[Samba] possible to use ldbedit in a safe way

Andrew Bartlett abartlet at samba.org
Mon Oct 16 18:56:27 UTC 2017 

On Mon, 2017-10-16 at 16:53 +0200, mj via samba wrote:
> Hi,
> 
> dbcheck tells us we have two "dangling forward links" that I am trying 
> to get rid of. On my test domain, I have simply done

Are they breaking anything?

If so, can you get me more detail on exactly what breaks?

> ldbedit -e nano -H ./CN=CONFIGURATION,DC=SAMBA,DC=COMPANY,DC=COM
> 
> to remove them.
> 
> While that seems to have worked nicely, dbcheck report zero errors now, 
> it is something that I should never have done, or do in production, 
> according to Andrew:
> 
> "We realise this is a difficult problem for you and other users, but 
> NEVER, EVER do that."
> 
> So, question: is there a SAFE way to easily get rid of those two 
> "dangling forward links"?
> 
> (they are Replica-Locations for a DC that has been removed years ago)


Unless the link it also a deleted link (in which case I think we
already remove it in dbcheck), as it has been more than the tombstone
lifetime, we can't tell that this link is to something that has been
long deleted, rather than pointing to an unexpectedly missing object in
the directory.

I've always been really nervous about removing data during dbcheck, as
it can be run in --fix --yes mode.

That is, links to objects marked as deleted are easily fixed, but these
have been left as 'too hard' for now.

I've CC'ed Tim and Garming as Tim has been working on improving our
link behaviour, and with Garming we have been discussing the acceptable
and un-acceptable failure modes here. 

If we have painted ourselves into a corner, and can no longer ignore
these dangling forward links, an improved dbcheck rule is probably the
right answer, and I would rather get you a patch than have you edit the
DB.

Finally, for those that have already edited a backend DB, running
'samba-tool dbcheck --reindex' on the sam.ldb is a must, to ensure the
index values are correctly re-calculated.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list