[Samba] ldbadd issue on Samba 4.1.13 AD DC
infractory at gmail.com
Thu Feb 11 08:23:49 UTC 2016
As far as I have understood Rowland is right, objectSid can't be re-used:
objects during deletion are not really deleted but pushed into some recycle
bin (for a time according to tombstoneLifetime).
Perhaps you can force usage of some objectSid during creation or during
modification but I have no idea how that would impact the way next
objectSid will be chosen.
Nevertheless you can modify your users with ldbmodify or ldapmodify, you
can even modify their DN with modrdn as changetype in your LDIF, so there
should be no necessity to re-use objectSid.
2016-02-10 22:39 GMT+01:00 Rowland penny <rpenny at samba.org>:
> On 10/02/16 20:58, Allen Chen wrote:
>> On 2/9/2016 3:48 PM, Rowland penny wrote:
>>> On 09/02/16 19:59, Allen Chen wrote:
>>>> Hi there,
>>>> I have Samba 4.1.13 AD DC compiled on CentOS 6.2 (32bit). Everything is
>>>> working fine.
>>>> Issue: ldbadd cannot re-add a deleted user account.
>>>> What I did:
>>>> 1. save user account
>>>> # ./bin/ldbsearch -H /usr/local/samba/private/sam.ldb sAMAccountName=krtu > ./user-add.ldif
>>>> 2. delete the user account
>>>> # ./bin/ldbdel -H /usr/local/samba/private/sam.ldb
>>>> This user has been deleted. ldbsearch couldn't find it.
>>>> 3. add it back again
>>>> First remove the following attr from the saved file user-add.ldif
>>>> Then ldbadd gives the error:
>>>> # ./bin/ldbadd -H /usr/local/samba/private/sam.ldb ./user-add.ldif
>>>> ERR: Entry already exists : "../lib/ldb/ldb_tdb/ldb_index.c:1216:
>>>> Failed to re-index objectSid in CN=krtu,CN=Users,DC=mydomain,DC=com -
>>>> ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on objectSid in
>>>> CN=krtu,CN=Users,DC=mydomain,DC=com" on DN
>>>> CN=krtu,CN=Users,DC=mydomain,DC=com at block before line 36
>>>> Add failed after processing 0 records
>>>> Is it normal?
>>> Two things spring to mind, first, why would you want to delete a user
>>> and then recreate it again.
>>> Secondly, the user's SID comes in two parts, the SID (this is used
>>> for all domain objects) and a RID, this RID comes from a pool and this may
>>> be your problem.
>>> Can we see the ldif you used (suitably sanitized).
>> Hi Rowland,
>> I just want to try these two command: ldbdel and ldbadd.
>> If ldbadd cannot add a previously existing account, then what's the point of
> The point of ldbadd is to add an ldif to AD, the only problem is that you
> are trying to add a user back that you have deleted. You can do this but
> not as you are trying to do and, as far as Windows is concerned, your user
> will not be the same user.
> This ldif will probably work:
> dn: CN=krtu,CN=Users,DC=mydomain,DC=com
> cn: krtu
> sn: Allen
> givenName: Wan
> displayName: Allen Wan
> name: krtu
> homeDirectory: /home/employees/krtu
> scriptPath: logon.bat
> sAMAccountName: krtu
> userPrincipalName: krtu at mydomain.com
> uidNumber: 3029
> gidNumber: 1027
> loginShell: /bin/false
> objectClass: user
> userAccountControl: 512
> You could probably shorten it further and it would still add your user.
> There is one attribute that you tried to add, that you cannot add:
> This value is set by the system when the account is created i.e. AD wants
> to create a new SID
> There are other attributes you shouldn't directly set yourself.
> If you want to add a user, I suggest you use ADUC or samba-tool etc. If
> you delete a user, as far as I am aware, you cannot recreate the exact same
> user, you can only create a new user with the same name.
>> Here is the ldif file created by ldbsearch:
>> # ./bin/ldbsearch -H /usr/local/samba/private/sam.ldb sAMAccountName=krtu > ./user-add.ldif
>> dn: CN=krtu,CN=Users,DC=mydomain,DC=com
>> cn: krtu
>> sn: Allen
>> givenName: Wan
>> instanceType: 4
>> whenCreated: 20160208213002.0Z
>> displayName: Allen Wan
>> uSNCreated: 1978630
>> name: krtu
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> homeDirectory: /home/employees/krtu
>> badPasswordTime: 0
>> lastLogoff: 0
>> lastLogon: 0
>> scriptPath: logon.bat
>> objectSid: S-1-5-21-3939752234-2171877362-3959421765-5590
>> logonCount: 0
>> sAMAccountName: krtu
>> userPrincipalName: krtu at mydomain.com
>> objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=com
>> uidNumber: 3029
>> gidNumber: 1027
>> loginShell: /bin/false
>> objectClass: top
>> objectClass: posixAccount
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> pwdLastSet: 130994406020000000
>> userAccountControl: 512
>> accountExpires: 134466822030000000
>> whenChanged: 20160208213003.0Z
>> uSNChanged: 1978635
>> distinguishedName: CN=krtu,CN=Users,DC=mydomain,DC=com
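As an added example (not code from the thread or from Samba), a small Python helper that does by script what Rowland's minimal LDIF does by hand: it strips the attributes the DC sets itself from an ldbsearch dump before the file goes to ldbadd, and splits the old objectSid into the domain SID and the RID that Rowland mentions. The SYSTEM_ATTRS list and the trimmed sample dump are assumptions constructed for this example.

```python
import re

# Constructed sample: a trimmed copy of the ldbsearch dump quoted in the thread.
SAMPLE_LDIF = """\
dn: CN=krtu,CN=Users,DC=mydomain,DC=com
cn: krtu
instanceType: 4
whenCreated: 20160208213002.0Z
uSNCreated: 1978630
objectSid: S-1-5-21-3939752234-2171877362-3959421765-5590
sAMAccountName: krtu
objectClass: top
objectClass: user
userAccountControl: 512
distinguishedName: CN=krtu,CN=Users,DC=mydomain,DC=com
"""

# Attributes the DC generates or maintains itself; ldbadd must not supply them.
# Assumption: compiled for this example from the dump above; not exhaustive.
SYSTEM_ATTRS = {
    "objectsid", "objectguid", "whencreated", "whenchanged", "usncreated",
    "usnchanged", "instancetype", "distinguishedname", "objectcategory",
    "pwdlastset", "lastlogon", "lastlogoff", "logoncount", "badpwdcount",
    "badpasswordtime",
}

def split_sid(sid):
    """Split an S-1-5-21 account SID into (domain SID, RID); RID 5590 above."""
    m = re.fullmatch(r"(S-1-5-21(?:-\d+){3})-(\d+)", sid)
    if not m:
        raise ValueError("not an S-1-5-21 domain SID: %s" % sid)
    return m.group(1), int(m.group(2))

def sanitize_ldif(text):
    """Return (LDIF safe for ldbadd, dict of the system attributes dropped)."""
    kept, dropped, skipping = [], {}, False
    for line in text.splitlines():
        if line.startswith(" "):          # LDIF continuation of previous line
            if not skipping:
                kept.append(line)
            continue
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        skipping = attr.lower() in SYSTEM_ATTRS
        if skipping:
            dropped[attr] = value.lstrip(": ")   # also handles '::' base64 form
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", dropped
```

Run the cleaned text through ldbadd instead of the raw dump; the DC then assigns a fresh objectSid with a new RID, which is why the re-added account is not the same user as far as Windows is concerned.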