On Wed, 17 Jul 2024 21:46:35 +0200
Heiko Robert via samba <samba at lists.samba.org> wrote:

> >> The only additional output I get from running with debug
> >>
> >> samba-tool dbcheck --cross-ncs --fix -d 10
> >>
> >> is
> >>
> >> ndr_pull_dom_sid: ndr_pull_error(Range Error): value out of range
> >> at ../../librpc/ndr/ndr_sec_helper.c:329
>
> OK I think I'm at least a small step further.
>
> I realized that tdbbackup failed on
> 'DC=DOMAINDNSZONES,DC=COMPANY,DC=INTRA.ldb'
>
> trying to restore a tdbdump failed due to a duplicate key error. I
> removed that dup key row and finally was able to tdbrestore and then
> tdbbackup all databases.
>
> I created a domain offline backup via samba-tool and restored the
> domain to a new system.
>
> Trying to join a DC to the restored domain now fails with
>
> DSDB Transaction [rollback] at [Wed, 17 Jul 2024 19:14:50.831149 UTC]
> duration [21734458]
> {"timestamp": "2024-07-17T19:14:50.831313+0000", "type":
> "dsdbTransaction", "dsdbTransaction": {"version": {"major": 1,
> "minor": 0}, "action": "rollback", "transactionId":
> "cc9ca6f6-d507-42bb-bd21-b8b24ac4c3e2", "duration": 21734458}}
> Join failed - cleaning up
> ldb_wrap open of secrets.ldb
> Could not find machine account in secrets database: Failed to fetch
> machine account password for COMPANY from both secrets.ldb (Could not
> find entry to match filter:
> '(&(flatname=COMPANY)(objectclass=primaryDomain))' base: 'cn=Primary
> Domains': No such object: dsdb_search at
> source4/dsdb/common/util.c:5435) and from
> /var/lib/samba/private/secrets.tdb: NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>
> dumping the secrets.tdb I can find
> key(30) = "SECRETS/MACHINE_PASSWORD/COMPANY"
>
> any hint is highly welcome
>

Anything after the 'Join failed' can be ignored, it is just an
artefact of the cleanup.

I posted this:

Do not remove the existing database, well not unless you want to
recreate your domain.

I will amend it:

Do not touch 'DC=DOMAINDNSZONES,DC=COMPANY,DC=INTRA.ldb' (or any of the
other files in the same directory) directly, do all changes through
sam.ldb, otherwise you have a very good risk of further damaging your
database.

Rowland

> Anything after the 'Join failed' can be ignored, it is just an
> artefact of the cleanup.
>
> I posted this:
>
> Do not remove the existing database, well not unless you want to
> recreate your domain.
>
> I will amend it:
>
> Do not touch 'DC=DOMAINDNSZONES,DC=COMPANY,DC=INTRA.ldb' (or any of the
> other files in the same directory) directly, do all changes through
> sam.ldb, otherwise you have a very good risk of further damaging your
> database.
>
> Rowland

Hey Rowland,

thanks for your feedback. I did this on a cloned system. Original system
is still untouched but I have no idea how to work around the initial
issue not being able to do a dbcheck or join since something fundamental
seems to be broken for this toolchain.

The reason I touched the files in the private dir was that even the
offline backup failed on this database.

I'm afraid I have to recreate the domain from scratch unless you have a
better idea?

sudo samba-tool dbcheck --cross-ncs -d 5 --fix
Checking 3637 objects
ndr_pull_dom_sid: ndr_pull_error(Range Error): value out of range at ../../librpc/ndr/ndr_sec_helper.c:329
ERROR(ldb): uncaught exception - ldb_wait from (null) with LDB_WAIT_ALL: Operations error (1)
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/dbcheck.py", line 169, in run
    error_count = chk.check_database(DN=DN, scope=search_scope,
  File "/usr/lib/python3/dist-packages/samba/dbchecker.py", line 255, in check_database
    error_count += self.check_object(object.dn, requested_attrs=attrs)
  File "/usr/lib/python3/dist-packages/samba/dbchecker.py", line 2310, in check_object
    res = self.samdb.search(base=dn, scope=ldb.SCOPE_BASE,

Thanks for your patience and help

Heiko