Hi,

Does anyone have experience of using ldbedit or similar, to remove the duplicates below? (Is that even the right way for me to go?) Can I perhaps query something using ldbsearch, to find the duplicates, before using ldbedit?

On Sun, 18 Nov 2018 at 21:37, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
> [...]
> In my database, as reported by the domain join command above, I have
> five duplicates 'for index on servicePrincipalName', plus 107
> duplicates for index on a custom LDAP attribute I am using. If there's
> a correct way I can step through these one by one, and remove the
> duplicates, I am happy to try...

I guess ldbedit does carry some level of risk with it, but I can't seem to add any DCs to my domain at the moment, which is unfortunate as I had a hardware failure that I now can't recover from.

I note that this was last discussed on the list on 20 March 2018 at 03:14 (message ID <1113A703-649B-42D5-BDFC-2842767B31E5 at dignitastechnologies.com>) but there was no conclusion to that thread other than a comment that 4.9.0pre1 seemed to resolve the issue. However, I am now using 4.9.2 on one of my DCs and on the DC that is being newly joined, and I am still having the problem. (My two other DCs are still on 4.9.0.)

For reference, this is the type of error I'm getting when joining my DC:

../lib/ldb/ldb_tdb/ldb_index.c:2352: duplicate attribute value in CN=somePC,OU=someOU,OU=Computers,OU=mysite,DC=mydomain,DC=org for index on servicePrincipalName, duplicate of objectGUID 00000000-1111-2222-3333-444444444444 in @INDEX:SERVICEPRINCIPALNAME:RESTRICTEDKRBHOST/SOMEPC

Cheers

Jonathan

-- 
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
On Tue, 20 Nov 2018 13:17:58 +0000 Jonathan Hunter via samba <samba at lists.samba.org> wrote:
> Hi,
>
> Does anyone have experience of using ldbedit or similar, to remove the
> duplicates below? (Is that even the right way for me to go?) Can I
> perhaps query something using ldbsearch, to find the duplicates,
> before using ldbedit?
>
> On Sun, 18 Nov 2018 at 21:37, Jonathan Hunter <jmhunter1 at gmail.com>
> wrote:
> > [...]
> > In my database, as reported by the domain join command above, I have
> > five duplicates 'for index on servicePrincipalName', plus 107
> > duplicates for index on a custom LDAP attribute I am using. If
> > there's a correct way I can step through these one by one, and
> > remove the duplicates, I am happy to try...
>
> I guess ldbedit does carry some level of risk with it, but I can't
> seem to add any DCs to my domain at the moment which is unfortunate as
> I had a hardware failure that I now can't recover from.
>
> I note that this was last discussed on the list on 20 March 2018 at
> 03:14 (message ID
> <1113A703-649B-42D5-BDFC-2842767B31E5 at dignitastechnologies.com>) but
> there was no conclusion to that thread other than a comment that
> 4.9.0pre1 seemed to resolve the issue. However, I am now using 4.9.2
> on one of my DCs and on the DC that is being newly joined, and I am
> still having the problem. (My two other DCs are still on 4.9.0)
>
> For reference, this is the type of error I'm getting when joining my
> DC: ../lib/ldb/ldb_tdb/ldb_index.c:2352: duplicate attribute value in
> CN=somePC,OU=someOU,OU=Computers,OU=mysite,DC=mydomain,DC=org for
> index on servicePrincipalName, duplicate of objectGUID
> 00000000-1111-2222-3333-444444444444 in
> @INDEX:SERVICEPRINCIPALNAME:RESTRICTEDKRBHOST/SOMEPC
>
> Cheers
>
> Jonathan
>

Try this to search for computers:

ldbsearch -k yes -P -H ldap://dc1 -b 'dc=samdom,dc=example,dc=com' -s sub '(objectclass=computer)' servicePrincipalName > /tmp/computer.ldif

Replace 'dc1' with your DC short hostname and 'dc=samdom,dc=example,dc=com' with your LDAP info.

This actually raises an interesting question: when I run it, it lists all my computers, but the only ones that have a 'RestrictedKrbHost/PC_NAME' SPN are Windows PCs; not one of my Unix computers has such a line.

Rowland
Thanks to everyone who responded. I have now figured out what happened and why it wasn't working. Apparently something changed between the time I set up the machine and my attempt to add another user. When I initially set up the workstation I installed the recommended registry settings. Those were still in place. I discovered that part of the problem was that somewhere the WINS server information was deleted. Once I added that to the network settings I could see and join the domain, including browsing all of the machines in it, but I still could not log in. Checking the PDC I found that the PDC was running winbindd. Once I shut that down everything worked as expected. I was able to log in using any valid domain user. I have removed the winbind package from the PDC so I should be good to go. Again, thanks a lot.
Thanks Rowland.

On Tue, 20 Nov 2018 at 13:56, Rowland Penny via samba <samba at lists.samba.org> wrote:
> Jonathan Hunter via samba <samba at lists.samba.org> wrote:
> > Does anyone have experience of using ldbedit or similar, to remove the
> > duplicates below? (Is that even the right way for me to go?) Can I
> > perhaps query something using ldbsearch, to find the duplicates,
> > before using ldbedit?
>

Interestingly, I decided to play it safe and create a backup first of all, using the new samba 4.9.2 backup commands. But (probably as expected), the online backup reported the exact same errors as a domain join - i.e. "../lib/ldb/ldb_tdb/ldb_index.c:2352: duplicate attribute value in XXX". I am therefore not certain if this backup would actually be useful for a restore, but it seems that 4.9.2 does not yet contain support for an offline backup (it just has online/rename/restore).

> Try this to search for computers:
>
> ldbsearch -k yes -P -H ldap://dc1 -b 'dc=samdom,dc=example,dc=com' -s
> sub '(objectclass=computer)' servicePrincipalName > /tmp/computer.ldif

I ended up using the following variant instead (since I am logged in with a local user and have no Kerberos tickets):

user at dc2:~ $ sudo ldbsearch -H /usr/local/samba/private/sam.ldb '(&(cn=laptop1)(objectclass=computer))' servicePrincipalName | less

(where laptop1 is the computer object that had led to the errors about duplicate values)

The output of this is as follows:

# record 1
dn: CN=laptop1,OU=Laptops,OU=Computers,OU=MyOwnOU,DC=mydomain,DC=org
servicePrincipalName: HOST/LAPTOP1.mydomain.org
servicePrincipalName: RestrictedKrbHost/LAPTOP1.mydomain.org
servicePrincipalName: HOST/LAPTOP1
servicePrincipalName: RestrictedKrbHost/LAPTOP1
servicePrincipalName: TERMSRV/LAPTOP1.mydomain.org
servicePrincipalName: TERMSRV/LAPTOP1
servicePrincipalName: restrictedkrbhost/laptop1
servicePrincipalName: restrictedkrbhost/laptop1.mydomain.org
servicePrincipalName: termsrv/laptop1
servicePrincipalName: termsrv/laptop1.mydomain.org

Which leads me to think that I should be able to use ldbedit to remove the duplicate entries.. I think... ?

Something like this might work.. I just need to work out which entries I can safely delete.. (UPPERCASE? CamelCase? lowercase? etc.) I think if I leave one of each, ignoring case, then things should mostly be OK.

I think that the following command should work:

user at dc2:~ $ sudo ldbedit -H /usr/local/samba/private/sam.ldb '(&(cn=laptop1)(objectclass=computer))'

Luckily for me, one of the affected computers (this laptop1 example) is not actually in existence any longer, so I can use that as my first test edit before moving onto some of the other duplicate entries which are still in use..

Thanks

Jonathan

-- 
"If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein
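Editor's note, added to this thread and not part of any message or of Samba itself: the laptop1 dump above shows the pattern the ldb index is complaining about, values of servicePrincipalName that differ only in case (ldb indexes that attribute case-insensitively, so `RestrictedKrbHost/LAPTOP1` and `restrictedkrbhost/laptop1` collide as one index key). Rowland's ldbsearch dump and Jonathan's "leave one of each, ignoring case" rule can be combined into a small script that finds the collisions across every computer object and writes an LDIF `changetype: modify` for ldbmodify, so the cleanup is reviewable before anything touches sam.ldb instead of being done by hand in ldbedit. It assumes the input is the LDIF that `ldbsearch -H /usr/local/samba/private/sam.ldb '(objectclass=computer)' servicePrincipalName` prints; SAMPLE_LDIF below is constructed from the laptop1 record in the thread plus an invented clean record, not real directory data.

```python
#!/usr/bin/env python3
"""Find servicePrincipalName values that collide case-insensitively in
ldbsearch LDIF output and emit an LDIF modify that deletes the extra copies.

Added illustration for the samba list thread on ldb_index.c duplicate
attribute values; not Samba code. SAMPLE_LDIF is constructed test data."""

import base64
import sys

ATTR = "servicePrincipalName"

# Constructed sample: record 1 mirrors the laptop1 object from the thread,
# record 2 is an invented object with no case collisions.
SAMPLE_LDIF = """\
# record 1
dn: CN=laptop1,OU=Laptops,OU=Computers,OU=MyOwnOU,DC=mydomain,DC=org
servicePrincipalName: HOST/LAPTOP1.mydomain.org
servicePrincipalName: RestrictedKrbHost/LAPTOP1.mydomain.org
servicePrincipalName: HOST/LAPTOP1
servicePrincipalName: RestrictedKrbHost/LAPTOP1
servicePrincipalName: TERMSRV/LAPTOP1.mydomain.org
servicePrincipalName: TERMSRV/LAPTOP1
servicePrincipalName: restrictedkrbhost/laptop1
servicePrincipalName: restrictedkrbhost/laptop1.mydomain.org
servicePrincipalName: termsrv/laptop1
servicePrincipalName: termsrv/laptop1.mydomain.org

# record 2
dn: CN=server2,OU=Servers,DC=mydomain,DC=org
servicePrincipalName: HOST/SERVER2
servicePrincipalName: HOST/server2.mydomain.org

# returned 2 records
"""


def parse_ldif(text, attr=ATTR):
    """Return a list of (dn, [values]) pairs, one per LDIF record.

    Handles what ldbsearch output actually contains: '#' comment lines,
    base64 values written as 'attr:: ...', and folded continuation lines
    (a leading space). Records are separated by blank lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)

    records, dn, values = [], None, []
    for line in lines + [""]:             # trailing "" flushes the last record
        if line == "":
            if dn is not None:
                records.append((dn, values))
            dn, values = None, []
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):          # 'attr:: <base64>'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn":
            dn = value
        elif name.lower() == attr.lower():
            values.append(value)
    return records


def case_duplicates(values):
    """Group values by case-folded key; return only the colliding groups,
    each in the order ldbsearch listed the values."""
    groups = {}
    for v in values:
        groups.setdefault(v.casefold(), []).append(v)
    return {k: vs for k, vs in groups.items() if len(vs) > 1}


def build_fix_ldif(records, attr=ATTR):
    """For every record with collisions, emit an LDIF modify that deletes
    all variants except the first one listed. Returns (ldif_text, count)."""
    out, total = [], 0
    for dn, values in records:
        dups = case_duplicates(values)
        if not dups:
            continue
        extras = [v for vs in dups.values() for v in vs[1:]]
        out += [f"dn: {dn}", "changetype: modify", f"delete: {attr}"]
        out += [f"{attr}: {v}" for v in extras]
        out += ["-", ""]
        total += len(extras)
    return "\n".join(out), total


if __name__ == "__main__":
    # usage: fix_spn_case.py computer.ldif > fix.ldif   (no arg: sample data)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    ldif, n = build_fix_ldif(parse_ldif(src))
    sys.stdout.write(ldif)
    sys.stderr.write(f"{n} value(s) scheduled for deletion\n")
```

Two caveats before applying the result with `ldbmodify -H /usr/local/samba/private/sam.ldb fix.ldif`. First, work on a copy of the private directory, since an ldb database that already fails reindexing is not one to experiment on. Second, because ldb compares servicePrincipalName values case-insensitively, a delete of `restrictedkrbhost/laptop1` may remove whichever case variant it matches first, so the surviving spelling is not guaranteed to be the one the script kept; what is guaranteed is one value per case-folded key. Re-run the ldbsearch afterwards to confirm exactly one variant of each remains before attempting the domain join again.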