[Samba] Previously extended schema not working in 4.4.0

Jonathan Hunter jmhunter1 at gmail.com
Thu Apr 14 17:07:14 UTC 2016


On 14 April 2016 at 13:37, Jonathan Hunter <jmhunter1 at gmail.com> wrote:

> # samba-tool dbcheck --cross-ncs
> Checking 4079 objects
> MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00290001
> MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x0029000a
> MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00290004
> MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x0009030e
> MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00090001
> MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00020119
> MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00020002
> MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00020001
> MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk: 0x00000000
>
> ERROR: incorrect attributeID values in replPropertyMetaData on
> MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk
>
> Not fixing incorrect value 0x00290004 with 0xbd27f4d3 for myAttr in
> replPropertyMetaData on MYOBJ=value,OU=myou,DC=mydomain,DC=org,DC=uk
>

Going back over the results of 'samba-tool dbcheck', it struck me just now
that the errors flagged up only appear on objects previously created using
my extended schema - these are exactly the same type of errors I am now
getting when trying to create more of these objects.

So I think that 'samba-tool dbcheck' is displaying the symptom, and in fact
running 'samba-tool dbcheck' probably won't help my situation.

What could cause the errors shown via 'samba-tool dbcheck'?

Thanks :)

Jonathan


> On 14 April 2016 at 11:28, Andrew Bartlett <abartlet at samba.org> wrote:
>
>> On Mon, 2016-04-11 at 21:23 +0100, Jonathan Hunter wrote:
>> > Hi,
>> >
>> > About a year ago (I think I was using v4.2.x at the time), I extended
>> > the schema of my Samba AD. This worked just fine and since then I have
>> > been able to create and edit objects from my custom schema via
>> > ADSIEdit. This worked fine under 4.3.x as well - the last such object I
>> > successfully created was just over two months ago, at which point I was
>> > running some variant of 4.3.x (probably 4.3.5).
>> >
>> > However, last week I upgraded all my DCs to 4.4.0 (to take advantage of
>> > the LDAP_MATCHING_RULE_IN_CHAIN fix / bug 10493) and now I have found
>> > that I can no longer create my custom objects in AD. ADSIEdit reports
>> > that "A constraint violation occurred"; I get the same error from
>> > Apache Directory Studio, too - details are as follows:
>> >
>> > Error while creating entry
>> >  - [LDAP: error code 19 - 0000202F: replmd_add: error during direct ADD: No rDN found in replPropertyMetaData for mytype=abc123,OU=myou,DC=mydomain,DC=org,DC=uk
>> >
>> > I have checked using the 'Active Directory Schema' MMC snap-in, and my
>> > custom schema classes and attributes do still seem to be showing as
>> > present and correct, just as I originally added them many months ago -
>> > I can't spot any problems there.
>> >
>> > It behaves exactly the same when I try to create objects on all four of
>> > my DCs. I can create other (non-custom) objects with no problems at
>> > all, and replication seems to work just fine for everything else - if I
>> > create a regular user, or modify its description, that change
>> > propagates perfectly well across all DCs.
>> >
>> > I suspect that some Samba database (replPropertyMetaData?) has got
>> > corrupt or out of sync somehow - but I don't know how to investigate
>> > further. Is this database in any kind of ldb file that I could dump /
>> > look at / edit?
>> >
>> > There's a chance that it broke in 4.3.6 (which was the version I used
>> > prior to 4.4.0) - I upgraded to 4.3.6 about a week after creating the
>> > most recent object I can find in my AD - but I am now on 4.4.0 and it's
>> > definitely broken at the moment. If it's important, I could try to spin
>> > up an isolated VM and restore 4.3.6 from backups.
>> >
>> > Any pointers appreciated - I'm really not sure where to look next.
>>
>> Have you run dbcheck?
>>
>> samba-tool dbcheck --cross-ncs
>>
>> Andrew Bartlett
>>
>> --
>> Andrew Bartlett                       http://samba.org/~abartlet/
>> Authentication Developer, Samba Team  http://samba.org
>> Samba Developer, Catalyst IT
>> http://catalyst.net.nz/services/samba
>>
>>
>>
>>
>
>
> --
> "If we knew what it was we were doing, it would not be called research,
> would it?"
>       - Albert Einstein
>



-- 
"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein

