[Samba] [samba] AD, 4.5.0, DRS or deletion question

mathias dufresne infractory at gmail.com
Thu Dec 22 15:32:03 UTC 2016

2016-12-19 23:03 GMT+01:00 Andrew Bartlett <abartlet at samba.org>:

> On Thu, 2016-12-15 at 14:25 +0100, mathias dufresne via samba wrote:
> > No answer from anyone from the community, so I managed by myself,
> > answering the questions by myself as well.
> >
> > So...
> > Question 1: How can a DC rely on a deleted object to perform
> > replication?
> > That is a bug in Samba (the new KCC?).
> > Sorry to say that, but what else? Deleted objects are objects which are
> > not in use. They perhaps have something to do with replication, but they
> > MUST NOT be used as a valid source (or destination) for replication. So, a
> > bug.
> It just means that it has in the past replicated from this DC, as the
> repsFrom entry is by GUID.  It is transformed into a DN at presentation
> time for display.
> >
> > Question 2: as previously said, I don't want to have to modify the
> > tombstoneLifetime because this implies modifying the schema, which is
> > not something to perform regularly.
> > What if:
> > - object deletion can't be performed
> > - removal of this replication path is not possible because the path
> > does not really exist (not listed in the KCC CONNECTION OBJECTS section
> > of drs showrepl, not existing in the "AD sites and services" MSC)
> > - forcing replication between DCs does not solve the issue
> > ?
> >
> > To solve this issue I stopped the Samba service on the DC having the
> > issue and then I copied manually (using a simple "scp") the DIT files
> > from one working DC to this broken DC.
> > After restarting the Samba service this DC has no issue.
> You now have a CORRUPT database, and will experience EXTREME pain in the
> near future as you try to untangle this mess.  NEVER copy sam.ldb
> files between different hosts, as they contain non-replicated metadata.
> Please shut down the "DC having the issue" at once, and remove it from
> the domain using 'samba-tool domain demote --remove-other-dead-server='
> from your other working DC.
> To be clear, I use such strong words to ensure that others do not
> follow in your footsteps.
> The only circumstance in which a sam.ldb file should be copied between
> hosts is when simply doing a lift-and-shift move of the whole Samba
> installation onto a new host with the same name.  You cannot copy the
> DB between replicas.
> Sorry,
> Andrew Bartlett
You are right, after a few days the DB started to go crazy on almost all DCs.
Fortunately "samba-tool dbcheck" helped to clean some of them, but not all.
I expect the ones which kept errors despite the dbcheck were the DCs
onto which I copied the DIT from another DC.

I do believe I had this issue again, with "samba-tool drs replicate" showing
errors related to deleted DCs during the phase of reinstalling the broken DCs.
I say that because I also believe a simple dbcheck solved that, which was my
initial issue...
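As an added example (not part of this thread, nor Samba's own code), the check below scans "samba-tool drs showrepl" output for inbound neighbours whose DSA name carries the "\0ADEL:" deleted-object suffix, i.e. a repsFrom entry that still points by GUID at a DC that no longer exists, as Andrew describes above, and turns each one into the "--remove-other-dead-server" demote he recommends instead of copying sam.ldb. The sample output is constructed, not captured from a real DC, and the exact layout may differ between Samba versions.

```python
import re

# Constructed sample of "samba-tool drs showrepl" output (layout may differ by
# Samba version). DC2 is a live source; DC3 was deleted, but its repsFrom entry
# survives by GUID and is shown with the "\0ADEL:<guid>" deleted-object suffix.
SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\DC1
DSA object GUID: 11111111-1111-1111-1111-111111111111

==== INBOUND NEIGHBORS ====

DC=example,DC=com
\tDefault-First-Site-Name\\DC2 via RPC
\t\tLast attempt @ Thu Dec 22 14:00:00 2016 UTC was successful
\t\t0 consecutive failure(s).
\tDefault-First-Site-Name\\DC3\\0ADEL:33333333-3333-3333-3333-333333333333 via RPC
\t\tLast attempt @ Thu Dec 22 14:00:00 2016 UTC failed
\t\t12 consecutive failure(s).

==== OUTBOUND NEIGHBORS ====
"""

DELETED_MARKER = "\\0ADEL:"   # AD deleted-object RDN suffix as rendered in a DN
NEIGHBOUR_RE = re.compile(r"^\t(?P<dsa>\S+) via \S+$")
FAILURES_RE = re.compile(r"^\t\t(\d+) consecutive failure")

def find_deleted_sources(showrepl_text):
    """Return inbound neighbours whose DSA name carries the deleted-object marker."""
    hits, section, partition, dsa = [], None, None, None
    for line in showrepl_text.splitlines():
        if line.startswith("==== "):
            section, partition, dsa = line.strip("= "), None, None
        elif section != "INBOUND NEIGHBORS":
            continue
        elif line and not line.startswith("\t"):   # unindented line = partition DN
            partition = line
        elif (m := NEIGHBOUR_RE.match(line)):
            dsa = m.group("dsa")
            if DELETED_MARKER in dsa:
                hits.append({"partition": partition, "dsa": dsa, "failures": 0})
        elif (f := FAILURES_RE.match(line)) and hits and hits[-1]["dsa"] == dsa:
            hits[-1]["failures"] = int(f.group(1))
    return hits

def cleanup_commands(hits):
    """Bare DC name per dead source, wrapped in the demote command from the reply above."""
    names = sorted({h["dsa"].split(DELETED_MARKER)[0].split("\\")[-1] for h in hits})
    return [f"samba-tool domain demote --remove-other-dead-server={n}" for n in names]
```

Run it against real output with `find_deleted_sources(open("showrepl.txt").read())`; the demote must be issued from a working DC, as stated above, not from the broken one.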
