[Samba] Samba Join as DC failed

Andrew Bartlett abartlet at samba.org
Thu Oct 17 20:57:14 MDT 2013 

On Thu, 2013-10-17 at 12:50 +0000, Donaldson Jeff wrote:
> Attempted to join domain via
> 
> ./bin/samba-tool domain join ncs.k12.de.us<http://ncs.k12.de.us> DC -Uadministrator --realm=ncs.k12.de.us<http://ncs.k12.de.us>
> 
> But this failed with
> 
> Committing SAM database
> Failed to apply linked attribute change 'attribute 'isRecycled': invalid modify flags on 'CN=test_user,CN=Deleted Objects,DC=ncs,DC=k12,DC=de,DC=us': 0x0'
> dn: <GUID=4d560497-5f00-4d97-96a0-47ae1799ba92>;<SID=S-1-5-21-276688905-1455118844-2751846679-67110292>;CN=test_user,CN=Deleted Objects,DC=ncs,DC=k12,DC=de,DC=us
> 
> Join failed - cleaning up
> checking sAMAccountName
> ERROR(ldb): uncaught exception - attribute 'isRecycled': invalid modify flags on 'CN=test_user,CN=Deleted Objects,DC=ncs,DC=k12,DC=de,DC=us': 0x0
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/domain.py", line 552, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1169, in join_DC
>     ctx.do_join()
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 1074, in do_join
>     ctx.join_replicate()
>   File "/usr/local/samba/lib/python2.7/site-packages/samba/join.py", line 848, in join_replicate
>     ctx.local_samdb.transaction_commit()
> 
> As suggestion found here https://irclog.samba.org/2013/09/20130908-Sun.log:  is to use
> 
> ldbedit -H /usr/local/samba/private/sam.ldb --show-deleted
> '(isDeleted=*)'

This is not good advise for the general case.  Deleting the objects
manually breaks replication (because the purpose of the deleted object
is to replicate the fact that it is deleted!), and should be a last
resort.  

> to manually delete all the accounts with this attribute. When doing
> this I should stop samba on all DCs and then edit the local sam.ldb on
> each. Then restart samba on the DC and re-try joining the domain after
> deleting all files /usr/local/samba/private on the DC I am attempting
> to join to the domain as a DC?
> 
> Also saw on Samba list Nikos Mita had similar issue. It was suggested
> to try using samba-tool dbcheck -fix. Should I try this first? I'm
> just concerned whether this would complete or not. I have 94,443
> records and this server only has 8GB of memory.
> 
> I want to make certain I get the sequence correct.
> 
> Also, before doing any of the above, I will make a copy of the private
> directories on the DC just in case ...
> 
> Any help is appreciated. Thanks!

G'Day,

It seems to be the week for very, very large Samba installations!

I've looked at the code, and I know the line that fails, but don't I
know why this happens.  Can you show me the failing object with
ldbsearch?

ldbsearch --show-deleted -H /usr/local/samba/private/sam.ldb -s base -b
'CN=test_user,CN=Deleted Objects,DC=ncs,DC=k12,DC=de,DC=us'

The thing is, an object that has isRecycled set on it should not be able
to get to the line of code that fails, so I'm quite puzzled.  I can fix
the 'error' simply (just need to create a new blank modification, rather
than re-using a search result), but I first want to know why it is
wrong.  

Can you also let me know the full history of this domain?  A user that
is deleted should have a name with "DEL" and a GUID in it.

The second part, once I have that is working out why our tests didn't
cover this code path, and working out how to make them do that. 

But while you won't need to run dbcheck now, you will at some point in
the future.  What we clearly do need is for a few of our very large
installations to club together and work on/isolate the remaining issues
at the scale you have.  

Thank you so much for taking Samba to the extreme, and I will do what I
can to best assist you.  

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Catalyst IT                   http://catalyst.net.nz

More information about the samba mailing list