[Samba] samba 4.7.0 replication errors

Andrew Bartlett abartlet at samba.org
Sat Oct 14 18:52:18 UTC 2017

On Mon, 2017-10-02 at 09:59 +1300, Garming Sam via samba wrote:
> Can you provide a bit more logs? At first glance, it doesn't seem quite 
> related to group memberships.

I agree, we need more logs here.  Turn up the log level and see what
the error causing that final error is.  

However, take care not to publish confidential details like staff names
and sensitive attributes like unicodePwd or supplementalCredentials to
a public mailing list. 

Running 'samba-tool drs clone-dc-database' against one of the DCs would
be very instructive.  This does the same thing as a fresh join, but
without adding any DC objects. 

The dbcheck errors you mention are interesting.  Backlinks are only
implicitly transferred over DRS replication, but if they are very wrong
perhaps the update of them failed.  What did the PowerShell script do? 
Did it just delete users, or did it try to remove them from the group

If replication broke only after user/group modification, then this may
be due to a latent DB issue, not detected after the initial upgrade
because nothing read or modified those DB entries.  Once they were
touched the issue became 'live'.

In particular, Samba 4.7.0 includes code to sort links like member
within an attribute.  The process to modify the group list after the
upgrade to sorted links might fail if the DB wasn't clean.

A downgrade to Samba 4.6 should be safe in the meantime; we haven't
changed the DB format and it is much less strict in this area (the
change was made to improve performance).  However, we would really like
to understand the issue more.


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
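
Added example (not part of the original message and not Samba project code): one way to strip the sensitive attributes named above from LDIF text, such as ldbsearch output, before posting it publicly. The extra attribute names, the function name and the sample record are assumptions of this example; staff names in DNs still need manual review.

```python
import re

# unicodePwd and supplementalCredentials are named in the message above; the
# other AD password attributes are an addition of this example (assumption).
SENSITIVE = {"unicodepwd", "supplementalcredentials",
             "ntpwdhistory", "lmpwdhistory", "dbcspwd"}

# Attribute description at the start of an LDIF line: "name:", "name::", "name:<"
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*):")


def redact_ldif(text, sensitive=SENSITIVE):
    """Return LDIF text with the values of sensitive attributes replaced.

    Covers base64 values (attr:: ...) and folded continuation lines (lines
    starting with one space), which would otherwise leak the tail of a blob.
    """
    out = []
    dropping = False  # True while skipping continuation lines of a redacted value
    for line in text.splitlines():
        if line.startswith(" "):
            if not dropping:
                out.append(line)  # continuation of a harmless value: keep
            continue
        dropping = False
        m = ATTR_RE.match(line)
        # Compare the base name only, ignoring options such as ";binary".
        if m and m.group(1).split(";")[0].lower() in sensitive:
            out.append(f"{m.group(1)}: <REDACTED>")
            dropping = True
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample record; the base64 strings are placeholders, not real hashes.
SAMPLE = """\
dn: CN=Test User,CN=Users,DC=example,DC=com
sAMAccountName: testuser
unicodePwd:: Q09OU1RSVUNURUQtTk9ULUEtUkVBTC1IQVNI
supplementalCredentials:: Q09OU1RSVUNURURfQkxPQl9MSU5FXzE
 Q09OU1RSVUNURURfQkxPQl9MSU5FXzI
memberOf: CN=Staff,CN=Users,DC=example,DC=com
"""

if __name__ == "__main__":
    print(redact_ldif(SAMPLE), end="")
```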
