[Samba] samba 4.7.0 replication errors

Andrej Gessel Andrej.Gessel at janztec.com
Mon Oct 16 13:07:47 UTC 2017

Hello list,

Maybe I saw the same error with backlinks. I am trying to use Samba 4.7.0 as an RODC and perform the join with the "domain-critical-only" option. smb.conf is generated by Samba. After starting the joined Samba I got an error like this:

Failed to apply records: ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4218: Failed to remove backlink of memberOf when deleting CN=USER\0ADEL:a1f2a2cc-1179-4734-b753-c121ed02a34c,CN=Deleted Objects,DC=DOMAIN,DC=intern: dsdb_module_search_dn: did not find base dn CN=USERSGROUP\0ADEL:030d0be1-3ada-4b93-8371-927f20923116,CN=Deleted Objects,DC=DOMAIN,DC=intern (0 results): Operations error

USER is a member of USERSGROUP. If I run ldbsearch and try to find USERSGROUP, it is displayed. Replicating the single object with full-sync did not solve this issue. Only removing the USERSGROUP object with ldbdel and rerunning replication with --local --full-sync --single-object solved this.

If I run samba-tool drs replicate --local ... I load about 40000 objects (~50% of the AD), but only 15000 are in the ldb (DC=DOMAIN,DC=intern). Then I see the error above and replication starts again, so I run into an endless replication loop.

Some other notes:

If I run dbcheck with --cross-ncs and --fix, I get some other errors like this:

ERROR: missing backlink attribute 'memberOf' in CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern for link member in CN=PROJ,OU=otherou,DC=GROUPS,DC=DOMAIN,DC=intern
Fix missing backlink memberOf [YES]
Failed to fix missing backlink memberOf : (20, "attribute 'memberOf': value #17 on 'CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern' already exists")

I didn't see it for the USER object, but for a lot of other objects.


-----Original Message-----
From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of Andrew Bartlett via samba
Sent: Saturday, 14 October 2017 20:52
To: Garming Sam <garming at catalyst.net.nz>; thom_schu at gmx.de; samba at lists.samba.org
Subject: Re: [Samba] samba 4.7.0 replication errors

On Mon, 2017-10-02 at 09:59 +1300, Garming Sam via samba wrote:
> Can you provide a bit more logs? At first glance, it doesn't seem 
> quite related to group memberships.

I agree, we need more logs here.  Turn up the log level and see what the error causing that final error is.

However, take care not to publish confidential details like staff names and sensitive attributes like unicodePwd or supplementalCredentials to a public mailing list.

Running 'samba-tool drs clone-dc-database' against one of the DCs would be very instructive.  This does the same thing as a fresh join, but without adding any DC objects.

The dbcheck errors you mention are interesting.  Backlinks are only implicitly transferred over DRS replication, but if they are very wrong perhaps the update of them failed.  What did the PowerShell script do?
Did it just delete users, or did it try to remove them from the group first?

If replication broke only after user/group modification, then this may be due to a latent DB issue, not detected after the initial upgrade because nothing read or modified those DB entries.  Once they were touched the issue became 'live'.

In particular, Samba 4.7.0 includes code to sort links like member within an attribute.  The process to modify the group list after the upgrade to sorted links might fail if the DB wasn't clean.

A downgrade to Samba 4.6 should be safe in the meantime: we haven't changed the DB format, and it is much less strict in this area (the change was made to improve performance).  However, we would really like to understand the issue more.


Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
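The diagnostics suggested in the reply, packaged as an added example that is not part of the original thread and is not Samba's own code: clone the DC database into a scratch directory (the same code path as a join, but no DC objects are added), run dbcheck across naming contexts in report-only mode, and scrub password-bearing attributes out of the logs before they are sent to a public list. The realm DOMAIN.INTERN, the source DC dc1.domain.intern, the scratch directory /tmp/clone, the live database path and the list of sensitive attribute names are all assumptions for illustration.

```shell
#!/bin/sh
# Added example for this thread, not code from Samba or from either poster.
# Assumed placeholders (not from the thread): realm, source DC, scratch dir,
# live sam.ldb path, and the debug level passed with -d.
REALM="DOMAIN.INTERN"
SOURCE_DC="dc1.domain.intern"
SCRATCH="/tmp/clone"
LIVE_SAM_LDB="/usr/local/samba/private/sam.ldb"
DEBUG_LEVEL=5

# Attributes whose values must never reach a public list. LDAP attribute
# names are case-insensitive, so the match below is too. The list is an
# assumption; extend it for any site-specific secret attributes.
SENSITIVE_ATTRS='unicodePwd|supplementalCredentials|dBCSPwd|ntPwdHistory|lmPwdHistory|unixUserPassword|clearTextPassword|trustAuthIncoming|trustAuthOutgoing'

# scrub_log: filter stdin, replacing the value of any "attr: value" or
# base64 "attr:: value" line whose attribute is sensitive with <redacted>.
# Leading indentation is preserved. Only lines that start with the attribute
# name are caught; a manual read of the result is still required before posting.
scrub_log() {
    awk -v attrs="$SENSITIVE_ATTRS" '
        BEGIN { n = split(tolower(attrs), names, "|") }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            prefix = substr($0, 1, length($0) - length(line))
            idx = index(line, ":")
            redact = 0
            if (idx > 1) {
                name = tolower(substr(line, 1, idx - 1))
                for (i = 1; i <= n; i++) if (name == names[i]) redact = 1
            }
            if (redact) print prefix substr(line, 1, idx - 1) ": <redacted>"
            else print
        }'
}

# collect_diagnostics: the steps from the reply. Needs samba-tool on the host
# and prompts for the password of the account given with -U. Nothing here
# modifies the live database: dbcheck runs without --fix so the report can be
# reviewed before any repair is attempted.
collect_diagnostics() {
    mkdir -p "$SCRATCH"
    # Same code path as a fresh join, but no DC objects are created in the domain.
    samba-tool drs clone-dc-database "$REALM" --server="$SOURCE_DC" \
        --targetdir="$SCRATCH" -U Administrator -d "$DEBUG_LEVEL" 2>&1 \
        | scrub_log > "$SCRATCH/clone.log"
    # Cross-NC link check on the clone (assumed to land at targetdir/private/sam.ldb,
    # the layout a join produces) and on the live DB, both report-only.
    samba-tool dbcheck -H "$SCRATCH/private/sam.ldb" --cross-ncs 2>&1 \
        | scrub_log > "$SCRATCH/dbcheck-clone.log"
    samba-tool dbcheck -H "$LIVE_SAM_LDB" --cross-ncs 2>&1 \
        | scrub_log > "$SCRATCH/dbcheck-live.log"
}

# The samba-tool steps only run when asked for explicitly ("./diag.sh run"),
# so the scrub filter can be exercised on its own:
#   printf 'unicodePwd:: AAAA\n' | scrub_log
if [ "${1:-}" = "run" ]; then
    collect_diagnostics
fi
```

Pipe any further `-d` output from `samba-tool drs replicate` or `samba-tool drs showrepl` through `scrub_log` the same way; the filter keeps the attribute name so the reader can still see that the object carried a password attribute without seeing its value.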
