Anderson Sampaio Mello
2023-May-02 21:57 UTC
[Samba] ldbrename does not rename container users CN=Deleted Objects
Hello everybody.

When a user or group account is deleted, the user or group account is moved to CN=Deleted Objects,DC=domain,DC=com

I can find them with the command:

ldbsearch -H ldap://localhost --show-deleted "cn=*DEL:*" -U administrator

Password for [DOMAIN\administrator]:
# record 1
dn: CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
instanceType: 4
whenCreated: 20230502211927.0Z
uSNCreated: 3716
objectGUID: f53b71f8-a3e8-4997-bd84-5504235d3b31
objectSid: S-1-5-21-946835178-2883361477-2519564338-1103
sAMAccountName: user1
userAccountControl: 512
isDeleted: TRUE
lastKnownParent: CN=Users,DC=domain,DC=com
isRecycled: TRUE
cn:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ=
name:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ=
whenChanged: 20230502211938.0Z
uSNChanged: 3720
distinguishedName: CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com

The user account is inside the container "CN=Deleted Objects"; it has not been removed.

But if I try to move it to the original OU or container to have the user or group account available again using the ldbrename command, the following error occurs, for example:

ldbrename -H ldap://localhost --show-deleted "CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com" "CN=user1,CN=Users,DC=domain,DC=com" -U administrator

Password for [DOMAIN\administrator]:

rename of 'CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com' to 'CN=user1,CN=Users,DC=domain,DC=com' failed - LDAP error 32 LDAP_NO_SUCH_OBJECT - <00002030: ldb_wait from ../source4/ldap_server/ldap_backend.c:483 with LDB_WAIT_ALL: No such object (32)> <>

Is it possible to recover the user account in the way that I demonstrated? I know that the correct thing is to be careful not to remove user accounts or groups, but if it happens due to human error, I would like to have a way to rescue this account or group. After all, as I understand it, after deleting the user account, it is not removed, but moved and renamed.

The Samba version I'm using is 4.17. In the information above I renamed the domain name to "domain".

I appreciate everyone's attention.
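As an added example, not code from the thread or from Samba: a small Python reader for the ldbsearch --show-deleted LDIF shown above that decodes the base64 cn, splits off the DEL:<GUID> suffix, rebuilds each tombstone's original DN from lastKnownParent, and flags objects that are already recycled (isRecycled: TRUE, meaning most attributes are gone). The sample record is constructed from the one quoted above, and the decoder tolerates missing base64 padding because the pasted cn value lost one '='.

```python
import base64

# Constructed sample: the deleted-object record that ldbsearch --show-deleted
# printed above (cn:: is base64 because the value holds a newline; as pasted,
# it lost one '=' of padding, which the decoder below tolerates).
SAMPLE_LDIF = """\
# record 1
dn: CN=user1\\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com
objectGUID: f53b71f8-a3e8-4997-bd84-5504235d3b31
sAMAccountName: user1
isDeleted: TRUE
lastKnownParent: CN=Users,DC=domain,DC=com
isRecycled: TRUE
cn:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ=
"""


def decode_b64_lenient(value: str) -> str:
    """Decode an LDIF '::' value, restoring '=' padding lost in copy/paste."""
    value = "".join(value.split())
    return base64.b64decode(value + "=" * (-len(value) % 4)).decode("utf-8")


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: unfolds continuations, skips '#' comments, decodes 'attr:: b64'."""
    records, current = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:  # "" flushes last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, rest = line.partition(":")
            value = decode_b64_lenient(rest[1:]) if rest.startswith(":") else rest.strip()
            current.setdefault(attr, []).append(value)
    return records


def tombstone_summary(record: dict[str, list[str]]) -> dict:
    """Original name/DN of a tombstone, plus whether it is recycled (attributes stripped)."""
    name, _, guid = record["cn"][0].partition("\nDEL:")
    parent = record.get("lastKnownParent", [""])[0]
    return {
        "original_name": name,
        "guid": guid,
        # the GUID in the mangled cn should equal objectGUID; a mismatch means a bad paste
        "guid_matches_objectguid": guid == record.get("objectGUID", [""])[0],
        "original_dn": f"CN={name},{parent}" if parent else "",
        "recycled": record.get("isRecycled", ["FALSE"])[0].upper() == "TRUE",
    }
```

Run tombstone_summary over every record parse_ldif returns to get an inventory of what was deleted, from where, and which entries are past the point where attributes could be recovered.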
Rowland Penny
2023-May-03 07:06 UTC
[Samba] ldbrename does not rename container users CN=Deleted Objects
On 02/05/2023 22:57, Anderson Sampaio Mello via samba wrote:
> Hello everybody.
>
> When a user or group account is deleted, the user or group account is moved to CN=Deleted Objects,DC=domain,DC=com
>
> I can find them with the command:
>
> ldbsearch -H ldap://localhost --show-deleted "cn=*DEL:*" -U administrator
>
> Password for [DOMAIN\administrator]:
> # record 1
> dn: CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> instanceType: 4
> whenCreated: 20230502211927.0Z
> uSNCreated: 3716
> objectGUID: f53b71f8-a3e8-4997-bd84-5504235d3b31
> objectSid: S-1-5-21-946835178-2883361477-2519564338-1103
> sAMAccountName: user1
> userAccountControl: 512
> isDeleted: TRUE
> lastKnownParent: CN=Users,DC=domain,DC=com
> isRecycled: TRUE
> cn:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ=
> name:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ=
> whenChanged: 20230502211938.0Z
> uSNChanged: 3720
> distinguishedName: CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com
>
> The user account is inside the container "CN=Deleted Objects"; it has not been removed.
>
> But if I try to move it to the original OU or container to have the user or group account available again using the ldbrename command, the following error occurs, for example:
>
> ldbrename -H ldap://localhost --show-deleted "CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com" "CN=user1,CN=Users,DC=domain,DC=com" -U administrator
>
> Password for [DOMAIN\administrator]:
>
> rename of 'CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com' to 'CN=user1,CN=Users,DC=domain,DC=com' failed - LDAP error 32 LDAP_NO_SUCH_OBJECT - <00002030: ldb_wait from ../source4/ldap_server/ldap_backend.c:483 with LDB_WAIT_ALL: No such object (32)> <>
>
> Is it possible to recover the user account in the way that I demonstrated? I know that the correct thing is to be careful not to remove user accounts or groups, but if it happens due to human error, I would like to have a way to rescue this account or group. After all, as I understand it, after deleting the user account, it is not removed, but moved and renamed.
>
> The Samba version I'm using is 4.17. In the information above I renamed the domain name to "domain".
>
> I appreciate everyone's attention.

Sorry, but it just doesn't work. Even if you could undelete the user by renaming it, most of that user's attributes wouldn't be restored.

Rowland
Stefan Kania
2023-May-03 08:50 UTC
[Samba] ldbrename does not rename container users CN=Deleted Objects
It had been working up to Samba 4.8, and with the recycle bin active you could restore every attribute, but since 4.9 it's not working anymore.

On 02.05.23 at 23:57, Anderson Sampaio Mello via samba wrote:
> Hello everybody.
>
> When a user or group account is deleted, the user or group account is moved to CN=Deleted Objects,DC=domain,DC=com
>
> I can find them with the command:
>
> ldbsearch -H ldap://localhost --show-deleted "cn=*DEL:*" -U administrator
>
> Password for [DOMAIN\administrator]:
> # record 1
> dn: CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> instanceType: 4
> whenCreated: 20230502211927.0Z
> uSNCreated: 3716
> objectGUID: f53b71f8-a3e8-4997-bd84-5504235d3b31
> objectSid: S-1-5-21-946835178-2883361477-2519564338-1103
> sAMAccountName: user1
> userAccountControl: 512
> isDeleted: TRUE
> lastKnownParent: CN=Users,DC=domain,DC=com
> isRecycled: TRUE
> cn:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ=
> name:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ=
> whenChanged: 20230502211938.0Z
> uSNChanged: 3720
> distinguishedName: CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com
>
> The user account is inside the container "CN=Deleted Objects"; it has not been removed.
>
> But if I try to move it to the original OU or container to have the user or group account available again using the ldbrename command, the following error occurs, for example:
>
> ldbrename -H ldap://localhost --show-deleted "CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com" "CN=user1,CN=Users,DC=domain,DC=com" -U administrator
>
> Password for [DOMAIN\administrator]:
>
> rename of 'CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com' to 'CN=user1,CN=Users,DC=domain,DC=com' failed - LDAP error 32 LDAP_NO_SUCH_OBJECT - <00002030: ldb_wait from ../source4/ldap_server/ldap_backend.c:483 with LDB_WAIT_ALL: No such object (32)> <>
>
> Is it possible to recover the user account in the way that I demonstrated? I know that the correct thing is to be careful not to remove user accounts or groups, but if it happens due to human error, I would like to have a way to rescue this account or group. After all, as I understand it, after deleting the user account, it is not removed, but moved and renamed.
>
> The Samba version I'm using is 4.17. In the information above I renamed the domain name to "domain".
>
> I appreciate everyone's attention.