On Mon, 23 Jul 2018 11:27:38 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> How are you searching and what with ?

I used the ADUC tool and LDAPAdmin.

> Have you tried ldbedit ?
>
> ldbedit -e <your favourite editor> -H /path/to/sam.ldb
>
> This will display everything in the editor and you can then search in
> that for the groups. You should then be able to create a filter to
> delete the groups

Yes, the objects in question are displayed, one of them looks like this:

# record 46
dn: CN=projekt-st.wendel-wvw-technisch-ökonomische-rw,CN=Users,DC=iww,DC=lan
cn:: cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtcnc=
instanceType: 4
whenCreated: 20180720113100.0Z
uSNCreated: 5982
name:: cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtcnc=
objectGUID: ecbda919-4c16-4d06-9695-2540e35b44da
objectSid: S-1-5-21-4144324718-2848790307-3888702956-3897
sAMAccountName:: cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtc
 nc=
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=iww,DC=lan
gidNumber: 1448
objectClass: top
objectClass: posixGroup
objectClass: group
msSFU30NisDomain: iww
whenChanged: 20180720113106.0Z
uSNChanged: 15576
distinguishedName:: Q049cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taX
 NjaGUtcncsQ049VXNlcnMsREM9aXd3LERDPWxhbg==

However, "ldbdel -H /var/lib/samba/private/sam.ldb 'CN=projekt-st.wendel-wvw-technisch-ökonomische-rw,CN=Users,DC=iww,DC=lan'" doesn't work, it says "entry does not exist"

As you can see, some parts are base64 encoded but I am unsure how to use
this in conjunction with ldbdel or ldbedit, e.g. I tried

ldbedit -e vim -H /var/lib/samba/private/sam.ldb '(sAMAccountName=cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtcnc=)'
ldbedit -e vim -H /var/lib/samba/private/sam.ldb '(sAMAccountName=:cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtcnc=)'
ldbedit -e vim -H /var/lib/samba/private/sam.ldb '(sAMAccountName=::cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtcnc=)'

and all of them fail with "no matching records - cannot edit". Same when
using objectGUID or objectSid.

Kind regards,

Henry

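An added example, not part of any message in this thread: the `::` marker is LDIF notation (RFC 2849) for a base64-encoded value and is not LDAP filter syntax, so a filter built from the base64 text compares against those literal characters. The Python sketch below unfolds a constructed copy of the record's sAMAccountName attribute, decodes it, and builds an RFC 4515 equality filter with the non-ASCII bytes hex-escaped; the function names are hypothetical, and it does not address the "entry does not exist" error itself.

```python
import base64
import unicodedata

# Constructed sample from the thread's record; folded lines start with a space.
SAMPLE_LDIF = """\
sAMAccountName:: cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtc
 nc=
gidNumber: 1448
"""

def unfold(ldif):
    """Join RFC 2849 folded lines back into one logical line each."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines

def parse_attrs(ldif):
    """Return {attribute: bytes}; 'attr:: x' is base64, 'attr: x' is literal."""
    attrs = {}
    for line in unfold(ldif):
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            attrs[name] = base64.b64decode(rest[1:].strip())
        else:
            attrs[name] = rest.strip().encode("utf-8")
    return attrs

def filter_escape(value):
    """RFC 4515 escaping: NUL ( ) * \\ and all non-ASCII bytes become \\xx."""
    return "".join(
        "\\%02x" % b if b >= 0x80 or b in b"\x00()*\\" else chr(b)
        for b in value
    )

def describe(ldif, attr):
    """Decode one attribute and build an equality filter for its real value."""
    value = parse_attrs(ldif)[attr]
    text = value.decode("utf-8")
    return {
        "text": text,
        "is_nfc": unicodedata.is_normalized("NFC", text),
        "filter": "(%s=%s)" % (attr, filter_escape(value)),
    }

if __name__ == "__main__":
    print(describe(SAMPLE_LDIF, "sAMAccountName"))
```

The `is_nfc` field reports whether the stored name is in Unicode NFC form, which is worth comparing against what the shell or editor sends when a name containing an umlaut fails to match.
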
On Mon, 23 Jul 2018 14:02:45 +0200
Henry Jensen via samba <samba at lists.samba.org> wrote:

> On Mon, 23 Jul 2018 11:27:38 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > How are you searching and what with ?
>
> I used the ADUC tool and LDAPAdmin.
>
> > Have you tried ldbedit ?
> >
> > ldbedit -e <your favourite editor> -H /path/to/sam.ldb
> >
> > This will display everything in the editor and you can then search
> > in that for the groups. You should then be able to create a filter
> > to delete the groups
>
> Yes, the objects in question are displayed, one of them looks like
> this:
>
> # record 46
> dn: CN=projekt-st.wendel-wvw-technisch-ökonomische-rw,CN=Users,DC=iww,DC=lan
> cn:: cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtcnc=
> instanceType: 4
> whenCreated: 20180720113100.0Z
> uSNCreated: 5982
> name:: cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtcnc=
> objectGUID: ecbda919-4c16-4d06-9695-2540e35b44da
> objectSid: S-1-5-21-4144324718-2848790307-3888702956-3897
> sAMAccountName:: cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtc
>  nc=
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=iww,DC=lan
> gidNumber: 1448
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> msSFU30NisDomain: iww
> whenChanged: 20180720113106.0Z
> uSNChanged: 15576
> distinguishedName:: Q049cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taX
>  NjaGUtcncsQ049VXNlcnMsREM9aXd3LERDPWxhbg==
>
> However, "ldbdel -H /var/lib/samba/private/sam.ldb
> 'CN=projekt-st.wendel-wvw-technisch-ökonomische-rw,CN=Users,DC=iww,DC=lan'"
> doesn't work, it says "entry does not exist"

Try it without the single quotes around the DN
If this doesn't work, try opening AD in ldbedit again and manually
delete all the object lines (including the 'record' line)

By the way, I do hope you have a backup.

Rowland

On Mon, 23 Jul 2018 13:12:42 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Mon, 23 Jul 2018 14:02:45 +0200
> Henry Jensen via samba <samba at lists.samba.org> wrote:
>
> > Yes, the objects in question are displayed, one of them looks like
> > this:
> >
> > # record 46
> > dn: CN=projekt-st.wendel-wvw-technisch-ökonomische-rw,CN=Users,DC=iww,DC=lan
> > cn:: cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtcnc=
> > instanceType: 4
> > whenCreated: 20180720113100.0Z
> > uSNCreated: 5982
> > name:: cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtcnc=
> > objectGUID: ecbda919-4c16-4d06-9695-2540e35b44da
> > objectSid: S-1-5-21-4144324718-2848790307-3888702956-3897
> > sAMAccountName:: cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtc
> >  nc=
> > sAMAccountType: 268435456
> > groupType: -2147483646
> > objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=iww,DC=lan
> > gidNumber: 1448
> > objectClass: top
> > objectClass: posixGroup
> > objectClass: group
> > msSFU30NisDomain: iww
> > whenChanged: 20180720113106.0Z
> > uSNChanged: 15576
> > distinguishedName:: Q049cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taX
> >  NjaGUtcncsQ049VXNlcnMsREM9aXd3LERDPWxhbg==
> >
> > However, "ldbdel -H /var/lib/samba/private/sam.ldb
> > 'CN=projekt-st.wendel-wvw-technisch-ökonomische-rw,CN=Users,DC=iww,DC=lan'"
> > doesn't work, it says "entry does not exist"
>
> Try it without the single quotes around the DN
> If this doesn't work, try opening AD in ldbedit again and manually
> delete all the object lines (including the 'record' line)

I tried it on my test environment (didn't want to do it in production)
first. Still no luck - when I delete the entire object with ldbedit it
says

"failed to delete CN=projekt-st.wendel-wvw-technisch-ökonomische-rw,CN=Users,DC=iww,DC=lan - objectclass: Cannot delete CN=projekt-st.wendel-wvw-technisch-ökonomische-rw,CN=Users,DC=iww,DC=lan, entry does not exist!"

So, no chance to get them out of there the easy way?

Strange how they got in there in the first place by classicupgrade.
Because I knew that umlauts can lead to problems I renamed those objects
in the original OpenLDAP tree before doing the classicupgrade. The
renamed groups got migrated to AD and I can manage them without
problems, but there are also the groups with umlauts (they even have the
same GIDs).

Kind regards,

Henry

On Mon, 2018-07-23 at 14:02 +0200, Henry Jensen via samba wrote:

> On Mon, 23 Jul 2018 11:27:38 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > How are you searching and what with ?
>
> I used the ADUC tool and LDAPAdmin.
>
> > Have you tried ldbedit ?
> >
> > ldbedit -e <your favourite editor> -H /path/to/sam.ldb
> >
> > This will display everything in the editor and you can then search in
> > that for the groups. You should then be able to create a filter to
> > delete the groups
>
> Yes, the objects in question are displayed, one of them looks like this:
>
> # record 46
> dn: CN=projekt-st.wendel-wvw-technisch-ökonomische-rw,CN=Users,DC=iww,DC=lan
> cn:: cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtcnc=
> instanceType: 4
> whenCreated: 20180720113100.0Z
> uSNCreated: 5982
> name:: cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtcnc=
> objectGUID: ecbda919-4c16-4d06-9695-2540e35b44da
> objectSid: S-1-5-21-4144324718-2848790307-3888702956-3897
> sAMAccountName:: cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtc
>  nc=
> sAMAccountType: 268435456
> groupType: -2147483646
> objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=iww,DC=lan
> gidNumber: 1448
> objectClass: top
> objectClass: posixGroup
> objectClass: group
> msSFU30NisDomain: iww
> whenChanged: 20180720113106.0Z
> uSNChanged: 15576
> distinguishedName:: Q049cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taX
>  NjaGUtcncsQ049VXNlcnMsREM9aXd3LERDPWxhbg==
>
> However, "ldbdel -H /var/lib/samba/private/sam.ldb 'CN=projekt-st.wendel-wvw-technisch-ökonomische-rw,CN=Users,DC=iww,DC=lan'" doesn't work, it says "entry does not exist"

I suspect this is a case of one layer somewhere in the stack being
unhappy. Try turning up the debug level and see if you can get it to
confess something more specific.

Andrew Bartlett

--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba

On Wed, 25 Jul 2018 14:19:26 +1200
Andrew Bartlett via samba <samba at lists.samba.org> wrote:

> > Yes, the objects in question are displayed, one of them looks like this:
> >
> > # record 46
> > dn: CN=projekt-st.wendel-wvw-technisch-ökonomische-rw,CN=Users,DC=iww,DC=lan
> > cn:: cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtcnc=
> > instanceType: 4
> > whenCreated: 20180720113100.0Z
> > uSNCreated: 5982
> > name:: cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtcnc=
> > objectGUID: ecbda919-4c16-4d06-9695-2540e35b44da
> > objectSid: S-1-5-21-4144324718-2848790307-3888702956-3897
> > sAMAccountName:: cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taXNjaGUtc
> >  nc=
> > sAMAccountType: 268435456
> > groupType: -2147483646
> > objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=iww,DC=lan
> > gidNumber: 1448
> > objectClass: top
> > objectClass: posixGroup
> > objectClass: group
> > msSFU30NisDomain: iww
> > whenChanged: 20180720113106.0Z
> > uSNChanged: 15576
> > distinguishedName:: Q049cHJvamVrdC1zdC53ZW5kZWwtd3Z3LXRlY2huaXNjaC3Dtmtvbm9taX
> >  NjaGUtcncsQ049VXNlcnMsREM9aXd3LERDPWxhbg==
> >
> > However, "ldbdel -H /var/lib/samba/private/sam.ldb 'CN=projekt-st.wendel-wvw-technisch-ökonomische-rw,CN=Users,DC=iww,DC=lan'" doesn't work, it says "entry does not exist"
>
> I suspect this is a case of one layer somewhere in the stack being
> unhappy. Try turning up the debug level and see if you can get it to
> confess something more specific.

Not really:

root@dc1:~# ldbdel -v -d 10 -H /var/lib/samba/private/sam.ldb 'CN=projekt-st.wendel-wvw-technisch-ökonomische-rw,CN=Users,DC=iww,DC=lan'
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
Processing section "[global]"
Processing section "[netlogon]"
Processing section "[sysvol]"
pm_process() returned Yes
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Security token SIDs (1):
  SID[ 0]: S-1-5-18
 Privileges (0xFFFFFFFFFFFFFFFF):
  Privilege[ 0]: SeMachineAccountPrivilege
  Privilege[ 1]: SeTakeOwnershipPrivilege
  Privilege[ 2]: SeBackupPrivilege
  Privilege[ 3]: SeRestorePrivilege
  Privilege[ 4]: SeRemoteShutdownPrivilege
  Privilege[ 5]: SePrintOperatorPrivilege
  Privilege[ 6]: SeAddUsersPrivilege
  Privilege[ 7]: SeDiskOperatorPrivilege
  Privilege[ 8]: SeSecurityPrivilege
  Privilege[ 9]: SeSystemtimePrivilege
  Privilege[ 10]: SeShutdownPrivilege
  Privilege[ 11]: SeDebugPrivilege
  Privilege[ 12]: SeSystemEnvironmentPrivilege
  Privilege[ 13]: SeSystemProfilePrivilege
  Privilege[ 14]: SeProfileSingleProcessPrivilege
  Privilege[ 15]: SeIncreaseBasePriorityPrivilege
  Privilege[ 16]: SeLoadDriverPrivilege
  Privilege[ 17]: SeCreatePagefilePrivilege
  Privilege[ 18]: SeIncreaseQuotaPrivilege
  Privilege[ 19]: SeChangeNotifyPrivilege
  Privilege[ 20]: SeUndockPrivilege
  Privilege[ 21]: SeManageVolumePrivilege
  Privilege[ 22]: SeImpersonatePrivilege
  Privilege[ 23]: SeCreateGlobalPrivilege
  Privilege[ 24]: SeEnableDelegationPrivilege
 Rights (0x 0):
Initial schema load needed, as we have no existing schema, seq_num: 3
schema_fsmo_init: we are master[yes] updates allowed[yes]
delete of 'CN=projekt-st.wendel-wvw-technisch-ökonomische-rw,CN=Users,DC=iww,DC=lan' failed - (No such object) objectclass: Cannot delete CN=projekt-st.wendel-wvw-technisch-ökonomische-rw,CN=Users,DC=iww,DC=lan, entry does not exist!

Kind Regards,

Henry