4.5.0 upgrade samba-tool dbcheck errors

Andrew Bartlett abartlet at samba.org
Fri Oct 21 20:22:12 UTC 2016


On Fri, 2016-10-21 at 15:07 +0300, Sergey Urushkin wrote:
> Tried that patch, tombstones expunge fixed hundreds of errors, thanks!
> But there are several left. They are not about deleted users but about
> moving a user from one OU to another. All errors are the same type.
> Here is an example:
> 
> ERROR: incorrect DN string component for member in object CN=somegroup,OU=someou,DC=domain,DC=ru - <GUID=6569ac84354340438c14f7b8b744754e>;<RMD_ADDTIME=130937027450000000>;<RMD_CHANGETIME=131190924050000000>;<RMD_FLAGS=1>;<RMD_INVOCID=97c8a71070f8c94c9885831ce70a9243>;<RMD_LOCAL_USN=156511>;<RMD_ORIGINATING_USN=156511>;<RMD_VERSION=1>;<SID=0105000000000005150000005828a21103556789021ea743330f0000>;CN=someuser,OU=anotherou,DC=domain,DC=ru
> Not fixing string component mismatch
> 
> Some time ago (a couple of days/weeks, before upgrading to 4.5) "someuser"
> was inside "anotherou", now it is not. When I move "someuser" back to
> that OU the error disappears, but when I move it back to the current OU
> the error appears again.
> 
> I'm not sure if it is a part of the same issue or a completely different
> one, so I wrote this text here, not in 12385.
> 
> Please tell me how I could help to solve this problem.

Once a user is removed from a group, the backlink that we use to track
and catch user renames is taken away.  That means that the forward link
has no way of knowing, before a dbcheck, that it is pointing at the
wrong DN.

So the error is harmless, but if you take the suggested action to 'fix
it', it will either error out or incorrectly restore the group
membership, both of which are not great.

I'll see if I can fix that up to just print a notice in this case, and
not do anything other than confirm the backlink is indeed removed.  We
only need to keep the forward link, and then only the GUID around, and
we can ignore the string. 

Andrew Bartlett

> Andrew Bartlett wrote 2016-10-21 13:16:
> > 
> > On Fri, 2016-10-21 at 11:06 +0300, Sergey Urushkin wrote:
> > > 
> > > Hello!
> > > 
> > > We run dbcheck every week by cron, and parse output like this:
> > >    grep -q 'Checked [0-9]* objects (0 errors)'
> > > Since upgrading to 4.5 we have exactly the same issue, so this check
> > > is broken now. That would be great if we could fix these errors
> > > manually or at least have the ability to skip them while checking.
> > > 
> > > Thanks for attention!
> > 
> > Please see https://bugzilla.samba.org/show_bug.cgi?id=12385
> > 
> > That patch (on master or v4-5-test) should fix the issue, once you run
> > 'samba-tool domain tombstones expunge' from the built tree (no need to
> > install it).  Please confirm by advising us on the bug, so we can push
> > this to master and then to 4.5 (sadly probably too late for 4.5.1).
> > 
> > Thanks,
> > 
> > Andrew Bartlett
> 
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
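
Added example (not part of the original message and not Samba code): a triage of dbcheck output for the weekly cron check discussed in this thread, separating string-component mismatches on removed links from every other error. It assumes bit 0 of RMD_FLAGS marks a removed link and that each counted error prints one ERROR line; the sample output is constructed from the error quoted above.

```python
import re

# Constructed sample modelled on the dbcheck error quoted in this thread.
SAMPLE = """\
ERROR: incorrect DN string component for member in object CN=somegroup,OU=someou,DC=domain,DC=ru - <GUID=6569ac84354340438c14f7b8b744754e>;<RMD_ADDTIME=130937027450000000>;<RMD_FLAGS=1>;<RMD_VERSION=1>;CN=someuser,OU=anotherou,DC=domain,DC=ru
Not fixing string component mismatch
ERROR: incorrect DN string component for member in object CN=othergroup,OU=someou,DC=domain,DC=ru - <GUID=00112233445566778899aabbccddeeff>;<RMD_FLAGS=0>;CN=liveuser,OU=oldou,DC=domain,DC=ru
Not fixing string component mismatch
Checked 3421 objects (2 errors)
"""

RMD_FLAG_DELETED = 0x1  # assumption: bit 0 of RMD_FLAGS marks a removed link

ERR_RE = re.compile(r"^ERROR: incorrect DN string component for (\S+) in object (.+?) - (<.+)$")
COMPONENT_RE = re.compile(r"<([A-Z_]+)=([^>]*)>;")
SUMMARY_RE = re.compile(r"^Checked (\d+) objects \((\d+) errors\)$")

def parse_extended_dn(ext_dn):
    """Split '<K=V>;<K=V>;CN=...' into (components dict, string DN)."""
    comps = dict(COMPONENT_RE.findall(ext_dn))
    return comps, COMPONENT_RE.sub("", ext_dn)

def triage(output):
    """Return (harmless, actionable, reported_error_count) for one dbcheck run."""
    harmless, actionable, reported = [], [], None
    for line in output.splitlines():
        m = ERR_RE.match(line)
        summary = SUMMARY_RE.match(line)
        if m:
            attr, obj, ext_dn = m.groups()
            comps, string_dn = parse_extended_dn(ext_dn)
            deleted = int(comps.get("RMD_FLAGS", "0")) & RMD_FLAG_DELETED
            entry = (obj, attr, comps.get("GUID"), string_dn)
            # A stale string DN on a removed link is the harmless case described above.
            (harmless if deleted else actionable).append(entry)
        elif line.startswith("ERROR"):
            actionable.append((None, None, None, line))  # any other error needs a human
        elif summary:
            reported = int(summary.group(2))
    return harmless, actionable, reported

def run_is_clean(output):
    """True only if every counted error is a stale string on a removed link.
    Fails closed: a missing summary or an unaccounted error means not clean."""
    harmless, actionable, reported = triage(output)
    return reported is not None and not actionable and reported == len(harmless)
```

In the cron job this would replace the `grep -q` test; the harmless entries are reported rather than passed to a dbcheck fix run.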



