TDB corruption on sam.ldb tdb files

[Andrew Bartlett]

On Sat, 2012-09-22 at 14:06 +1200, Andrew Walters wrote:
> Resending as I used a non list subscribed from address previously. Sorry for the duplicate message.
> 
> ----- Original Message -----
> > From: "Andrew Bartlett" <abartlet at samba.org>
> > 
> > I doubt this will work.  As soon as you have to read that failed
> > record, it will fail.  Aside from tdbbackup, we don't have any
> > automatic tools to help here.
> 
> Ok I'll shelve that idea.
> 
> > Have you looked at the binary tdb to work out what the bad magic is?
> 
> Using this as a reference: tdb_rec_read bad magic 0x6863733d at offset=1773572
> failed to copy DC=AD,DC=(domain name).ldb
> 
> Viewing and trying to make sense of the binary content of a file is pushing my level of understanding, but I'll have a go.
> 
> Using ghex2, and going to byte 1773572, I see the it has the value 0x74 which is the letter 't' in a reference to a machine account, CN=(computer name), CN=Computers,DC=(domain name). Byte 1773572 is the 't' in 'Computers'. So it's in the middle of a record. 124-127 bytes earlier is the string "@IDX" so I guess it's part of the index that I'm looking at.
> 
> Between @IDX and the above computer name is one more computer name, and after it are four more computer names, all intact, no unexpected characters. After that is a partial UUID, CN=c88227bc-fcca-4b58 (it stops there).
> 
> 0x6863733d spells out "hcs=", but if I search that file for that phrase I don't get a result.
> 
> Am I looking for the right stuff here?
> 
> Andrew B, would it be worth me sending you the ldb file to have a look at?

I'm always cautious about accepting these, as the files contain quite
sensitive data, but it may come to that.

I've CC'ed rusty, our TDB maintainer, who is keen to help get to the
bottom of this. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org