[PATCH] A script to assist in restoring deleted objects

Andrew Bartlett abartlet at samba.org
Fri Jul 13 22:51:54 UTC 2018

On Fri, 2018-07-13 at 17:50 -0400, Kyle Marek wrote:
> On 05/21/2017 06:35 PM, Andrew Bartlett wrote:
> > I recently worked with a client that needed to restore some objects
> > accidentally deleted in their AD.  They had nightly backups to obtain
> > the old data from, but needed to get the data correctly back into the
> > replication state.
> > 
> > This script may assist others in a similar situation. 
> > 
> > This is a developer script, so there are no tests at this time.
> > 
> > In the future, I think an evolution of this would make a great addition
> > to samba-tool.
> > 
> > Please comment/review/push!
> > 
> > Thanks,
> > 
> > Andrew Bartlett
> (old thread; link: https://lists.samba.org/archive/samba-technical/2017-May/120713.html)
> Hello Andrew,
> I am testing your script for use in a similar situation. My test case is deleting a user named "DontDeleteMe". However, I am having some issues with a fresh domain using Samba 4.8.2 (built from refs/tags/samba-4.8.2):
> Minor formatting issues in the LDIF (See attachment; lines 1-2 should be comment?; lines 4-7 should not be indented)
> After making the above corrections, I cannot seem to actually apply the LDIF (see errors below)
> [kmarek at pdinc-samba-recovery-test2 samba]$ env LDAPTLS_REQCERT=never ldapmodify -H ldaps://localhost -f diff.ldif -Dcn=Administrator,cn=Users,DC=test,DC=internal,DC=gigabyteproductions,DC=net -W
> Enter LDAP Password: 
> modifying rdn of entry "<GUID=a6d1c805-d673-4768-a31d-6aa578125c44>"
> ldap_rename: Server is unwilling to perform (53)
> 	additional info: 00002035: Unwilling to perform. Old RDN must be deleted
> [kmarek at pdinc-samba-recovery-test2 samba]$ sudo env PATH=/usr/local/samba/sbin/:/usr/local/samba/bin/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin PYTHONPATH=/usr/local/samba/lib64/python2.7/site-packages/ ldbmodify -H /usr/local/samba/private/sam.ldb < diff.ldif
> ERR: (Constraint violation) "modrdn: deleteoldrdn=0 not supported." on DN  at block before line 8
> Modify failed after processing 0 records
> Should these LDIFs still be applicable to newer Samba? If so, how can I apply this one and make my LDAPs match?

This is likely the untested half of the script.  By the time the
customer got to me their objects had expired, and the reason we don't
have it in master is that I never got around to adding the tests.

It could be as simple as changing "deleteoldrdn: 0" to "deleteoldrdn: 1".

If you could add some tests around the patch I would love to see this.


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
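The rewrite Andrew suggests, applied mechanically to a change LDIF, as an added example that is not part of the thread or of Andrew's script: every modrdn/moddn record gets "deleteoldrdn: 1" (Samba's ldb rejects "deleteoldrdn: 0" with "Old RDN must be deleted"), and a record missing the flag has it inserted after newrdn. The sample LDIF, GUID and DNs are constructed placeholders, and the records are assumed to be already unindented (the separate formatting problem Kyle noted).

```python
import re

# Constructed sample: one modrdn record of the kind ldbmodify rejected plus an
# unrelated modify record. The GUID and DN are placeholders, not real values.
SAMPLE_LDIF = """\
# restore DontDeleteMe from the Deleted Objects container
dn: <GUID=00000000-0000-0000-0000-000000000000>
changetype: modrdn
newrdn: CN=DontDeleteMe
deleteoldrdn: 0
newsuperior: CN=Users,DC=example,DC=test

dn: CN=DontDeleteMe,CN=Users,DC=example,DC=test
changetype: modify
replace: isDeleted
isDeleted: FALSE
-
"""


def fix_modrdn_records(ldif_text):
    """Force 'deleteoldrdn: 1' on every modrdn/moddn change record.

    Records are the blank-line-separated blocks of an LDIF change file.
    Comment lines and other change types pass through untouched. A modrdn
    record with no deleteoldrdn line gets one inserted after newrdn, since
    RFC 2849 requires the flag. Returns (new_text, records_changed).
    """
    changed = 0
    out_records = []
    for record in re.split(r"\n[ \t]*\n", ldif_text.strip("\n")):
        lines = record.split("\n")
        if not any(re.fullmatch(r"changetype:\s*(modrdn|moddn)", l) for l in lines):
            out_records.append(record)
            continue
        flag_present = any(l.startswith("deleteoldrdn:") for l in lines)
        new_lines = []
        for line in lines:
            if line.startswith("deleteoldrdn:"):
                line = "deleteoldrdn: 1"
            new_lines.append(line)
            if line.startswith("newrdn:") and not flag_present:
                new_lines.append("deleteoldrdn: 1")
        fixed = "\n".join(new_lines)
        if fixed != record:
            changed += 1
        out_records.append(fixed)
    return "\n\n".join(out_records) + "\n", changed
```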
