[Samba] Database errors after join to DC as part of AD Forest

Andrey Cherepanov cas at altlinux.ru
Fri Jun 19 07:21:08 MDT 2015


The test stand contains two DCs with Windows 2003 Std SP2 En:
- root domain company.local
- child domain filial1.company.local

I have Linux (ALT Linux) with Samba AD DC 4.2.2. After joining
filial1.company.local with the command

samba-tool domain join filial1.company.local DC \
  -Uadministrator%P at ssw0rd --realm=filial1.company.local \
  --parent-domain=filial1.company.local -d 10
(verbose log is stored)

I get 4 errors:
Checking 296 objects
ERROR: description not present on Deleted Objects container CN=Deleted
Objects,DC=DomainDnsZones,DC=filial1,DC=company,DC=local
Not fixing missing/incorrect attributes on CN=Deleted
Objects,DC=DomainDnsZones,DC=filial1,DC=company,DC=local

ERROR: wrong instanceType 13 on DC=filial1,DC=company,DC=local, should
be 5
Not changing instanceType from 13 to 5 on DC=filial1,DC=company,DC=local
DC=filial1,DC=company,DC=local  ==  DC=company,DC=local
ERROR: parent object not found for DC=filial1,DC=company,DC=local
Not moving object DC=filial1,DC=company,DC=local into LostAndFound
ERROR: incorrect GUID component for member in object
CN=Administrators,CN=Builtin,DC=filial1,DC=company,DC=local -
<GUID=ee583875-40b5-49dc-ab6a-e5528efd47c8>;<SID=S-1-5-21-1917456030-2356434423-194994843-519>;CN=Enterprise
Admins,CN=Users,DC=company,DC=local
unable to find object for DN CN=Enterprise
Admins,CN=Users,DC=company,DC=local - (No such Base DN: CN=Enterprise
Admins,CN=Users,DC=company,DC=local)
Not removing dangling forward link
Please use --fix to fix these errors
Checked 296 objects (4 errors)

The first two errors are fixed if --fix is used. But the last two errors are fatal.

1. 'parent object not found' occurs because sam.ldb contains
rootDomainNamingContext 'DC=company,DC=local', but this DN is not
available during the join.

2. 'incorrect GUID component for member' refers to the external object
'CN=Enterprise Admins,CN=Users,DC=company,DC=local'. The reason is the same:
the database is not replicated.

I see:
# ls -1 /var/lib/samba/private/sam.ldb.d/
CN=CONFIGURATION,DC=COMPANY,DC=LOCAL.ldb
CN=SCHEMA,CN=CONFIGURATION,DC=COMPANY,DC=LOCAL.ldb
DC=DOMAINDNSZONES,DC=FILIAL1,DC=COMPANY,DC=LOCAL.ldb
DC=FILIAL1,DC=COMPANY,DC=LOCAL.ldb
DC=FORESTDNSZONES,DC=COMPANY,DC=LOCAL.ldb
metadata.tdb

Look at the record with the second fatal error:
dn: CN=Administrators,CN=Builtin,DC=filial1,DC=company,DC=local
...
member: CN=Enterprise Admins,CN=Users,DC=company,DC=local

I think that retrieving the suffix from "external" databases (outside the
joined domain filial1.company.local) does not work with DNs in member
attributes.

If I try to remove the attribute with the unresolved DN:
# ldbmodify -H sam.ldb
dn: CN=Administrators,CN=Builtin,DC=filial1,DC=company,DC=local
changetype: modify
delete: member
member: CN=Enterprise Admins,CN=Users,DC=company,DC=local

ERR: (Unwilling to perform) "Unable to find GUID for DN CN=Enterprise
Admins,CN=Users,DC=company,DC=local
" on DN CN=Administrators,CN=Builtin,DC=filial1,DC=company,DC=local at
block before line 5
Modify failed after processing 0 records

This is a new error: why is the GUID for a _removed_ attribute checked? BTW
ldbedit allows removing this attribute.

Does anyone know how to fix these errors? I am trying to prepare a patch for
the second fatal error at least, but I'm a newbie to the Samba code.

-- 
Andrey Cherepanov
ALT Linux
cas at altlinux.ru
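As an added illustration, not part of the post or of Samba's own tooling, the following Python script reproduces the diagnosis above: it derives the locally held partitions from the sam.ldb.d file names quoted in the message and checks whether the DNs from the two fatal dbcheck errors fall inside any of them. The function names are my own, and the script assumes DNs without escaped commas.

```python
import re

# Constructed from the `ls -1 /var/lib/samba/private/sam.ldb.d/` listing in the post.
LOCAL_PARTITION_FILES = [
    "CN=CONFIGURATION,DC=COMPANY,DC=LOCAL.ldb",
    "CN=SCHEMA,CN=CONFIGURATION,DC=COMPANY,DC=LOCAL.ldb",
    "DC=DOMAINDNSZONES,DC=FILIAL1,DC=COMPANY,DC=LOCAL.ldb",
    "DC=FILIAL1,DC=COMPANY,DC=LOCAL.ldb",
    "DC=FORESTDNSZONES,DC=COMPANY,DC=LOCAL.ldb",
]

def strip_extended_dn(value):
    """Drop the <GUID=...>;<SID=...>; prefix that ldb prints on extended DNs."""
    return re.sub(r"^(?:<[^>]*>;)*", "", value)

def normalize_dn(dn):
    """Upper-case and trim each RDN so DNs from different sources compare equal.
    Assumes no escaped commas inside RDN values (hypothetical helper)."""
    return ",".join(p.strip() for p in strip_extended_dn(dn).split(",")).upper()

def local_partitions(files):
    """Partition DNs this DC holds, derived from the .ldb file names in sam.ldb.d."""
    return {normalize_dn(f[:-len(".ldb")]) for f in files if f.endswith(".ldb")}

def holding_partition(dn, partitions):
    """Return the most specific local partition containing dn, or None if not held.
    Walks from the full DN toward the root so a child partition wins over its parent."""
    rdns = normalize_dn(dn).split(",")
    for i in range(len(rdns)):
        suffix = ",".join(rdns[i:])
        if suffix in partitions:
            return suffix
    return None

def explain(dn, partitions):
    """Classify a DN that dbcheck reported as unresolvable."""
    held = holding_partition(dn, partitions)
    if held is None:
        return "not held locally: partition not yet replicated"
    return "held in %s: object genuinely missing" % held

if __name__ == "__main__":
    parts = local_partitions(LOCAL_PARTITION_FILES)
    # The two fatal cases from the post: the parent naming context and the dangling member.
    for dn in ("DC=company,DC=local",
               "<GUID=ee583875-40b5-49dc-ab6a-e5528efd47c8>;"
               "<SID=S-1-5-21-1917456030-2356434423-194994843-519>;"
               "CN=Enterprise Admins,CN=Users,DC=company,DC=local"):
        print("%s -> %s" % (strip_extended_dn(dn), explain(dn, parts)))
```

Both fatal DNs resolve to no local partition, which matches the post's conclusion that they only become fixable once DC=company,DC=local has replicated.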
