[Samba] Invalid data for index DN=@INDEX:OBJECTCLASS:DNSNODE

ash-samba at comtek.co.uk ash-samba at comtek.co.uk
Fri May 13 13:49:37 UTC 2016


We have a Samba primary domain controller "empire", which seems to have
DNS update issues. We can seem to query all records on empire just fine,
and we can modify IPs for existing records, but it will not delete or
add new records. Attempting to delete via the AD tools shows "Local
security authority database contains an internal inconsistency". Adding
a record on the command line shows:

> samba-tool  dns add empire chester-dc.example.com p-bats A 10.4.4.141 -U ash
> Password for [CHESTER-DC\ash]:
> ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 1067, in run
>     0, server, zone, name, add_rec_buf, None)

We have two other DCs (hawaii and alaska), but we are reluctant to
switch to them, since they are located in another country, and have an
unreliable high latency link. The other two DCs accept DNS record
additions/deletions.

Our plan was to set up a 4th DC locally (v-ward), and ultimately make
that the primary server. Unfortunately, this results in:

>
> samba-tool domain join chester-dc.example.com DC -Uash --realm=CHESTER-DC.EXAMPLE.COM
> Finding a writeable DC for domain 'chester-dc.example.com'
> Found DC empire.chester-dc.example.com
> Password for [CHESTER-DC\ash]:
> workgroup is CHESTER-DC
> realm is chester-dc.example.com
> checking sAMAccountName
> Adding CN=V-WARD,OU=Domain Controllers,DC=chester-dc,DC=example,DC=com
> Adding CN=V-WARD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chester-dc,DC=example,DC=com
> Adding CN=NTDS Settings,CN=V-WARD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chester-dc,DC=example,DC=com
> Adding SPNs to CN=V-WARD,OU=Domain Controllers,DC=chester-dc,DC=example,DC=com
> Setting account password for V-WARD$
> Enabling account
> Calling bare provision
> No IPv6 address will be assigned
> Provision OK for domain DN DC=chester-dc,DC=example,DC=com
> Starting replication
> Schema-DN[CN=Schema,CN=Configuration,DC=chester-dc,DC=example,DC=com] objects[402/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=chester-dc,DC=example,DC=com] objects[804/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=chester-dc,DC=example,DC=com] objects[1206/1550] linked_values[0/0]
> Schema-DN[CN=Schema,CN=Configuration,DC=chester-dc,DC=example,DC=com] objects[1550/1550] linked_values[0/0]
> Analyze and apply schema objects
> Partition[CN=Configuration,DC=chester-dc,DC=example,DC=com] objects[402/1634] linked_values[0/0]
> Partition[CN=Configuration,DC=chester-dc,DC=example,DC=com] objects[804/1634] linked_values[0/0]
> Partition[CN=Configuration,DC=chester-dc,DC=example,DC=com] objects[1206/1634] linked_values[0/0]
> Partition[CN=Configuration,DC=chester-dc,DC=example,DC=com] objects[1608/1634] linked_values[0/0]
> Partition[CN=Configuration,DC=chester-dc,DC=example,DC=com] objects[1634/1634] linked_values[53/0]
> Replicating critical objects from the base DN of the domain
> Partition[DC=chester-dc,DC=example,DC=com] objects[100/100] linked_values[39/0]
> Partition[DC=chester-dc,DC=example,DC=com] objects[502/723] linked_values[0/0]
> Partition[DC=chester-dc,DC=example,DC=com] objects[823/723] linked_values[988/0]
> Done with always replicated NC (base, config, schema)
> Replicating DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[402/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[804/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[1206/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[1608/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[2010/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[2412/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[2814/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[3216/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[3618/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[4020/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[4422/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[4824/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[5226/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[5628/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[6030/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[6432/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[6834/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[7236/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[7638/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[8040/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[8442/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[8844/9093] linked_values[0/0]
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[9093/9093] linked_values[0/0]
> Replicating DC=ForestDnsZones,DC=chester-dc,DC=example,DC=com
> Partition[DC=ForestDnsZones,DC=chester-dc,DC=example,DC=com] objects[27/27] linked_values[0/0]
> Partition[DC=ForestDnsZones,DC=chester-dc,DC=example,DC=com] objects[54/27] linked_values[0/0]
> Committing SAM database
> descriptor_modify: Could not find SD for DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com
>
> Join failed - cleaning up
> checking sAMAccountName
> Deleted CN=V-WARD,OU=Domain Controllers,DC=chester-dc,DC=example,DC=com
> Deleted CN=NTDS Settings,CN=V-WARD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chester-dc,DC=example,DC=com
> Deleted CN=V-WARD,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chester-dc,DC=example,DC=com
> ERROR(ldb): uncaught exception - operations error at ../source4/dsdb/samdb/ldb_modules/descriptor.c:1147
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/domain.py", line 555, in run
>     machinepass=machinepass, use_ntvfs=use_ntvfs, dns_backend=dns_backend)
>   File "/usr/lib/python2.7/dist-packages/

