[Samba] Replication Problem with Deleted Object on Samba 4.1.17 [SOLVED]

[Michael Angermaier]

Hello List,

 

had the same issue. After upgrading to samba 4.3.4, a samba-tool dbcheck
-cross-ncs showed several errors like:

ERROR: wrong dn[DC=RZBT,CN=Deleted Objects,DC=DomainDnsZones,DC=local]
name='RZBT\nDEL:a7a6bd53-f702-4f2e-a217-4abfa0d343b8'
new_dn[DC=RZBT\0ADEL:a7a6bd53-f702-4f2e-a217-4abfa0d343b8,CN=Deleted
Objects,DC=DomainDnsZones,DC=local]

Not renaming DC=RZBT,CN=Deleted Objects,DC=DomainDnsZones to
DC=RZBT\0ADEL:a7a6bd53-f702-4f2e-a217-4abfa0d343b8,CN=Deleted
Objects,DC=DomainDnsZones,DC=local

 

A -fix was not able to fix the errors.

 

So i tried:

 

./ldbdel -H /usr/local/samba/private/sam.ldb --show-deleted  "<GUID=
a7a6bd53-f702-4f2e-a217-4abfa0d343b8>"

This ended with a:

(Unwilling to perform) Refusing to delete tombstone object
DC=RZBT,CN=Deleted Objects,DC=DomainDnsZones,DC=local.  This check is to
prevent corruption of the replicated state.

 

But I had no DC with a non corrupted database to do a full-sync with :(

After looking into repl_meta_data.c I found a developers comment:
        /*
         * We have to prevent objects being deleted, even if
         * the administrator really wants them gone, as
         * without the tombstone, we can get a partial object
         * from the other DC, causing havoc.
         *
         * The only other valid case is when the 180 day
         * timeout has expired, when relax is specified.
         */
 
So I tried the -relax switch:
root@:/usr/local/samba/bin# ./ldbdel -H /usr/local/samba/private/sam.ldb
"<GUID=a7a6bd53-f702-4f2e-a217-4abfa0d343b8>" --show-deleted --relax
Deleted 1 record
 
And it worked, so if other people have problems with Deleted Objects you may
try the -relax switch
 
Greetings