vincent at cojot.name
2019-Jan-22 20:19 UTC
[Samba] dbtool --cross-ncs and undeletable errors..
On Tue, 22 Jan 2019, Rowland Penny via samba wrote:

> On Tue, 22 Jan 2019 14:20:21 -0500 (EST)
> "Vincent S. Cojot via samba" <samba at lists.samba.org> wrote:
>
>>
>> Hi All,
>>
>> On my two-DC setup (dc00 and dc01 - Used to be a 4-DC setup but 02
>> and 03 are gone), I've noticed the following errors which I am unable
>> to fix.. Any hints?
>>
>> * Basic dbcheck is clean.
>>
>> [root at dc00 ~]# samba-tool dbcheck
>> Checking 327 objects
>> Checked 327 objects (0 errors)
>>
>> * Cross-NCS shows two errors related to a decommissioned DC (dc02)
>> and cannot auto-fix this.. How do I fix those errors?
>>
>> [root at dc00 ~]# samba-tool dbcheck --cross-ncs --fix --yes
>> Checking 3574 objects
>> ERROR: no target object found for GUID component for link fromServer
>> in object
>> CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn
>> - <GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS
>> Settings\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn
>> ERROR: target DN is deleted for fromServer in object
>> CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn
>> - <GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS
>> Settings\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn
>> Target GUID points at deleted DN
>> '<GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS
>> Settings\\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn'
>> Remove DN link? [YES]
>> ERROR: Failed to remove deleted DN attribute fromServer : (65,
>> "objectclass_attrs: at least one mandatory attribute ('fromServer')
>> on entry
>> 'CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn'
>> wasn't specified!")
>>
>>
>> Thanks for any hints/pointers.
>>
>> Vincent
>>
>
> This isn't an error, if you look very carefully at the 'link' you will
> see 'DEL'. This means the record is a 'DELETED' record, you cannot
> delete a 'DELETED' record ;-)
>
> If you wait for 180 days minus the number of days since you
> decommissioned the DC, the record will just go away.
>
> Rowland

Hi Rowland,
Thank you for your quick reply. Is there a way to force an expire on
those things so I can get past those errors and only consider new
errors as 'new'? It's been about 4-5 months since I removed those DCs
but an ldbsearch shows more objects in need of purge (Computers that
were removed, users too).
If I wanted to clean this manually, I guess I could do the following
(but I'm sure I'd -want- to do that):

export LDB_MODULES_PATH=/usr/lib64/samba/ldb
ldbedit -e nano -H /var/lib/samba/private/sam.ldb --cross-ncs \
  --show-deleted --show-deactivated-link --extended-dn
(and then light a few candles, I guess)..

Is there a way to do that safely using RSAT?

Thanks,

Vincent

On Tue, 22 Jan 2019 15:19:10 -0500 (EST)
"Vincent S. Cojot via samba" <samba at lists.samba.org> wrote:

> Hi Rowland,
> Thank you for your quick reply. Is there a way to force an expire on
> those things so I can get past those errors and only consider new
> errors as 'new'? It's been about 4-5 months since I removed those DCs
> but an ldbsearch shows more objects in need of purge (Computers that
> were removed, users too).
> If I wanted to clean this manually, I guess I could do the following
> (but I'm sure I'd -want- to do that):
>
> export LDB_MODULES_PATH=/usr/lib64/samba/ldb
> ldbedit -e nano -H /var/lib/samba/private/sam.ldb --cross-ncs \
>   --show-deleted --show-deactivated-link --extended-dn
> (and then light a few candles, I guess)..
>
> Is there a way to do that safely using RSAT?
>
> Thanks,
>
> Vincent
>

These are 'Tombstone' records and can be ignored, they will go away of
their own accord, but if you want them to go away sooner, you are going
to have to change something in AD.

Run this as root on a DC:

ldbedit -e nano -H /var/lib/samba/private/sam.ldb -s base -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com"

Alter it to match your ldap domain.

Amongst the output, there will be a line like this:

tombstoneLifetime: 180

Change the '180' to whatever number of days you want.
Close and save with 'Ctl-x'

Now wait the number of days you set.

Once your deleted records have gone away, I would repeat the process
and reset the attribute back to 180

Rowland

vincent at cojot.name
2019-Jan-23 23:08 UTC
[Samba] dbtool --cross-ncs and undeletable errors..
Hi all,
Hi Rowland,

No such luck. I temporarily set the tombstonelifetime to just 1 day
(I'll set it back to 180 days later) but the records still show up:

[root at dc00 ~]# samba-tool dbcheck --cross-ncs --fix --yes
Checking 3572 objects
ERROR: no target object found for GUID component for link fromServer in object CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn - <GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS Settings\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn
ERROR: target DN is deleted for fromServer in object CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn - <GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS Settings\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn
Target GUID points at deleted DN '<GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS Settings\\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn'
Remove DN link? [YES]
ERROR: Failed to remove deleted DN attribute fromServer : (65, "objectclass_attrs: at least one mandatory attribute ('fromServer') on entry 'CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn' wasn't specified!")

Any ideas?

Vincent

On Tue, 22 Jan 2019, Rowland Penny via samba wrote:

> These are 'Tombstone' records and can be ignored, they will go away of
> their own accord, but if you want them to go away sooner, you are going
> to have to change something in AD.
>
> Run this as root on a DC:
>
> ldbedit -e nano -H /var/lib/samba/private/sam.ldb -s base -b "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com"
>
> Alter it to match your ldap domain.
>
> Amongst the output, there will be a line like this:
>
> tombstoneLifetime: 180
>
> Change the '180' to whatever number of days you want.
> Close and save with 'Ctl-x'
>
> Now wait the number of days you set.
>
> Once your deleted records have gone away, I would repeat the process
> and reset the attribute back to 180
>
> Rowland
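
The thread's question of how to treat only new dbcheck errors as new can be handled by triaging the output. This is an added example, not code from the thread or from Samba: it separates errors tied to tombstoned (`\0ADEL:`) link targets, including the follow-on failed-fix error on the same object, from everything else. The sample text is constructed from the output above with mail wrapping undone plus one made-up error line; `triage`, `DEL_MARK` and `SOURCE_DN` are hypothetical names.

```python
import re

# A tombstoned AD object is renamed "<name>\nDEL:<objectGUID>"; in a DN string the
# newline is escaped as \0A, so a deleted link target contains "\0ADEL:<guid>".
DEL_MARK = re.compile(r"\\0ADEL:([0-9a-fA-F-]{36})")
SOURCE_DN = re.compile(r" in object (.+?) - <GUID=")

def triage(dbcheck_output):
    """Return (tombstone_errors, other_errors, deleted_guids) from dbcheck text."""
    errors = [ln.strip() for ln in dbcheck_output.splitlines() if ln.startswith("ERROR:")]
    sources, guids = set(), set()
    for line in errors:
        found = DEL_MARK.findall(line)
        src = SOURCE_DN.search(line)
        if found and src:
            sources.add(src.group(1))  # object that holds the dangling link
            guids.update(found)        # GUIDs of the deleted targets
    tombstone, other = [], []
    for line in errors:
        # Follow-on errors (such as the failed --fix) name the same source object.
        related = DEL_MARK.search(line) or any(s in line for s in sources)
        (tombstone if related else other).append(line)
    return tombstone, other, sorted(guids)

# Constructed sample: the thread's three errors with mail line-wrapping undone,
# plus one made-up unrelated error so the "other" bucket is not empty.
OBJ = ("CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,"
       "CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn")
TARGET = ("<GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;"
          r"CN=NTDS Settings\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,"
          r"CN=DC02\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,"
          "CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn")
SAMPLE = "\n".join([
    "Checking 3572 objects",
    f"ERROR: no target object found for GUID component for link fromServer in object {OBJ} - {TARGET}",
    f"ERROR: target DN is deleted for fromServer in object {OBJ} - {TARGET}",
    f"ERROR: Failed to remove deleted DN attribute fromServer : (65, \"objectclass_attrs: "
    f"at least one mandatory attribute ('fromServer') on entry '{OBJ}' wasn't specified!\")",
    "ERROR: made-up unrelated problem in object CN=example,DC=ad,DC=lasthome,DC=solace,DC=krynn",
])

if __name__ == "__main__":
    known, new, guids = triage(SAMPLE)
    print(f"{len(known)} tombstone-related, {len(new)} other; deleted GUIDs: {guids}")
    for line in new:
        print("REVIEW:", line)
```

Real dbcheck output can be fed in by capturing it to a file and passing the text to `triage`; only the lines in the second list need attention while the tombstones are still present.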