com > Not fixing missing backlink memberOf > ERROR: missing backlink attribute 'memberOf' in CN=Sabine > Dillien,OU=AC,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cee,OU=AC,OU=MGROUPS,DC=contoso,DC=com > Not fixing missing backlink memberOf > ERROR: missing backlink attribute 'memberOf' in CN=Sabine > Dillien,OU=AC,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cee,OU=AC,OU=MGROUPS,DC=contoso,DC=com > Not fixing missing backlink memberOf > ERROR: missing backlink attribute 'memberOf' in CN=Sabine > Dillien,OU=AC,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cee,OU=AC,OU=MGROUPS,DC=contoso,DC=com > Not fixing missing backlink memberOf > ERROR: missing backlink attribute 'memberOf' in CN=Jean-Paul > Tistaert,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cpas_applic,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com > Not fixing missing backlink memberOf > ERROR: missing backlink attribute 'memberOf' in CN=Jean-Paul > Tistaert,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cpas_applic,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com > Not fixing missing backlink memberOf > ERROR: missing backlink attribute 'memberOf' in CN=Cédric De > Mul,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cpas_applic,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com > Not fixing missing backlink memberOf > ERROR: missing backlink attribute 'memberOf' in CN=Jean-Paul > Tistaert,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cpas_applic,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com > Not fixing missing backlink memberOf > ERROR: missing backlink attribute 'memberOf' in CN=Cédric De > Mul,OU=CPAS,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cpas_applic,OU=CPAS,OU=MGROUPS,DC=contoso,DC=com > Not fixing missing backlink memberOf > ERROR: orphaned backlink attribute 'memberOf' in CN=Sabine > Dillien,OU=AC,OU=MUSERS,DC=contoso,DC=com for link member in > CN=cee_outils,OU=AC,OU=MGROUPS,DC=contoso,DC=com > Not removing orphaned backlink memberOf > Please use --fix to fix these errors > Checked 1233 objects (372 errors) > > Is there any script or update to fix this issue ? > > > Thanks. > >-- Denis Cardon Tranquil IT Systems Les Espaces Jules Verne, bâtiment A 12 avenue Jules Verne 44230 Saint Sébastien sur Loire tel : +33 (0) 2.40.97.57.55 http://www.tranquil-it-systems.fr
On Thu, 2017-11-02 at 15:56 +0100, Denis Cardon via samba wrote:> Hi Samba team and Maxence, > > > last week we updated three domain controllers (Sernet Samba) from 4.2 to > > 4.7, typical upgrade path (4.3->4.4->4.5->4.6->4.7), everything was ok. > > > > The next day we got a mail from the Sernet team informing they fixed a > > bug affecting the group memberships. > > > > https://bugzilla.samba.org/show_bug.cgi?id=13095 > > > > We've applied the update and few days after the update which should fix > > the bug, we got a database corruption with multiple times the same user > > in a group and the coherency check between all DC was bad. > > > > I tried a dbcheck --cross-ncs --fix --yes, it fixed several errors > > (>2000) but now i still have 372 persistant errors and the dbcheck > > script won't fix them. > > > > The domain is still working great, creating / removing users, edit > > membership, the replication, everything works. > > > > Here's a part of the errors, all of them are "missing backlink" or > > "orphaned backlink". > > one of my colleague had the same issue after upgrade to 4.7.0 very > recently. We didn't have much time to look into it, so we just cleaned > up the member and memberof attributes (samba-tool group removemembers + > some ldbmodify) , then add back the users to the groups. It needed some > scripting to automate the stuff but it worked fine and dbcheck is now > happy. > > Actually, as that specific domain has seen most upgrades from early 4.0 > beta to 4.7, I was not sure if I was stumbling on some rotten entries in > my ldb database, or if it was a more widespread bug :-)Metze has some patches that should better fix the backlink issue in dbcheck, and I've proposed some patches to ensure that additional backlinks don't cause trouble if the object needs to be deleted. If dbcheck gives any more information when it fails to fix the missing or orphaned backlink, it would be helpful to see that so we can ensure we cover all the test cases needed for this. Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba