[Samba] Previously extended schema not working in 4.4.0

Rowland penny rpenny at samba.org
Mon Apr 11 21:18:23 UTC 2016

On 11/04/16 21:23, Jonathan Hunter wrote:
> Hi,
> About a year ago (I think I was using v4.2.x at the time), I extended the
> schema of my Samba AD. This worked just fine and since then I have been
> able to create and edit objects from my custom schema via ADSIEdit. This
> worked fine under 4.3.x as well - the last such object I successfully
> created was just over two months ago, at which point I was running some
> variant of 4.3.x (probably 4.3.5).
> However, last week I upgraded all my DCs to 4.4.0 (to take advantage of
> the LDAP_MATCHING_RULE_IN_CHAIN fix / bug 10493) and now I have found that
> I can no longer create my custom objects in AD. ADSIEdit reports that "A
> constraint violation occurred"; I get the same error from Apache Directory
> Studio, too - details are as follows:
> Error while creating entry
>   - [LDAP: error code 19 - 0000202F: replmd_add: error during direct ADD: No
> rDN found in replPropertyMetaData for
> mytype=abc123,OU=myou,DC=mydomain,DC=org,DC=uk
> I have checked using the 'Active Directory Schema' MMC snap-in, and my
> custom schema classes and attributes do still seem to be showing as present
> and correct, just as I originally added them many months ago - I can't spot
> any problems there.
> It behaves exactly the same when I try to create objects on all four of my
> DCs. I can create other (non-custom) objects with no problems at all, and
> replication seems to work just fine for everything else - if I create a
> regular user, or modify its description, that change propagates perfectly
> well across all DCs.
> I suspect that some Samba database (replPropertyMetaData?) has got corrupt
> or out of sync somehow - but I don't know how to investigate further. Is
> this database in any kind of ldb file that I could dump / look at / edit?

Yes, AD is stored in sam.ldb, you can see this with:

ldbedit -e nano -H /usr/local/samba/private/sam.ldb

Replace 'nano' with your favourite editor, and '/usr/local/samba/private' 
with the path to your 'sam.ldb' if yours is in a different place.

This will show most of your AD, if you want to see the DNS records, add 
'--cross-ncs' and if you want fully readable dns records, also add 

There are other .ldb files, but I wouldn't try to edit those.


> There's a chance that it broke in 4.3.6 (which was the version I used prior
> to 4.4.0) - I upgraded to 4.3.6 about a week after creating the most recent
> object I can find in my AD - but I am now on 4.4.0 and it's definitely
> broken at the moment. If it's important, I could try to spin up an isolated
> VM and restore 4.3.6 from backups.
> Any pointers appreciated - I'm really not sure where to look next.
> Thanks :-)
> Jonathan
