Stefan Kania
2023-May-03 08:50 UTC
[Samba] ldbrename does not rename container users CN=Deleted Objects
It had been working up to Samba 4.8 and with the recyclebin active you could restore every attribute, but since 4.9 it's not working anymore

On 02.05.23 at 23:57, Anderson Sampaio Mello via samba wrote:
> Hello everybody.
>
> When a user or group account is deleted, the user or group account is moved
> to CN=Deleted Objects,DC=domain,DC=com
>
> I can find them with the command:
>
> ldbsearch -H ldap://localhost --show-deleted "cn=*DEL:*" -U administrator
>
> Password for [DOMAIN\administrator]:
> # record 1
> dn: CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> instanceType: 4
> whenCreated: 20230502211927.0Z
> uSNCreated: 3716
> objectGUID: f53b71f8-a3e8-4997-bd84-5504235d3b31
> objectSid: S-1-5-21-946835178-2883361477-2519564338-1103
> sAMAccountName: user1
> userAccountControl: 512
> isDeleted: TRUE
> lastKnownParent: CN=Users,DC=domain,DC=com
> isRecycled: TRUE
> cn:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ=
> name:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ=
> whenChanged: 20230502211938.0Z
> uSNChanged: 3720
> distinguishedName: CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com
>
> The user account is inside a container "CN=Deleted Objects", has not been removed.
>
> But if I try to move it to the original OU or container to have the user or
> group account available again using the ldbrename command, the following
> error occurs, for example:
>
> ldbrename -H ldap://localhost --show-deleted "CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com" "CN=user1,CN=Users,DC=domain,DC=com" -U administrator
>
> Password for [DOMAIN\administrator]:
>
> rename of 'CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com' to 'CN=user1,CN=Users,DC=domain,DC=com' failed - LDAP error 32 LDAP_NO_SUCH_OBJECT - <00002030: ldb_wait from ../source4/ldap_server/ldap_backend.c:483 with LDB_WAIT_ALL: No such object (32)> <>
>
> It is possible to recover the user account, in the way that I demonstrated,
> I know that the correct thing is to be careful not to remove user accounts
> or groups, but if it happens due to human error, I would like to have a way
> to rescue this account or group, after all, as I understand it, after
> deleting the user account, it is not removed, but moved and renamed.
>
> The samba version I'm using is 4.17. In the information above I renamed the
> domain name to domain.
>
> I appreciate everyone's attention
Rowland Penny
2023-May-03 10:01 UTC
[Samba] ldbrename does not rename container users CN=Deleted Objects
On 03/05/2023 09:50, Stefan Kania via samba wrote:
> It had been working up to Samba 4.8 and with the recyclebin active you
> could restore every attribute, but since 4.9 it's not working anymore
>

Are you sure it ever worked? I cannot remember it ever working, plus there is the problem that if you did rename a deleted user, most of the original attributes would be missing.

The main problem (renaming wise) is that everything has to be done at once, move the deleted object back to its original position and remove 'isdeleted' etc. If you got this far, you then have the problem of the missing attributes to deal with.

It is probably a lot easier to create a new user.

Rowland
Andrew Bartlett
2023-May-22 20:03 UTC
[Samba] ldbrename does not rename container users CN=Deleted Objects
Sadly the AD recycle bin isn't known to be reliably working in Samba. The main effect that was noticed is that for some reason when enabled, from memory, it caused the object to vanish almost instantly, rather than remain as a tombstone for a time (eg, it did the opposite).

I've had investigating this properly on my wish-list for some time, but it is one of those annoying tasks that I know will be tricky enough not to start without a paying customer (sadly) to cover enough time to both understand it, but also fix and write the automated tests. I don't want this to dissuade others of course, the beauty of open source is that anybody can have a go, and I think this is more likely 'fiddly' than 'difficult', if you get my meaning.

In the meantime, yes, tombstone reanimation, where you supply almost all the attributes again, is meant to work, and is essentially about removing the deleted marker and setting the DN, but in an odd way (not a rename!). See restore_deleted_object() in source4/dsdb/tests/python/tombstone_reanimation.py for some code.

We have a 'samba-tool domain tombstones' command, but with only an 'expunge' subcommand. A 'reanimate' subcommand would be great - I'm sure I remember a script in the past, but I can't find it with a quick glance.

Andrew Bartlett

On Wed, 2023-05-03 at 10:50 +0200, Stefan Kania via samba wrote:
> It had been working up to Samba 4.8 and with the recyclebin active you
> could restore every attribute, but since 4.9 it's not working anymore
>
> On 02.05.23 at 23:57, Anderson Sampaio Mello via samba wrote:
> > Hello everybody.
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
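The reanimation Andrew describes (a single modify that drops the deleted marker and sets the DN while re-supplying attributes, not a rename) and Rowland's point that it all has to happen at once, as an added example that is not code from the thread or from the Samba tree's restore_deleted_object(): it parses the tombstone record quoted above, derives the restore DN from the original RDN plus lastKnownParent, and emits the one LDIF modify. The sample record is constructed from the thread's output; the choice of attributes to re-supply is mine; the refusal of objects with isRecycled TRUE (as in the quoted record) applies the AD rule that a recycled object is past reanimation.

```python
import base64
import re

# Constructed sample, trimmed from the ldbsearch record quoted in the thread; the raw
# string keeps the \0A escape ldbsearch prints for the newline inside the tombstone RDN.
DELETED_RECORD = r"""
dn: CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com
sAMAccountName: user1
userAccountControl: 512
isDeleted: TRUE
lastKnownParent: CN=Users,DC=domain,DC=com
cn:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ==
"""
DELETED_DN = re.compile(r"^(?P<rdn>CN=.+?)\\0ADEL:[0-9a-f-]{36},CN=Deleted Objects,", re.I)

def parse_ldif_record(text):
    """One LDIF record -> {attr: [values]}. 'attr::' values are base64, which is
    why cn/name are base64 above: the tombstone RDN contains a 0x0A byte."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if ":: " in line:
            key, val = line.split(":: ", 1)
            val = base64.b64decode(val + "=" * (-len(val) % 4)).decode()  # tolerate lost '='
        else:
            key, val = line.split(": ", 1)
        attrs.setdefault(key, []).append(val)
    return attrs

def restore_dn(record):
    """Pre-deletion DN = original RDN (the part before the DEL: marker) + lastKnownParent."""
    m = DELETED_DN.match(record["dn"][0])
    if not m or record.get("isDeleted", ["FALSE"])[0] != "TRUE":
        raise ValueError("not a tombstone under CN=Deleted Objects")
    if record.get("isRecycled", ["FALSE"])[0] == "TRUE":  # AD rule: recycled objects cannot be reanimated
        raise ValueError("recycled object: AD does not allow reanimating it")
    return f"{m.group('rdn')},{record['lastKnownParent'][0]}"

def reanimation_ldif(record, restore_attrs=("sAMAccountName", "userAccountControl")):
    """Single LDIF modify (not a rename): drop isDeleted and set distinguishedName in
    one operation, re-supplying attributes the tombstone still carries."""
    lines = [f"dn: {record['dn'][0]}", "changetype: modify", "delete: isDeleted", "-",
             "replace: distinguishedName", f"distinguishedName: {restore_dn(record)}", "-"]
    for attr in restore_attrs:
        for val in record.get(attr, []):
            lines += [f"replace: {attr}", f"{attr}: {val}", "-"]
    return "\n".join(lines) + "\n"
```

Feed the resulting LDIF to ldbmodify against the DC with the same --show-deleted option that ldbsearch and ldbrename take in the thread (assumed here to be shared across the ldb tools), since the tombstone DN does not resolve without it.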