[Patches] for dbcheck (Re: [Patches] AD Database corruption after upgrade from <= 4.6 to 4.7 (bug #13228))

Stefan Metzmacher metze at samba.org
Tue Jan 30 23:43:29 UTC 2018


Hi Andrew,

>> as a lot of SerNet customers are having trouble with corrupted
>> linked attributes, my colleague Ralph Böhme and I developed
>> patches for 'samba-tool dbcheck' to recover the missing
>> forward links (in most cases missing member attributes).
>>
>> I'm currently running a private autobuild with these patches
>> and my colleague Björn Baumbach is currently testing SAMBA+
>> packages with the patches included, which will be released
>> as soon as possible.
>>
>> As the patches re-add members to groups administrators may want
>> avoid using '--yes' and ack the re-added members explicitly.
>>
>> The patches have enough review tags already, additional
>> review isn't required, we'll wait a bit to collect some feedback
>> from others, before pushing.
> 
> Wow, that is an amazing patch set!  I do want to say a really big
> thank-you for doing this work.

Thanks!

> How do you exclude the case where the forward link is there, but is
> deleted/deactivated (rmd_flags=1)?  In that case we don't want to
> restore the forward link even if the backlink is still there.
> 
> Given the tests we had I'm assuming it is handled implicitly somehow,
> but wanted to ask the question given the sensitivity of this
> processing. 

check_object() use "extended_dn:1:1" and "reveal_internals:0"
which means check_duplicate_links() has all stored links
to check including deactivated ones.

We only re-add a forward link if we don't find any link
with given guid, unique_dict contains all valid existing forward
links and find_missing_forward_links_from_backlinks() gets
that as forward_unique_dict. Note this:
if forward_syntax != ldb.SYNTAX_DN:
    return ...
and
if guidstr in forward_unique_dict:
    continue

Which means we're able to identify missing forward links for
attributes with a plain dn (without binary or string).

> Also, should we restrict the test to run when the DB doesn't have
> sortedLinks set (ie upgraded) so we avoid the expensive search and
> possible re-introduction of links that are both deactivated and
> expunged?

As the duplicates could also happen as consequence of
https://bugzilla.samba.org/show_bug.cgi?id=13095
I think we need to keep them.
Maybe we can skip find_missing_forward_links_from_backlink,
but it can be a patch on top I guess.

Thanks for the feedback!
metze

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20180131/0ed6bf23/signature.sig>


More information about the samba-technical mailing list