[Samba] Made a join with a netbios name, which already existed, now replication errors

Rowland Penny rpenny at samba.org
Wed Nov 1 08:42:03 UTC 2017


On Wed, 01 Nov 2017 13:38:17 +1300
Andrew Bartlett <abartlet at samba.org> wrote:

> On Tue, 2017-10-31 at 17:37 -0500, Matthew Delfino via samba wrote:
> > > 
> > 
> > I’m having a similar problem. I just fixed a bad member of my samba
> > domain - a samba AD DC that wasn’t working. I demoted it,
> > uninstalled Samba and reinstalled, then rejoined the domain.
> > 
> > Everything's replicating nicely. All my users can authenticate. But
> > my samba AD DCs are all on 4.4.16, and I want to be on 4.7.
> > 
> > So, I set up a new server to act as my 4.7. My plan: Join it to the
> > domain, move the FSMO role to this new server, then one-by-one
> > replace my old DCs with new ones running Samba 4.7.
> > 
> > I go to get the new 4.7 samba machine joined and here’s what
> > happens:
> > 
> > -----
> 
> > Partition[CN=Configuration,DC=mydomain,DC=net] objects[402/1636]
> > linked_values[0/0] Partition[CN=Configuration,DC=mydomain,DC=net]
> > objects[804/1636] linked_values[0/0]
> > Partition[CN=Configuration,DC=mydomain,DC=net] objects[1206/1636]
> > linked_values[0/0] Partition[CN=Configuration,DC=mydomain,DC=net]
> > objects[1608/1636] linked_values[0/0]
> > Partition[CN=Configuration,DC=mydomain,DC=net] objects[1636/1636]
> > linked_values[47/0] Unxpectedly got mismatching RDN values when
> > checking RDN against name of CN=NTDS
> > Settings,CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=netFailed
> > to convert object CN=NTDS
> > Settings,CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net:
> > WERR_GEN_FAILURE Failed to convert objects: WERR_GEN_FAILURE Join
> > failed - cleaning up
> 
> This is interesting.  Sadly the code checking this doesn't print the
> RDN value and name that it dislikes for comparison; this really wasn't
> expected to be seen in the field.
> 
> What does dbcheck say?  Once you back it up and fix it on 4.4, if you
> copy the DB to a 4.7 host, does it give any more errors regarding this
> object?
> 
> > -----
> > 
> > ("Ganymede" is the server I just demoted and re-promoted.)
> > 
> > By your thread with gizmo, I take it that my new samba AD DC
> > doesn’t like this deleted record:
> > 
> > -----
> > 
> > sudo ldbsearch --cross-ncs --show-deleted
> > -H /var/lib/samba/private/sam.ldb
> > "distinguishedName=CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net" [sudo]
> > password for svr.matthew.delfino: # record 1 dn:
> > CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
> > 
> 
> > lastKnownParent:
> > CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurati
> > on,DC=mydomain,DC=net isRecycled: TRUE
> > cn::
> > R0FOWU1FREUKREVMOjk2NDYyNTJjLThlNGQtNDQ3Zi05MGZhLTNhNTEzNTUyNzZhYw==
> > name::
> > R0FOWU1FREUKREVMOjk2NDYyNTJjLThlNGQtNDQ3Zi05MGZhLTNhNTEzNTUyNzZhYw==
> > whenChanged: 20171030231808.0Z uSNChanged: 17728815
> > distinguishedName:
> > CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=S
> > ervers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=lo
> > c
> 
> Yes and no.  This looks normal enough, it actually doesn't like the
> CN=NTDS Settings child of this object.  Can you show that?
> 
> > If I understand your correspondence above, this "tombstone" record
> > needs to be expunged. But, since my version, (4.4.16), has a
> > samba-tool that appears to not be able to do "samba-tool domain
> > tombstones…." I have to wait 180 days for that record to
> > automatically go away and the mismatch to go away in kind? Do I have
> > this right?
> 
> You could upgrade the domain in-place and use the modern tools, or on
> a new host that you will give the same name as the old one (we are not
> fussy about the surrounding OS, just the hostname and to a lesser
> extent the IP). 
> 
> > Do I have any options other than waiting 179 more days? I mean,
> > besides a DeLorean with a Flux Capacitor, or cryogenic stasis… or
> > (gulp) patience?
> 
> You can change the tombstoneLifetime, but please turn it back up once
> you are done. 
> 
> Andrew Bartlett

I think you are going to have to think laterally here, if your DCs
cannot lower the tombstoneLifetime, add a new one that can ;-)

Rowland
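The join error quoted above says that, for some object, the RDN in the DN does not agree with the object's name attribute, and as Andrew notes the check does not print the two values it compared. The following is an added example (not Samba's code and not posted in this thread): a small Python check that runs that comparison over an LDIF dump such as the ldbsearch output above. It unfolds continuation lines, decodes base64 (`::`) values like the cn/name shown above, unescapes the `\0A` in the DN, and prints both sides for every record that disagrees. The sample LDIF is constructed: the GANYMEDE record reuses the values from the thread (and checks out, as Andrew says), while the "NTDS Settings" child record is hypothetical and deliberately inconsistent so the report has something to show.

```python
"""Compare the RDN in each DN with the record's 'name' attribute.

Added example, not Samba's own code. Input is LDIF as printed by
ldbsearch; the sample below is constructed for this demonstration.
"""
import base64
import re

# Constructed sample LDIF: record 1 reuses the tombstoned server object from
# the thread; record 2 is a hypothetical child whose 'name' was altered so
# that it no longer matches the RDN in its DN.
SAMPLE_LDIF = r"""# record 1
dn: CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
lastKnownParent: CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configurati
 on,DC=mydomain,DC=net
isRecycled: TRUE
cn:: R0FOWU1FREUKREVMOjk2NDYyNTJjLThlNGQtNDQ3Zi05MGZhLTNhNTEzNTUyNzZhYw==
name:: R0FOWU1FREUKREVMOjk2NDYyNTJjLThlNGQtNDQ3Zi05MGZhLTNhNTEzNTUyNzZhYw==

# record 2 (constructed, deliberately inconsistent child object)
dn: CN=NTDS Settings,CN=GANYMEDE\0ADEL:9646252c-8e4d-447f-90fa-3a51355276ac,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
cn: NTDS Settings
name: NTDS Settings Old
"""


def parse_ldif(text):
    """Return a list of records; each record maps lowercased attribute
    names to a list of decoded string values."""
    raw_records, current = [], []
    for line in text.splitlines() + [""]:
        if line == "":                      # blank line ends a record
            if current:
                raw_records.append(current)
                current = []
        elif line.startswith("#"):          # LDIF comment
            continue
        elif line.startswith(" ") and current:
            current[-1] += line[1:]         # unfold continuation line
        else:
            current.append(line)
    records = []
    for lines in raw_records:
        attrs = {}
        for line in lines:
            name, _, rest = line.partition(":")
            if rest.startswith(":"):        # '::' marks a base64 value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            attrs.setdefault(name.strip().lower(), []).append(value)
        records.append(attrs)
    return records


def unescape_dn_value(value):
    """Undo RFC 4514 escaping: '\\XX' hex pairs and '\\<char>' escapes."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
                out.append(int(pair, 16))   # e.g. \0A -> newline byte
                i += 3
                continue
            out.extend(value[i + 1].encode("utf-8"))
            i += 2
            continue
        out.extend(value[i].encode("utf-8"))
        i += 1
    return out.decode("utf-8", "replace")


def first_rdn(dn):
    """Return (attribute, unescaped value) of the first RDN of a DN."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":                   # skip escaped char, may be a comma
            i += 2
            continue
        if dn[i] == ",":
            break
        i += 1
    attr, _, raw = dn[:i].partition("=")
    return attr.strip(), unescape_dn_value(raw)


def find_rdn_name_mismatches(text):
    """Return [(dn, rdn_value, name_value)] for records whose RDN value and
    'name' attribute disagree; records without a 'name' are skipped."""
    mismatches = []
    for rec in parse_ldif(text):
        dn = rec.get("dn", [""])[0]
        _, rdn_value = first_rdn(dn)
        names = rec.get("name")
        if names and names[0] != rdn_value:
            mismatches.append((dn, rdn_value, names[0]))
    return mismatches


if __name__ == "__main__":
    for dn, rdn_value, name in find_rdn_name_mismatches(SAMPLE_LDIF):
        print("mismatch:", dn)
        print("  RDN value :", repr(rdn_value))
        print("  name      :", repr(name))
```

Run it against a real dump with `ldbsearch --cross-ncs --show-deleted -H /var/lib/samba/private/sam.ldb > dump.ldif` and pass the file contents to `find_rdn_name_mismatches`; a deleted object's `\0ADEL:<guid>` suffix is expected in both the RDN and the name, so only records where the two genuinely differ are reported.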


