[Samba] A db error that dbcheck tool can't fix

徐星亚 adam_xu at adagene.com.cn
Fri Feb 9 12:34:55 UTC 2018 

Hello, I have 2 samba DCs. DC1 with FSMO role and DC2. These days, when I
use dbcheck in DC1 ,I got the following error:

 

# samba-tool dbcheck --cross-ncs

Checking 4419 objects

ERROR: incorrect DN SID component for member in object CN=Domain
Users,CN=Users,DC=adagene,DC=cn -
<GUID=c5c33d48-226b-4105-9c69-0506a22d3a15>;<RMD_ADDTIME=131526914300000000>
;<RMD_CHANGETIME=131526914750000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4f720a27-5a1
9-4fba-8e89-9f59f7c3533e>;<RMD_LOCAL_USN=102599>;<RMD_ORIGINATING_USN=102599
>;<RMD_VERSION=1>;CN=jack,OU=Users,OU=Suzhou,DC=adagene,DC=cn

Not fixing SID component mismatch

Please use --fix to fix these errors

Checked 4419 objects (1 errors)

---In DC2 ,there is no error.

 

And I try to fix that in DC1:

 

# samba-tool dbcheck --cross-ncs --fix

Checking 4419 objects

ERROR: incorrect DN SID component for member in object CN=Domain
Users,CN=Users,DC=adagene,DC=cn -
<GUID=c5c33d48-226b-4105-9c69-0506a22d3a15>;<RMD_ADDTIME=131526914300000000>
;<RMD_CHANGETIME=131526914750000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4f720a27-5a1
9-4fba-8e89-9f59f7c3533e>;<RMD_LOCAL_USN=102599>;<RMD_ORIGINATING_USN=102599
>;<RMD_VERSION=1>;CN=jack,OU=Users,OU=Suzhou,DC=adagene,DC=cn

Change DN to
<GUID=c5c33d48-226b-4105-9c69-0506a22d3a15>;<SID=S-1-5-21-570971082-13333576
99-3675202899-1007>;CN=jack,OU=Users,OU=Suzhou,DC=adagene,DC=cn?
[y/N/all/none] all

Failed to fix incorrect DN SID on attribute member : (68, 'samldb: member
CN=jack,OU=Users,OU=Suzhou,DC=adagene,DC=cn already set via primaryGroupID
513')

Checked 4419 objects (1 errors)

 

I check the user Jack’s sid and guid in RSAT tool. His sid is
S-1-5-21-570971082-1333357699-3675202899-1007 and guid is
c5c33d48-226b-4105-9c69-0506a22d3a15. All seems matches expectation.

 

And I use the ldap compare tools:

 

# samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator

Password for [ADAGENE\administrator]:

 

* Comparing [DOMAIN] context...

* Objects to be compared: 761

* Result for [DOMAIN]: SUCCESS

* Comparing [CONFIGURATION] context...

* Objects to be compared: 1615

* Result for [CONFIGURATION]: SUCCESS

* Comparing [SCHEMA] context...

* Objects to be compared: 1550

* Result for [SCHEMA]: SUCCESS

* Comparing [DNSDOMAIN] context...

* Objects to be compared: 241

* Result for [DNSDOMAIN]: SUCCESS

* Comparing [DNSFOREST] context...

* Objects to be compared: 20

* Result for [DNSFOREST]: SUCCESS

 

See that the ldap content in the two DCs are the same. But One got a error
and the other got none error.

 

So How could I fix the error in DC1 ?

 

Yours Adam.

More information about the samba mailing list