Samba4 index errors, and upgrade challenges
oowolabi at qrios.com
Sat Aug 21 01:20:13 MDT 2010
Thank you so very much Matthieu. I guess the answer was right under our noses all the time!
We edited the .ldb files as you advised, but it didn't work until we tracked down and deleted every instance of the problematic CN's index and data (the CN showing up in the log snippet earlier). We believe a power outage on samba4-alpha9 plus a faulty user creation caused this.
We've tried our hands at upgradeprovision, but it didn't work. What we did: copied an existing samba4-alpha12 samba-master folder to the machine, and ran upgradeprovision as you suggested (and as we saw in the help file included in the source4 folder). It appeared to upgrade, but we believe parts of the db didn't upgrade. We had SPNEGO errors when trying to use ADUC to connect to the samba4 instance, and 'unknown username & password' on the WinXP when trying to connect. Unfortunately we are unable to put the logs here right now. We attempted a second time with upgradeprovision, with '--full' but it complains about uncompleted ldb transactions. We ended up reinstalling the alpha9 and replacing etc, private and var directories from backup before it would restart and function properly.
We intend to attempt it again this weekend. But then, do you have any idea why that happened? So sorry about not being able to attach logs, this email is being composed on a handheld.
Thank you again, very, very much, for your help, and we hope to hear from you again!
very best regards,
Sent from my BlackBerry wireless device from MTN
From: Matthieu Patou <mat at samba.org>
Date: Fri, 20 Aug 2010 01:06:13
To: <oowolabi at qrios.com>
Reply-To: mat at samba.org
Cc: Mosebolatan Adetoro<madetoro at qrios.com>; Stefan Metzmacher<metze at SerNet.DE>; <samba-technical at samba.org>; Johannes Loxen<jl at sernet.de>; <samba at SerNet.DE>
Subject: Re: Samba4 index errors, and upgrade challenges
On 19/08/2010 16:50, oowolabi at qrios.com wrote:
> Hi, Matthieu.
> We at Qrios were referred to you by Stefan Metzmacher regarding our issues with samba-4(alpha-9), running on a RHEL 5.3 64-bit server, which we have currently deployed for a friendly company willing to try out open source domain services, in lieu of AD.
> In a nutshell, ADUC (and all other ldap browser tools we have tried to utilize) complains 'an operational error has occurred' (classic MSFT empty error message!), and is unable to enumerate the objects and directories in the domain. Strangely enough, most domain user objects are still searchable and modifiable to a large extent. (It cannot search and find all of them, though.)
> On viewing the samba logs, we see this little snippet when ADUC (and other tools) attempt to browse the tree:
> [Thu Aug 12 20:59:41 2010 WAT, 1 lib/ldb_wrap.c:68:ldb_wrap_debug()]
>> ldb: Invalid data for index CN=Esther O. Tewogbola,DC=skyebankzm,DC=net
> We have found several .ldb files in the /usr/local/samba/private/sam.ldb.d/ directory and discovered which one holds the errant index record. We have tried to delete the index and related ones (this index is for a user that was created badly) using samba-4's tdbtool (after exhaustively searching for any tool that can modify an .ldb file). Deleting the index does not solve the problem.
Well it's highly recommended to use ldbedit/ldbsearch/ldbmodify to
modify ldb files and it's __very__ recommended to modify them under the
control of the samdb (that is to say do something like ldbedit -H
private/sam.ldb rather than ldbedit -H private/sam.ldb.d/DC=sambaorg,
> Stefan informs us you have had such index problems in the last few days and you have been successful in solving them. Can you please share with us what you have been able to do, so we can sanitize the database?
Well I had a couple of index pb last week but they were due to the fact
that ldb wanted to reindex my provision after upgrade.
I made the following patch 2651c2f98841a3521b6893ae5158bbb81832b7ee in
my upgradeprovsion-wip branch on
But I'm pretty sure it won't work for you. My advice is to trash the
index and to force ldb to recreate it.
If I were you here is what I would do:
1) Stop samba
2) Take a backup (or 2) of the samba provision
3) copy 1 backup somewhere else and modify the smb.conf to point to the
folder. Ie if you put the provision in /usr/local/backupprovision, the
file /usr/local/backupprovision/etc/smb.conf must have an entry private
dir with the following content: /usr/local/backupprovision/private, and
a lock dir with the following value /usr/local/backupprovision (modify
also the path for the sysvol and netlogon although not mandatory it's
better that everything is coherent)
4) ldbedit -H /usr/local/backupprovision/private/sam.ldb -o modules:, it
will open the file sam.ldb without loading the modules (otherwise you
have the module loaded and it looks different)
5) Locate the entries @INDEXLIST remove all the IDXATTR entries, save
and exit, this should force samdb to reindex the whole database
6) ldbedit -H /usr/local/backupprovision/private/sam.ldb, it will take
some time as ldb is reindexing your provision (it can take up to 20
minutes for a 20 000 users/contacts/computer provision)
Hopefully it should manage to remove the dirty index and rebuild it. If
not well let me know !
Afterwards, to check that everything is ok, you have to make a search on the
user with a pb:
ldbsearch -H /usr/local/backupprovision/private/sam.ldb -b "CN=Esther
If everything is ok then copy the sam.ldb file and the sam.ldb.d folder
back to the initial place.
> Also, we would like very much to be able to upgrade from alpha-9 to 12, and run samba-4 in at least a replicated (if not completely clustered) mode, in order to accommodate increased connections to the samba-4 service (more users).
I'm not 100% sure I understand your term of replicated/clustered. Do you
speak about file system served by S4? In this case you won't gain much
from using 2 or 3 samba4 servers as it didn't support the clustering
mode (yet) nor ms-dfs for shares different from sysvol and netlogon (these
two are working with ms-dfs). If you speak about Directory services, yes
it can help although I'm surprised that you have problems, how many
users are in your AD? In a normal mode the active directory server is
used with a burst in the morning (when everybody logs in) and then it is
pretty calm unless users are connecting all day long to tons and tons of
servers (so that it will require a lot of verification for the AD).
Well in any case the only good solution is to have replicated DCs
> What we have done in attempting to upgrade was to setup alpha-12 without provisioning, and then rsync -avHk the samba etc and private directories.
As I said the only good solution is to have replicated DCs, here what
you are doing is duplicating the information of the 1st DC so you'll end
with 2 servers with the same server information, it's not too great as
passwords are not replicated and clients can get confused.
> It seems to work, but the logs show that alpha-12 is not altogether happy with that. We've also tried to vampire from 9 to 12, without success(following the howto). Please, what works?
Well show us the log.
Once you have fixed your index you can try upgradeprovision from the git
tree: upgradeprovision -s /usr/local/backupprovision/etc/smb.conf, test
it with a copy of your provision somewhere else, it should work (I've
been able to upgrade my production which is an alpha3 updated to several
milestone up to alpha9/10).
Then try to vampire with the help of the howto.
If needed send email to the samba-technical list or join irc channel on
> Hope to hear from you soon.
> Very best regards,
> Sina Owolabi
> ------Original Message------
> From: Mosebolatan Adetoro
> To: Stefan Metzmacher
> Cc: Johannes Loxen
> Cc: samba at SerNet.DE
> Cc: oowolabi
> Subject: Re: Invalid data for index error [TT#65245]
> Sent: Aug 19, 2010 7:39 AM
> Hi Stefan,
> Thanks for this useful information!
Samba Team http://samba.org
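
Step 3 of the procedure quoted above (pointing the copied provision's smb.conf at the copy, so later ldbedit runs cannot touch the live database), as an added example that is not part of the original thread. The function names and the sample smb.conf are constructed for illustration; /usr/local/samba is assumed to be the live prefix.

```shell
# Added example: retarget a copied provision's smb.conf before editing its ldb files.
# retarget_smbconf CONF OLD NEW: move every parameter value under OLD to NEW.
retarget_smbconf() {
    conf=$1; old=${2%/}; new=${3%/}
    tmp=$(mktemp) || return 1
    awk -v old="$old" -v new="$new" '
        /^[ \t]*[#;]/ { print; next }              # leave comments alone
        {
            eq = index($0, "=")
            if (eq == 0) { print; next }           # section headers, blank lines
            key = substr($0, 1, eq); val = substr($0, eq + 1)
            sub(/^[ \t]+/, "", val)
            # Literal prefix match on a path boundary, so /usr/local/samba
            # does not also match /usr/local/samba4.
            if (val == old || index(val, old "/") == 1)
                val = new substr(val, length(old) + 1)
            print key " " val
        }' "$conf" > "$tmp" && cat "$tmp" > "$conf" && rm -f "$tmp"
}

# no_live_paths CONF OLD: succeed only if no active line still names the live tree.
no_live_paths() {
    awk -v old="${2%/}" '
        /^[ \t]*[#;]/ { next }
        { n = index($0, old); c = substr($0, n + length(old), 1)
          if (n > 0 && (c == "" || c == "/")) bad = 1 }
        END { exit bad + 0 }' "$1"
}

# Constructed sample smb.conf for a live provision in /usr/local/samba.
make_sample_conf() {
    cat > "$1" <<'EOF'
[global]
    private dir = /usr/local/samba/private
    lock dir = /usr/local/samba
    # original install: /usr/local/samba
[sysvol]
    path = /usr/local/samba/var/locks/sysvol
[netlogon]
    path = /usr/local/samba/var/locks/sysvol/scripts
EOF
}
```

Run `no_live_paths` on the copy's smb.conf and continue with the ldbedit steps only when it succeeds.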