[Samba] [samba] AD, 4.5.0, DRS or deletion question

Andrew Bartlett abartlet at samba.org
Mon Dec 19 22:03:36 UTC 2016


On Thu, 2016-12-15 at 14:25 +0100, mathias dufresne via samba wrote:
> No answer from anyone from the community so I managed by myself,
> answering also questions by myself.
> 
> So...
> Question 1: How can a DC rely on a deleted object to perform
> replication?
> That is a bug from Samba (the new KCC?).
> Sorry to say that but what else? Deleted objects are objects which are
> not in use. They have something to do perhaps with replication but they
> MUST NOT be used as a valid source (or destination) for replication. So, a
> bug.

It just means that it has in the past replicated from this DC, as the
repsFrom entry is by GUID.  It is transformed into a DN at presentation
time for display.

> 
> Question 2: as previously said I don't want to have to modify the
> tombstoneLifetime because this implies modifying the schema which is
> not something to perform regularly.
> What if:
> - object deletion can't be performed
> - removal of this replication path is not possible because the path
>   does not really exist (not listed in the KCC CONNECTION OBJECTS section
>   of drs showrepl, not existing in the "AD sites and services" MSC)
> - forcing replication between DCs does not solve the issue
> ?
> 
> To solve this issue I stopped the Samba service on the DC having the issue
> and then I copied manually (using a simple "scp") the DIT files from one
> working DC to this broken DC.
> After restarting the Samba service this DC has no issue.

You now have a CORRUPT database, and will experience EXTREME pain in the
near future as you try to untangle this mess.  NEVER copy sam.ldb
files between different hosts, as it contains non-replicated metadata.

Please shut down the "DC having the issue" at once, and remove it from
the domain using 'samba-tool domain demote --remove-other-dead-server=' 
from your other working DC.

To be clear, I use such strong words to ensure that others do not
follow in your footprints.

The only circumstances in which a sam.ldb file should be copied between
hosts is when simply doing a lift-and-shift move of the whole Samba
installation onto a new host with the same name.  You cannot copy the
DB between replicas.

Sorry,

Andrew Bartlett
