Recover deleted objects

Rowland Penny rpenny at samba.org
Fri Aug 17 12:48:26 UTC 2018


On Fri, 17 Aug 2018 13:56:57 +0200
Stefan Kania via samba-technical <samba-technical at lists.samba.org>
wrote:

> 
> 
> > On 16.08.2018 at 23:52, William Brown via samba-technical wrote:
> > On Thu, 2018-08-16 at 21:20 +0200, Stefan Kania via samba-technical
> > wrote:
> >> Hello everyone,
> >> maybe my problem is more technical, or maybe it is a bug? I could not
> >> find anything.
> >> I am trying to recover a deleted object. My setup:
> >> Debian 9
> >> bind9
> >> samba 4.8.3 the packages from Louis van Belle
> >>
> >> I created a user:
> >> root at sambabuch:~# samba-tool user create del-ohne-bin
> >> then I deleted the user:
> >> root at sambabuch:~# samba-tool user delete del-ohne-bin
> >>
> >> Then I searched for the deleted object:
> >> ----------------
> >> root at sambabuch:~# ldbsearch -H ldap://sambabuch -k yes --show-deleted cn=del-ohne-bin\\0ADEL:*
> >> # record 1
> >> dn: CN=del-ohne-bin\0ADEL:b16268e9-cba7-4a00-8261-993845df2b30,CN=Deleted Objects,DC=example,DC=net
> >> objectClass: top
> >> objectClass: person
> >> objectClass: organizationalPerson
> >> objectClass: user
> >> .
> >> .
> >> .
> >> ----------------
> >>
> >> Then I try to rename the deleted object:
> >> ----------------
> >> root at sambabuch:~# ldbrename -H ldap://sambabuch -k yes --show-deleted 'CN=del-ohne-bin\0ADEL:b16268e9-cba7-4a00-8261-993845df2b30,CN=Deleted Objects,DC=example,DC=net' "cn=del-ohne-bin,cn=users,dc=example,dc=net"
> >> rename of 'CN=del-ohne-bin\0ADEL:b16268e9-cba7-4a00-8261-993845df2b30,CN=Deleted Objects,DC=example,DC=net' to 'cn=del-ohne-bin,cn=users,dc=example,dc=net' failed - LDAP error 32 LDAP_NO_SUCH_OBJECT -  <00002030: ldb_wait from ../source4/ldap_server/ldap_backend.c:486 with LDB_WAIT_ALL: No such object (32)> <>
> >>
> >> ----------------
> >> And as you can see LDAP error 32 :-(
> >>
> >> Now it is getting really strange. If I try to find the deleted object
> >> with its full DN, I get this result:
> >> -----------------
> >> root at sambabuch:~# ldbsearch -H ldap://sambabuch -k yes --show-deleted 'CN=del-ohne-bin\0ADEL:b16268e9-cba7-4a00-8261-993845df2b30,CN=Deleted Objects,DC=example,DC=net'
> >> # Referral
> >> ref: ldap://example.net/CN=Configuration,DC=example,DC=net
> >>
> >> # Referral
> >> ref: ldap://example.net/DC=DomainDnsZones,DC=example,DC=net
> >>
> >> # Referral
> >> ref: ldap://example.net/DC=ForestDnsZones,DC=example,DC=net
> >>
> >> # returned 3 records
> >> # 0 entries
> >> # 3 referrals
> >> -----------------
> >> So as soon as I use "CN=Deleted Objects" with ldbsearch or ldbrename,
> >> the object is not found anymore. I tried it with a backslash before
> >> the blank, but it's the same.
> >>
> >> So my question is: is it no longer possible to recover deleted
> >> objects? Or is there just a different way?
> > 
> > Hi there,
> > 
> > If I recall, Deleted Objects is used for the replication process to
> > make the deletion simpler across masters.
> > 
> > On a single master, this means that the deleted object itself may be
> > purged very quickly - and you certainly shouldn't try to tamper
> > with it and delete the deleted object as that may affect replication
> > consistency!
> > 
> The time a deleted object can still be recovered is a variable inside
> the configuration of the AD.
> 
> > As well, schema defines rules as to what attributes are kept on a
> > deleted object, so the object may not even be consistent with schema
> > anymore.
> After renaming (and moving the object to its original place) you have
> to edit the object before you can reuse it. I know that ;-)
> > 
> > A better idea would be to read the attributes back from the object
> > and create a new one based on its data.
> > 
> But if you do so, you can't get the same SID for the new object. It
> works up to Samba 4.3 (that was the last time I tried). Getting back
> the old SID is why it's so important to recycle a deleted object.
> 
> > Better again would be to enable the object recycle bin, however, I
> > am not sure if S4 supports the recycle bin, so this may be
> > something to check with the team proper. 
> 
> Yes, you can activate the recycle bin; then you get all the attributes
> from the deleted object. Without the recycle bin you will just get the
> most important attributes.
> 
> So I still don't know if Samba supports the recovery in the
> current version or not.
> 
> Stefan
> > 
> > Hope that helps,
> > 
> > 
> >>
> >>
> >> Stefan
> >>
> 
> 

The last time this was raised, I tried to undelete a user and ran into
a few problems. I couldn't rename the user until I deleted these
attributes:

isDeleted
lastKnownParent
isRecycled

I could then rename the object, but it still didn't show up in 'wbinfo
-u' and most of the attributes were missing. When I tried to add them,
this was refused, no matter in what order I tried them.

I gave up at this point.

Rowland
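As an added illustration of the undelete steps discussed in this thread (this is example code written for this page, not Samba's tooling and not Rowland's or Stefan's own commands), the script below takes a tombstone entry in the form `ldbsearch --show-deleted` prints it, splits the `\0ADEL:<GUID>` RDN back into the original name and the object GUID, rebuilds the original DN from `lastKnownParent`, and writes out the LDIF modify that would strip the three tombstone attributes Rowland says had to be removed before `ldbrename` accepted the rename. The sample entry is constructed from the DN in the thread; its `isDeleted` and `lastKnownParent` values are assumptions added for the example, and nothing here talks to a live directory or claims that this sequence yields a schema-consistent object afterwards.

```python
"""Inspect an AD tombstone entry (as printed by `ldbsearch --show-deleted`)
and derive what an undelete attempt needs: the original RDN, the original
parent container from lastKnownParent, and the LDIF modify that strips the
tombstone-only attributes Rowland reports had to go before a rename worked.
Added example, not Samba code; it never contacts a directory server."""

# Literal "\0ADEL:" as it appears in an ldbsearch-printed tombstone DN
# (the RDN carries a newline byte, which ldb prints as the escape \0A).
DEL_MARKER = "\\0ADEL:"

# Attributes Rowland reports having to delete before ldbrename succeeded.
TOMBSTONE_ATTRS = ("isDeleted", "lastKnownParent", "isRecycled")

# Constructed sample based on the entry shown in the thread. The isDeleted
# and lastKnownParent values are assumptions added for this example.
SAMPLE_TOMBSTONE = r"""
# record 1
dn: CN=del-ohne-bin\0ADEL:b16268e9-cba7-4a00-8261-993845df2b30,CN=Deleted
  Objects,DC=example,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
isDeleted: TRUE
lastKnownParent: CN=Users,DC=example,DC=net
"""


def parse_ldif_entry(text):
    """Minimal LDIF reader for a single entry: unfolds continuation lines
    (a leading space) and keeps every attribute as a list of values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]      # LDIF folding: drop the one leading space
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        name, _, value = line.partition(":")
        entry.setdefault(name.strip(), []).append(value.strip())
    return entry


def split_tombstone_dn(dn):
    """Return (rdn_attr, original_rdn_value, object_guid, container) for a
    tombstone DN; raise ValueError for a DN without the \\0ADEL: marker."""
    rdn, _, container = dn.partition(",")
    attr, _, value = rdn.partition("=")
    if DEL_MARKER not in value:
        raise ValueError("not a tombstone DN: %s" % dn)
    original, guid = value.split(DEL_MARKER, 1)
    return attr, original, guid, container


def undelete_plan(entry):
    """Derive the DN the object should get back and the LDIF modify that
    removes the tombstone attributes present on this entry."""
    dn = entry["dn"][0]
    attr, original, guid, _container = split_tombstone_dn(dn)
    parent = entry.get("lastKnownParent", [None])[0]
    if parent is None:
        raise ValueError("lastKnownParent missing; original location unknown")
    target_dn = "%s=%s,%s" % (attr, original, parent)
    to_remove = [a for a in TOMBSTONE_ATTRS if a in entry]
    ldif = ["dn: %s" % dn, "changetype: modify"]
    for name in to_remove:
        ldif += ["delete: %s" % name, "-"]      # delete the whole attribute
    return {
        "guid": guid,
        "target_dn": target_dn,
        "remove": to_remove,
        "ldif": "\n".join(ldif) + "\n",
    }


if __name__ == "__main__":
    plan = undelete_plan(parse_ldif_entry(SAMPLE_TOMBSTONE))
    print("objectGUID:", plan["guid"])
    print("rename target:", plan["target_dn"])
    print(plan["ldif"])
```

The emitted LDIF is what one would feed to `ldbmodify` before attempting the `ldbrename` to the rebuilt target DN; the script only prepares it so the attributes being touched are visible and reviewable first, which matters because, as William notes, the tombstone is also replication state.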


