rommelrt at nauta.cu
2018-Mar-12 21:50 UTC
[Samba] Problem with data base after abnormal shutdown
Hello;
Last week the power (energy) to the servers failed and everything shut down.
When the power came back, on checking I found that the samba4 AD DC has
problems. It works, but the users in some of the containers or OUs
disappeared; I mean, when I check with RSAT, the OU in which the user
must be is empty.
When I try to run # samba-tool dbcheck this is what I get:
[root at gtmad ~]# samba-tool dbcheck
ltdb:
tdb(/var/lib/samba/private/sam.ldb.d/DC=GTM,DC=ONAT,DC=GOB,DC=CU.ldb):
tdb_rec_read bad magic 0x303038 at offset=2613200
ERROR(ldb): uncaught exception - Indexed and full searches both failed!
File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/samba/netcmd/dbcheck.py",
line 157, in run
controls=controls, attrs=attrs)
File "/usr/lib64/python2.7/site-packages/samba/dbchecker.py", line
188, in check_database
res = self.samdb.search(base=DN, scope=scope, attrs=['dn'],
controls=controls)
[root at gtmad ~]# samba-tool dbcheck --cross-ncs
ltdb:
tdb(/var/lib/samba/private/sam.ldb.d/DC=GTM,DC=ONAT,DC=GOB,DC=CU.ldb):
tdb_rec_read bad magic 0x303038 at offset=2613200
ERROR(ldb): uncaught exception - Indexed and full searches both failed!
File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/samba/netcmd/dbcheck.py",
line 157, in run
controls=controls, attrs=attrs)
File "/usr/lib64/python2.7/site-packages/samba/dbchecker.py", line
188, in check_database
res = self.samdb.search(base=DN, scope=scope, attrs=['dn'],
controls=controls)
[root at gtmad ~]# samba-tool dbcheck --cross-ncs --fix --yes
ltdb:
tdb(/var/lib/samba/private/sam.ldb.d/DC=GTM,DC=ONAT,DC=GOB,DC=CU.ldb):
tdb_rec_read bad magic 0x303038 at offset=2613200
ERROR(ldb): uncaught exception - Indexed and full searches both failed!
File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py",
line 176, in _run
return self.run(*args, **kwargs)
File "/usr/lib64/python2.7/site-packages/samba/netcmd/dbcheck.py",
line 157, in run
controls=controls, attrs=attrs)
File "/usr/lib64/python2.7/site-packages/samba/dbchecker.py", line
188, in check_database
res = self.samdb.search(base=DN, scope=scope, attrs=['dn'],
controls=controls)
Always the same result.
But when I query for some of the users that disappeared from the OU with
samba-tool user edit, this is the result:
[root at gtmad ~]# samba-tool user edit orelvis
dn: CN=Orelvis Caraballo Pileta,OU=juridico,OU=gtm,DC=gtm,DC=onat,DC=gob,DC=cu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Orelvis Caraballo Pileta
sn: Caraballo Pileta
givenName: Orelvis
instanceType: 4
whenCreated: 20151116213548.0Z
displayName: Orelvis Caraballo Pileta
uSNCreated: 4030
name: Orelvis Caraballo Pileta
objectGUID: d7685d1c-8042-49d4-8d21-3c5b7f43316f
codePage: 0
countryCode: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-401494700-3510482446-2017854258-1137
accountExpires: 9223372036854775807
sAMAccountName: orelvis
sAMAccountType: 805306368
userPrincipalName: orelvis at gtm.onat.gob.cu
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=
cu
userAccountControl: 512
memberOf: CN=juridico,OU=juridico,OU=gtm,DC=gtm,DC=onat,DC=gob,DC=cu
memberOf: CN=GFI_ESEC_ImagingDevices_FullAccess,CN=Users,DC=gtm,DC=onat,DC=gob
,DC=cu
homeDrive: S:
homeDirectory: \\gtmdato\salva_usuario\orelvis
userWorkstations: p117
pwdLastSet: 131617067116906820
lockoutTime: 0
lastLogonTimestamp: 131650797897292230
whenChanged: 20180309143629.0Z
uSNChanged: 139697
badPasswordTime: 131650927578286600
badPwdCount: 0
lastLogon: 131653371434683940
logonCount: 149623
distinguishedName: CN=Orelvis Caraballo Pileta,OU=juridico,OU=gtm,DC=gtm,DC=on
at,DC=gob,DC=cu
As you can see, he is still in OU juridico.
I created again the users that had disappeared from their container
or OU, but the problem with the command is still there.
Is there something that I can do to solve this? Did I do well creating
the users again?
Rommel Rodriguez Toirac
rommelrt at nauta.cu
Andrew Bartlett
2018-Mar-12 22:01 UTC
[Samba] Problem with data base after abnormal shutdown
On Mon, 2018-03-12 at 17:50 -0400, Rommel Rodriguez Toirac via samba wrote:
> Hello;
> Last week the power (energy) to the servers failed and everything shut down.
> When the power came back, on checking I found that the samba4 AD DC has
> problems. It works, but the users in some of the containers or OUs
> disappeared; I mean, when I check with RSAT, the OU in which the user
> must be is empty.
> When I try to run # samba-tool dbcheck this is what I get:
>
> [root at gtmad ~]# samba-tool dbcheck
> ltdb:
> tdb(/var/lib/samba/private/sam.ldb.d/DC=GTM,DC=ONAT,DC=GOB,DC=CU.ldb):
> tdb_rec_read bad magic 0x303038 at offset=2613200
>
> ERROR(ldb): uncaught exception - Indexed and full searches both failed!

> [root at gtmad ~]# samba-tool user edit orelvis
>
> dn: CN=Orelvis Caraballo Pileta,OU=juridico,OU=gtm,DC=gtm,DC=onat,DC=gob,DC=cu

> As you can see, he is still in OU juridico.
>
> I created again the users that had disappeared from their container
> or OU, but the problem with the command is still there.
> Is there something that I can do to solve this? Did I do well creating
> the users again?

Your database is in very bad shape, and I hope you have good backups, as you are better to try and work from them.

Assuming you don't, I hope you at least have good backups from before you started trying to fix this.

Additionally, please look at the storage architecture you are using, as Samba's TDB is meant to be poweroff safe, assuming the OS is honouring the fsync() calls it makes. However sometimes the layers under Samba can ignore that.

Finally, to work with this file, you need to use the ldbdump tool. This has two modes, a normal search of the DB and an emergency search looking for special magic values in the database to work around corruption.

Your task is to try and extract as much as possible of the domain and work out if you either have all the objects (in which case re-injecting the objects into a new tdb backend database, and running dbcheck --reindex might be enough) or if you need to re-create your domain with the same parameters and then manually re-inject some objects (watching out for SID collision).

Both of these are not tasks for the faint of heart! You would do best to get some professional support for such a recovery.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT https://catalyst.net.nz/services/samba
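
The contrast between a normal read and an emergency scan for magic values, as an added example (not Samba's or ldbdump's code, and not part of either message). It assumes the six-field 32-bit record header of tdb's struct tdb_record with TDB_MAGIC 0x26011999 on a little-endian host, lays records out back to back for simplicity, and runs on a constructed buffer whose second header has its magic overwritten so that it reads back as the 0x303038 seen in the log above.

```python
import struct

# Assumed layout (tdb's struct tdb_record, little-endian host): six 32-bit
# fields: next, rec_len, key_len, data_len, full_hash, magic.
HDR = struct.Struct("<6I")
TDB_MAGIC = 0x26011999  # magic value of a live record

def make_record(key, data):
    """Build one record for the constructed sample (body padded to 4 bytes)."""
    body = key + data
    body += b"\0" * (-len(body) % 4)
    return HDR.pack(0, len(body), len(key), len(data), 0, TDB_MAGIC) + body

def strict_walk(buf):
    """Normal read: trust every header, stop at the first bad magic."""
    off, keys = 0, []
    while off + HDR.size <= len(buf):
        _, rec_len, key_len, _, _, magic = HDR.unpack_from(buf, off)
        if magic != TDB_MAGIC:
            raise ValueError(f"bad magic {magic:#x} at offset={off}")
        keys.append(buf[off + HDR.size: off + HDR.size + key_len])
        off += HDR.size + rec_len
    return keys

def salvage(buf):
    """Emergency read: scan 4-byte-aligned offsets for plausible live headers."""
    off, found = 0, []
    while off + HDR.size <= len(buf):
        _, rec_len, key_len, data_len, _, magic = HDR.unpack_from(buf, off)
        body = off + HDR.size
        if (magic == TDB_MAGIC and key_len + data_len <= rec_len
                and body + rec_len <= len(buf)):
            key = buf[body: body + key_len]
            found.append((off, key, buf[body + key_len: body + key_len + data_len]))
            off = body + rec_len      # resume after the recovered record
        else:
            off += 4                  # not a header here, keep scanning
    return found

# Constructed sample: three records, the second header's magic overwritten by
# the ASCII bytes "800\0", which reads back as 0x303038.
R = [make_record(b"DN=CN=ALICE,OU=X\0", b"alice-data"),
     make_record(b"DN=CN=BOB,OU=X\0", b"bob-data"),
     make_record(b"DN=CN=CAROL,OU=X\0", b"carol-data")]
SAMPLE = R[0] + R[1][:20] + b"800\0" + R[1][24:] + R[2]

if __name__ == "__main__":
    try:
        strict_walk(SAMPLE)
    except ValueError as e:
        print("strict:", e)
    print("salvaged:", [k for _, k, _ in salvage(SAMPLE)])
```

The damaged record itself is not recovered; the scan only regains the intact records on either side of it, which is why the extracted objects still have to be compared against what the domain should contain.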