[Samba] Duplicate (not so) single-valued attributes on some DCs?

[Andrew Bartlett]

On Wed, 2015-01-07 at 15:01 +0100, Sven Schwedas wrote:
> We've run into a small issue over the holidays (I can't pinpoint it due
> to nobody being in the office for the past three weeks and thus not
> noticing anything): At least one LDAP entry has an (single-valued!)
> attribute duplicated on *some* DCs, but not all of them – and said
> attribute hasn't been modified in six months.
> 
> Microsoft's ADSI just crashes when trying to open the entry on these
> servers (servers that see only one value open fine).
> 
> ldbedit doesn't let me delete the second value (It reports "0 adds  0
> modifies  0 deletes" when trying), modifying one value changes either or
> both values, but never deletes any. The changes are correctly replicated
> back to the other nodes, which only see the changed value. If I try to
> change both values, I correctly get an "<0000200D: SINGLE-VALUE
> attribute … specified more than once>" error message.
> 
> 
> Is this a known (replication?) issue? How can I fix it? Re-join the DCs
> to the domain? How would I do this without fucking up other things?

It may be possible to fix it with LDIF, by using the 'replace' operation
in the modify rather than add/delete.  However, I'm much more curious as
to what the attribute is, how it got like that, and what we need to do
to have dbcheck find and potentially fix such issues.

Can you file a bug with more detail, and let me know the bug ID?

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba