[Samba] how to remove an (offline) DC from Samba 4 ?

Bram Matthys syzop at vulnscan.org
Wed Feb 19 02:23:46 MST 2014

Hi Andrew,

Andrew Bartlett wrote, on 19-2-2014 1:47:
> On Mon, 2014-02-17 at 21:29 +0100, Bram Matthys wrote:
>> Hi Denis,
>> Denis Cardon wrote, on 17-2-2014 19:14:
>>>> What would be the recommended way to remove an old offline DC from Samba4?
>>>> --snip--
>>>> Given that both samba-tool and the using the ADUC tools are a dead end, what
>>>> should I do?
>>>> Should I start messing with ldbedit/ldbdel? I'm worried to mess up things,
>>>> especially dead references to the old DC. Or is this the way to go.
>> I ended up running ldbedit on:
>> /usr/local/samba/private/sam.ldb.d/DC=COMPANY,DC=NET.ldb
>> /usr/local/samba/private/sam.ldb.d/CN=CONFIGURATION,DC=COMPANY,DC=NET.ldb
>> etc..
> We realise this is a difficult problem for you and other users, but
> NEVER, EVER do that.
> Editing the raw database will cause corruption (because the indices are
> not correctly loaded), particularly when combined with DRS replication
> (because objects deleted that way will never become deleted objects). 

I'm on a single server setup (no replication) at the moment, so I thought I
could just as well use ldbedit. I didn't know indices were not updated
though, thanks for letting me know!
I shut down samba and ran "samba-tool dbcheck --reindex" and it said
"completed re-index OK".
I searched on the mailing list how to check manually to see any indices, and
both before and after (re)indexing I checked the *.ldb files with "ldbedit
-H sam.ldb -o modules:" to search for @INDEXLIST or @IDX, but couldn't find any.
Actually "ldbsearch -H sam.ldb -o modules:" shows 0 records
Checked on the backup sam.ldb before I removed the DC, and it's the same.
Strange? Or did the way to see the index change?
"samba-tool dbcheck --cross-ncs --fix" did find and fix 6 errors though.

Should be OK & safe now?

I'll use LDAP for any modifications from now on ;)

Thanks again for the warning,


Bram Matthys
Software developer/IT consultant        syzop at vulnscan.org
Website:                                  www.vulnscan.org
PGP key:                       www.vulnscan.org/pubkey.asc
PGP fp: EBCA 8977 FCA6 0AB0 6EDB  04A7 6E67 6D45 7FE1 99A6

More information about the samba mailing list