[Samba] Made a join with a netbios name, which already existed, now replication errors

Andrew Bartlett abartlet at samba.org
Wed Nov 1 00:38:17 UTC 2017


On Tue, 2017-10-31 at 17:37 -0500, Matthew Delfino via samba wrote:
> > 
> 
> I’m having a similar problem. I just fixed a bad member of my samba
> domain - a samba AD DC that wasn’t working. I demoted it,
> uninstalled Samba and reinstalled, then rejoined the domain.
> 
> Everything's replicating nicely. All my users can authenticate. But
> my samba AD DCs are all on 4.4.16, and I want to be on 4.7.
> 
> So, I set up a new server to act as my 4.7. My plan: Join it to the
> domain, move the FSMO role to this new server, then one-by-one
> replace my old DCs with new ones running Samba 4.7.
> 
> I go to get the new 4.7 samba machine joined and here’s what happens:
> 
> -----
>
> Partition[CN=Configuration,DC=mydomain,DC=net] objects[402/1636] linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=net] objects[804/1636] linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=net] objects[1206/1636] linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=net] objects[1608/1636] linked_values[0/0]
> Partition[CN=Configuration,DC=mydomain,DC=net] objects[1636/1636] linked_values[47/0]
> Unxpectedly got mismatching RDN values when checking RDN against name of CN=NTDS Settings,CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=netFailed to convert object CN=NTDS Settings,CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net: WERR_GEN_FAILURE
> Failed to convert objects: WERR_GEN_FAILURE
> Join failed - cleaning up

This is interesting.  Sadly the code checking this doesn't print the
RDN value and name that it dislikes for comparison; this really wasn't
expected to be seen in the field.

What does dbcheck say?  Once you back it up and fix it on 4.4, if you
copy the DB to a 4.7 host, does it give any more errors regarding this
object?

> -----
> 
> ("Ganymede" is the server I just demoted and re-promoted.)
> 
> By your thread with gizmo, I take it that my new samba AD DC doesn’t like this deleted record:
> 
> -----
> 
> sudo ldbsearch --cross-ncs --show-deleted -H /var/lib/samba/private/sam.ldb "distinguishedName=CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net"
> [sudo] password for svr.matthew.delfino: 
> # record 1
> dn: CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
>
> lastKnownParent: CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurati
>  on,DC=mydomain,DC=net
> isRecycled: TRUE
> cn:: R0FOWU1FREUKREVMOjk2NDYyNTJjLThlNGQtNDQ3Zi05MGZhLTNhNTEzNTUyNzZhYw==
> name:: R0FOWU1FREUKREVMOjk2NDYyNTJjLThlNGQtNDQ3Zi05MGZhLTNhNTEzNTUyNzZhYw==
> whenChanged: 20171030231808.0Z
> uSNChanged: 17728815
> distinguishedName: CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=S
>  ervers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lo
>  c

Yes and no.  This looks normal enough; it actually doesn't like the
CN=NTDS Settings child of this object.  Can you show that?

> If I understand your correspondence above, this "tombstone" record
> needs to be expunged. But, since my version, (4.4.16), has a samba-
> tool that appears to not be able to do "samba-tool domain
> tombstones…." I have to wait 180 days for that record to
> automatically go away and the mismatch to go away in kind? Do I have
> this right?

You could upgrade the domain in-place and use the modern tools, or on a
new host that you will give the same name as the old one (we are not
fussy about the surrounding OS, just the hostname and to a lesser
extent the IP). 

> Do I have any options other than waiting 179 more days? I mean, besides a DeLorean with a Flux Capacitor, or cryogenic stasis… or (gulp) patience?

You can change the tombstoneLifetime, but please turn it back up once
you are done. 

Andrew Bartlett
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
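
Added example (not part of the original message and not Samba's own code): a small Python check that parses ldbsearch LDIF output, unfolds wrapped lines, decodes base64 `::` values and DN escapes such as `\0A`, and reports the leftmost RDN value next to `name` for any record where they differ, which is the pair of values the join error above does not print. The function names are illustrative, record 2 of the sample is constructed, and comparing the leftmost RDN with `name` is an assumption about what the failing check looks at.

```python
import base64
import re

def parse_ldif(text):
    """Parse ldbsearch-style LDIF into a list of {attr: [values]} dicts."""
    text = re.sub(r"\n ", "", text)  # unfold: a leading space continues the line
    records, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():         # a blank line ends the current record
            if cur:
                records.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: ..." marks a base64 value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            cur.setdefault(attr, []).append(value)
    return records

def first_rdn_value(dn):
    """Unescaped value of the leftmost RDN (handles ASCII escapes like \\0A)."""
    raw = re.match(r"[^=]+=((?:\\.|[^,\\])*)", dn).group(1)
    unesc = lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2 else m.group(1)
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", unesc, raw)

def rdn_mismatches(text):
    """Return (dn, rdn_value, name) for records whose name differs from the RDN."""
    out = []
    for rec in parse_ldif(text):
        dn = rec["dn"][0]
        rdn, name = first_rdn_value(dn), rec.get("name", [None])[0]
        if rdn != name:
            out.append((dn, rdn, name))
    return out

SAMPLE = r"""# record 1: dn and name copied from the ldbsearch output in the post
dn: CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
name:: R0FOWU1FREUKREVMOjk2NDYyNTJjLThlNGQtNDQ3Zi05MGZhLTNhNTEzNTUyNzZhYw==

# record 2: constructed mismatch with a folded DN, not from the post
dn: CN=NTDS Settings,CN=EXAMPLE,CN=Servers,CN=Default-First-Site-Name,CN=Sites
 ,CN=Configuration,DC=example,DC=test
name: NTDS Settings-stale
"""

if __name__ == "__main__":
    for dn, rdn, name in rdn_mismatches(SAMPLE):
        print(f"MISMATCH rdn={rdn!r} name={name!r}\n  dn={dn}")
```

On the sample, the tombstoned GANYMEDE record passes (its base64 `name` decodes to the same newline-plus-`DEL:` string that `\0A` encodes in the DN) and only the constructed record is reported.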






