[Samba] unique index violation on objectSid

mathias dufresne infractory at gmail.com
Tue Jun 28 11:50:22 UTC 2016


Hi Valery,

First thank you for this detailed information about your searches. I find
them very interesting.

Here I'm thinking of two workarounds. The first one would be to list the
deleted objects' RIDs, to verify RID=2002 is really the last one used, being
sure there is no deleted object with RID=2003 and so on. Then once you get
the last RID used, you could change RidNextRid to match this maximum value
of used RID.
The second would be a lazy action: change tombstoneLifetime, which is by
default 180 days, to only 1 day. Doing that, tomorrow all deleted objects
will be deleted and if you are lucky - I can't guarantee that will work -
you will be able to reuse these RIDs.

Hoping this helps...

M.
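As an added illustration of the first workaround (this is example code written for this page, not something from the thread or from Samba), the script below parses ldbsearch-style output, collects every RID carried by the domain SID from the thread, tombstones under CN=Deleted Objects included, and compares the RID Set's rIDNextRID with what is actually in the database. The LDIF sample is constructed; the function names are assumptions.

```python
import re

# Constructed sample of ldbsearch output (not real data): two live objects and
# one tombstone under CN=Deleted Objects, modelled on the values in the thread.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=ad,DC=example
objectSid: S-1-5-21-763247336-2482037999-3416227170-1999

dn: CN=pc01,CN=Computers,DC=ad,DC=example
objectSid: S-1-5-21-763247336-2482037999-3416227170-2001

dn: CN=bob\\0ADEL:a230f645-268d-4ea9-8993-da3ae7032b4a,CN=Deleted Objects,DC=ad,DC=example
objectSid: S-1-5-21-763247336-2482037999-3416227170-2002
isDeleted: TRUE
"""

SID_RE = re.compile(r"^objectSid:\s*(S-1-5-21(?:-\d+){3})-(\d+)\s*$", re.M)
DELETED_RE = re.compile(r"^isDeleted:\s*TRUE\s*$", re.M | re.I)

def collect_rids(ldif, domain_sid):
    """Map RID -> 'deleted' or 'live' for every object whose SID is in domain_sid."""
    rids = {}
    for block in re.split(r"\n\s*\n", ldif.strip()):
        m = SID_RE.search(block)
        if not m or m.group(1) != domain_sid:
            continue  # well-known or foreign SIDs do not consume domain RIDs
        rids[int(m.group(2))] = "deleted" if DELETED_RE.search(block) else "live"
    return rids

def check_rid_state(rids, rid_next, pool):
    """Compare rIDNextRID with the RIDs present in the DB (tombstones keep their
    objectSid, so a deleted object still blocks rid_next + 1 and the add fails
    with a unique index violation)."""
    lo, hi = pool
    in_pool = [r for r in rids if lo <= r <= hi]
    max_used = max(in_pool) if in_pool else None
    next_rid = rid_next + 1
    return {
        "next_rid": next_rid,
        "collides_with": rids.get(next_rid),      # None if the RID is free
        "max_used_in_pool": max_used,
        # value rIDNextRID would need so allocation resumes past every used RID
        "suggested_rid_next": max_used if max_used is not None and max_used > rid_next else rid_next,
    }

if __name__ == "__main__":
    found = collect_rids(SAMPLE_LDIF, "S-1-5-21-763247336-2482037999-3416227170")
    print(check_rid_state(found, rid_next=2001, pool=(1600, 2099)))
```

Feed it the real output of an ldbsearch over the domain partition with `objectSid isDeleted` requested and the show-deleted control enabled, so tombstones are included in the scan.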

2016-06-28 13:05 GMT+02:00 Zhuchenko Valery <zvn at belkam.com>:

> I understand why I get the error about unique index violation on objectSid:
>
> samba-tool fsmo show
> RidAllocationMasterRole owner: CN=NTDS Settings,CN=PDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,...
>
> The last created object has objectSid
> S-1-5-21-763247336-2482037999-3416227170-2001 (it is a record for a computer).
> The last digits are 2001, and the last assigned RID is 2001:
>
> [root at pdc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb CN="RID Set"
> # record 3
> dn: CN=RID Set,CN=PDC,OU=Domain Controllers,...
> rIDNextRID: 2001
> rIDPreviousAllocationPool: 1600-2099
> rIDUsedPool: 1
> rIDAllocationPool: 2600-3099
>
> https://support.microsoft.com/en-us/kb/305475
> RidNextRid The RID that was assigned to the last security principal that
> was created on the local domain controller.
> RidPreviousAllocationPool The pool from which RIDs are currently taken
> RidAllocationPool Each domain controller has two pools: the one that
> they are currently acting on, and the pool that they will use next. It
> is the next pool
>
> I think, next RID is 2002?
> Try to search:
> [root at pdc ~]# ldbsearch -H /var/lib/samba/private/sam.ldb.d/DC\=AD\,...
> objectSid
> dn: CN=username\0ADEL:a230f645-268d-4ea9-8993-da3ae7032b4a,CN=Deleted
> Objects,DC=ad,...
> objectSid: S-1-5-21-763247336-2482037999-3416227170-2002
> it is deleted, but exists.
>
> What can I do to solve my problem? Maybe change rIDNextRID to 2099 on the
> RID Master?
>
> Valery
>
> 28.06.2016 10:00, Zhuchenko Valery:
> > 27.06.2016 18:45, mathias dufresne:
> >> Perhaps you don't have yet duplicate objectSid as that's not supposed
> >> to be possible.
> >> Rather than scripting something to look for objectSid used twice I would
> >> start with dbcheck and other tools to verify that your database is
> >> consistent and identical on all servers.
> >
> > [root at pdc ~]# samba-tool dbcheck
> > Checking 3346 objects
> > Checked 3346 objects (0 errors)
> >
> > [root at bdc ~]# samba-tool dbcheck
> > Checking 3346 objects
> > Checked 3346 objects (0 errors)
> >
> > [root at dc46 ~]# samba-tool dbcheck
> > Checking 3346 objects
> > Checked 3346 objects (0 errors)
> >
> >
> > [root at pdc ~]# samba-tool ldapcmp ldap://pdc ldap://bdc -Uadministrator
> > --filter=msDS-NcType,serverState,subrefs,whenChanged
> > Password for [administrator]:
> > * Comparing [DOMAIN] context...
> > * Objects to be compared: 3207
> > * Result for [DOMAIN]: SUCCESS
> > * Comparing [CONFIGURATION] context...
> > * Objects to be compared: 1621
> > * Result for [CONFIGURATION]: SUCCESS
> > * Comparing [SCHEMA] context...
> > * Objects to be compared: 1550
> > * Result for [SCHEMA]: SUCCESS
> > * Comparing [DNSDOMAIN] context...
> > * Objects to be compared: 196
> > * Result for [DNSDOMAIN]: SUCCESS
> > * Comparing [DNSFOREST] context...
> > * Objects to be compared: 19
> > * Result for [DNSFOREST]: SUCCESS
> >
> > [root at pdc ~]# samba-tool ldapcmp ldap://pdc ldap://dc46 -Uadministrator
> > --filter=msDS-NcType,serverState,subrefs,whenChanged
> > Password for [administrator]:
> > * Comparing [DOMAIN] context...
> > * Objects to be compared: 3207
> > * Result for [DOMAIN]: SUCCESS
> > * Comparing [CONFIGURATION] context...
> > * Objects to be compared: 1621
> > * Result for [CONFIGURATION]: SUCCESS
> > * Comparing [SCHEMA] context...
> > * Objects to be compared: 1550
> > * Result for [SCHEMA]: SUCCESS
> > * Comparing [DNSDOMAIN] context...
> > * Objects to be compared: 196
> > * Result for [DNSDOMAIN]: SUCCESS
> > * Comparing [DNSFOREST] context...
> > * Objects to be compared: 19
> > * Result for [DNSFOREST]: SUCCESS
> >
> >>
> >> 2016-06-27 15:21 GMT+02:00 Zhuchenko Valery <zvn at belkam.com>:
> >>
> >>> Hi all!
> >>>
> >>> Today, after two years of production, I get this error:
> >>>
> >>> samba-tool user create test20160627 testpassword
> >>>
> >>> ERROR(ldb): Failed to add user 'test20160627':  -
> >>> ../lib/ldb/ldb_tdb/ldb_index.c:1216: Failed to re-index objectSid in
> >>> CN=test20160627,CN=Users,DC=ad... -
> >>> ../lib/ldb/ldb_tdb/ldb_index.c:1148:
> >>> unique index violation on objectSid in
> >>> CN=test20160627,CN=Users,DC=ad...
> >>>
> >>> Help me please, how to find which objectSid is not unique?
> >>> I have 3 DC's on centos 7, samba 4.1 (I know, old version).
> >>>
> >>> Valery
> >
>
>