[Samba] AD object fix (Re: [Announce] Samba 4.7.5 Available for Download)

Jonathan Hunter jmhunter1 at gmail.com
Wed Feb 7 23:44:39 UTC 2018


Hi,

Firstly thank you to all the Samba team for continued help & support.. and
thank you to those involved in resolving bug 13228, which might well
explain a number of issues I was having recently (I had thought
coincidentally, after upgrading to 4.7.4).

Can I check the expected behaviour of 'samba-tool dbcheck --cross-ncs
--fix'?

On 7 February 2018 at 08:59, Karolin Seeger via samba <samba at lists.samba.org> wrote:

> o  BUG 13228: This is a major issue in Samba's ActiveDirectory domain
>    controller code. It might happen that AD objects have missing or broken
>    linked attributes. This could lead to broken group memberships e.g.
>    All Samba AD domain controllers set up with Samba 4.6 or lower and then
>    upgraded to 4.7 are affected. The corrupt database can be fixed with
>    'samba-tool dbcheck --cross-ncs --fix'.
>

What is the expected behaviour of this command if run consecutively?

On my DCs, freshly upgraded from 4.7.4 to 4.7.5, I have run the following
two commands in sequence:
$ sudo samba-tool dbcheck --cross-ncs --fix --yes > ~/samba-fix-01 2>&1
$ sudo samba-tool dbcheck --cross-ncs --fix --yes > ~/samba-fix-02 2>&1

The files produced by each run are identical in size.. but I would have
instead expected file 02 to be smaller than file 01, since all the issues
should have been fixed first time round..?

Can I first check that I'm not missing something in syntax etc., before I
spam the list with more details?

I'm seeing output along the following lines, during *both* runs of
samba-tool dbcheck:

WARNING: no target object found for GUID component for DN value
msDS-NC-Replica-Locations in object
CN=aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee,CN=Partitions,CN=Configuration,DC=mydomain
[....]
WARNING: target DN is deleted for msDS-NC-Replica-Locations in object [....]
Target GUID points at deleted DN [....]
Remove stale DN link? [YES]
Removed deleted DN on attribute msDS-NC-Replica-Locations

plus many more; the output files are 13KB each on this DC, and contain 47
fixes according to
$ cat samba-fix-01 | grep "[YES]" | wc -l
47

I already know (I think) that I need to run the command on each DC.. but
before going further I just wanted to check I'm at least trying the correct
approach for dbcheck itself.

Thanks,

Jonathan

-- 
"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein
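
An added example (not part of the original message, and not Samba's own code): a shell script for comparing two saved dbcheck logs like the ones described above. It counts confirmed prompts with `grep -F`, since `grep "[YES]"` is a bracket expression that matches any line containing Y, E or S, and it lists the WARNING lines that recur in the second log. The log contents and the `example-1`/`example-2` object names are constructed.

```shell
#!/bin/sh
# Added example; the two logs below are constructed sample data shaped like
# the dbcheck output quoted in the message (object names are placeholders).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
run1="$workdir/samba-fix-01"
run2="$workdir/samba-fix-02"

cat > "$run1" <<'EOF'
WARNING: target DN is deleted for msDS-NC-Replica-Locations in object CN=example-1,CN=Partitions,CN=Configuration,DC=mydomain
Remove stale DN link? [YES]
Removed deleted DN on attribute msDS-NC-Replica-Locations
WARNING: target DN is deleted for msDS-NC-Replica-Locations in object CN=example-2,CN=Partitions,CN=Configuration,DC=mydomain
Remove stale DN link? [YES]
Removed deleted DN on attribute msDS-NC-Replica-Locations
EOF

cat > "$run2" <<'EOF'
WARNING: target DN is deleted for msDS-NC-Replica-Locations in object CN=example-2,CN=Partitions,CN=Configuration,DC=mydomain
Remove stale DN link? [YES]
Removed deleted DN on attribute msDS-NC-Replica-Locations
EOF

# Count prompts answered with the literal string "[YES]" (-F: fixed string).
count_confirmed() {
    grep -cF '[YES]' "$1" || true
}

# For comparison: without -F, "[YES]" is a bracket expression, so this counts
# every line containing an upper-case Y, E or S.
count_bracket() {
    grep -c '[YES]' "$1" || true
}

# WARNING lines of the first log that appear unchanged in the second log,
# i.e. objects dbcheck reported again on the consecutive run.
repeated_warnings() {
    grep -Fxf "$1" "$2" | grep -F 'WARNING:' | sort -u
}

echo "run 1: $(count_confirmed "$run1") confirmed, $(count_bracket "$run1") bracket matches"
echo "run 2: $(count_confirmed "$run2") confirmed"
echo "reported in both runs:"
repeated_warnings "$run1" "$run2"
```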

