Recover deleted objects

Stefan Kania stefan at kania-online.de
Fri Aug 17 11:56:57 UTC 2018



On 16.08.2018 at 23:52, William Brown via samba-technical wrote:
> On Thu, 2018-08-16 at 21:20 +0200, Stefan Kania via samba-technical
> wrote:
>> Hello everyone,
>> maybe my problem is more technical, or maybe it is a bug? I could not
>> find anything.
>> I am trying to recover a deleted object. My setup:
>> Debian 9
>> bind9
>> samba 4.8.3 the packages from Louis van Belle
>>
>> I created a user:
>> root at sambabuch:~# samba-tool user create del-ohne-bin
>> then I deleted the user:
>> root at sambabuch:~# samba-tool user delete del-ohne-bin
>>
>> Then I searched for the deleted object:
>> ----------------
>> root at sambabuch:~# ldbsearch -H ldap://sambabuch -k yes --show-deleted
>> cn=del-ohne-bin\\0ADEL:*
>> # record 1
>> dn:
>> CN=del-ohne-bin\0ADEL:b16268e9-cba7-4a00-8261-993845df2b30,CN=Deleted
>> Objects,DC=example,DC=net
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> .
>> .
>> .
>> ----------------
>>
>> Then I tried to rename the deleted object:
>> ----------------
>> root at sambabuch:~# ldbrename -H ldap://sambabuch -k yes --show-deleted
>> 'CN=del-ohne-bin\0ADEL:b16268e9-cba7-4a00-8261-
>> 993845df2b30,CN=Deleted
>> Objects,DC=example,DC=net' "cn=del-ohne-
>> bin,cn=users,dc=example,dc=net"
>> rename of
>> 'CN=del-ohne-bin\0ADEL:b16268e9-cba7-4a00-8261-
>> 993845df2b30,CN=Deleted
>> Objects,DC=example,DC=net' to
>> 'cn=del-ohne-bin,cn=users,dc=example,dc=net' failed - LDAP error 32
>> LDAP_NO_SUCH_OBJECT -  <00002030: ldb_wait from
>> ../source4/ldap_server/ldap_backend.c:486 with LDB_WAIT_ALL: No such
>> object (32)> <>
>>
>> ----------------
>> And as you can see LDAP error 32 :-(
>>
>> Now it is getting really strange. If I try to find the deleted object with
>> its full DN, I get this result:
>> -----------------
>> root at sambabuch:~# ldbsearch -H ldap://sambabuch -k yes --show-deleted
>> 'CN=del-ohne-bin\0ADEL:b16268e9-cba7-4a00-8261-
>> 993845df2b30,CN=Deleted
>> Objects,DC=example,DC=net'
>> # Referral
>> ref: ldap://example.net/CN=Configuration,DC=example,DC=net
>>
>> # Referral
>> ref: ldap://example.net/DC=DomainDnsZones,DC=example,DC=net
>>
>> # Referral
>> ref: ldap://example.net/DC=ForestDnsZones,DC=example,DC=net
>>
>> # returned 3 records
>> # 0 entries
>> # 3 referrals
>> -----------------
>> So as soon as I use "CN=Deleted Objects" with ldbsearch or ldbrename
>> the
>> object is not found anymore. I tried it with a backslash before the
>> blank, but it's the same.
>>
>> So my question: is it not possible anymore to recover deleted objects?
>> Or is there just a different way?
> 
> Hi there,
> 
> If I recall, deleted objects is used for the replication process to
> make the deletion simpler across masters.
> 
> On a single master, this means that the deleted object itself may be
> purged very quickly - and you certainly shouldn't try to tamper with it
> and delete the deleted object as that may affect replication
> consistency!
> 
The time a deleted object can still be recovered is a variable inside
the configuration of the AD.

> As well, schema defines rules as to what attributes are kept on a
> deleted object, so the object may not even be consistent with schema
> anymore.
After renaming (and moving the object to its original place) you have
to edit the object before you can reuse it. I know that ;-)
> 
> A better idea would be to read the attributes back from the object and
> create a new one based on it's data.
> 
But if you do so, you can't get the same SID for the new object. It
works up to Samba 4.3 (that was the last time I tried). Getting back the
old SID is why it's so important to recycle a deleted object.

> Better again would be to enable the object recycle bin, however, I am
> not sure if S4 supports the recycle bin, so this may be something to
> check with the team proper. 

Yes, you can activate the recycle bin, then you get all the attributes
from the deleted object. Without the recycle bin you will just get the
most important attributes.

So I still don't know whether Samba supports this recovery in the current
version or not.

Stefan
> 
> Hope that helps,
> 
> 
>>
>>
>> Stefan
>>
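
As an added illustration, not commands from the thread: the tombstone DN shape the thread is fighting with (RDN "<name>\0ADEL:<objectGUID>" under CN=Deleted Objects, where \0A is the RFC 4514 hex escape for a line feed) and the RFC 4514/4515 escaping needed to search for it and to build the restore target DN. The sample DN is constructed from the one quoted above; nothing here contacts a directory server.

```python
import re
import uuid

# Constructed sample, same shape as the tombstone DN quoted in the thread.
TOMBSTONE_DN = ("CN=del-ohne-bin\\0ADEL:b16268e9-cba7-4a00-8261-993845df2b30,"
                "CN=Deleted Objects,DC=example,DC=net")
HEX = "0123456789abcdefABCDEF"


def unescape_dn_value(value: str) -> str:
    """Decode RFC 4514 escapes (\\XX hex pairs, backslash-quoted specials) to text."""
    buf, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX and pair[1] in HEX:
                buf.append(int(pair, 16))          # hex pair -> one raw byte
                i += 3
            else:
                buf.extend(value[i + 1].encode())  # quoted special character
                i += 2
        else:
            buf.extend(value[i].encode())
            i += 1
    return buf.decode("utf-8")


def parse_tombstone_dn(dn: str):
    """Return (original name, objectGUID, parent container) of a deleted-object DN."""
    rdn, *rest = re.split(r"(?<!\\),", dn)       # split on unescaped commas only
    attr, _, raw = rdn.partition("=")
    value = unescape_dn_value(raw)
    if attr.upper() != "CN" or "\nDEL:" not in value:
        raise ValueError("not an AD tombstone RDN: %r" % rdn)
    name, guid = value.split("\nDEL:", 1)
    return name, str(uuid.UUID(guid)), ",".join(rest)


def escape_filter_value(text: str) -> str:
    """RFC 4515 escaping: specials, control and non-ASCII bytes become \\XX."""
    return "".join("\\%02X" % b if b < 0x20 or b >= 0x7F or chr(b) in "*()\\"
                   else chr(b) for b in text.encode("utf-8"))


def tombstone_filter(name: str) -> str:
    """Filter matching the tombstone of `name` regardless of its objectGUID.
    The value carries a literal backslash, so an unquoted shell argument needs
    it doubled, as in the thread's cn=del-ohne-bin\\\\0ADEL:* search."""
    return "(cn=%s*)" % escape_filter_value(name + "\nDEL:")


def restore_dn(name: str, container: str) -> str:
    """Target DN for moving the object back into a live container (RFC 4514)."""
    val = "".join("\\%02X" % b if b < 0x20 or b >= 0x7F else
                  ("\\" + chr(b) if chr(b) in '"+,;<>\\' else chr(b))
                  for b in name.encode("utf-8"))
    if val[:1] in (" ", "#"):
        val = "\\" + val
    if val.endswith(" "):
        val = val[:-1] + "\\20"
    return "CN=%s,%s" % (val, container)
```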