4.5.0 upgrade samba-tool dbcheck errors

Andrew Bartlett abartlet at samba.org
Mon Oct 24 21:44:53 UTC 2016


On Mon, 2016-10-24 at 18:53 +0100, Rowland Penny wrote:
> On Mon, 24 Oct 2016 20:44:48 +0300
> Sergey Urushkin <urushkin at telros.ru> wrote:
> 
> > > Rowland Penny wrote 2016-10-24 11:32:
> > > On Sat, 22 Oct 2016 09:22:12 +1300
> > > Andrew Bartlett <abartlet at samba.org> wrote:
> > 
> > > > Once a user is removed from a group, the backlink that we use to
> > > > track and catch user renames is taken away.  That means that the
> > > > forward link has no way of knowing, before a dbcheck, that it is
> > > > pointing at the wrong DN.
> > > > 
> > > 
> > > Yes, but the OP isn't removing the user from the group, he is moving
> > > the user to another ou, so I suppose the question is, how?
> > > 
> > 
> > Well, actually I did remove the user from the group that gives the
> > error, but it was before the upgrade to samba 4.5. After reading your
> > comments I've tried to add and then remove users from the groups with
> > errors - and that has fixed all mentioned errors!
> > 
> 
> Removing a user from a group shouldn't produce that error either. You
> remove a user from a group by deleting the 'member' attribute
> containing the user's DN from the group's object, this will also delete
> the 'memberof' line from the user's object. As far as I am aware,
> neither of these deletions should end up tombstoned because they are
> not 'objects'.

The link (the member attribute) also has metadata and is tombstoned for
similar reasons.  In Windows 2000 links were just attributes, but in
2003 and later functional levels, they became more like objects, with
metadata, separate replication and (now implemented in Samba 4.5.1)
logic to expunge them 180 days after a delete.

The backlink is removed directly from the DB on 'delete', which then
impacts on Samba's code that would otherwise keep the DN in the forward
link updated in the tombstone.  That is why moving the user around
'fixes' the error.  

I hope this clarifies things,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   https://catalyst.net.nz/services/samba

More information about the samba-technical mailing list