[Samba] samba 4.7.0 replication errors

Andrew Bartlett abartlet at samba.org
Tue Oct 17 10:12:18 UTC 2017 

On Mon, 2017-10-16 at 13:07 +0000, Andrej Gessel via samba wrote:
> Hello list,
> 
> maybe I saw the same error with backlinks. I try to use Samba 4.7.0 as rodc and perform join with "domain-critical-only"-option. Smb.conf is generated by samba. After starting joined samba I got error like this:

Does it change if you don't use that option?

> Failed to apply records: ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4218: Failed to remove backlink of memberOf when deleting CN=USER\0ADEL:a1f2a2cc-1179-4734-b753-c121ed02a34c,CN=Deleted Objects,DC=DOMAIN,DC=intern: dsdb_module_search_dn: did not find base dn CN=USERSGROUP\0ADEL:030d0be1-3ada-4b93-8371-927f20923116,CN=Deleted Objects,DC=DOMAIN,DC=intern (0 results): Operations error
> Failed to commit objects: WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
> 
> USER is member of the USERSGROUP. If I run ldbsearch and try to find USERGROUP it will be displayed. Replicating single-object with full-sync do not solved this issue. Only removing the USERGROUP object with ldbdel and rerun replication with --local --full-sync --single-object solved this.
> 
> If I run samba-tool drs replication --local ... I load about 40000 objects (~50% of AD), but only 15000 are in the ldb(DC=DOMAIN,DC=intern). Then I see the error above and replication starts again, so I run into endless replication loop.
> 
> Some other notes:
> 
> If I run dbcheck with --cross-ncs and --fix I got some other errors like this:
> 
> ERROR: missing backlink attribute 'memberOf' in
> CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern for link member in
> CN=PROJ,OU=otherou,DC=GROUPS,DC=DOMAIN,DC=intern
> Fix missing backlink memberOf [YES]
> Failed to fix missing backlink memberOf : (20, "attribute 'memberOf': value #17 on 'CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern' already exists")

Can you show me the memberOf value son that user?

ldbsearch -s base -b
CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern
--reveal --extended-dn

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list