[Samba] ldbadd issue on Samba 4.1.13 AD DC

Rowland penny rpenny at samba.org
Wed Feb 10 21:39:38 UTC 2016


On 10/02/16 20:58, Allen Chen wrote:
> On 2/9/2016 3:48 PM, Rowland penny wrote:
>> On 09/02/16 19:59, Allen Chen wrote:
>>> Hi there,
>>>
>>> I have Samba 4.1.13 AD DC compiled on CentOS 6.2 (32bit). Everything 
>>> is working fine.
>>>
>>> Issue: ldbadd cannot re-add a deleted user account.
>>> What I did:
>>> 1. save user account
>>> # ./bin/ldbsearch -H /usr/local/samba/private/sam.ldb 
>>> sAMAccountName=krtu > ./user-add.ldif
>>>
>>> 2. delete the user account
>>> # ./bin/ldbdel -H /usr/local/samba/private/sam.ldb 
>>> "CN=krtu,CN=Users,DC=mydomain,DC=com"
>>> This user has been deleted. ldbsearch couldn't find it.
>>>
>>> 3. add it back again
>>> First remove the following attr from the saved file user-add.ldif
>>> sAMAccountType
>>> memberOf
>>> objectGUID
>>> primaryGroupID
>>>
>>> Then ldbadd gives the error:
>>> # ./bin/ldbadd -H /usr/local/samba/private/sam.ldb ./user-add.ldif
>>> ERR: Entry already exists : "../lib/ldb/ldb_tdb/ldb_index.c:1216: 
>>> Failed to re-index objectSid in CN=krtu,CN=Users,DC=mydomain,DC=com 
>>> - ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on 
>>> objectSid in CN=krtu,CN=Users,DC=mydomain,DC=com" on DN 
>>> CN=krtu,CN=Users,DC=mydomain,DC=com at block before line 36
>>> Add failed after processing 0 records
>>>
>>> Is it normal?
>>>
>>> Thanks,
>>
>> Two things spring to mind. First, why would you want to delete a user 
>> and then recreate it again?
>> Secondly, the user's SID comes in two parts, the SID (this is used 
>> for all domain objects) and a RID; this RID comes from a pool and 
>> this may be your problem.
>>
>> Can we see the ldif you used (suitably sanitized)?
>>
>> Rowland
>>
> Hi Rowland,
> I just want to try these two commands: ldbdel and ldbadd.
> If ldbadd cannot add a previously existing account, then what's the point 
> of ldbadd?

The point of ldbadd is to add an ldif to AD; the only problem is that 
you are trying to add back a user that you have deleted. You can do this, 
but not as you are trying to do it and, as far as Windows is concerned, 
your user will not be the same user.

This ldif will probably work:

dn: CN=krtu,CN=Users,DC=mydomain,DC=com
cn: krtu
sn: Allen
givenName: Wan
displayName: Allen Wan
name: krtu
homeDirectory: /home/employees/krtu
scriptPath: logon.bat
sAMAccountName: krtu
userPrincipalName: krtu@mydomain.com
uidNumber: 3029
gidNumber: 1027
loginShell: /bin/false
objectClass: user
userAccountControl: 512

You could probably shorten it further and it would still add your user. 
There is one attribute that you tried to add that you cannot add:

objectSid

This value is set by the system when the account is created, i.e. AD 
wants to create a new SID.

There are other attributes you shouldn't directly set yourself.

If you want to add a user, I suggest you use ADUC or samba-tool etc. If 
you delete a user, as far as I am aware, you cannot recreate the exact 
same user, you can only create a new user with the same name.

Rowland
>
> Here is the ldif file created by ldbsearch:
> # ./bin/ldbsearch -H /usr/local/samba/private/sam.ldb 
> sAMAccountName=krtu > ./user-add.ldif
> dn: CN=krtu,CN=Users,DC=mydomain,DC=com
> cn: krtu
> sn: Allen
> givenName: Wan
> instanceType: 4
> whenCreated: 20160208213002.0Z
> displayName: Allen Wan
> uSNCreated: 1978630
> name: krtu
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> homeDirectory: /home/employees/krtu
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> scriptPath: logon.bat
> objectSid: S-1-5-21-3939752234-2171877362-3959421765-5590
> logonCount: 0
> sAMAccountName: krtu
> userPrincipalName: krtu@mydomain.com
> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=com
> uidNumber: 3029
> gidNumber: 1027
> loginShell: /bin/false
> objectClass: top
> objectClass: posixAccount
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> pwdLastSet: 130994406020000000
> userAccountControl: 512
> accountExpires: 134466822030000000
> whenChanged: 20160208213003.0Z
> uSNChanged: 1978635
> distinguishedName: CN=krtu,CN=Users,DC=mydomain,DC=com
>
> Thanks,
> Allen
>
>
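
As an added example (not code from this thread or from Samba), a small Python filter that does what the reply above describes: it takes an ldbsearch dump and removes the server-assigned attributes, objectSid among them, so that the remaining entry can be handed to ldbadd without tripping the unique objectSid index. The attribute list is an assumption compiled from the thread (objectSid, the four Allen already removed, and the attributes absent from Rowland's working ldif); the sample dump is constructed from the quoted one.

```python
"""Strip directory-owned attributes from an ldbsearch LDIF dump before ldbadd."""

# Assumption for this example: attributes the thread shows AD assigns itself
# (objectSid, objectGUID, ...) or that the working ldif in the reply omits.
SYSTEM_ATTRS = frozenset(a.lower() for a in (
    "objectSid", "objectGUID", "sAMAccountType", "primaryGroupID", "memberOf",
    "whenCreated", "whenChanged", "uSNCreated", "uSNChanged", "instanceType",
    "distinguishedName", "objectCategory", "badPwdCount", "badPasswordTime",
    "lastLogoff", "lastLogon", "logonCount", "pwdLastSet", "accountExpires",
    "codePage", "countryCode",
))

# Constructed sample in ldbsearch's output style; "# ..." lines are comments
# and a line starting with one space continues the previous value (LDIF folding).
SAMPLE_DUMP = """# record 1
dn: CN=krtu,CN=Users,DC=mydomain,DC=com
cn: krtu
whenCreated: 20160208213002.0Z
homeDirectory: /home/employ
 ees/krtu
objectSid: S-1-5-21-3939752234-2171877362-3959421765-5590
sAMAccountName: krtu
userPrincipalName: krtu@mydomain.com
objectClass: top
objectClass: user
userAccountControl: 512

# returned 1 records
"""

def unfold(ldif):
    """Drop LDIF comments and join folded continuation lines."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # continuation: one leading space removed
        else:
            lines.append(raw)
    return lines

def strip_system_attrs(ldif):
    """Return (kept_ldif, dropped_attr_names) for one ldbsearch record."""
    kept, dropped = [], []
    for line in unfold(ldif):
        if not line.strip():
            continue
        name = line.split(":", 1)[0]      # works for "attr:" and base64 "attr::"
        (dropped if name.lower() in SYSTEM_ATTRS else kept).append(
            name if name.lower() in SYSTEM_ATTRS else line)
    return "\n".join(kept) + "\n", dropped

if __name__ == "__main__":
    ldif, dropped = strip_system_attrs(SAMPLE_DUMP)
    print(ldif, "# dropped:", ", ".join(dropped))
```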