[Samba] Directory Corruption Problem

Wayne Andersen waynea at clima-tech.com
Mon Feb 2 12:15:08 MST 2015


I have three samba 4.1.6 servers, all three are domain controllers.

A, B, C, where A has the FSMO role.

I am getting the following error:

[2015/02/02 11:49:42.359246,  0] ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3664(replmd_op_possible_conflict_callback)
  ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3664: Unable to find replPropertyMetaData for conflicting record 'CN=ypServ30,CN=RpcServices,CN=System,DC=corp,DC=mydomain,DC=com'
[2015/02/02 11:49:42.359542,  0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
  Failed to apply records: Entry CN=ypServ30,CN=RpcServices,CN=System,DC=corp,DC=mydomain,DC=com already exists: Entry already exists
[2015/02/02 11:49:42.361528,  0] ../source4/dsdb/repl/drepl_out_helpers.c:725(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE

If I use adsiedit I can navigate to the RpcServices container on server B
and C, but server A gives me an operations failed error 0x80072020, which
after research has led me to believe that it is a permissions error.

If I try to search for the GUID of the RpcServices object by GUID using
ldp.exe I get this error.

***Searching...
ldap_search_s(ld, "<GUID=5c62034b-a978-4d75-8102-e8c94f0eb780>", 2, "(objectclass=*)", attrList,  0, &msg)
Error: Search: Operations Error. <1>
Server error: acl_read: cannot get descriptor of CN=bynumber,CN=rpc,CN=ypServ30,CN=RpcServices,CN=System,DC=CORP,DC=MYDOMAIN,DC=COM: insufficient access rights

Result <1>: acl_read: cannot get descriptor of CN=bynumber,CN=rpc,CN=ypServ30,CN=RpcServices,CN=System,DC=CORP,DC=MYDOMAIN,DC=COM: insufficient access rights

Getting 0 entries:

It works fine on B and C again but not on A.

It appears to me that the permissions on the directory records on A are
corrupted.
I can access any of these DNs using ldbsearch or ldbedit just fine,
although I am assuming that these tools bypass the permissions check.

If I try to add read permissions for my user to the RpcServices DN on server
B and C it allows me to do so with no problems.
If I try it on server A I get 

'Unable to save permission changes on RpcServices, an operations error
occurred.'

Is there a way to clean this up by resetting the permissions, or copying the
records from one of the working servers to the corrupted one?

Or last resort, I suppose that I could seize the fsmo role say to B, demote
and delete A then rebuild it.
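
Added example, not part of the original message and not Samba project code: a small Python triage script that parses Samba debug-log entries of the form quoted above and lists which directory objects (DNs) appear in level-0 replication errors, and from which source functions. The names parse_entries and conflicting_dns are made up for this example; the sample input is the log excerpt from this post with the mail line-wrapping undone.

```python
import re
from collections import defaultdict

# Header of a Samba debug entry: [date time.usec, level] file:line(function)
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(?P<level>\d+)\]\s+"
    r"(?P<file>\S+?):(?P<line>\d+)\((?P<func>\w+)\)\s*$"
)
# A distinguished name built from CN=/OU=/DC= components.
DN = re.compile(r"(?:CN|OU|DC)=[^,'\s]+(?:,(?:CN|OU|DC)=[^,'\s]+)*", re.I)

# Sample input: the excerpt from this post, with wrapped lines rejoined.
SAMPLE_LOG = """\
[2015/02/02 11:49:42.359246,  0] ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3664(replmd_op_possible_conflict_callback)
  ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:3664: Unable to find replPropertyMetaData for conflicting record 'CN=ypServ30,CN=RpcServices,CN=System,DC=corp,DC=mydomain,DC=com'
[2015/02/02 11:49:42.359542,  0] ../source4/dsdb/repl/replicated_objects.c:783(dsdb_replicated_objects_commit)
  Failed to apply records: Entry CN=ypServ30,CN=RpcServices,CN=System,DC=corp,DC=mydomain,DC=com already exists: Entry already exists
[2015/02/02 11:49:42.361528,  0] ../source4/dsdb/repl/drepl_out_helpers.c:725(dreplsrv_op_pull_source_apply_changes_trigger)
  Failed to commit objects: WERR_GENERAL_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
"""

def parse_entries(text):
    """Group a header line with the message lines that follow it."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "message": ""})
        elif entries and raw.strip():
            # Continuation line: append to the most recent entry's message.
            e = entries[-1]
            e["message"] = (e["message"] + " " + raw.strip()).strip()
    return entries

def conflicting_dns(entries, max_level=0):
    """Map each DN (lower-cased) to the functions that logged an error about it."""
    hits = defaultdict(list)
    for e in entries:
        if int(e["level"]) > max_level:
            continue  # keep only the most severe entries by default
        for dn in DN.findall(e["message"]):
            hits[dn.lower()].append(e["func"])
    return dict(hits)

if __name__ == "__main__":
    for dn, funcs in conflicting_dns(parse_entries(SAMPLE_LOG)).items():
        print(dn, "<-", ", ".join(funcs))
```

Run against the full log of each domain controller, the output gives one line per affected object, which makes it easy to see whether the errors are confined to one subtree.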



