[Samba] Previously extended schema not working in 4.4.0

Mon Apr 11 22:02:46 UTC 2016

Thanks Rowland.

In here, I can see the objects I have created using my schema extensions,
but I cannot see the schema classes or attributes themselves; I don't know
if that is the problem.

I'm not sure if by running ldbedit on sam.ldb, this does not include the
contents of CN=Schema,CN=Configuration,DC=mydomain,DC=... or if it does
include this part of the AD tree and these items are somehow missing in my
case.

The 'Active Directory Schema' MMC plug-in does show the classes and
attributes, so that must be reading them from somewhere.

On 11 April 2016 at 22:18, Rowland penny <rpenny at samba.org> wrote:

> On 11/04/16 21:23, Jonathan Hunter wrote:
>
>> Hi,
>>
>> About a year ago (I think I was using v4.2.x at the time), I extended the
>> schema of my Samba AD. This worked just fine and since then I have been
>> able to create and edit objects from my custom schema via ADSIEdit. This
>> worked fine under 4.3.x as well - the last such object I successfully
>> created was just over two months ago, at which point I was running some
>> variant of 4.3.x (probably 4.3.5).
>>
>> However, last week I upgraded all my DCs to 4.4.0 (to take advantage of
>> the LDAP_MATCHING_RULE_IN_CHAIN fix / bug 10493) and now I have found that
>> can no longer create my custom objects in AD. ADSIEdit reports that "A
>> constraint violation occurred"; I get the same error from Apache Directory
>> Studio, too - details are as follows:
>>
>> Error while creating entry
>>   - [LDAP: error code 19 - 0000202F: replmd_add: error during direct ADD:
>> No
>> rDN found in replPropertyMetaData for
>> mytype=abc123,OU=myou,DC=mydomain,DC=org,DC=uk
>>
>> I have checked using the 'Active Directory Schema' MMC snap-in, and my
>> custom schema classes and attributes do still seem to be showing as
>> present
>> and correct, just as I originally added them many months ago - I can't
>> spot
>> any problems there.
>>
>> It behaves exactly the same when I try to create objects on all four of my
>> DCs. I can create other (non-custom) objects with no problems at all, and
>> replication seems to work just fine for everything else - if I create a
>> regular user, or modify its description, that change propagates perfectly
>> well across all DCs.
>>
>> I suspect that some Samba database (replPropertyMetaData?) has got corrupt
>> or out of sync somehow - but I don't know how to investigate further. Is
>> this database in any kind of ldb file that I could dump / look at / edit ?
>>
>
> Yes, AD is stored in sam.ldb, you can see this with:
>
> ldbedit -e nano -H /usr/local/samba/private/sam.ldb
>
> Replacing 'nano' with your favourite editor, 'usr/local/samba/private'
> with the path to your 'sam.ldb' if yours is in a different place.
>
> This will show most of your AD, if you want to see the DNS records, add
> '--cross-ncs' and if you want fully readable dns records, also add
> '--show-binary'
>
> There are other .ldb files, but I wouldn't try to edit those.
>
> Rowland
>
>
>> There's a chance that it broke in 4.3.6 (which was the version I used
>> prior
>> to 4.4.0) - I upgraded to 4.3.6 about a week after creating the most
>> recent
>> object I can find in my AD - but I am now on 4.4.0 and it's definitely
>> broken at the moment. If it's important, I could try to spin up an
>> isolated
>> VM and restore 4.3.6 from backups.
>>
>> Any pointers appreciated - I'm really not sure where to look next.
>>
>> Thanks :-)
>>
>> Jonathan
>>
>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

-- 
"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein