[Samba] samba 4.7.0 replication errors
Andrej Gessel
Andrej.Gessel at janztec.com
Tue Oct 17 11:16:48 UTC 2017
Hello Andrew,
I cannot run a complete domain join without this option because of my hardware limitations. The join ends with "Committing SAM database" and a Python exception, because no more memory is available.
If I run ldbsearch with --extended-dn I get this error message:
search failed - Unsupported critical extension 1.2.840.113556.1.4.529
If I run ldbsearch without this option, no memberOf attribute but 2 member attributes were found. And note that it is not a user, it is a group.
Andrej
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Tuesday, 17 October 2017 12:12
To: Andrej Gessel <Andrej.Gessel at janztec.com>; samba at lists.samba.org
Subject: Re: [Samba] samba 4.7.0 replication errors
On Mon, 2017-10-16 at 13:07 +0000, Andrej Gessel via samba wrote:
> Hello list,
>
> maybe I saw the same error with backlinks. I try to use Samba 4.7.0 as an RODC and perform the join with the "domain-critical-only" option. Smb.conf is generated by samba. After starting the joined samba I got an error like this:
Does it change if you don't use that option?
> Failed to apply records:
> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4218: Failed to
> remove backlink of memberOf when deleting
> CN=USER\0ADEL:a1f2a2cc-1179-4734-b753-c121ed02a34c,CN=Deleted
> Objects,DC=DOMAIN,DC=intern: dsdb_module_search_dn: did not find base
> dn CN=USERSGROUP\0ADEL:030d0be1-3ada-4b93-8371-927f20923116,CN=Deleted
> Objects,DC=DOMAIN,DC=intern (0 results): Operations error Failed to
> commit objects: WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
>
> USER is a member of the USERSGROUP. If I run ldbsearch and try to find USERGROUP it will be displayed. Replicating single-object with full-sync did not solve this issue. Only removing the USERGROUP object with ldbdel and rerunning replication with --local --full-sync --single-object solved this.
>
> If I run samba-tool drs replication --local ... I load about 40000 objects (~50% of AD), but only 15000 are in the ldb (DC=DOMAIN,DC=intern). Then I see the error above and replication starts again, so I run into an endless replication loop.
>
> Some other notes:
>
> If I run dbcheck with --cross-ncs and --fix I got some other errors like this:
>
> ERROR: missing backlink attribute 'memberOf' in
> CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern for link member in
> CN=PROJ,OU=otherou,DC=GROUPS,DC=DOMAIN,DC=intern
> Fix missing backlink memberOf [YES]
> Failed to fix missing backlink memberOf : (20, "attribute 'memberOf':
> value #17 on 'CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern'
> already exists")
Can you show me the memberOf values on that user?
ldbsearch -s base -b CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern --reveal --extended-dn
Thanks,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba