[Samba] Failed to re-index objectSid after botched DLZ back-end update
mdelfino.list.samba at KNOCKinc.com
Tue Apr 12 22:08:47 UTC 2016
Alright, I'm taking the plunge: We're switching our three AD DCs from Samba internal to BIND_DLZ back end.
I needed a version of BIND with DLZ, as it appears support for that is not so ubiquitous.
I went here first: https://wiki.samba.org/index.php/Using_BIND_DLZ_backend_with_secured_/_signed_DNS_updates
We use Ubuntu 14.04 here, and the Debian/Ubuntu instructions fail on apt-get installing "libpcap2-dev". And, unsurprisingly, the "dget -x http://ftp.de.debian.org/debian/pool/main/b/bind9/bind9_9.9.5.dfsg-7.dsc" command is out of date, so I went into that FTP server to find the source, but found myself too trepidatious to continue without the "libpcap2-dev" library installed, so I looked for someone else's instructions.
I found this: http://askubuntu.com/questions/630875/how-to-install-bind9-with-dlz-unbuntu-server-14-04
These instructions were more helpful, especially when combined with some of the info about options included on "Using_BIND_DLZ_backend_with_secured_/_signed_DNS_updates."
I got some deb packages compiled (v9.9.5) and brought them to one of my DCs.
I shut that DC down and took a snapshot of it (I'm using vSphere here), and then proceeded to attempt to switch it to the DLZ backend.
It seemed to work, but later in the process I started having issues which prompted me to rewind my snapshot.
Now, no matter what, every time I try to move forward again, I get this:
# sudo samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/private/dns/knockinc.loc.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-rhea account
Traceback (most recent call last):
File "/usr/sbin/samba_upgradedns", line 438, in <module>
"DNSNAME" : dnsname }
File "/usr/lib/python2.7/dist-packages/samba/provision/common.py", line 55, in setup_add_ldif
File "/usr/lib/python2.7/dist-packages/samba/__init__.py", line 225, in add_ldif
_ldb.LdbError: (68, '../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in CN=dns-rhea,CN=Users,DC=knockinc,DC=loc - ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in CN=dns-rhea,CN=Users,DC=knockinc,DC=loc')
As best I can tell, a "dns-rhea" user (Rhea is the DC I'm trying to upgrade) got made, the objectSid ID got ticked up, the other DCs have that number, but my rewound DC doesn't know it was ever made and I'm stumped.
What can I do to get out of this mess?
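The failure in the traceback above is ldb refusing an add because the new object's objectSid is already held by another entry in its unique index. The following is an added example, not code from the post or from Samba, that models that check offline on a constructed LDIF dump so a DC's records can be inspected before re-running the upgrade: it parses a minimal LDIF export, builds the objectSid index, reproduces the unique-index decision, and lists SIDs that a replication partner holds but a rewound snapshot does not. The domain SID, DNs, RID values and the parse helper are all constructed placeholders, and the scenario (a partner-created object occupying the RID the rewound DC hands out next) is an illustration of the mechanism described in the post, not a diagnosis of it.

```python
"""Offline model of ldb's unique objectSid index check and a snapshot-drift
check between a rewound DC and a replication partner.
Everything here (records, SIDs, DNs, counters) is constructed sample data."""

from collections import defaultdict

DOMAIN_SID = "S-1-5-21-111-222-333"          # constructed placeholder domain SID
USERS_BASE = "CN=Users,DC=example,DC=test"   # constructed placeholder base DN

# Constructed LDIF as the rewound DC sees its own Users container.
LOCAL_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
objectSid: S-1-5-21-111-222-333-1103

dn: CN=bob,CN=Users,DC=example,DC=test
objectSid: S-1-5-21-111-222-333-1104
"""

# Constructed LDIF from a partner DC that kept running after the snapshot
# was taken and allocated one more RID in the meantime.
PARTNER_LDIF = LOCAL_LDIF + """
dn: CN=svc-backup,CN=Users,DC=example,DC=test
objectSid: S-1-5-21-111-222-333-1105
"""

# Constructed: the RID the rewound DC would hand out to its next new account.
NEXT_RID_ON_REWOUND_DC = 1105


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attr: [values]} dicts.
    Supports only plain 'attr: value' lines: no base64 (::), no line folding."""
    records, current = [], defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()].append(value.strip())
    if current:
        records.append(dict(current))
    return records


def build_sid_index(records):
    """Map objectSid -> DN, mirroring the unique index ldb keeps on objectSid.
    Also returns any (sid, dn1, dn2) duplicates already present in the dump."""
    index, conflicts = {}, []
    for rec in records:
        dn = rec["dn"][0]
        for sid in rec.get("objectSid", []):
            if sid in index and index[sid] != dn:
                conflicts.append((sid, index[sid], dn))
            else:
                index.setdefault(sid, dn)
    return index, conflicts


def check_add(index, new_dn, new_sid):
    """Emulate the decision behind 'unique index violation on objectSid':
    return None if the add is allowed, else the DN that already holds the SID."""
    holder = index.get(new_sid)
    if holder is not None and holder != new_dn:
        return holder
    return None


def sids_missing_locally(local_records, partner_records):
    """SIDs (with their DNs) a partner has but the rewound DC does not:
    the objects created after the snapshot, which replication will bring back."""
    local_sids = {s for r in local_records for s in r.get("objectSid", [])}
    return sorted(
        (s, r["dn"][0])
        for r in partner_records
        for s in r.get("objectSid", [])
        if s not in local_sids
    )


def simulate_upgrade_add(partner_ldif, new_cn, next_rid):
    """After replication the local DC holds the partner's records; allocating
    next_rid for a new account then hits the index check. Returns the conflicting
    DN, or None when the account would be created cleanly."""
    index, _ = build_sid_index(parse_ldif(partner_ldif))
    new_dn = f"CN={new_cn},{USERS_BASE}"
    new_sid = f"{DOMAIN_SID}-{next_rid}"
    return check_add(index, new_dn, new_sid)


if __name__ == "__main__":
    local, partner = parse_ldif(LOCAL_LDIF), parse_ldif(PARTNER_LDIF)
    print("created after snapshot:", sids_missing_locally(local, partner))
    print("conflict for dns-rhea:",
          simulate_upgrade_add(PARTNER_LDIF, "dns-rhea", NEXT_RID_ON_REWOUND_DC))
```

Running the script reports the one SID the partner allocated after the snapshot and names the DN that would block an add of dns-rhea at the rewound DC's next RID; with a RID that nobody holds, `simulate_upgrade_add` returns None. On a real DC the same questions are answered by an LDIF export of sam.ldb from each DC rather than the constructed strings above.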