[Samba] ldbadd issue on Samba 4.1.13 AD DC

Thu Feb 11 16:43:39 UTC 2016

On 11/02/16 14:53, Allen Chen wrote:
> On 2/10/2016 4:39 PM, Rowland penny wrote:
>> On 10/02/16 20:58, Allen Chen wrote:
>>> On 2/9/2016 3:48 PM, Rowland penny wrote:
>>>> On 09/02/16 19:59, Allen Chen wrote:
>>>>> Hi there,
>>>>>
>>>>> I have Samba 4.1.13 AD DC compiled on CentOS 6.2 (32bit). 
>>>>> Everything is working fine.
>>>>>
>>>>> Issue: ldbadd cannot re-add a deleted user account.
>>>>> What I did:
>>>>> 1. save user account
>>>>> # ./bin/ldbsearch -H /usr/local/samba/private/sam.ldb 
>>>>> sAMAccountName=krtu > ./user-add.ldif
>>>>>
>>>>> 2. delete the user account
>>>>> # ./bin/ldbdel -H /usr/local/samba/private/sam.ldb 
>>>>> "CN=krtu,CN=Users,DC=mydomain,DC=com"
>>>>> This user has been deleted. ldbsearch couldn't find it.
>>>>>
>>>>> 2. add it back again
>>>>> First remove the following attr from the saved file user-add.ldif
>>>>> sAMAccountType
>>>>> memberOf
>>>>> objectGUID
>>>>> primaryGroupID
>>>>>
>>>>> Then ldbadd gives the error:
>>>>> # ./bin/ldbadd -H /usr/local/samba/private/sam.ldb ./user-add.ldif
>>>>> ERR: Entry already exists : "../lib/ldb/ldb_tdb/ldb_index.c:1216: 
>>>>> Failed to re-index objectSid in 
>>>>> CN=krtu,CN=Users,DC=mydomain,DC=com - 
>>>>> ../lib/ldb/ldb_tdb/ldb_index.c:1148: unique index violation on 
>>>>> objectSid in CN=krtu,CN=Users,DC=mydomain,DC=com" on DN 
>>>>> CN=krtu,CN=Users,DC=mydomain,DC=com at block before line 36
>>>>> Add failed after processing 0 records
>>>>>
>>>>> Is it normal?
>>>>>
>>>>> Thanks,
>>>>
>>>> Two things spring to mind, first, why would you want to delete a 
>>>> user and then recreate it again.
>>>> Secondly, the users SID comes in two parts, the SID (this is used 
>>>> for for all domain objects) and a RID, this RID comes from a pool 
>>>> and this may be your problem.
>>>>
>>>> Can we see the ldif you used (suitably sanitized).
>>>>
>>>> Rowland
>>>>
>>> Hi Rowland,
>>> I just want to try these two command: ldbdel and ldbadd.
>>> If ldbadd cannot add a previous existed account, then what's the 
>>> point of ldbadd?
>>
>> The point of ldbadd is to add an ldif to AD, the only problem is that 
>> you are trying to add a user back that you have deleted. You can do 
>> this but not as you are trying to do and, as far as windows is 
>> concerned, your user will not be the same user.
>>
>> This ldif will probably work:
>>
>> dn: CN=krtu,CN=Users,DC=mydomain,DC=com
>> cn: krtu
>> sn: Allen
>> givenName: Wan
>> displayName: Allen Wan
>> name: krtu
>> homeDirectory: /home/employees/krtu
>> scriptPath: logon.bat
>> sAMAccountName: krtu
>> userPrincipalName: krtu at mydomain.com
>> uidNumber: 3029
>> gidNumber: 1027
>> loginShell: /bin/false
>> objectClass: user
>> userAccountControl: 512
>>
>> You could probably shorten it further and it would still add your 
>> user. There is one attribute that you tried to add, that you cannot add:
>>
>> objectSid
>>
>> This value is set by the system when the account is created i.e. AD 
>> wants to create a new SID
>>
>> There are other attributes you shouldn't directly set yourself.
>>
>> If you want to add a user, I suggest you use ADUC or samba-tool etc. 
>> If you delete a user, as far as I am aware, you cannot recreate the 
>> exact same user, you can only create a new user with the same name.
>>
>> Rowland
> It is good to know. Thanks Rowland and mathias for the explanation.
> I thought ldbdel and ldbadd are the two commands to delete and add it 
> back.
> So I can keep objectSid as the same as the deleted one, and the user 
> on client machine can continue to use the profile,

No, *YOU* cannot reuse the objectSid, it is set by the system.
If you delete a user and then recreate the user with virtually the same 
data, it will still be a different user because it will have a new SID 
that has been set by the system, this is just the same as windows.

If you need the user *do not* delete it.

Rowland
> which is what I want.
> The man page doesn't say you cannot add a record back.
>
> In AD world, you cannot add a deleted user back to the system with the 
> same objectSid.
>
> Thanks,
> Allen
>
>
>
>
>
>