[Samba] one day AD use -> samba-tool dbcheck reports "Normalisation error for attribute 'objectClass'"
Andrew Bartlett
abartlet at samba.org
Fri May 30 04:37:15 MDT 2014
On Fri, 2014-05-30 at 10:50 +0100, Rowland Penny wrote:
> On 30/05/14 05:58, Andrew Bartlett wrote:
> > On Sat, 2014-03-29 at 17:09 +0100, mourik jan heupink - merit wrote:
> >> Hi all,
> >>
> >> Our migration is coming along nicely, everything seems to work like it
> >> should... I thought... Only samba-tool dbcheck reports five errors:
> >>
> >> root at dc1:~# samba-tool dbcheck
> >> Checking 1143 objects
> >> ERROR: Normalisation error for attribute 'objectClass' in
> >> 'CN=phdseminar,CN=Users,DC=my,DC=samba,DC=domain'
> >> Values/Order of values do/does not match: ['top', 'securityPrincipal',
> >> 'posixAccount', 'person', 'organizationalPerson', 'user']/['top',
> >> 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson',
> >> 'user']!
> >> Not fixing attribute 'objectClass'
> >> ERROR: Normalisation error for attribute 'objectClass' in
> >> 'CN=postmaster,CN=Users,DC=my,DC=samba,DC=domain'
> >> Values/Order of values do/does not match: ['top', 'securityPrincipal',
> >> 'posixAccount', 'person', 'organizationalPerson', 'user']/['top',
> >> 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson',
> >> 'user']!
> >> Not fixing attribute 'objectClass'
> >> ERROR: Normalisation error for attribute 'objectClass' in
> >> 'CN=opac,CN=Users,DC=my,DC=samba,DC=domain'
> >> Values/Order of values do/does not match: ['top', 'securityPrincipal',
> >> 'posixAccount', 'person', 'organizationalPerson', 'user']/['top',
> >> 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson',
> >> 'user']!
> >> Not fixing attribute 'objectClass'
> >> ERROR: Normalisation error for attribute 'objectClass' in
> >> 'CN=seminar,CN=Users,DC=my,DC=samba,DC=domain'
> >> Values/Order of values do/does not match: ['top', 'securityPrincipal',
> >> 'posixAccount', 'person', 'organizationalPerson', 'user']/['top',
> >> 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson',
> >> 'user']!
> >> Not fixing attribute 'objectClass'
> >> ERROR: Normalisation error for attribute 'objectClass' in
> >> 'CN=heupink,CN=Users,DC=my,DC=samba,DC=domain'
> >> Values/Order of values do/does not match: ['top', 'securityPrincipal',
> >> 'posixAccount', 'person', 'organizationalPerson', 'user']/['top',
> >> 'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson',
> >> 'user']!
> >> Not fixing attribute 'objectClass'
> >> Please use --fix to fix these errors
> >> Checked 1143 objects (5 errors)
> >> root at dc1:~#
> >>
> >> Are these errors something to worry about? This morning, right after the
> >> classicupgrade, I also ran the dbcheck, and it reported 1 error, and
> >> adding --fix did NOT cure anything.
> >>
> >> So, is my AD database corrupt, after its first day of being alive??
> >>
> >> Errors are on both DCs, both are running btrfs, virtual machines, on
> >> hardware raid, no errors in syslog etc.
> >
> > So, I've looked into this a little, and offline you mentioned you use
> > LAM, which is adding securityPrincipal. securityPrincipal is not
> > required for samAccountName, but of course LAM is perfectly valid to
> > specify it. The issue is that posixAccount and securityPrincipal appear
> > to be equal in weight, and so sort order is not deterministic.
> >
> > This appears to match MS-ADTS 3.1.1.2.4.6
> > Auxiliary Class
> > 1. Class top remains as the first value;
> > 2. Then it is followed by the set of dynamic auxiliary classes and the
> >    classes in their superclass chains, excluding those already present
> >    in the superclass chain of the most specific structural class. There
> >    is no specific order among the classes in this set, and no class is
> >    listed more than once.
> >
> > So, what this leaves is that we need to make this deterministic, so our
> > tests and dbcheck do not fail spuriously.
> >
> > I'll look into that.
> >
> > Andrew Bartlett
> Hi Andrew, do you think that this could be fixed by not adding the
> posixAccount objectClass when doing the classicupgrade? After all the
> objectClass in question is not actually needed and wouldn't be added by
> Windows.
It was added by LAM.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
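
Added example, not part of the original messages and not Samba's code: a triage helper that reads dbcheck "Normalisation error" output in the format quoted above and separates reports where the two lists differ only in the order of auxiliary classes (the case the quoted MS-ADTS rule leaves unordered) from reports where the class values really differ. The sample DNs, the `USER_CHAIN` constant and all function names are assumptions made for illustration.

```python
import ast
import re

# Constructed sample in the format of the dbcheck output quoted in the thread.
SAMPLE = """\
ERROR: Normalisation error for attribute 'objectClass' in
'CN=alice,CN=Users,DC=example,DC=com'
Values/Order of values do/does not match: ['top', 'securityPrincipal',
'posixAccount', 'person', 'organizationalPerson', 'user']/['top',
'posixAccount', 'securityPrincipal', 'person', 'organizationalPerson',
'user']!
Not fixing attribute 'objectClass'
ERROR: Normalisation error for attribute 'objectClass' in
'CN=bob,CN=Users,DC=example,DC=com'
Values/Order of values do/does not match: ['top', 'posixAccount', 'person',
'organizationalPerson', 'user']/['top', 'person', 'organizationalPerson',
'user']!
"""

# Assumption: superclass chain of the structural class 'user', without 'top'.
USER_CHAIN = ["person", "organizationalPerson", "user"]

ERR = re.compile(
    r"Normalisation error for attribute 'objectClass' in\s+'([^']+)'\s+"
    r"Values/Order of values do/does not match:\s*(\[.*?\])/(\[.*?\])!",
    re.S)

def split_classes(values, chain=USER_CHAIN):
    """Return (layout_ok, auxiliary set, structural tail) for one value list."""
    n = len(values) - sum(v in chain for v in values)
    head, tail = values[:n], values[n:]
    layout_ok = head[:1] == ["top"] and all(v in chain for v in tail)
    return layout_ok, frozenset(head[1:]), tail

def classify(left, right, chain=USER_CHAIN):
    """Name the kind of mismatch between the two lists dbcheck printed."""
    if left == right:
        return "identical"
    a, b = split_classes(left, chain), split_classes(right, chain)
    no_dupes = len(left) == len(set(left)) and len(right) == len(set(right))
    if a[0] and b[0] and no_dupes and a[1:] == b[1:]:
        return "aux-order-only"   # same classes, only auxiliary order differs
    return "values-differ"        # something other than ordering changed

def triage(text):
    """Map each reported DN to its mismatch classification."""
    return {dn: classify(ast.literal_eval(l), ast.literal_eval(r))
            for dn, l, r in ERR.findall(text)}
```

Strip the leading "> " quote markers before feeding mail-quoted output to `triage`; entries classified `values-differ` are the ones that need a closer look.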