4.5.0 upgrade samba-tool dbcheck errors

Rowland Penny repenny241155 at gmail.com
Mon Oct 24 08:32:29 UTC 2016 

On Sat, 22 Oct 2016 09:22:12 +1300
Andrew Bartlett <abartlet at samba.org> wrote:

> On Fri, 2016-10-21 at 15:07 +0300, Sergey Urushkin wrote:
> > Tried that patch, tombstones expunge fixed hundreds of errors,
> > thanks! 
> > But there are several left. They are not about deleted users but
> > about 
> > moving user from one OU to another. All errors are the same type.
> > Here are an example:
> > 
> > ERROR: incorrect DN string component for member in object 
> > CN=somegroup,OU=someou,DC=domain,DC=ru - 
> > <GUID=6569ac84354340438c14f7b8b744754e>;<RMD_ADDTIME=1309370274500000
> > 00>;<RMD_CHANGETIME=131190924050000000>;<RMD_FLAGS=1>;<RMD_INVOCID=97
> > c8a71070f8c94c9885831ce70a9243>;<RMD_LOCAL_USN=156511>;<RMD_ORIGINATI
> > NG_USN=156511>;<RMD_VERSION=1>;<SID=0105000000000005150000005828a2110
> > 3556789021ea743330f0000>;CN=someuser,OU=anotherou,DC=domain,DC=ru
> > Not fixing string component mismatch
> > 
> > Some time ago (couple of days/weeks, before upgrading to 4.5)
> > "someuser" 
> > was inside "anotherou", now it is not. When I move "someuser" back
> > to 
> > that OU error disappears, but when I move it back to the current OU
> > the 
> > error appears again.
> > 
> > I'm not sure if it is a part of the same issue or completely
> > another, so 
> > I wrote this text here, not in 12385.
> > 
> > Please, tell me how could I help to solve this problem.
> 
> Once a user is removed from a group, the backlink that we use to track
> and catch user renames is taken away.  That means that the forward
> link has no way of knowing, before a dbcheck, that it is pointing at
> the wrong DN.
> 

Yes, but the OP isn't removing the user from the group, he is moving
the user to another ou, so I suppose the question is, how?

It should be done by a 'rename' operation and this should not only
change the users 'dn' and 'distinguishedName' attributes, it should
also update the users 'member' attribute in the groups object.

i.e.

User 'testuser2' is a member of 'TestGroup', move the user from
'CN=Users' to 'OU=tetsou'

samba-tool user move testuser2 --newou=testou

Before the move the attributes that change, looked like this:

dn: CN=testuser2,CN=Users,DC=samdom,DC=example,DC=com
whenChanged: 20161023123820.0Z
uSNChanged: 44471
distinguishedName: CN=testuser2,CN=Users,DC=samdom,DC=example,DC=com

and after:

dn: CN=testuser2,OU=testou,DC=samdom,DC=example,DC=com
whenChanged: 20161024081015.0Z
uSNChanged: 44519
distinguishedName: CN=testuser2,OU=testou,DC=samdom,DC=example,DC=com

The relevant line in the group object before the move:

member: CN=testuser2,CN=Users,DC=samdom,DC=example,DC=com

and after:

member: CN=testuser2,OU=testou,DC=samdom,DC=example,DC=com

So how is the user getting a deleted object for something that
shouldn't be a deleted object ?

Rowland

More information about the samba-technical mailing list