[Samba] possible to use ldbedit in a safe way

Andrew Bartlett abartlet at samba.org
Tue Oct 17 09:22:08 UTC 2017

On Tue, 2017-10-17 at 11:04 +0200, mj via samba wrote:
> On 10/16/2017 08:56 PM, Andrew Bartlett wrote:
> > Are they breaking anything?
> Not sure. But in another thread I reported some issues on replication,
> highwatermark notifications, high CPU load, etc.
> My idea was to try several things to fix this. So I created a
> virtualised isolated environment, in which I can try out all kinds of
> things:
> - upgrading the DCs to 4.7 (as suggested by you)
> or
> - add a fresh 4.7 dc, see how that works out
> - try the clone-dc-database
> But also:
> - try to make dbcheck complete without errors, to rule that out.
> > If so, can you get me more detail on exactly what breaks?
> So I'm not sure if there is a relation or not. :-|
> > If we have painted ourselves into a corner, and can no longer ignore
> > these dangling forward links, an improved dbcheck rule is probably the
> > right answer, and I would rather get you a patch than have you edit the
> > DB.
> Understood, but I'm not sure that my dangling links break anything. It's
> just that in case of an issue, the natural thing is: first try to make
> dbcheck finish without errors. :-)

Can you please be less vague on what the link is exactly?  A suggestion
around the office from Garming was that we should:
 - remove more during the demote
 - clean up links to removed DCs more aggressively (not as likely to
result in information loss).

In particular, I think it would be quite safe to clean up a dangling
forward link within the same partition in:
 - msDS-masteredBy
 - masteredBy
 - fSMORoleOwner
 - msDS-NC-Replica-Locations

> > Finally, for those that have already edited a backend DB, running
> > 'samba-tool dbcheck --reindex' on the sam.ldb is a must, to ensure the
> > index values are correctly re-calculated.
> I understand that most parts of sam.ldb are replicated between DCs, but
> from what I can read, some items are also non-replicated, so local-DC-only.

It is some attributes.

> Would I be ok to say: things that are replicated are more dangerous to
> edit using ldbedit than things that stay local to a specific DC?
> (as long as you run --reindex afterwards)

Yes, because the replPropertyMetaData is not updated during a backend

Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
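
Added example (not part of the original message, and not Samba's dbcheck code): a read-only scan of an LDIF export that reports values of the four attributes listed above whose target DN has no record, and whether source and target share a partition. It assumes plain DN values (no base64, no <GUID=...> extended DNs); the function names, the example.com DNs and the sample records are constructed.

```python
# Read-only: reports candidates for review, changes nothing in any database.
# Assumes plain "attr: value" LDIF with DN-valued links (an assumption).
LINK_ATTRS = {"msds-masteredby", "masteredby", "fsmoroleowner",
              "msds-nc-replica-locations"}

def parse_ldif(text):
    """Return {dn: [(attr, value), ...]}; folded lines are joined first."""
    records = {}
    for block in text.replace("\n ", "").strip().split("\n\n"):
        dn, attrs = None, []
        for line in block.splitlines():
            name, sep, value = line.partition(": ")
            if not sep or name.startswith("#") or name.endswith(":"):
                continue  # comment, malformed, or base64 ("attr:: ...") line
            if name.lower() == "dn":
                dn = value
            else:
                attrs.append((name, value))
        if dn:
            records[dn] = attrs
    return records

def partition_of(dn, partitions):
    """Longest naming context that is dn itself or a suffix of it."""
    hits = [p for p in partitions
            if dn.lower() == p.lower() or dn.lower().endswith("," + p.lower())]
    return max(hits, key=len) if hits else None

def dangling_links(ldif_text, partitions):
    """List (source_dn, attr, target_dn, scope) where target_dn has no record."""
    records = parse_ldif(ldif_text)
    known = {dn.lower() for dn in records}
    found = []
    for dn, attrs in records.items():
        for name, target in attrs:
            if name.lower() in LINK_ATTRS and target.lower() not in known:
                same = partition_of(dn, partitions) == partition_of(target, partitions)
                found.append((dn, name, target,
                              "same-partition" if same else "cross-partition"))
    return found

# Constructed sample: OLDDC was demoted and its NTDS Settings object is gone.
CONFIG = "CN=Configuration,DC=example,DC=com"
NTDS = "CN=NTDS Settings,CN={},CN=Servers,CN=Site1,CN=Sites," + CONFIG
SAMPLE = (f"dn: {CONFIG}\nmasteredBy: {NTDS.format('DC1')}\n"
          f"masteredBy: {NTDS.format('OLDDC')}\n\n"
          f"dn: {NTDS.format('DC1')}\nobjectClass: nTDSDSA\n\n"
          f"dn: DC=example,DC=com\nfSMORoleOwner: {NTDS.format('OLDDC')}\n")
PARTITIONS = ["DC=example,DC=com", CONFIG]
```

Calling dangling_links(SAMPLE, PARTITIONS) returns two findings for the missing OLDDC object: the masteredBy value on the Configuration head is tagged same-partition, and the fSMORoleOwner value on the domain head is tagged cross-partition.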
