[Samba] Sysvol reset

L.P.H. van Belle belle at bazuin.nl
Wed Sep 11 09:38:44 UTC 2019


Hi Tom, 

A bit late to react here, but this is what I suggest. 

You're on CentOS, that's fine; the primary goal for you is to get the latest packages. 
And these days, just as I do the Debian packages, there is also someone doing CentOS/RHEL packages. 
See the thread with subject "[Samba] Samba 4.10.8 and 4.9.13 for rhel7/centos7 rpms" 

> So do I. The problem I have is what is the command line equivalent of adsi edit?
> If it is ldb search/edit/delete, how does one figure out the correct
> incantation to add/delete/modify things.
> 
> For instance, I have the following record:
> 
> # record 4009
> dn: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
> objectClass: top
> objectClass: site
> cn: Default-First-Site-Name
> instanceType: 4
> whenCreated: 20061005105708.0Z
> whenChanged: 20061005105708.0Z
> uSNCreated: 3742
> showInAdvancedViewOnly: TRUE
> name: Default-First-Site-Name
> objectGUID: 206ddbbb-14cf-4f37-bb66-1f2d07bac717
> systemFlags: 1107296256
> objectCategory: CN=Site,CN=Schema,CN=Configuration,DC=mydomain,DC=com
> uSNChanged: 10210
> msExchServerSiteBL: CN=PHT1,CN=Servers,CN=Exchange Administrative Group (FYDIB
>   OHF23SPDLT),CN=Administrative Groups,CN=MYDOMAIN,CN=Microsoft Exchange,CN=Servi
>   ces,CN=Configuration,DC=mydomain,DC=com
> distinguishedName: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pht
>   ool,DC=com
> 
> Is there a document that explains all of this in a manner that mere mortals can
> understand? 

Yes, https://docs.microsoft.com/  ( ;-) sorry ... ) 

> The above server no longer exists. It died before I could remove it gracefully
> so I am left with a mess that I think the only way to clean it up is to
> remove the remaining records by hand.
> 
Try running: samba-tool domain tombstones expunge

> 
> 
> I normally would not care that these orphaned records are there except that
> when I run samba-tool dbcheck --cross-ncs --fix I get 316 errors and none of
> them get repaired. Most if not all appear to be related to the dead server.
> For the record adsi edit will only let me look at the records. If I try to
> delete/modify anything, I get an error that says "Operation Failed error code
> 0x202c. the server does not support the requested critical extensions"
> 
> In case it is useful in fixing the problem the following is a sample of the output
> of samba-tool dbcheck --cross-ncs --fix:
> 
> WARNING: no target object found for GUID component for cross-partition link otherWellKnownObjects in object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com -
> B:32:A7D2016C83F003458132789EEB127B84:<GUID=5dc1e7ca-2cbc-4318-b250-b7d9126e02f6>;<SID=S-1-5-21-619667644-1604242038-736796184-1619>;CN=Exchange Servers,OU=Microsoft Exchange Security
> Groups,DC=mydomain,DC=com
> Not removing dangling one-way cross-partition link (we might be mid-replication)
> 
> ...
> 
> Fix nTSecurityDescriptor on CN=57428d75-bef7-43e1-938b-2e749f5a8d56,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com? [y/N/all/none] y
> Fixed attribute 'nTSecurityDescriptor' of 'CN=57428d75-bef7-43e1-938b-2e749f5a8d56,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com'
> 
> ...
> 
> Fix nTSecurityDescriptor on CN=RpcServices,CN=System,DC=mydomain,DC=com? [YES]
> Fixed attribute 'nTSecurityDescriptor' of 'CN=RpcServices,CN=System,DC=mydomain,DC=com'
> 
> Checked 9880 objects (316 errors)
> 
> As you can see, it says that it is fixing things, but if I run it again, I get the same results.
> 
> Suggestions?

A few, 

First, I say: ignore these errors and upgrade to the latest 4.10. 
Then, after you have upgraded (use the upgrade steps, 4.8 -> 4.9 -> 4.10), run 
samba-tool domain tombstones expunge again and samba-tool dbcheck --cross-ncs --fix.

If you don't want to upgrade that far, then you could try to remove the faulty records with the Windows tools. 
Clean up the AD-DC data and clean up the AD-DNS data. If you use the Windows tools, enable the advanced view.
And it's a pain, but you must go and check every level/folder record ... etcetera. 
And I know, if you repeat this a few times, you know where to look. 
Then stop/start Samba and check again with samba-tool dbcheck.
If there are records you removed and you're getting these back, then mail the list again. 

I see these are related to links to MS Exchange servers. 
It might be that your schema is extended and you're not able to remove that extended part. 
But I can't tell, I just don't know.

Last, use for example Apache Directory Studio and search manually through LDAP:
https://directory.apache.org/studio/ 
! Do note here: remove the wrong things and you might get more problems.

So make very, very sure you have good backups before you start. 


Greetz, 

Louis
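An added example, not code from the thread or from Samba itself: a small Python script that turns the samba-tool dbcheck output quoted above into a summary. It separates the dangling cross-partition links that dbcheck reports but refuses to remove ("we might be mid-replication") from the attributes it claims to have fixed, groups the missing link targets by their container so you can see where the dead server's objects lived, and, given two consecutive runs, lists the fixes that were reported again the second time (the "run it again, same results" symptom). It assumes dbcheck prints each message on one line, as it does when not wrapped by a mail client; the two sample runs are constructed from the lines quoted in this thread, with the e-mail wrapping undone.

```python
"""Summarise samba-tool dbcheck output and spot fixes that do not stick.

Added example; not samba-tool's own code. Parses the text that
`samba-tool dbcheck --cross-ncs --fix` prints, as quoted in the thread.
"""
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted in the thread with the
# e-mail line wrapping undone (dbcheck prints each message on one line).
RUN_1 = """\
WARNING: no target object found for GUID component for cross-partition link otherWellKnownObjects in object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com - B:32:A7D2016C83F003458132789EEB127B84:<GUID=5dc1e7ca-2cbc-4318-b250-b7d9126e02f6>;<SID=S-1-5-21-619667644-1604242038-736796184-1619>;CN=Exchange Servers,OU=Microsoft Exchange Security Groups,DC=mydomain,DC=com
Not removing dangling one-way cross-partition link (we might be mid-replication)
Fix nTSecurityDescriptor on CN=57428d75-bef7-43e1-938b-2e749f5a8d56,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com? [y/N/all/none] y
Fixed attribute 'nTSecurityDescriptor' of 'CN=57428d75-bef7-43e1-938b-2e749f5a8d56,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com'
Fix nTSecurityDescriptor on CN=RpcServices,CN=System,DC=mydomain,DC=com? [YES]
Fixed attribute 'nTSecurityDescriptor' of 'CN=RpcServices,CN=System,DC=mydomain,DC=com'
Checked 9880 objects (316 errors)
"""

# Second run, identical here: exactly what the thread reports ("if I run it
# again, I get the same results").
RUN_2 = RUN_1

DANGLING_RE = re.compile(
    r"^WARNING: no target object found for GUID component for cross-partition link "
    r"(?P<attr>\S+) in object (?P<dn>.+?) - B:32:[0-9A-Fa-f]+:"
    r"<GUID=(?P<guid>[0-9a-fA-F-]{36})>(?:;<SID=(?P<sid>S-[\d-]+)>)?;(?P<target>.+)$"
)
FIXED_RE = re.compile(r"^Fixed attribute '(?P<attr>[^']+)' of '(?P<dn>[^']+)'$")
NOT_REMOVED_RE = re.compile(r"^Not removing dangling one-way cross-partition link")
CHECKED_RE = re.compile(r"^Checked (?P<objects>\d+) objects \((?P<errors>\d+) errors\)$")


def parse_dbcheck(text):
    """Return a dict with the dangling links, fixed attributes and totals of one run."""
    result = {"dangling": [], "fixed": [], "not_removed": 0, "objects": None, "errors": None}
    for line in text.splitlines():
        line = line.strip()
        m = DANGLING_RE.match(line)
        if m:
            # attr/dn: the object holding the link; guid/sid/target: the missing object
            result["dangling"].append(m.groupdict())
            continue
        m = FIXED_RE.match(line)
        if m:
            result["fixed"].append((m["attr"], m["dn"]))
            continue
        if NOT_REMOVED_RE.match(line):
            result["not_removed"] += 1
            continue
        m = CHECKED_RE.match(line)
        if m:
            result["objects"] = int(m["objects"])
            result["errors"] = int(m["errors"])
    return result


def parent_dn(dn):
    """Container of a DN: drop the first RDN (naive split; escaped commas are not handled)."""
    return dn.split(",", 1)[1] if "," in dn else dn


def dangling_targets_by_container(parsed):
    """Count missing link targets per container, to see where the dead objects lived."""
    return Counter(parent_dn(d["target"]) for d in parsed["dangling"])


def fixes_that_did_not_stick(first, second):
    """(attr, dn) pairs reported as 'Fixed' in both runs: the fix is not persisting."""
    return sorted(set(first["fixed"]) & set(second["fixed"]))


if __name__ == "__main__":
    r1, r2 = parse_dbcheck(RUN_1), parse_dbcheck(RUN_2)
    print(f"run 1: {r1['objects']} objects, {r1['errors']} errors, "
          f"{len(r1['dangling'])} dangling link(s) left in place, {len(r1['fixed'])} fix(es) reported")
    for container, n in dangling_targets_by_container(r1).items():
        print(f"  {n} missing target(s) under {container}")
    for attr, dn in fixes_that_did_not_stick(r1, r2):
        print(f"  fix of {attr} on {dn} reported again in run 2: not persisting")
```

To use it on a real domain, capture two runs (for example `samba-tool dbcheck --cross-ncs --fix --yes > run1.txt` and again into run2.txt) and feed the file contents to parse_dbcheck instead of the constructed samples. A fix that shows up in both runs is one dbcheck cannot make stick, and a dangling-link warning followed by "Not removing" is one dbcheck will never clean up by itself, which is why the thread points at tombstones expunge, an upgrade, or manual removal with backups in hand.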
