[Samba] ldbadd issue on Samba 4.1.13 AD DC

Allen Chen achen at harbourfrontcentre.com
Thu Feb 11 14:53:23 UTC 2016 

On 2/10/2016 4:39 PM, Rowland penny wrote:
> On 10/02/16 20:58, Allen Chen wrote:
>> On 2/9/2016 3:48 PM, Rowland penny wrote:
>>> On 09/02/16 19:59, Allen Chen wrote:
>>>> Hi there,
>>>>
>>>> I have Samba 4.1.13 AD DC compiled on CentOS 6.2 (32bit). 
>>>> Everything is working fine.
>>>>
>>>> Issue: ldbadd cannot re-add a deleted user account.
>>>> What I did:
>>>> 1. save user account
>>>> # ./bin/ldbsearch -H /usr/local/samba/private/sam.ldb 
>>>> sAMAccountName=krtu > ./user-add.ldif
>>>>
>>>> 2. delete the user account
>>>> # ./bin/ldbdel -H /usr/local/samba/private/sam.ldb 
>>>> "CN=krtu,CN=Users,DC=mydomain,DC=com"
>>>> This user has been deleted. ldbsearch couldn't find it.
>>>>
>>>> 2. add it back again
>>>> First remove the following attr from the saved file user-add.ldif
>>>> sAMAccountType
>>>> memberOf
>>>> objectGUID
>>>> primaryGroupID
>>>>
>>>> Then ldbadd gives the error:
>>>> # ./bin/ldbadd -H /usr/local/samba/private/sam.ldb ./user-add.ldif
>>>> ERR: Entry already exists : "../lib/ldb/ldb_tdb/ldb_index.c:1216: 
>>>> Failed to re-index objectSid in CN=krtu,CN=Users,DC=mydomain,DC=com 
>>>> - ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on 
>>>> objectSid in CN=krtu,CN=Users,DC=mydomain,DC=com" on DN 
>>>> CN=krtu,CN=Users,DC=mydomain,DC=com at block before line 36
>>>> Add failed after processing 0 records
>>>>
>>>> Is it normal?
>>>>
>>>> Thanks,
>>>
>>> Two things spring to mind, first, why would you want to delete a 
>>> user and then recreate it again.
>>> Secondly, the users SID comes in two parts, the SID (this is used 
>>> for for all domain objects) and a RID, this RID comes from a pool 
>>> and this may be your problem.
>>>
>>> Can we see the ldif you used (suitably sanitized).
>>>
>>> Rowland
>>>
>> Hi Rowland,
>> I just want to try these two command: ldbdel and ldbadd.
>> If ldbadd cannot add a previous existed account, then what's the 
>> point of ldbadd?
>
> The point of ldbadd is to add an ldif to AD, the only problem is that 
> you are trying to add a user back that you have deleted. You can do 
> this but not as you are trying to do and, as far as windows is 
> concerned, your user will not be the same user.
>
> This ldif will probably work:
>
> dn: CN=krtu,CN=Users,DC=mydomain,DC=com
> cn: krtu
> sn: Allen
> givenName: Wan
> displayName: Allen Wan
> name: krtu
> homeDirectory: /home/employees/krtu
> scriptPath: logon.bat
> sAMAccountName: krtu
> userPrincipalName: krtu at mydomain.com
> uidNumber: 3029
> gidNumber: 1027
> loginShell: /bin/false
> objectClass: user
> userAccountControl: 512
>
> You could probably shorten it further and it would still add your 
> user. There is one attribute that you tried to add, that you cannot add:
>
> objectSid
>
> This value is set by the system when the account is created i.e. AD 
> wants to create a new SID
>
> There are other attributes you shouldn't directly set yourself.
>
> If you want to add a user, I suggest you use ADUC or samba-tool etc. 
> If you delete a user, as far as I am aware, you cannot recreate the 
> exact same user, you can only create a new user with the same name.
>
> Rowland
It is good to know. Thanks Rowland and mathias for the explanation.
I thought ldbdel and ldbadd are the two commands to delete and add it back.
So I can keep objectSid as the same as the deleted one, and the user on 
client machine can continue to use the profile, which is what I want.
The man page doesn't say you cannot add a record back.

In AD world, you cannot add a deleted user back to the system with the 
same objectSid.

Thanks,
Allen

More information about the samba mailing list