[Samba] Previously extended schema not working in 4.4.0
jmhunter1 at gmail.com
Thu Apr 14 12:37:33 UTC 2016
Thank you, Andrew - I hadn't done so. (In a good way, I haven't yet had
problems with samba that have caused me to delve quite so deeply into the
DB :) so I'm not as familiar with the range of tools as I could be, sorry!)
This has flagged up quite a few errors, all along the lines of:
# samba-tool dbcheck --cross-ncs
Checking 4079 objects
ERROR: incorrect attributeID values in replPropertyMetaData on
Not fixing incorrect value 0x00290004 with 0xbd27f4d3 for myAttr in
replPropertyMetaData on MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk
[this is repeated many times, for multiple objects]
[ sometimes ERROR: duplicate attributeID values ]
Please use --fix to fix these errors
Checked 4083 objects (110 errors)
Before I run again with --fix...
- I will take a dump (using ldapsearch) of this OU before I do anything
- I don't know what the different codes e.g. 0x00290001, represent - or
even why there are multiple of these per object. The actual numbers vary
from one to the next; there is some overlap but also different values given
- I'm not sure what --fix will do if it finds an "incorrect" value;
where will it get the right value from?
I guess, as long as I have a dump of the OU, at worst I could drop the
entire contents and re-create it, should --fix not do what I expect..
I don't know why this happened; perhaps it was something to do with my
upgrade method from 4.3.x to 4.4.0 (compile 4.4.0; make install; restart
samba). I've used that same recipe many times to go from 4.1.x - 4.2.x -
4.3.x and that has always worked fine, but maybe I have been lucky (or
unlucky?) in some way..
On 14 April 2016 at 11:28, Andrew Bartlett <abartlet at samba.org> wrote:
> On Mon, 2016-04-11 at 21:23 +0100, Jonathan Hunter wrote:
> > Hi,
> > About a year ago (I think I was using v4.2.x at the time), I extended the
> > schema of my Samba AD. This worked just fine and since then I have been
> > able to create and edit objects from my custom schema via ADSIEdit. This
> > worked fine under 4.3.x as well - the last such object I successfully
> > created was just over two months ago, at which point I was running some
> > variant of 4.3.x (probably 4.3.5).
> > However, last week I upgraded all my DCs to 4.4.0 (to take advantage of
> > the LDAP_MATCHING_RULE_IN_CHAIN fix / bug 10493) and now I have found that
> > I can no longer create my custom objects in AD. ADSIEdit reports that "A
> > constraint violation occurred"; I get the same error from Apache Directory
> > Studio, too - details are as follows:
> > Error while creating entry
> > - [LDAP: error code 19 - 0000202F: replmd_add: error during direct ADD: No
> > rDN found in replPropertyMetaData for
> > mytype=abc123,OU=myou,DC=mydomain,DC=org,DC=uk
> > I have checked using the 'Active Directory Schema' MMC snap-in, and my
> > custom schema classes and attributes do still seem to be showing as present
> > and correct, just as I originally added them many months ago - I can't spot
> > any problems there.
> > It behaves exactly the same when I try to create objects on all four of my
> > DCs. I can create other (non-custom) objects with no problems at all, and
> > replication seems to work just fine for everything else - if I create a
> > regular user, or modify its description, that change propagates perfectly
> > well across all DCs.
> > I suspect that some Samba database (replPropertyMetaData?) has got corrupt
> > or out of sync somehow - but I don't know how to investigate further. Is
> > this database in any kind of ldb file that I could dump / look at / edit?
> > There's a chance that it broke in 4.3.6 (which was the version I used prior
> > to 4.4.0) - I upgraded to 4.3.6 about a week after creating the most recent
> > object I can find in my AD - but I am now on 4.4.0 and it's definitely
> > broken at the moment. If it's important, I could try to spin up an isolated
> > VM and restore 4.3.6 from backups.
> > Any pointers appreciated - I'm really not sure where to look next.
> Have you run dbcheck?
> samba-tool dbcheck --cross-ncs
> Andrew Bartlett
> Andrew Bartlett http://samba.org/~abartlet/
> Authentication Developer, Samba Team http://samba.org
> Samba Developer, Catalyst IT
"If we knew what it was we were doing, it would not be called research,
- Albert Einstein