[PATCH] A script to assist in restoring deleted objects

Jason Pyeron jpyeron at pdinc.us
Fri Jul 13 23:51:36 UTC 2018


> -----Original Message-----
> From: Andrew Bartlett
> Sent: Friday, July 13, 2018 18:52
> Subject: Re: [PATCH] A script to assist in restoring deleted objects
> 
> On Fri, 2018-07-13 at 17:50 -0400, Kyle Marek wrote:
> > On 05/21/2017 06:35 PM, Andrew Bartlett wrote:
> > > I recently worked with a client that needed to restore some objects
> > > accidentally deleted in their AD.  They had nightly backups to obtain
<snip/>
> > > 
> > > Please comment/review/push!
> > > 
> > > Thanks,
> > > 
> > > Andrew Bartlett
> >  
> > (old thread; link: https://lists.samba.org/archive/samba-technical/2017-May/120713.html)
> > 
> > Hello Andrew,
> > 
> > I am testing your script for use in a similar situation. My test case is deleting a user named "DontDeleteMe". However, I am having some issues with a fresh domain using Samba 4.8.2 (built from refs/tags/samba-4.8.2):
> > Minor formatting issues in the LDIF (See attachment; lines 1-2 should be comment?; lines 4-7 should not be indented)
> > After making the above corrections, I cannot seem to actually apply the LDIF (see errors below)
> > [kmarek at pdinc-samba-recovery-test2 samba]$ env LDAPTLS_REQCERT=never ldapmodify -H ldaps://localhost -f diff.ldif -Dcn=Administrator,cn=Users,DC=test,DC=internal,DC=gigabyteproductions,DC=net -W
> > Enter LDAP Password: 
> > modifying rdn of entry "<GUID=a6d1c805-d673-4768-a31d-6aa578125c44>"
> > ldap_rename: Server is unwilling to perform (53)
> > 	additional info: 00002035: Unwilling to perform. Old RDN must be deleted
> > 
> > [kmarek at pdinc-samba-recovery-test2 samba]$ sudo env PATH=/usr/local/samba/sbin/:/usr/local/samba/bin/:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin PYTHONPATH=/usr/local/samba/lib64/python2.7/site-packages/ ldbmodify -H /usr/local/samba/private/sam.ldb < diff.ldif
> > ERR: (Constraint violation) "modrdn: deleteoldrdn=0 not supported." on DN  at block before line 8
> > Modify failed after processing 0 records
> > 
> > Should these LDIFs still be applicable to newer Samba? If so, how can I apply this one and make my LDAPs match?
> 
> This is likely the untested half of the script.  By the time the
> customer got to me their objects had expired, and the reason we don't
> have it in master is that I never got around to adding the tests.
> 
> It could be as simple as changing 
> 
> "deleteoldrdn: 0" 
> 
> to 
> 
> "deleteoldrdn: 1"

I tried to do the same before Kyle on a unilateral script (no backup), but I was sure I was making some other mistake.

The output I get with deleteoldrdn: 1 is:

# ldbmodify -H /usr/local/samba/private/sam.ldb < test.ldif
ERR: (No such object) "Base-DN '<GUID=xxxxxxxxxxxxxxxxxxxxxxxx>' not found" on DN  at block before line 6
Modify failed after processing 0 records
# ldapmodify -H ldaps://127.0.0.1 -W -D cn=Administrator,cn=Users,dc=xxxxxxxxxxxxxxxxxxxxxxxx < test.ldif
Enter LDAP Password:
modifying rdn of entry "<GUID=xxxxxxxxxxxxxxxxxxxxxxxx>"
ldap_rename: No such object (32)
        additional info: Base-DN '<GUID=xxxxxxxxxxxxxxxxxxxxxxxx>' not found



> 
> If you could add some tests around the patch I would love to see this
> merged. 
> 

If we get there...

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- 
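
An added example, not part of the original message or of Andrew's script: a small pre-flight check for the three problems the thread reports in the generated LDIF (free text without `#`, indented attribute lines, and `deleteoldrdn: 0` on a rename). The sample LDIF and its all-zero GUID are constructed; the check does not address the "No such object" result above.

```python
import re

# Heuristic: an LDIF attribute line starts with an attribute name and a colon.
ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9;.-]*:")

# Constructed sample laid out like the attachment described in the thread:
# lines 1-2 are free text, lines 4-7 are indented, and the rename keeps the old RDN.
SAMPLE = """\
Restore deleted object DontDeleteMe
generated by a hypothetical restore run

  dn: <GUID=00000000-0000-0000-0000-000000000000>
  changetype: modrdn
  newrdn: CN=DontDeleteMe
  deleteoldrdn: 0
"""


def lint_ldif(text):
    """Return (line_number, message) findings for an LDIF change file."""
    findings = []
    changetype = None
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            changetype = None  # a blank line ends the current record
            continue
        if line.startswith("#"):
            continue  # proper LDIF comment
        stripped = line.lstrip(" \t")
        if stripped != line:
            # RFC 2849 folds a line with a leading space into the previous one.
            if not ATTR_LINE.match(stripped):
                continue  # looks like a genuine folded value
            findings.append((no, "indented attribute line is read as a continuation"))
        elif not ATTR_LINE.match(line):
            findings.append((no, "not 'attr: value'; free text needs a leading '#'"))
            continue
        attr, _, value = stripped.partition(":")
        attr, value = attr.lower(), value.strip()
        if attr == "changetype":
            changetype = value.lower()
        elif attr == "deleteoldrdn" and value == "0" and changetype in ("modrdn", "moddn"):
            findings.append((no, "deleteoldrdn: 0 on a rename, refused by both tools in this thread"))
    return findings


if __name__ == "__main__":
    for no, message in lint_ldif(SAMPLE):
        print(f"line {no}: {message}")
```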



