[Samba] Invalid data for index DN=@INDEX:OBJECTCLASS:DNSNODE

Andrew Bartlett abartlet at samba.org
Sat May 14 10:01:30 UTC 2016

On Fri, 2016-05-13 at 14:49 +0100, ash-samba at comtek.co.uk wrote:
> We have a Samba primary domain controller "empire", which seems to have
> DNS update issues. We can seem to query all records on empire just fine,
> and we can modify IPs for existing records, but it will not delete or
> add new records. Attempting to delete via the AD tools shows "Local
> security authority database contains an internal inconsistency". Adding
> a record on the command line shows:

> This pointed us at the DEELR013 record, so, I tried:
> > 0 root at empire:~[0] ldbdel -H
> /var/lib/samba/private/sam.ldb.d/DC%3DDOMAINDNSZONES,DC%3DCHESTER
> DC=DEELR013,DC=chester-dc.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com
> > Invalid data for index  DN=@INDEX:OBJECTCLASS:DNSNODE
> > 
> > delete of
> 'DC=DEELR013,DC=chester-dc.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=chester-dc,DC=example,DC=com'
> failed - (Operations error) ldb_wait: Operations error (1)
> > 
> Finally, stumbling around blindly I ran tdbbackup on the
> ldb file (which shrunk a few megabytes - no errors though), and I
> managed to ldbedit and delete the file index, then it allowed me to
> ldbdel. I copied the newly modified file on top of the original one,
> restarted Samba, and at that point I realised that the file was now over
> 700mb. Samba had hung and stopped accepting connections (I couldn't even
> get a share list with smbclient). Unfortunately I can't give accurate
> detail about this paragraph, because I rolled back to last night's
> snapshot.
> Can anybody please give us advice on how to proceed from here?

This certainly sounds stressful.

Another way to (on a backup, particularly given your history above) remove the index is with samba-tool dbcheck --reindex.

The missing ntSecurityDescriptor is a curious issue.  Can you check if
it or the whole record is really missing?  I'm guessing it is another
index issue, stopping us finding the record rather than the record not
being there.  Look over an ldbdump of the backend DB in sam.ldb.d/ if
you have to, to confirm that.

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
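
An added example, not part of the original thread and not Samba code: a Python script for the check suggested above, telling an index that has lost track of a record apart from a record that is really missing or lacks its security descriptor. It assumes a dump of the backend DB saved as LDIF-like text with a DN-valued `@IDX` index layout; the sample DNs, `parse_records` and `audit_index` are constructed for illustration.

```python
import base64

# Constructed sample in the LDIF-like layout assumed for ldbdump output.
SAMPLE_DUMP = """\
dn: @INDEX:OBJECTCLASS:DNSNODE
@IDX: DC=hosta,DC=zone.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example
@IDX: DC=hostb,DC=zone.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example

dn: DC=hosta,DC=zone.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example
objectClass: dnsNode
nTSecurityDescriptor:: AQAEgA==

dn: DC=hostc,DC=zone.example,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example
objectClass: dnsNode
"""

def parse_records(text):
    """Return {lowercased dn: {lowercased attribute: [values]}}."""
    text = text.replace("\n ", "")  # unfold LDIF continuation lines
    records, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("latin-1")
        else:
            value = value.strip()
        if name.lower() == "dn":
            current = records.setdefault(value.lower(), {})
        elif current is not None:
            current.setdefault(name.lower(), []).append(value)
    return records

def audit_index(records, object_class="dnsNode"):
    """Compare the objectClass index with the records actually stored."""
    oc = object_class.lower()
    index = records.get("@index:objectclass:" + oc, {})
    indexed = {dn.lower() for dn in index.get("@idx", [])}
    actual = {dn for dn, attrs in records.items()
              if oc in (v.lower() for v in attrs.get("objectclass", []))}
    return {
        "index_without_record": sorted(indexed - actual),
        "record_without_index": sorted(actual - indexed),
        "no_security_descriptor": sorted(
            d for d in actual if "ntsecuritydescriptor" not in records[d]),
    }

if __name__ == "__main__":
    print(audit_index(parse_records(SAMPLE_DUMP)))
```
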