I have noticed that the DNS ldb file is rather large (300M):

> total 347988
> -rw------- 1 root root  10383360 May 13 14:13 CN%3DCONFIGURATION,DC%3DCHESTER-DC,DC%3DEXAMPLE,DC%3DCOM.ldb
> -rw------- 1 root root  10383360 May 13 14:13 CN%3DSCHEMA,CN%3DCONFIGURATION,DC%3DCHESTER-DC,DC%3DEXAMPLE,DC%3DCOM.ldb
> -rw------- 1 root root  17158144 May 13 14:13 DC%3DCHESTER-DC,DC%3DEXAMPLE,DC%3DCOM.ldb
> -rw------- 1 root root 313745408 May 13 14:13 DC%3DDOMAINDNSZONES,DC%3DCHESTER-DC,DC%3DEXAMPLE,DC%3DCOM.ldb
> -rw------- 1 root root   4247552 May 13 14:13 DC%3DFORESTDNSZONES,DC%3DCHESTER-DC,DC%3DEXAMPLE,DC%3DCOM.ldb
> -rw-r----- 1 root root    421888 May 13 14:09 metadata.tdb

Investigating further:

> 0 root at empire:~[0] /usr/bin/samba-tool drs replicate empire.chester-dc.example.com alaska.chester-dc.example.com DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com --local
> Partition[DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com] objects[402/15688] linked_values[0/0]
> Invalid data for index  DN=@INDEX:OBJECTCLASS:DNSNODE
>
> replmd_replicated_request rename DC=DEELR013\0ADEL:08ae6b71-9b11-4003-9daf-f2e2ed3a58be,CN=Deleted Objects,DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com => DC=DEELR013\0ACNF:08ae6b71-9b11-4003-9daf-f2e2ed3a58be\0ADEL:08ae6b71-9b11-4003-9daf-f2e2ed3a58be,CN=Deleted Objects,DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com failed - ldb_wait: Operations error (1)
>
> Failed to apply records: ldb_wait: Operations error (1): Other
> Failed to commit objects: WERR_GENERAL_FAILURE
> ERROR(<type 'exceptions.TypeError'>): Error replicating DN DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com - Failed to process chunk: NT_STATUS_UNSUCCESSFUL
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/drs.py", line 269, in drs_local_replicate
>     repl.replicate(NC, source_dsa_invocation_id, destination_dsa_guid)
>   File "/usr/lib/python2.7/dist-packages/samba/drs_utils.py", line 256, in replicate
>     schema=schema, req_level=req_level, req=req)

This pointed us at the DEELR013 record, so, I tried:

> 0 root at empire:~[0] ldbdel -H /var/lib/samba/private/sam.ldb.d/DC%3DDOMAINDNSZONES,DC%3DCHESTER-DC,DC%3DEXAMPLE,DC%3DCOM.ldb DC=DEELR013,DC=chester-dc.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com
> Invalid data for index  DN=@INDEX:OBJECTCLASS:DNSNODE
>
> delete of 'DC=DEELR013,DC=chester-dc.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com' failed - (Operations error) ldb_wait: Operations error (1)
>

Finally, stumbling around blindly I ran tdbbackup on the DOMAINDNSZONES
ldb file (which shrunk a few megabytes - no errors though), and I
managed to ldbedit and delete the file index, then it allowed me to
ldbdel. I copied the newly modified file on top of the original one,
restarted Samba, and at that point I realised that the file was now over
700mb. Samba had hung and stopped accepting connections (I couldn't even
get a share list with smbclient). Unfortunately I can't give accurate
detail about this paragraph, because I rolled back to last night's LXC
snapshot.

Can anybody please give us advice on how to proceed from here?

> 0 root at empire:~[0] samba-tool -V
> 4.1.11-Debian
> 0 root at empire:~[0] dpkg -s samba |grep ^Ver
> Version: 2:4.1.11+dfsg-1
> 0 root at empire:~[0] uname -a
> Linux empire 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt25-2 (2016-04-08) x86_64 GNU/Linux


-- 
/---------------------------------------------------------------------\
|Ashley Griffiths                     Phone: +44 (0)1244 280 390      |
|IT manager                           Web:http://www.comtek.co.uk/  |
|Comtek Group                                                         |
\---------------------------------------------------------------------/





