Oliver Heinz
2018-Oct-15  13:47 UTC
[Samba] restore deleted user (ldbrename) on samba 4.9.1 fails
Dear list,

I am trying to restore a deleted user object with samba 4.9.1 (sernet packages). I am aware that the object will lose some attributes without recycle bin enabled (enabling it is still not recommended, right?). I tried to rename the object in order to make the necessary modifications afterward (as documented in Stefan Kania's Samba 4 book). But ldbrename already fails.

root at dc1:~# samba-tool user create testuser
New Password:
Retype Password:
User 'testuser' created successfully

root at dc1:~# samba-tool user delete testuser
Deleted user testuser

root at dc1:~# ldbsearch -H ldap://localhost -U administrator --password="Passw0rd" --show-deleted "cn=testuser\0ADEL:*"
# record 1
dn: CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=Deleted Objects,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
instanceType: 4
whenCreated: 20181015123644.0Z
uSNCreated: 4038
objectGUID: d4357200-a367-4601-93df-8c769f1d0e4f
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1112
sAMAccountName: testuser
userAccountControl: 512
isDeleted: TRUE
lastKnownParent: CN=Users,DC=samdom,DC=example,DC=com
isRecycled: TRUE
cn:: dGVzdHVzZXIKREVMOmQ0MzU3MjAwLWEzNjctNDYwMS05M2RmLThjNzY5ZjFkMGU0Zg=
name:: dGVzdHVzZXIKREVMOmQ0MzU3MjAwLWEzNjctNDYwMS05M2RmLThjNzY5ZjFkMGU0Zg=
whenChanged: 20181015123702.0Z
uSNChanged: 4041
distinguishedName: CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=D
 eleted Objects,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com

# returned 4 records
# 1 entries
# 3 referrals

root at dc1:~# ldbrename -H ldap://localhost -Uadministrator --password="Passw0rd" "CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=Deleted Objects,DC=samdom,DC=example,DC=com" "CN=testuser,CN=Users,DC=samdom,DC=example,DC=com"
rename of 'CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=Deleted Objects,DC=samdom,DC=example,DC=com' to 'CN=testuser,CN=Users,DC=samdom,DC=example,DC=com' failed - LDAP error 32 LDAP_NO_SUCH_OBJECT - <00002030: ldb_wait from ../source4/ldap_server/ldap_backend.c:487 with LDB_WAIT_ALL: No such object (32)> <>

Verbose and trace give no further hint. Any ideas? It seems to have worked in earlier versions.

With a regular LDAP we can use LDIF dumps to restore objects, not comfortable but working. But this is not working for AD as it is not allowed to add objects with an objectSid, right? Is there another (recommended) way to restore deleted objects (particularly users and groups)?

TIA,
Oliver
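Added example (not code from this thread, from Samba or from the Samba 4 book): a Python script that parses the ldbsearch output above and works out what a restore of the deleted object needs, without touching a directory. It decodes the base64 cn:: value to recover the original name, rebuilds the target DN from lastKnownParent (which comes out as exactly the DN the failing ldbrename was given), checks the isDeleted/isRecycled state, and prints the LDIF modify that the AD undelete operation uses (remove isDeleted, replace distinguishedName, sent with the Show Deleted control 1.2.840.113556.1.4.417), which is what ldp.exe and Restore-ADObject issue on Windows. Assumptions: the sample LDIF is constructed from the post's output, with the folded distinguishedName line kept and one '=' of base64 padding deliberately dropped so the tolerant decoder is exercised; the "recycled objects cannot be undeleted" rule is the MS-ADTS deletion model, and whether Samba 4.9.1 accepts this modify is not something the thread establishes.

```python
import base64

# Constructed sample: the ldbsearch --show-deleted output from the post,
# reproduced as LDIF. Two quirks of mail-pasted output are kept on purpose:
# the folded distinguishedName line (continuation starts with one space) and
# the base64 cn:: value missing one '=' of padding.
TOMBSTONE_LDIF = r"""# record 1
dn: CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=Deleted Objects,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectGUID: d4357200-a367-4601-93df-8c769f1d0e4f
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1112
sAMAccountName: testuser
isDeleted: TRUE
lastKnownParent: CN=Users,DC=samdom,DC=example,DC=com
isRecycled: TRUE
cn:: dGVzdHVzZXIKREVMOmQ0MzU3MjAwLWEzNjctNDYwMS05M2RmLThjNzY5ZjFkMGU0Zg=
distinguishedName: CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=D
 eleted Objects,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
"""


def decode_b64_tolerant(value):
    """Decode an LDIF '::' value, re-padding it first: output pasted into
    mail or wrapped by a list archive often loses trailing '=' characters."""
    stripped = value.strip().rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    return base64.b64decode(padded).decode("utf-8", errors="replace")


def parse_ldif(text):
    """Parse LDIF text into a list of records ({attr: [values]}), honouring
    line folding, '#' comment lines and base64 ('::') values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of previous line
        else:
            unfolded.append(raw)
    records, current = [], {}
    for line in unfolded + [""]:             # trailing "" flushes last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        value = decode_b64_tolerant(rest[1:]) if rest.startswith(":") else rest.strip()
        current.setdefault(attr, []).append(value)
    return records


def restore_plan(entry):
    """Work out what an AD undelete of this object would need: the original
    name (from the mangled cn), the target DN rebuilt from lastKnownParent,
    and whether the object is still in a restorable state. Deleted objects
    carry cn/name as '<name>' + 0x0A + 'DEL:<objectGUID>'; that 0x0A byte is
    what ldbsearch prints as \\0ADEL: in the DN."""
    original, sep, guid = entry["cn"][0].partition("\nDEL:")
    if not sep:
        raise ValueError("cn is not in deleted-object form: %r" % entry["cn"][0])
    if guid != entry["objectGUID"][0]:
        raise ValueError("GUID in cn (%s) != objectGUID (%s)" % (guid, entry["objectGUID"][0]))
    # MS-ADTS deletion model: a recycled-object (isRecycled TRUE) can no
    # longer be undeleted; only a deleted-object / tombstone can.
    deleted = entry.get("isDeleted", ["FALSE"])[0].upper() == "TRUE"
    recycled = entry.get("isRecycled", ["FALSE"])[0].upper() == "TRUE"
    return {
        "deleted_dn": entry["dn"][0],
        "original_name": original,
        "objectGUID": guid,
        "new_dn": "CN=%s,%s" % (original, entry["lastKnownParent"][0]),
        "restorable": deleted and not recycled,
    }


def undelete_ldif(plan):
    """LDIF for the AD undelete operation: remove isDeleted and set the new
    distinguishedName in one modify. On AD it must be sent together with the
    Show Deleted control (OID 1.2.840.113556.1.4.417)."""
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "delete: isDeleted\n"
        "-\n"
        "replace: distinguishedName\n"
        "distinguishedName: %s\n"
        "-\n" % (plan["deleted_dn"], plan["new_dn"])
    )


if __name__ == "__main__":
    entry = parse_ldif(TOMBSTONE_LDIF)[0]
    plan = restore_plan(entry)
    for key, val in plan.items():
        print("%-14s %s" % (key, val))
    if plan["restorable"]:
        print(undelete_ldif(plan))
    else:
        print("object is marked isRecycled; the AD model would refuse an undelete")
```

Run as is, the script reports new_dn as CN=testuser,CN=Users,DC=samdom,DC=example,DC=com and restorable as False, because the entry in the post carries isRecycled: TRUE; a practitioner checking a deleted object before any restore attempt wants exactly these two facts. The generated modify is reviewed, not applied, and if it is applied it needs the Show Deleted control on the request (the ldb tools pass controls via --controls, e.g. show_deleted:1).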
Stefan Kania
2018-Oct-15  14:27 UTC
[Samba] restore deleted user (ldbrename) on samba 4.9.1 fails
Sorry, it's not working any more. At least if you have more than one DC. I didn't get an answer to this problem so that's the reason why it will not be part of the new samba4 book :-(

On 15.10.2018 at 15:47, Oliver Heinz via samba wrote:
> Dear list,
>
> I am trying to restore a deleted user object with samba 4.9.1 (sernet packages). I am aware that the object will lose some attributes without recycle bin enabled (enabling it is still not recommended, right?). I tried to rename the object in order to make the necessary modifications afterward (as documented in Stefan Kania's Samba 4 book). But ldbrename already fails.
>
> root at dc1:~# samba-tool user create testuser
> New Password:
> Retype Password:
> User 'testuser' created successfully
>
> root at dc1:~# samba-tool user delete testuser
> Deleted user testuser
>
> root at dc1:~# ldbsearch -H ldap://localhost -U administrator --password="Passw0rd" --show-deleted "cn=testuser\0ADEL:*"
> # record 1
> dn: CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=Deleted Objects,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> instanceType: 4
> whenCreated: 20181015123644.0Z
> uSNCreated: 4038
> objectGUID: d4357200-a367-4601-93df-8c769f1d0e4f
> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1112
> sAMAccountName: testuser
> userAccountControl: 512
> isDeleted: TRUE
> lastKnownParent: CN=Users,DC=samdom,DC=example,DC=com
> isRecycled: TRUE
> cn:: dGVzdHVzZXIKREVMOmQ0MzU3MjAwLWEzNjctNDYwMS05M2RmLThjNzY5ZjFkMGU0Zg=
> name:: dGVzdHVzZXIKREVMOmQ0MzU3MjAwLWEzNjctNDYwMS05M2RmLThjNzY5ZjFkMGU0Zg=
> whenChanged: 20181015123702.0Z
> uSNChanged: 4041
> distinguishedName: CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=D
>  eleted Objects,DC=samdom,DC=example,DC=com
>
> # Referral
> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
>
> # Referral
> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>
> # Referral
> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>
> # returned 4 records
> # 1 entries
> # 3 referrals
>
> root at dc1:~# ldbrename -H ldap://localhost -Uadministrator --password="Passw0rd" "CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=Deleted Objects,DC=samdom,DC=example,DC=com" "CN=testuser,CN=Users,DC=samdom,DC=example,DC=com"
> rename of 'CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=Deleted Objects,DC=samdom,DC=example,DC=com' to 'CN=testuser,CN=Users,DC=samdom,DC=example,DC=com' failed - LDAP error 32 LDAP_NO_SUCH_OBJECT - <00002030: ldb_wait from ../source4/ldap_server/ldap_backend.c:487 with LDB_WAIT_ALL: No such object (32)> <>
>
> Verbose and trace give no further hint. Any ideas? It seems to have worked in earlier versions.
>
> With a regular LDAP we can use LDIF dumps to restore objects, not comfortable but working. But this is not working for AD as it is not allowed to add objects with an objectSid, right? Is there another (recommended) way to restore deleted objects (particularly users and groups)?
>
> TIA,
> Oliver
Oliver Heinz
2018-Oct-16  10:29 UTC
[Samba] restore deleted user (ldbrename) on samba 4.9.1 fails
The output below was on a test environment with only one DC (it is the wiki example domain with dc1 and m1). So this way might be broken completely.

Did anybody try it the Microsoft way? The "new" Active Directory Administrative Centre seems to not work with Samba AD, right? Is anybody aware of other working methods like ldp.exe or PowerShell?

TIA,
Oliver

On 15.10.18 at 16:27, Stefan Kania via samba wrote:
> Sorry, it's not working any more. At least if you have more than one DC. I didn't get an answer to this problem so that's the reason why it will not be part of the new samba4 book :-(
>
> On 15.10.2018 at 15:47, Oliver Heinz via samba wrote:
>> Dear list,
>>
>> I am trying to restore a deleted user object with samba 4.9.1 (sernet packages). I am aware that the object will lose some attributes without recycle bin enabled (enabling it is still not recommended, right?). I tried to rename the object in order to make the necessary modifications afterward (as documented in Stefan Kania's Samba 4 book). But ldbrename already fails.
>>
>> root at dc1:~# samba-tool user create testuser
>> New Password:
>> Retype Password:
>> User 'testuser' created successfully
>>
>> root at dc1:~# samba-tool user delete testuser
>> Deleted user testuser
>>
>> root at dc1:~# ldbsearch -H ldap://localhost -U administrator --password="Passw0rd" --show-deleted "cn=testuser\0ADEL:*"
>> # record 1
>> dn: CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=Deleted Objects,DC=samdom,DC=example,DC=com
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> instanceType: 4
>> whenCreated: 20181015123644.0Z
>> uSNCreated: 4038
>> objectGUID: d4357200-a367-4601-93df-8c769f1d0e4f
>> objectSid: S-1-5-21-2104162034-3764151921-3268498227-1112
>> sAMAccountName: testuser
>> userAccountControl: 512
>> isDeleted: TRUE
>> lastKnownParent: CN=Users,DC=samdom,DC=example,DC=com
>> isRecycled: TRUE
>> cn:: dGVzdHVzZXIKREVMOmQ0MzU3MjAwLWEzNjctNDYwMS05M2RmLThjNzY5ZjFkMGU0Zg=
>> name:: dGVzdHVzZXIKREVMOmQ0MzU3MjAwLWEzNjctNDYwMS05M2RmLThjNzY5ZjFkMGU0Zg=
>> whenChanged: 20181015123702.0Z
>> uSNChanged: 4041
>> distinguishedName: CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=D
>>  eleted Objects,DC=samdom,DC=example,DC=com
>>
>> # Referral
>> ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com
>>
>> # Referral
>> ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>>
>> # Referral
>> ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com
>>
>> # returned 4 records
>> # 1 entries
>> # 3 referrals
>>
>> root at dc1:~# ldbrename -H ldap://localhost -Uadministrator --password="Passw0rd" "CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=Deleted Objects,DC=samdom,DC=example,DC=com" "CN=testuser,CN=Users,DC=samdom,DC=example,DC=com"
>> rename of 'CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=Deleted Objects,DC=samdom,DC=example,DC=com' to 'CN=testuser,CN=Users,DC=samdom,DC=example,DC=com' failed - LDAP error 32 LDAP_NO_SUCH_OBJECT - <00002030: ldb_wait from ../source4/ldap_server/ldap_backend.c:487 with LDB_WAIT_ALL: No such object (32)> <>
>>
>> Verbose and trace give no further hint. Any ideas? It seems to have worked in earlier versions.
>>
>> With a regular LDAP we can use LDIF dumps to restore objects, not comfortable but working. But this is not working for AD as it is not allowed to add objects with an objectSid, right? Is there another (recommended) way to restore deleted objects (particularly users and groups)?
>>
>> TIA,
>> Oliver