[Samba] samba 4.7.0 replication errors

Arthur Ramsey arthur_ramsey at mediture.com
Tue Oct 17 13:51:30 UTC 2017


I wasn't using the domain-critical-only setting when I had the backlink 
issues.

Thanks,
Arthur

On 10/17/2017 6:16 AM, Andrej Gessel via samba wrote:
> Hello Andrew,
>
> I cannot run a complete domain join without this option, because of my hardware limitations. The join ends with " Committing SAM database" and a Python exception, because no more memory is available.
>
> If I run ldbsearch with --extended-dn, I get this error message:
>
> search failed - Unsupported critical extension 1.2.840.113556.1.4.529
>
> If I run ldbsearch without this option, no memberOf attribute but 2 member attributes are found. And note that it is not a user, it is a group.
>
>
> Andrej
>
> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at samba.org]
> Sent: Tuesday, 17 October 2017 12:12
> To: Andrej Gessel <Andrej.Gessel at janztec.com>; samba at lists.samba.org
> Subject: Re: [Samba] samba 4.7.0 replication errors
>
> On Mon, 2017-10-16 at 13:07 +0000, Andrej Gessel via samba wrote:
>> Hello list,
>>
>> Maybe I saw the same error with backlinks. I am trying to use Samba 4.7.0 as an RODC and perform the join with the "domain-critical-only" option. smb.conf is generated by Samba. After starting the joined Samba I got an error like this:
> Does it change if you don't use that option?
>
>> Failed to apply records:
>> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:4218: Failed to
>> remove backlink of memberOf when deleting
>> CN=USER\0ADEL:a1f2a2cc-1179-4734-b753-c121ed02a34c,CN=Deleted
>> Objects,DC=DOMAIN,DC=intern: dsdb_module_search_dn: did not find base
>> dn CN=USERSGROUP\0ADEL:030d0be1-3ada-4b93-8371-927f20923116,CN=Deleted
>> Objects,DC=DOMAIN,DC=intern (0 results): Operations error Failed to
>> commit objects: WERR_GEN_FAILURE/NT_STATUS_INVALID_NETWORK_RESPONSE
>>
>> USER is a member of the USERSGROUP. If I run ldbsearch and try to find USERGROUP, it is displayed. Replicating the single object with full-sync did not solve this issue. Only removing the USERGROUP object with ldbdel and rerunning replication with --local --full-sync --single-object solved this.
>>
>> If I run samba-tool drs replication --local ... I load about 40000 objects (~50% of AD), but only 15000 are in the ldb (DC=DOMAIN,DC=intern). Then I see the error above and replication starts again, so I run into an endless replication loop.
>>
>> Some other notes:
>>
>> If I run dbcheck with --cross-ncs and --fix, I get some other errors like this:
>>
>> ERROR: missing backlink attribute 'memberOf' in
>> CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern for link member in
>> CN=PROJ,OU=otherou,DC=GROUPS,DC=DOMAIN,DC=intern
>> Fix missing backlink memberOf [YES]
>> Failed to fix missing backlink memberOf : (20, "attribute 'memberOf':
>> value #17 on 'CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern'
>> already exists")
> Can you show me the memberOf values on that user?
>
> ldbsearch -s base -b
> CN=PROJ,OU=PROJACCESS,DC=GROUPS,DC=DOMAIN,DC=intern
> --reveal --extended-dn
>
> Thanks,
>
> Andrew Bartlett

