[Samba] attributeID is not known in our schema, not fixing replPropertyMetaData

Rowland Penny rpenny at samba.org
Sat May 27 07:53:12 UTC 2017


On Sat, 27 May 2017 16:57:29 +1200
Andrew Bartlett via samba <samba at lists.samba.org> wrote:

> On Sat, 2017-05-27 at 03:16 +0200, Karan Blas via samba wrote:
> > > > We found that replPropertyMetaData is unique for each user,
> > > > setting it empty "fix the error" but breaks the user object.
> > > 
> > > Correct, if you delete replPropertyMetaData in any way, you
> > > totally break replication. 
> > > 
> > 
> > dbcheck should wipe that part of replPropertyMetaData with --fix
> > but it is not implemented. 
> 
> Correct, with no real-world test case at the time it was not
> reasonable nor safe to implement a --fix behaviour when we added
> these checks to dbcheck.  So we left it with just the check.
> 
> > If that attribute does not replicate, there should be a way to
> > recreate it based on the existing data/attributes of the object?
> 
> That might be possible.  However you indicated that this object is
> already deleted.  Have you tried upgrading both DCs and just expunging
> it?
> 
> > On the other Samba (with newer version) where --full-sync was not
> > run before disconnecting Win DC, replPropertyMetaData does not
> > contain this attributeID. (We found some tool that decodes the
> > content of the attribute). Will copying (ldbedit) the
> > replPropertyMetaData attribute data only, for each object, from the
> > healthy Samba over the damaged one fix it?
> 
> It is not safe to manually edit replPropertyMetaData, nor copy it
> between DCs.  
> 
> > OR
> > 
> > samba-tool drs replicate dc-damaged dc-blank DC=DOMAIN,DC=com 
> > 
> > should have flags to skip unknown parts, not to exit on first error
> 
> This would not be safe, because when we save the 'up to dateness
> vector' and the 'highwatermark' we promise that we have obtained and
> stored each object.  We are already battling other errors ('missing
> objectclass') where objects are skipped unintentionally, and so I won't
> add such functionality intentionally. 
> 
> > 
> > > > How to recreate this attribute properly? How to remove all
> > > > entries about attributeId 0XB7D8382? It was inherited from
> > > > Exchange.
> > > 
> > > Have you tried to remove the exchange schema from Samba?
> > > 
> > 
> > No, is that possible? 
> 
> No, but if you had it might have been a cause.

A bit more searching leads to the conclusion that you cannot, as Andrew
has said, delete anything from the schema. This is not a Samba
prohibition, it is an Active Directory prohibition. It does seem that
you can sort of turn them off by adding 'isDefunct: True' to the schema
object, see here for more info:

https://technet.microsoft.com/en-us/library/cc961741.aspx

Rowland


