How to backup/restore in multiple DCs domain?

Andrew Bartlett abartlet at
Sun Nov 3 23:53:11 MST 2013

On Sun, 2013-11-03 at 14:40 +0800, hyoscar wu wrote:
> Hi list,
>   I refer to do
> backup/restore and my samba4 ADDC machine works well in single-DC domain.
>   My multiple DCs domain test is as below:
>     machineA : samba-4.0.5 , create domain "abc.test"
>     machineB : samba-4.0.5 , join "abc.test" as additional DC.
>     My scenario is machineA failed , I need to restore it.
>     1. After machineB joining, do backup in machineA.
>     2. create some user accounts on machineA and machineB.
>     3. A few minutes later, check database synchronized, both machines
>       have the same user accounts.
>     4. restore machineA.
>     5. A few minutes later, check database synchronized, both machines
>       have the same user accounts.
>   After these 5 steps, machineA gets user accounts from machineB but
> machineA can not work well in many situations. For example, machineA can not
> create a user.
>     # /usr/local/samba/bin/samba-tool user add aaaq pass123 at aaaq
> ERROR(ldb): Failed to add user 'aaaq':  -
> ../lib/ldb/ldb_tdb/ldb_index.c:1199: Failed to re-index objectSid in
> CN=aaaq,CN=Users,DC=ggg,DC=org - ../lib/ldb/ldb_tdb/ldb_index.c:1131:
> unique index violation on objectSid in CN=aaaq,CN=Users,DC=ggg,DC=org
>    I know that I can seize the role on machineB, then rejoin machineA to the
> domain. I have some questions about samba4 backup/restore.
>     1. Is samba4 backup/restore just for single-DC domains?
>     2. If not, what should I do in a multiple-DC domain?
>     3. If machineA failed, what is the best way to recover machineA? Rejoin the
> domain, restore, or any other way?

This is very serious.  It should not be possible to create duplicate
SIDs, and this low-level check is the assertion that we have to ensure
this really does not happen.

Are you able to reproduce this at will?

My best guess is that a RID set allocation was done, and that when
machineA, the RID master, was restored, the RID pool that was (in the
future) allocated to machineB was instead allocated to machineA.

If you allocated a lot of users, and used an earlier version of Samba
4.0 that had a bug around RID pool allocation (it requested them too
often), then this could be even more likely to happen.

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team

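The failure mode Andrew describes, modelled as an added example (not Samba code): a RID master restored from a backup no longer knows about pools it handed out after that backup, so its next allocation reuses a range that another DC already holds. The pool size, starting RID and DC names are assumptions; the overlap check is what a defender would run over the pool ranges each DC claims.

```python
"""Added example: RID-pool overlap after a RID-master restore.

Not Samba's code. POOL_SIZE, the first RID and the DC names are assumptions;
the counter stands in for the RID master's available-pool state."""
from copy import deepcopy

POOL_SIZE = 500  # assumption: RIDs per pool handed out by the RID master


class RidMaster:
    """Minimal RID master: hands out disjoint RID ranges from one counter."""

    def __init__(self, first_rid=1000):
        self.next_rid = first_rid
        self.pools = {}  # dc name -> list of (start, end) ranges it was given

    def allocate_pool(self, dc):
        start, end = self.next_rid, self.next_rid + POOL_SIZE - 1
        self.next_rid = end + 1
        self.pools.setdefault(dc, []).append((start, end))
        return start, end


def overlapping_pools(pools):
    """Return every pair of (dc, range) entries whose RID ranges intersect.
    A non-empty result means two DCs can mint the same objectSid."""
    flat = [(dc, r) for dc, ranges in pools.items() for r in ranges]
    hits = []
    for i, (dc1, (s1, e1)) in enumerate(flat):
        for dc2, (s2, e2) in flat[i + 1:]:
            if s1 <= e2 and s2 <= e1:
                hits.append(((dc1, (s1, e1)), (dc2, (s2, e2))))
    return hits


def restore_scenario():
    """machineA is RID master. Backup, then machineB gets a new pool, then
    machineA is restored from the backup and allocates for itself: the
    restored counter is behind, so the same range is handed out twice."""
    master = RidMaster()
    master.allocate_pool("machineA")
    master.allocate_pool("machineB")
    snapshot = deepcopy(master)                  # step 1: backup of machineA
    b_pool = master.allocate_pool("machineB")    # machineB uses up its pool
    restored = deepcopy(snapshot)                # step 4: machineA restored
    a_pool = restored.allocate_pool("machineA")  # post-restore allocation
    # what is actually in use across the domain after the restore
    in_use = {"machineA": restored.pools["machineA"],
              "machineB": master.pools["machineB"]}
    return a_pool, b_pool, overlapping_pools(in_use)
```

Running `restore_scenario()` shows machineA and machineB both holding the same 500-RID range, which is exactly the state in which the unique-index check on objectSid fires.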