rommelrt at nauta.cu
2018-Mar-12 21:50 UTC
[Samba] Problem with data base after abnormal shutdown
Hello;
last week the power (energy) of the servers failed and everything shut down. When the power came back, during the check I found that the samba4 AD DC has problems. It works, but the users in some of the containers or OUs disappeared; I mean, when I check with RSAT, the OU in which the users must be is empty.
When I try to run # samba-tool dbcheck this is what I have:

[root@gtmad ~]# samba-tool dbcheck
ltdb: tdb(/var/lib/samba/private/sam.ldb.d/DC=GTM,DC=ONAT,DC=GOB,DC=CU.ldb): tdb_rec_read bad magic 0x303038 at offset=2613200

ERROR(ldb): uncaught exception - Indexed and full searches both failed!
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dbcheck.py", line 157, in run
    controls=controls, attrs=attrs)
  File "/usr/lib64/python2.7/site-packages/samba/dbchecker.py", line 188, in check_database
    res = self.samdb.search(base=DN, scope=scope, attrs=['dn'], controls=controls)

[root@gtmad ~]# samba-tool dbcheck --cross-ncs
ltdb: tdb(/var/lib/samba/private/sam.ldb.d/DC=GTM,DC=ONAT,DC=GOB,DC=CU.ldb): tdb_rec_read bad magic 0x303038 at offset=2613200

ERROR(ldb): uncaught exception - Indexed and full searches both failed!
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dbcheck.py", line 157, in run
    controls=controls, attrs=attrs)
  File "/usr/lib64/python2.7/site-packages/samba/dbchecker.py", line 188, in check_database
    res = self.samdb.search(base=DN, scope=scope, attrs=['dn'], controls=controls)

[root@gtmad ~]# samba-tool dbcheck --cross-ncs --fix --yes
ltdb: tdb(/var/lib/samba/private/sam.ldb.d/DC=GTM,DC=ONAT,DC=GOB,DC=CU.ldb): tdb_rec_read bad magic 0x303038 at offset=2613200

ERROR(ldb): uncaught exception - Indexed and full searches both failed!
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 176, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dbcheck.py", line 157, in run
    controls=controls, attrs=attrs)
  File "/usr/lib64/python2.7/site-packages/samba/dbchecker.py", line 188, in check_database
    res = self.samdb.search(base=DN, scope=scope, attrs=['dn'], controls=controls)

Always the same result. But when I query for some of the users that disappeared from the OU with samba-tool user edit, this is the result:

[root@gtmad ~]# samba-tool user edit orelvis

dn: CN=Orelvis Caraballo Pileta,OU=juridico,OU=gtm,DC=gtm,DC=onat,DC=gob,DC=cu
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Orelvis Caraballo Pileta
sn: Caraballo Pileta
givenName: Orelvis
instanceType: 4
whenCreated: 20151116213548.0Z
displayName: Orelvis Caraballo Pileta
uSNCreated: 4030
name: Orelvis Caraballo Pileta
objectGUID: d7685d1c-8042-49d4-8d21-3c5b7f43316f
codePage: 0
countryCode: 0
lastLogoff: 0
primaryGroupID: 513
objectSid: S-1-5-21-401494700-3510482446-2017854258-1137
accountExpires: 9223372036854775807
sAMAccountName: orelvis
sAMAccountType: 805306368
userPrincipalName: orelvis@gtm.onat.gob.cu
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=gtm,DC=onat,DC=gob,DC=
 cu
userAccountControl: 512
memberOf: CN=juridico,OU=juridico,OU=gtm,DC=gtm,DC=onat,DC=gob,DC=cu
memberOf: CN=GFI_ESEC_ImagingDevices_FullAccess,CN=Users,DC=gtm,DC=onat,DC=gob
 ,DC=cu
homeDrive: S:
homeDirectory: \\gtmdato\salva_usuario\orelvis
userWorkstations: p117
pwdLastSet: 131617067116906820
lockoutTime: 0
lastLogonTimestamp: 131650797897292230
whenChanged: 20180309143629.0Z
uSNChanged: 139697
badPasswordTime: 131650927578286600
badPwdCount: 0
lastLogon: 131653371434683940
logonCount: 149623
distinguishedName: CN=Orelvis Caraballo Pileta,OU=juridico,OU=gtm,DC=gtm,DC=on
 at,DC=gob,DC=cu

As you can see, still in OU juridico.

I created again the users that had disappeared from their container or OU, but the problem with the command is still there.
Is there something that I can do to solve this? Did I do well creating the users again?

Rommel Rodriguez Toirac
rommelrt at nauta.cu
Andrew Bartlett
2018-Mar-12 22:01 UTC
[Samba] Problem with data base after abnormal shutdown
On Mon, 2018-03-12 at 17:50 -0400, Rommel Rodriguez Toirac via samba wrote:
> Hello;
> last week the power (energy) of the servers failed and everything shut down.
> When the power came back, during the check I found that the samba4 AD DC has
> problems. It works, but the users in some of the containers or OUs
> disappeared; I mean, when I check with RSAT, the OU in which the users
> must be is empty.
> When I try to run # samba-tool dbcheck this is what I have:
>
> [root@gtmad ~]# samba-tool dbcheck
> ltdb: tdb(/var/lib/samba/private/sam.ldb.d/DC=GTM,DC=ONAT,DC=GOB,DC=CU.ldb): tdb_rec_read bad magic 0x303038 at offset=2613200
>
> ERROR(ldb): uncaught exception - Indexed and full searches both failed!

> [root@gtmad ~]# samba-tool user edit orelvis
>
> dn: CN=Orelvis Caraballo Pileta,OU=juridico,OU=gtm,DC=gtm,DC=onat,DC=gob,DC=cu

> As you can see, still in OU juridico.
>
> I created again the users that had disappeared from their container
> or OU, but the problem with the command is still there.
> Is there something that I can do to solve this? Did I do well creating
> the users again?

Your database is in very bad shape, and I hope you have good backups, as you are better to try and work from them. Assuming you don't, I hope you at least have good backups from before you started trying to fix this.

Additionally, please look at the storage architecture you are using, as Samba's TDB is meant to be poweroff safe, assuming the OS is honouring the fsync() calls it makes. However sometimes the layers under Samba can ignore that.

Finally, to work with this file, you need to use the ldbdump tool. This has two modes, a normal search of the DB and an emergency search looking for special magic values in the database to work around corruption.

Your task is to try and extract as much as possible of the domain and work out if you either have all the objects (in which case re-injecting the objects into a new tdb backend database, and running dbcheck --reindex might be enough) or if you need to re-create your domain with the same parameters and then manually re-inject some objects (watching out for SID collision).

Both of these are not tasks for the faint of heart! You would do best to get some professional support for such a recovery.

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
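
The SID-collision check mentioned in the reply above can be run as a pre-flight comparison before anything is re-injected. The following Python is an added example, not part of the thread or of Samba: it assumes the recovered objects and the live directory are both available as LDIF text, handles folded lines and base64 (binary) objectSid values, and every name, SID and record in it is constructed.

```python
import base64
import re
import struct

def sid_to_str(raw):
    """Binary SID: revision, count, 6-byte big-endian authority, LE 32-bit sub-authorities."""
    subs = struct.unpack("<%dI" % raw[1], raw[8:8 + 4 * raw[1]])
    return "S-%d-%d-" % (raw[0], int.from_bytes(raw[2:8], "big")) + "-".join(map(str, subs))

def parse_ldif(text):
    """Parse LDIF into {attr: [values]} dicts; newline + one space is a line fold."""
    records = []
    for block in re.split(r"\n\s*\n", text.replace("\r\n", "\n").replace("\n ", "")):
        rec = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if value.startswith(":"):        # "attr:: <base64>" carries binary data
                blob = base64.b64decode(value[1:].strip())
                value = sid_to_str(blob) if attr.lower() == "objectsid" else blob.decode("utf-8", "replace")
            rec.setdefault(attr.lower(), []).append(value.strip())
        if rec:
            records.append(rec)
    return records

def one(rec, attr):
    return rec.get(attr, [""])[0]

def preflight(recovered, live):
    """Flag recovered objects that clash with the directory they would be injected into."""
    by_sid = {one(r, "objectsid"): r for r in live}
    by_name = {one(r, "samaccountname").lower(): r for r in live}
    findings = []
    for rec in recovered:
        sid, name = one(rec, "objectsid"), one(rec, "samaccountname").lower()
        holder, twin = by_sid.get(sid), by_name.get(name)
        if sid and holder and one(holder, "dn").lower() != one(rec, "dn").lower():
            findings.append(("sid-collision", sid, one(holder, "dn")))
        if name and twin and one(twin, "objectsid") != sid:
            findings.append(("recreated-account", name, one(twin, "objectsid")))
    return findings

# Constructed sample: one raw-dump record (folded DN, binary SID) and a live directory.
RECOVERED = ("dn: CN=Example User,OU=staff,DC=exam\n ple,DC=test\nsAMAccountName: euser\n"
             "objectSid:: AQUAAAAAAAUVAAAAVwQAAK4IAAAFDQAAUQQAAA==\n")
LIVE = ("dn: CN=Example User,OU=staff,DC=example,DC=test\nsAMAccountName: euser\n"
        "objectSid: S-1-5-21-1111-2222-3333-1190\n\ndn: CN=Other User,OU=staff,DC=example,DC=test\n"
        "sAMAccountName: ouser\nobjectSid: S-1-5-21-1111-2222-3333-1105\n")
```

A `recreated-account` finding means the live account with that name carries a different SID from the recovered one, so ACLs and group memberships that reference the old SID do not apply to it.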