Need urgent help with samba4 DC re-join

Andrew Bartlett abartlet at samba.org
Mon Oct 1 19:21:43 MDT 2012


On Tue, 2012-09-25 at 10:10 +0200, Andreas Oster wrote:
> On 08.09.2012 12:17, Andreas Oster wrote:
> > On 22.08.2012 13:36, Andrew Bartlett wrote:
> >> On Wed, 2012-08-01 at 20:28 +0200, Andreas Oster wrote:
> >>> On 01.08.2012 15:34, Andrew Bartlett wrote:
> >>>> On Wed, 2012-08-01 at 23:28 +1000, Andrew Bartlett wrote:
> >>>>> On Wed, 2012-08-01 at 13:30 +0200, Andreas Oster wrote:
> >>>>>> On 18.07.2012 08:03, Andrew Bartlett wrote:
> >>>>>>> On Wed, 2012-07-18 at 07:10 +0200, Andreas Oster wrote:
> >>>>>>>
> >>>>>>>> Hello Andrew,
> >>>>>>>>
> >>>>>>>> unfortunately dbcheck did not work. The following error messages showed up:
> >>>>>>>>
> >>>>>>>> ERROR: wrong instanceType 11 on DC=DomainDnsZones,DC=novanetwork,DC=loc, should be 13
> >>>>>>>> ERROR(<type 'exceptions.AttributeError'>): uncaught exception - 'dbcheck' object has no attribute 'modify_instancetype'
> >>>>>>>>   File
> >>>>>>>
> >>>>>>> Thanks.  I've updated my branch with what I hope will be a fix.  This
> >>>>>>> time I've modified a local DB to replicate your error condition, and
> >>>>>>> confirmed it all works.
> >>>>>>>
> >>>>>>> However, it will only allow the instanceType to be changed, the
> >>>>>>> objectClass can't be fixed yet.  But if you can confirm what I have so
> >>>>>>> far works for you, I'll see what I can do about the rest.
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>>
> >>>>>>> Andrew Bartlett
> >>>>>>>
> >>>>>> Hello Andrew,
> >>>>>>
> >>>>>> any news regarding adding some code to dbcheck to fix the objectClass
> >>>>>> issue in my samba4 setup ?
> >>>>>>
> >>>>>> Thank you very much.
> >>>>>
> >>>>> You have been incredibly patient over the past more than a month on this
> >>>>> issue.  I've not had a chance to look into this properly.  
> >>>>>
> >>>>> As to getting your specific database out of this specific situation,
> >>>>> this might work (on a backup!):
> >>>>>
> >>>>> Run (change for your domain):
> >>>>>
> >>>>>  ldbedit -H private/sam.ldb.d/DC=DOMAINDNSZONES,DC=SAMBA,DC=EXAMPLE,DC=COM.ldb \
> >>>>>    -s base -b DC=DomainDnsZones,DC=samba,DC=example,DC=com
> >>>>>
> >>>>> Change the object to have:
> >>>>> dn: DC=DomainDnsZones,DC=samba,DC=example,DC=com
> >>>>> objectClass: top
> >>>>> objectClass: domain
> >>>>> objectClass: domainDNS
> >>>>> description: Microsoft DNS Directory
> >>>>> instanceType: 13
> >>>>
> >>>> Even better would be to use ldbmodify and create a 'replace' ldif, at
> >>>> least on objectClass.  Then re-do the same thing on the sam.ldb (which
> >>>> once the DB is correct, will allow the metadata to be updated). 
> >>>>
> >>>>> Then run:
> >>>>>
> >>>>>  samba-tool dbcheck -H private/sam.ldb --cross-ncs --reindex
> >>>>>  samba-tool dbcheck -H private/sam.ldb --cross-ncs
> >>>>>
> >>>>> This will ensure the indexes and replPropertyMetaData are updated after
> >>>>> this generally NOT RECOMMENDED action of editing the raw database.
> >>>>
> >>>> I don't like suggesting editing the raw backend ldb files, but I do feel
> >>>> I've left you hanging on for a more automated solution for too long
> >>>> now. 
> >>>>
> >>>> Andrew Bartlett
> >>>>
> >>> Hello Andrew,
> >>>
> >>> changing/adding the objectClass values did work. The only remaining
> >>> difference is the objectCategory. In my setup I have:
> >>>
> >>> objectCategory: CN=Top,CN=Schema,CN=Configuration,DC=novanetwork,DC=loc
> >>>
> >>> but I think it should be:
> >>>
> >>> objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=novanetwork,DC=loc
> >>>
> >>> is this something that needs to be fixed ?
> >>
> >> It probably should be.  Can you just edit it (perhaps with --relax)?
> >>
> >> If not, what I need is to find the rules (probably in MS-ADTS
> >> http://download.microsoft.com/download/a/e/6/ae6e4142-aa58-45c6-8dcf-a657e5900cd3/%5BMS-ADTS%5D.pdf
> >> that tells me what objectCategory is valid for any set of objectClasses.
> >> I can then find that this value is wrong, and correct it in dbcheck.)
> >>
> >> Andrew Bartlett
> >>
> > Hello Andrew,
> > 
> > I have tried to change the objectClass manually but failed to do so
> > because of the following error:
> > 
> > ../bin/ldbedit --relax -H sam.ldb -s base -b dc=domaindnszones,DC=novanetwork,DC=loc
> > 
> > failed to modify DC=DomainDnsZones,DC=novanetwork,DC=loc - objectclass_attrs: attribute 'dc' on entry 'DC=DomainDnsZones,DC=novanetwork,DC=loc' does not exist in the specified objectclasses!
> > 
> > 
> > 
> > I have tried to add the following:
> > 
> > objectClass: domain
> > objectClass: domainDNS
> > 
> > and tried to change:
> > objectCategory: CN=Top,CN=Schema,CN=Configuration,DC=novanetwork,DC=loc
> > 
> > to
> > 
> > objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=novanetwork,DC=loc
> > 
> > 
> > This is what I have at the moment in the productive system
> > (about the same for ForestDnsZones):
> > 
> > # editing 1 records
> > # record 1
> > dn: DC=DomainDnsZones,DC=novanetwork,DC=loc
> > description: Microsoft DNS Directory
> > uSNCreated: 4050
> > name: DomainDnsZones
> > objectGUID: a1e40623-4805-4e11-9471-9cb0b49b1dc8
> > msDS-NcType: 0
> > dc: DomainDnsZones
> > wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=Doma
> >  inDnsZones,DC=novanetwork,DC=loc
> > wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=
> >  DomainDnsZones,DC=novanetwork,DC=loc
> > wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=D
> >  omainDnsZones,DC=novanetwork,DC=loc
> > wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=Dom
> >  ainDnsZones,DC=novanetwork,DC=loc
> > msDs-masteredBy: CN=NTDS Settings,CN=NOVADC01,CN=Servers,CN=Standardname-des-e
> >  rsten-Standorts,CN=Sites,CN=Configuration,DC=novanetwork,DC=loc
> > objectClass: top
> > whenCreated: 20120422140706.0Z
> > objectCategory: CN=Top,CN=Schema,CN=Configuration,DC=novanetwork,DC=loc
> > instanceType: 13
> > whenChanged: 20120908101317.0Z
> > uSNChanged: 91627
> > distinguishedName: DC=DomainDnsZones,DC=novanetwork,DC=loc
> > 
> > 
> > This is what I have on my test system:
> > 
> > # editing 1 records
> > # record 1
> > dn: DC=DomainDnsZones,DC=novanetwork,DC=loc
> > objectClass: top
> > objectClass: domain
> > objectClass: domainDNS
> > description: Microsoft DNS Directory
> > instanceType: 13
> > whenCreated: 20120603170244.0Z
> > uSNCreated: 3620
> > name: DomainDnsZones
> > objectGUID: 02e8e887-eced-4501-bee8-40a3f777e27d
> > objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=novanetwork,DC=loc
> > msDS-NcType: 0
> > dc: DomainDnsZones
> > wellKnownObjects: B:32:6227F0AF1FC2410D8E3BB10615BB5B0F:CN=NTDS Quotas,DC=Doma
> >  inDnsZones,DC=novanetwork,DC=loc
> > wellKnownObjects: B:32:18E2EA80684F11D2B9AA00C04F79F805:CN=Deleted Objects,DC=
> >  DomainDnsZones,DC=novanetwork,DC=loc
> > wellKnownObjects: B:32:2FBAC1870ADE11D297C400C04FD8D5CD:CN=Infrastructure,DC=D
> >  omainDnsZones,DC=novanetwork,DC=loc
> > wellKnownObjects: B:32:AB8153B7768811D1ADED00C04FD8D5CD:CN=LostAndFound,DC=Dom
> >  ainDnsZones,DC=novanetwork,DC=loc
> > whenChanged: 20120603170245.0Z
> > uSNChanged: 3632
> > msDs-masteredBy: CN=NTDS Settings,CN=NOVADC01,CN=Servers,CN=Default-First-Site
> >  -Name,CN=Sites,CN=Configuration,DC=novanetwork,DC=loc
> > msDs-masteredBy: CN=NTDS Settings,CN=NOVADC02,CN=Servers,CN=Default-First-Site
> >  -Name,CN=Sites,CN=Configuration,DC=novanetwork,DC=loc
> > distinguishedName: DC=DomainDnsZones,DC=novanetwork,DC=loc
> > 
> > 
> > Thank you for your kind help
> > 
> > best regards
> > 
> > Andreas
> > 
> > 
> Hello Andrew,
> 
> unfortunately I am not able to fix this issue by myself and hope that
> you can help me to finally resolve it. Thanks to your kind help the
> wrong instanceType has been fixed but I am still not able to re-join a
> demoted DC to the primary DC because of the messed up objectClasses.
> 
> Thank you for your patience and kind help

This is what I did on my test database (I just used the one from make
test):

[abartlet@jesse samba]$ bin/ldbmodify -H st/dc//private/sam.ldb.d/DC\=DOMAINDNSZONES\,DC\=SAMBA\,DC\=EXAMPLE\,DC\=COM.ldb < fix-dns.ldif
Modified 1 records successfully
[abartlet@jesse samba]$ bin/samba-tool dbcheck -H st/dc/private/sam.ldb --cross-ncs --fix
Checking 3427 objects
ERROR: missing GUID component for objectCategory in object DC=DomainDnsZones,DC=samba,DC=example,DC=com - CN=Domain-DNS,CN=Schema,CN=Configuration,DC=SAMBA,DC=EXAMPLE,DC=COM
Change DN to <GUID=bf75dcc6-0751-4b2a-88c1-72c163b79b13>;CN=Domain-DNS,CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com? [y/N/all/none] y
Fixed missing GUID on attribute objectCategory
Checked 3427 objects (1 errors)
[abartlet@jesse samba]$ bin/samba-tool dbcheck -H st/dc/private/sam.ldb --cross-ncs --fix --reindex

It is normally not recommended to edit the files in sam.ldb.d, but this
is a special case and so there is no other way to override the normal
checks.

Naturally, you will need to modify the commands and ldif to suit your
db.

I'm sorry it took so long to get back to you with this.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: fix-dns.ldif
Type: text/x-ldif
Size: 230 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121002/9967aecc/attachment.bin>
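
Added example, not part of the original post and not Samba code: a Python check that unfolds an ldbsearch/ldbedit record and compares the DomainDnsZones head object against the objectClass, instanceType and objectCategory values quoted in the thread, for use on a backup before and after the raw edit. The function names, the `forest_dn` parameter and the abridged sample records are assumptions constructed from the records shown above.

```python
# Added example, not Samba code. Expected values are the ones quoted in the thread.
EXPECTED_CLASSES = ("top", "domain", "domainDNS")

def parse_ldif_record(text):
    """Unfold LDIF continuation lines and return {lowercased attr: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line: drop the one leading space
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    record = {}
    for line in lines:
        attr, _, value = line.partition(":")
        record.setdefault(attr.strip().lower(), []).append(value.lstrip(": ").strip())
    return record

def check_nc_head(record, forest_dn):
    """Return a list of problems; an empty list means the record matches."""
    problems = []
    have = {c.lower() for c in record.get("objectclass", [])}
    missing = [c for c in EXPECTED_CLASSES if c.lower() not in have]
    if missing:
        problems.append("objectClass missing: " + ", ".join(missing))
    if record.get("instancetype") != ["13"]:
        problems.append("instanceType is %s, expected 13" % record.get("instancetype"))
    want = "CN=Domain-DNS,CN=Schema,CN=Configuration," + forest_dn
    category = (record.get("objectcategory") or [""])[0]
    # After dbcheck --fix the value reads "<GUID=...>;CN=..."; compare the DN part only.
    if category.split(";")[-1].lower() != want.lower():
        problems.append("objectCategory is %r, expected %s" % (category, want))
    return problems

# Constructed samples, abridged from the two records shown in the thread.
PRODUCTION = """\
objectClass: top
objectCategory: CN=Top,CN=Schema,CN=Configuration,DC=novanetwork,DC=loc
instanceType: 13
"""
TEST_SYSTEM = """\
objectClass: top
objectClass: domain
objectClass: domainDNS
objectCategory: CN=Domain-DNS,CN=Schema,CN=Configuration,DC=novanetw
 ork,DC=loc
instanceType: 13
"""
if __name__ == "__main__":
    for name, ldif in (("production", PRODUCTION), ("test", TEST_SYSTEM)):
        print(name, check_nc_head(parse_ldif_record(ldif), "DC=novanetwork,DC=loc"))
```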

