Andrew Bartlett
2022-Oct-05 19:14 UTC
[Samba] Repacking database from v1 to v2 / Samba failed to prime database, error code 22
On Wed, 2022-10-05 at 10:21 +0200, Arnaud FLORENT via samba wrote:
> Hi
>
> On 04/10/2022 at 22:15, Andrew Bartlett wrote:
> > Yes. First try with unpatched Samba 4.13 (or much better a supported
> > version please!), but if that fails then grab Samba 'git master' and
> > build that for testing, as my patch is now merged there.
> >
> > Backported patches will appear at
> > https://bugzilla.samba.org/show_bug.cgi?id=15189
> >
>
> so I ran samba-tool drs clone-dc-database with debug level 3
>
> it helped me to find 3 entries with weird (bad encoding?) values on
> attribute (defined in updated LDAP schema)
>
> after fixing those values on samba 4.3 AD, samba-tool drs
> clone-dc-database ran successfully

Great.

> and samba-tool dbcheck on targetdir reports only 1 error with SID
> conflicts with our current RID set in CN=RID Set,

Awesome!

> > > > We can also look into why the in-place upgrade fails.
> > > >
> > > > Running 'samba-tool dbcheck --reindex' using the modern version
> > > > should allow the error to be seen in a more controlled
> > > > circumstance, and allow raising the debug level etc.
> > >
> > > samba-tool dbcheck (without --reindex) on 4.13 returns
> > >
> > > Checked 4287 objects (6449 errors)
> > >
> > > mainly
> > >
> > > ERROR: incorrect attributeID values in replPropertyMetaData on ...
> > > ERROR: unsorted attributeID values in replPropertyMetaData on ...
> > > ERROR: unsorted attributeID values in replPropertyMetaData on ...
> > >
> > > but maybe it is because db repacking failed?
> >
> > No, this is a different thing. These are real bugs at a higher layer,
> > and while the unsorted attributeIDs are harmless (to samba, will break
> > windows), the incorrect attributeID may impact on the attempted
> > replication.
> >
> > What happens with the --reindex? (This opens a transaction, which
> > triggers the re-index, otherwise we just read the old format).
>
> reindex failed on same attribute as samba-tool drs clone-dc-database
>
> re-indexed database : (1, "reindexing failed:
> ../../ldb_key_value/ldb_kv_index.c:3048: Failed to re-index kwartzExtID
> in CN=someuser,CN=Users,DC=my,DC=domaine - Failed to create index key
> for attribute 'kwartzExtID':Unknown error:Entry @ATTRIBUTES already
> exists")
>
> so I did this:
>
> - fixed this attribute values on samba 4.3 server
>
> - copy private dir backup to samba 4.13 test server
>
> - samba 4.13 then starts successfully with 5 "ldb: Repacking database
> from v1 to v2 " message in log.samba
>
> - directory returns all users and groups (via wbinfo or ldap)
>
> BUT
>
> samba-tool dbcheck still reports Checked 4204 objects (6365 errors) with
> in log 3 types of errors:
>
> ERROR: incorrect attributeID values in replPropertyMetaData
>
> ERROR: unsorted attributeID values in replPropertyMetaData
>
> ERROR: linked attribute 'member' is present on deleted object
>
> but samba-tool dbcheck --reindex runs successfully [completed re-index OK]
>

So now run 'samba-tool dbcheck --cross-ncs --fix --yes' to fix those errors.

> do you think AD will be fully functional with this copied data (as for
> in place upgrade)?

To be clear, this is an in-place upgrade, as far as Samba is concerned, as you copied over the private directory files. So yes, it shows that an in-place upgrade on the original server would work.

Just make sure you run that 'samba-tool dbcheck --cross-ncs --fix --yes' to tidy up our historical errors in replPropertyMetaData and avoid a future duplicate allocation of that rogue SID.

I wish you all the best with your upgrade and encourage a move to a fully supported version ASAP, as there are a number of security issues still in 4.13 (unless someone other than Samba has been backporting).

Andrew Bartlett

--
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead, Catalyst IT    https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions

Arnaud FLORENT
2022-Oct-06 07:58 UTC
[Samba] Repacking database from v1 to v2 / Samba failed to prime database, error code 22
Hi Andrew

I ran the in-place upgrade test successfully, thank you

I also ran samba-tool dbcheck --cross-ncs --fix successfully after upgrade as you suggested

it reports a new error type:

ERROR: incorrect instanceType part of Binary DN binary component for msDS-HasInstantiatedNCs

but all errors were fixed.

could you please explain why those dbcheck errors were not reported when I ran samba-tool dbcheck with samba 4.3?

maybe extra checks were added between 4.3 and 4.13?

should I be worried about those errors? could they happen again?

could those errors impact AD perfs on Samba 4.3?

thanks again for your support

On 05/10/2022 at 21:14, Andrew Bartlett wrote:
> On Wed, 2022-10-05 at 10:21 +0200, Arnaud FLORENT via samba wrote:
>> Hi
>>
>> On 04/10/2022 at 22:15, Andrew Bartlett wrote:
>>> Yes. First try with unpatched Samba 4.13 (or much better a supported
>>> version please!), but if that fails then grab Samba 'git master' and
>>> build that for testing, as my patch is now merged there.
>>>
>>> Backported patches will appear at
>>> https://bugzilla.samba.org/show_bug.cgi?id=15189
>>>
>>
>> so I ran samba-tool drs clone-dc-database with debug level 3
>>
>> it helped me to find 3 entries with weird (bad encoding?) values on
>> attribute (defined in updated LDAP schema)
>>
>> after fixing those values on samba 4.3 AD, samba-tool drs
>> clone-dc-database ran successfully
> Great.
>
>> and samba-tool dbcheck on targetdir reports only 1 error with SID
>> conflicts with our current RID set in CN=RID Set,
> Awesome!
>
>>>>> We can also look into why the in-place upgrade fails.
>>>>>
>>>>> Running 'samba-tool dbcheck --reindex' using the modern version
>>>>> should allow the error to be seen in a more controlled
>>>>> circumstance, and allow raising the debug level etc.
>>>> samba-tool dbcheck (without --reindex) on 4.13 returns
>>>>
>>>> Checked 4287 objects (6449 errors)
>>>>
>>>> mainly
>>>>
>>>> ERROR: incorrect attributeID values in replPropertyMetaData on ...
>>>> ERROR: unsorted attributeID values in replPropertyMetaData on ...
>>>> ERROR: unsorted attributeID values in replPropertyMetaData on ...
>>>>
>>>> but maybe it is because db repacking failed?
>>> No, this is a different thing. These are real bugs at a higher layer,
>>> and while the unsorted attributeIDs are harmless (to samba, will break
>>> windows), the incorrect attributeID may impact on the attempted
>>> replication.
>>>
>>> What happens with the --reindex? (This opens a transaction, which
>>> triggers the re-index, otherwise we just read the old format).
>> reindex failed on same attribute as samba-tool drs clone-dc-database
>>
>> re-indexed database : (1, "reindexing failed:
>> ../../ldb_key_value/ldb_kv_index.c:3048: Failed to re-index kwartzExtID
>> in CN=someuser,CN=Users,DC=my,DC=domaine - Failed to create index key
>> for attribute 'kwartzExtID':Unknown error:Entry @ATTRIBUTES already
>> exists")
>>
>> so I did this:
>>
>> - fixed this attribute values on samba 4.3 server
>>
>> - copy private dir backup to samba 4.13 test server
>>
>> - samba 4.13 then starts successfully with 5 "ldb: Repacking database
>> from v1 to v2 " message in log.samba
>>
>> - directory returns all users and groups (via wbinfo or ldap)
>>
>> BUT
>>
>> samba-tool dbcheck still reports Checked 4204 objects (6365 errors) with
>> in log 3 types of errors:
>>
>> ERROR: incorrect attributeID values in replPropertyMetaData
>>
>> ERROR: unsorted attributeID values in replPropertyMetaData
>>
>> ERROR: linked attribute 'member' is present on deleted object
>>
>> but samba-tool dbcheck --reindex runs successfully [completed re-index OK]
>>
> So now run 'samba-tool dbcheck --cross-ncs --fix --yes' to fix those
> errors.
>
>> do you think AD will be fully functional with this copied data (as for
>> in place upgrade)?
> To be clear, this is an in-place upgrade, as far as Samba is concerned,
> as you copied over the private directory files. So yes, it shows that
> an in-place upgrade on the original server would work.
>
> Just make sure you run that 'samba-tool dbcheck --cross-ncs --fix --yes'
> to tidy up our historical errors in replPropertyMetaData and avoid
> a future duplicate allocation of that rogue SID.
>
> I wish you all the best with your upgrade and encourage a move to a
> fully supported version ASAP, as there are a number of security issues
> still in 4.13 (unless someone other than Samba has been backporting).
>
> Andrew Bartlett
>

--
Arnaud FLORENT
IRIS Technologies
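
Added example, not part of the original thread or of Samba's own tooling: a Python helper that tallies the ERROR classes in saved `samba-tool dbcheck` output and lists the classes that appear only in a later run, as the msDS-HasInstantiatedNCs error did after the upgrade. The sample outputs, DNs and counts are constructed, and the line formats are assumed to match the ones quoted in the messages above.

```python
import re
from collections import Counter

# Summary line as quoted in the thread: "Checked 4287 objects (6449 errors)"
SUMMARY_RE = re.compile(r"Checked (\d+) objects \((\d+) errors\)")
# ERROR line with an optional trailing " on <DN>" (assumed: a DN contains "=")
ERROR_RE = re.compile(r"^ERROR:\s*(.*?)(?:\s+on\s+\S+=.*)?$")


def summarise(output):
    """Return (objects_checked, errors_reported, Counter of error classes)."""
    checked = errors = None
    classes = Counter()
    for line in output.splitlines():
        line = line.strip()
        m = SUMMARY_RE.search(line)
        if m:
            checked, errors = int(m.group(1)), int(m.group(2))
            continue
        m = ERROR_RE.match(line)
        if m:
            classes[m.group(1)] += 1  # DN stripped, so per-object lines group
    return checked, errors, classes


def new_classes(before, after):
    """Error classes seen in the later run but not in the earlier one."""
    return sorted(set(summarise(after)[2]) - set(summarise(before)[2]))


# Constructed sample output: DNs and counts are illustrative, not a real run.
BEFORE = """\
ERROR: incorrect attributeID values in replPropertyMetaData on CN=someuser,CN=Users,DC=my,DC=domaine
ERROR: unsorted attributeID values in replPropertyMetaData on CN=someuser,CN=Users,DC=my,DC=domaine
ERROR: unsorted attributeID values in replPropertyMetaData on CN=Other User,CN=Users,DC=my,DC=domaine
ERROR: linked attribute 'member' is present on deleted object
Checked 3 objects (4 errors)
"""
AFTER = """\
ERROR: unsorted attributeID values in replPropertyMetaData on CN=someuser,CN=Users,DC=my,DC=domaine
ERROR: incorrect instanceType part of Binary DN binary component for msDS-HasInstantiatedNCs
Checked 3 objects (2 errors)
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        checked, errors, classes = summarise(text)
        print(f"{name}: checked={checked} errors={errors}")
        for cls, count in classes.most_common():
            print(f"  {count:5d}  {cls}")
    print("new after upgrade:", new_classes(BEFORE, AFTER))
```

Saving the dbcheck output from before and after the upgrade and comparing the two makes it clear whether a remaining error class is historical or newly detected by the later Samba version.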