[Samba] attributeID is not known in our schema, not fixing replPropertyMetaData

Andrew Bartlett abartlet at samba.org
Sat May 27 04:57:29 UTC 2017


On Sat, 2017-05-27 at 03:16 +0200, Karan Blas via samba wrote:
> > > We found that replPropertyMetaData is unique for each user, setting
> > > it empty "fixes the error" but breaks the user object.
> > 
> > Correct, if you delete replPropertyMetaData in any way, you totally
> > break replication. 
> > 
> 
> dbcheck should wipe that part of replPropertyMetaData with --fix but it is not implemented. 

Correct, with no real-world test case at the time it was not reasonable
nor safe to implement a --fix behaviour when we added these checks to
dbcheck.  So we left it with just the check.

> If that attribute does not replicate, there should be a way to recreate it based on the existing data/attributes of the object?

That might be possible.  However you indicated that this object is
already deleted.  Have you tried upgrading both DCs and just expunging
it?

> On the other Samba (with newer version) where --full-sync was not run
> before disconnecting Win DC, replPropertyMetaData does not contain
> this attributeID. (We found some tool that decodes the content of the
> attribute). Will copying (ldbedit) the replPropertyMetaData attribute
> data only, for each object, from the healthy Samba over the damaged
> one fix it?

It is not safe to manually edit replPropertyMetaData, nor copy it
between DCs.  

> OR
> 
> samba-tool drs replicate dc-damaged dc-blank DC=DOMAIN,DC=com 
> 
> should have flags to skip unknown parts, not to exit on first error

This would not be safe, because when we save the 'up to dateness
vector' and the 'highwatermark' we promise that we have obtained and
stored each object.  We are already battling other errors ('missing
objectclass') where objects are skipped unintentionally, and so I won't
add such functionality intentionally. 

> 
> > > How to recreate this attribute properly? How to remove all entries
> > > about attributeId 0XB7D8382? It was inherited from Exchange.
> > 
> > Have you tried to remove the exchange schema from Samba?
> > 
> 
> No, is that possible? 

No, but if you had it might have been a cause.

> > As you are probably aware by now, it is not permitted to remove schema,
> > it will just break the directory.  Additionally, we have had various
> > bugs around the schema allocation for the ID numbers, and this is
> > probably where things have gone wrong for you.  This is fixed in 4.5.
> > 
> > If this entry is on a deleted object, you could use samba-tool domain
> > tombstones expunge to wipe it by choosing a shorter lifetime than 180
> > days.  That would be the easiest way out of your pickle. 
> > 
> > For others, we hope to support the exchange schema soon, via the 2012
> > schema.
> > 
> 
> Nice. In this case we do not need Exchange anymore. There should be
> a wiki for migrating when Exchange already exists. All I can find is
> that Exchange schema is magical and not supported in Samba. 

There should be many wiki articles.  You can apply for edit permission
if you like :-)

> 
> THANKS! Keep up the good work.

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



