[Samba] [samba] 4.2.1 Indexing attributes

Andrew Bartlett abartlet at samba.org
Fri May 15 23:22:10 MDT 2015

On Thu, 2015-05-07 at 11:47 +0200, mathias dufresne wrote:
> Hi all,
> System is CentOS 7 and Samba is 4.2.1 sernet version.
> The database contains 120k users and 150k computers. Its size is 3.3GB on
> DC01 where the imports were performed and 2.8GB on the second DC.

Wow!  That is a very, very large domain!

> I was trying to index uid attribute and I have a strange behaviour.
> According to
> https://msdn.microsoft.com/en-us/library/ms679765%28v=vs.85%29.aspx it is
> the "searchFlags" attribute of "dn:
> CN=uid,CN=Schema,CN=Configuration,DC=domain,DC=tld" I have to modify.
> Looking at that attribute on
> "sam.ldb.d/CN\=SCHEMA\,CN\=CONFIGURATION\,DC\=DOMAIN\,DC\=TLD.ldb" ldb
> file, this attribute is set to 8 which should mean "uid value is not
> re-usable" ("Preserve this attribute in the tombstone object for deleted
> objects." in MSDN doc).
> I tried to set "searchFlags" to 47, 15, 1 and finally 9. Each time
> ldbmodify answered "Modified 1 records successfully" but ldbsearch then
> shows this attribute value was not modified.
> Here are the commands and their results:
> samba4-dc01:~# cat uid_searchflags_modification.ldif
> dn: CN=uid,CN=Schema,CN=Configuration,DC=domain,DC=tld
> changetype: modify
> replace: searchFlags
> searchFlags: 8
> serachFlags: 47
> samba4-dc01:~# ldbmodify -H
> /var/lib/samba/private/sam.ldb.d/CN\=SCHEMA\,CN\=CONFIGURATION\,DC\=DOMAIN\,DC\=TLD.ldb
> uid_searchflags_modification.ldif
> Modified 1 records successfully

Please do not modify the backend database files directly.  You need to
do all modifications via sam.ldb, because otherwise the modifications
will not propagate (using sam.ldb.d files means all the ldb modules,
consistency, metadata recording and safety checks are bypassed). 

I realise this may make things difficult in this particular situation
(if the reindex was to happen during the connection, and timeout or
such), but I need to emphasise the general rule.


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
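
The rule above, as an added example that is not part of the original messages and is not Samba code: it decodes the searchFlags values mentioned in the thread, computes the value that adds the index bit without dropping bits already set, and refuses to target a file under sam.ldb.d. The function names are hypothetical; the bit names are the documented Active Directory searchFlags bits, and the paths are the ones quoted in the thread.

```python
import os

# searchFlags bits as documented for Active Directory attributeSchema objects.
SEARCH_FLAGS = {
    0x001: "fATTINDEX",            # build an index for the attribute
    0x002: "fPDNTATTINDEX",        # per-container index
    0x004: "fANR",                 # ambiguous name resolution
    0x008: "fPRESERVEONDELETE",    # keep the value on the tombstone
    0x010: "fCOPY",
    0x020: "fTUPLEINDEX",
    0x040: "fSUBTREEATTINDEX",
    0x080: "fCONFIDENTIAL",
    0x100: "fNEVERVALUEAUDIT",
    0x200: "fRODCFilteredAttribute",
}

def decode(value):
    """Return the names of the bits set in a searchFlags value, lowest bit first."""
    return [name for bit, name in sorted(SEARCH_FLAGS.items()) if value & bit]

def with_index(current):
    """Add the index bit while leaving every existing bit untouched."""
    return current | 0x001

def is_backend_partition(path):
    """True if the path points inside sam.ldb.d (a backend partition file)."""
    return "sam.ldb.d" in os.path.normpath(path).split(os.sep)

def build_modify_ldif(dn, current):
    """LDIF that replaces searchFlags with exactly one value."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: searchFlags\n"
            f"searchFlags: {with_index(current)}\n")

def plan(ldb_path, dn, current):
    """Return the LDIF to apply, or raise if the target bypasses the ldb modules."""
    if is_backend_partition(ldb_path):
        raise ValueError("target is a sam.ldb.d partition file; use sam.ldb")
    return build_modify_ldif(dn, current)

if __name__ == "__main__":
    for v in (8, 47, 15, 1, 9):   # values mentioned in the thread
        print(v, decode(v))
    print(plan("/var/lib/samba/private/sam.ldb",
               "CN=uid,CN=Schema,CN=Configuration,DC=domain,DC=tld", 8))
```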
