[PATCH] samba-tool dbcheck: handle missing objectClass

Andrew Bartlett abartlet at samba.org
Fri Feb 28 11:49:32 MST 2014

On Fri, 2014-02-28 at 14:49 +0100, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> please see my inline comments.

Thanks, I can fix that up.  Any comments as to the concept?  Do you
think this is a valid check?

My other theory is that, looking at the bug:
and the code, a different possible cause is is around USNs.

get_nc_changes_build_object() has this code in it:

		/* if the attribute has not changed, and it is not the
		   instanceType then don't include it */
		if (md.ctr.ctr1.array[i].local_usn < highest_usn &&
		    extended_op != DRSUAPI_EXOP_REPL_SECRET &&
		    md.ctr.ctr1.array[i].attid != DRSUAPI_ATTID_instanceType) continue;

The purpose of this chunk is to avoid re-sending changes that the client
already has.  This would be particularly important for jpegPhoto, for

However, if the highest USN the client thought it had seen was actually
higher than the one for which it had seen all objects, then a 'new'
object could be downloaded without all it's attributes.

If that is how this corruption happens, then while disturbing, this also
suggests that the fix is to force re-replication, not to delete the
object, as on at least one DC, the whole correct object exists.  Anyway,
the new assertions in the patches should help with detecting this, as we
won't accept the object without an objectclass any more. 


Does this only happen on domains with additional objectclasses, or also
on domains with stock schema?  Is the corruption across ALL DCs, or just


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba-technical mailing list