[Samba] Samba Join as DC failed

dahopkins at comcast.net dahopkins at comcast.net
Mon Oct 21 17:31:43 MDT 2013



----- Original Message -----
On Mon, 2013-10-21 at 10:43 +0000, dahopkins at comcast.net wrote:
> > Perhaps another hint...ran the following against the offending user
> > account. Noticed that it shows up on a list of users with the
> > --show-deleted flag. Also dbcheck without --fix flags this account on
> > the PDC, but on the other DC it does not show up. We also saw that
> > samba-tool drs showrepl indicates that the servers are properly
> > replicating. The fact that dbcheck shows two different outputs is
> > confusing as replication is working properly.  
> > 
> > ncssamba1:~# ldbsearch -H /usr/local/samba/private/sam.ldb -s base -b 'CN=test_user,CN=Users,DC=ncs,DC=k12,DC=de,DC=us'
> > # returned 0 records
> > # 0 entries
> > # 0 referrals
> > ncssamba1:~# ldbsearch --show-deleted -H /usr/local/samba/private/sam.ldb -s base -b 'CN=test_user,CN=Users,DC=ncs,DC=k12,DC=de,DC=us'
> > # record 1
> > dn: CN=test_user,CN=Users,DC=ncs,DC=k12,DC=de,DC=us
> > cn: test_user
> > instanceType: 4
> > whenCreated: 20130726175012.0Z
> > uSNCreated: 13699
> > objectGUID: 4d560497-5f00-4d97-96a0-47ae1799ba92
> > badPwdCount: 0
> > badPasswordTime: 0
> > lastLogoff: 0
> > lastLogon: 0
> > objectSid: S-1-5-21-276688905-1455118844-2751846679-67110292
> > logonCount: 0
> > sAMAccountName: test_user
> > objectClass: top
> > objectClass: posixAccount
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > manager: CN=jdonaldson,CN=Users,DC=ncs,DC=k12,DC=de,DC=us
> > memberOf: CN=Teachers,CN=Users,DC=ncs,DC=k12,DC=de,DC=us
> > userAccountControl: 66048
> > userParameters:: IA==
> > whenChanged: 20131011151907.0Z
> > isDeleted: TRUE
> > uSNChanged: 142163
> > name:: dGVzdF91c2VyCkRFTDo0ZDU2MDQ5Ny01ZjAwLTRkOTctOTZhMC00N2FlMTc5OWJhOTI=
> > lastKnownParent: CN=Users,DC=ncs,DC=k12,DC=de,DC=us
> > isRecycled: TRUE
> > distinguishedName: CN=test_user,CN=Users,DC=ncs,DC=k12,DC=de,DC=us
> 
> >This is very, very odd.  Clearly the user has been subject to faulty
> >conflict resolution prior to our fix to ensure deleted objects stay
> >deleted.  I guess we will need to add logic to fix this into dbcheck. 
> 
> Should we run samba-tool dbcheck --fix at this point on both servers to try and correct this?

>I'm not aware of any code in dbcheck that will fix this, so perhaps let
>me know what dbcheck is proposing to do, or what it does on a backup (it
>has a --verbose mode) when we --fix it. 

I ran dbcheck on both servers; they reported different issues. On one server, I also ran the --fix since all the issues were/are related to a server that we had tried to demote from its role as an AD DC. On the server that has the above issue, I checked with the verbose option and the information was the same (for the errors) as shown below (ncsamba1 output).

Another issue (mentioned initially) is that we built a 4.1 server that we tried to join as another AD DC but although it claimed that the join failed, that system is still listed in ADUC as a member server, and replication (samba-tool drs showrepl) shows that both current AD DCs show that server as an inbound replication partner. In fact, the verbose output includes the line
 
Checking object CN=NCSAUTH2,OU=Domain Controllers,DC=ncs,DC=k12,DC=de,DC=us

So .. if the join says it failed, but samba/private seems to be populated on this new system and there is output from the dbcheck .. how do we either complete the join or clean up the system (e.g. just delete the samba/private data on ncsauth2) so that we can correctly join the domain once we have the test_user issue and the DNS issues resolved?

The following is the output requested.

--------------------------------------------
run on ncssamba3

/usr/local/samba/var# samba-tool dbcheck --fix
Checking 2163 objects
ERROR: target DN is deleted for masteredBy in object DC=ncs,DC=k12,DC=de,DC=us - <GUID=4ce872f9-90c4-4255-9d85-18903249f8a2>;CN=NTDS Settings,CN=NCSSAMBA2\0ADEL:831b85aa-87cf-40fc-9410-3574bc7456a4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ncs,DC=k12,DC=de,DC=us
Target GUID points at deleted DN CN=NTDS Settings,CN=NCSSAMBA2\0ADEL:831b85aa-87cf-40fc-9410-3574bc7456a4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ncs,DC=k12,DC=de,DC=us
Remove DN link? [y/N/all/none] y
Removed deleted DN on attribute masteredBy
ERROR: target DN is deleted for msDS-IsDomainFor in object DC=ncs,DC=k12,DC=de,DC=us - <GUID=4ce872f9-90c4-4255-9d85-18903249f8a2>;CN=NTDS Settings,CN=NCSSAMBA2\0ADEL:831b85aa-87cf-40fc-9410-3574bc7456a4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ncs,DC=k12,DC=de,DC=us
Target GUID points at deleted DN CN=NTDS Settings,CN=NCSSAMBA2\0ADEL:831b85aa-87cf-40fc-9410-3574bc7456a4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ncs,DC=k12,DC=de,DC=us
Remove DN link? [y/N/all/none] y
Removed deleted DN on attribute msDS-IsDomainFor
ERROR: target DN is deleted for msDs-masteredBy in object DC=ncs,DC=k12,DC=de,DC=us - <GUID=4ce872f9-90c4-4255-9d85-18903249f8a2>;CN=NTDS Settings,CN=NCSSAMBA2\0ADEL:831b85aa-87cf-40fc-9410-3574bc7456a4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ncs,DC=k12,DC=de,DC=us
Target GUID points at deleted DN CN=NTDS Settings,CN=NCSSAMBA2\0ADEL:831b85aa-87cf-40fc-9410-3574bc7456a4,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ncs,DC=k12,DC=de,DC=us
Remove DN link? [y/N/all/none] y
Removed deleted DN on attribute msDs-masteredBy
Checked 2163 objects (3 errors)
---------------------------------------------------------
run on ncssamba1
ncssamba1:~# samba-tool dbcheck
Checking 2163 objects
ERROR: incorrect RMD_FLAGS value 0 for attribute 'manager' in CN=test_user,CN=Users,DC=ncs,DC=k12,DC=de,DC=us for link <GUID=0ac90a0d-9275-4032-962d-447b2f564bd1>;<RMD_ADDTIME=130193455900000000>;<RMD_CHANGETIME=130193455900000000>;<RMD_FLAGS=0>;<RMD_INVOCID=83af4e4e-38f9-4ddf-b3e4-4c694e7b26dc>;<RMD_LOCAL_USN=13723>;<RMD_ORIGINATING_USN=13723>;<RMD_VERSION=0>;<SID=S-1-5-21-276688905-1455118844-2751846679-6922>;CN=jdonaldson,CN=Users,DC=ncs,DC=k12,DC=de,DC=us
Not fixing incorrect RMD_FLAGS 0
ERROR: target DN is deleted for member in object CN=Teachers,CN=Users,DC=ncs,DC=k12,DC=de,DC=us - <GUID=4d560497-5f00-4d97-96a0-47ae1799ba92>;<SID=S-1-5-21-276688905-1455118844-2751846679-67110292>;CN=test_user,CN=Users,DC=ncs,DC=k12,DC=de,DC=us
Target GUID points at deleted DN CN=test_user,CN=Users,DC=ncs,DC=k12,DC=de,DC=us
Not removing
ERROR: target DN is deleted for directReports in object CN=jdonaldson,CN=Users,DC=ncs,DC=k12,DC=de,DC=us - <GUID=4d560497-5f00-4d97-96a0-47ae1799ba92>;<SID=S-1-5-21-276688905-1455118844-2751846679-67110292>;CN=test_user,CN=Users,DC=ncs,DC=k12,DC=de,DC=us
Target GUID points at deleted DN CN=test_user,CN=Users,DC=ncs,DC=k12,DC=de,DC=us
Not removing
Please use --fix to fix these errors
Checked 2163 objects (2 errors)
----------------------------------------------------------

Sincerely,
Dave Hopkins
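
Added example, not part of the original message and not Samba code: a short Python check that decodes the base64 name:: value from the ldbsearch --show-deleted record quoted above and reports what is inconsistent about the object, namely that name carries the DEL:<objectGUID> suffix while the DN does not, and that link values are still present on an object marked isDeleted. The LINK_ATTRS list and the function names are assumptions made for this example.

```python
import base64

# Subset of the `ldbsearch --show-deleted` record quoted in the message above.
RECORD = """\
dn: CN=test_user,CN=Users,DC=ncs,DC=k12,DC=de,DC=us
objectGUID: 4d560497-5f00-4d97-96a0-47ae1799ba92
manager: CN=jdonaldson,CN=Users,DC=ncs,DC=k12,DC=de,DC=us
memberOf: CN=Teachers,CN=Users,DC=ncs,DC=k12,DC=de,DC=us
isDeleted: TRUE
name:: dGVzdF91c2VyCkRFTDo0ZDU2MDQ5Ny01ZjAwLTRkOTctOTZhMC00N2FlMTc5OWJhOTI=
isRecycled: TRUE
"""

# Link attributes to report on a deleted object (assumed list, not exhaustive).
LINK_ATTRS = ("manager", "member", "memberOf", "directReports")


def parse_ldif_record(text):
    """Parse one unfolded LDIF record into {attr: [values]}; 'attr:: v' is base64."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, rest = line.partition(":")
        if rest.startswith(":"):  # double colon marks a base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attrs.setdefault(key, []).append(value)
    return attrs


def tombstone_findings(attrs):
    """Return inconsistencies on an object that is marked isDeleted: TRUE."""
    if attrs.get("isDeleted") != ["TRUE"]:
        return []
    findings = []
    dn, guid = attrs["dn"][0], attrs.get("objectGUID", [""])[0]
    rdn, sep, del_guid = attrs.get("name", [""])[0].partition("\nDEL:")
    # A deleted RDN carries "\nDEL:<objectGUID>"; here only 'name' does, not the DN.
    if sep and del_guid == guid and "DEL:" not in dn:
        findings.append("name=%r is DEL-mangled but DN is not: %s" % (rdn, dn))
    for attr in LINK_ATTRS:
        for value in attrs.get(attr, []):
            findings.append("link value still present: %s -> %s" % (attr, value))
    return findings


if __name__ == "__main__":
    for finding in tombstone_findings(parse_ldif_record(RECORD)):
        print(finding)
```

The two link findings correspond to the "target DN is deleted for member" and "directReports" errors in the ncssamba1 dbcheck output, which are the other ends of the same links.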

