[Samba] A db error that dbcheck tool can't fix

Garming Sam garming at catalyst.net.nz
Tue Feb 13 23:16:40 UTC 2018


Hi,

It appears to be an error in dbcheck, where we're making assertions on
the primaryGroupID despite the fact that it is dealing with an inactive
link. It should be safe to ignore, and should disappear once the stale
link is deleted permanently after the usual tombstone period. There
probably needs to be a bug filed though, to make sure we fix this
unintended error.


Cheers,

Garming


On 10/02/18 01:34, 徐星亚 via samba wrote:
> Hello, I have 2 samba DCs. DC1 with FSMO role and DC2. These days, when I
> use dbcheck in DC1, I got the following error:
>
>  
>
> # samba-tool dbcheck --cross-ncs
>
> Checking 4419 objects
>
> ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Users,DC=adagene,DC=cn - <GUID=c5c33d48-226b-4105-9c69-0506a22d3a15>;<RMD_ADDTIME=131526914300000000>;<RMD_CHANGETIME=131526914750000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4f720a27-5a19-4fba-8e89-9f59f7c3533e>;<RMD_LOCAL_USN=102599>;<RMD_ORIGINATING_USN=102599>;<RMD_VERSION=1>;CN=jack,OU=Users,OU=Suzhou,DC=adagene,DC=cn
> Not fixing SID component mismatch
>
> Please use --fix to fix these errors
>
> Checked 4419 objects (1 errors)
>
> ---In DC2, there is no error.
>
>  
>
> And I try to fix that in DC1:
>
>  
>
> # samba-tool dbcheck --cross-ncs --fix
>
> Checking 4419 objects
>
> ERROR: incorrect DN SID component for member in object CN=Domain Users,CN=Users,DC=adagene,DC=cn - <GUID=c5c33d48-226b-4105-9c69-0506a22d3a15>;<RMD_ADDTIME=131526914300000000>;<RMD_CHANGETIME=131526914750000000>;<RMD_FLAGS=1>;<RMD_INVOCID=4f720a27-5a19-4fba-8e89-9f59f7c3533e>;<RMD_LOCAL_USN=102599>;<RMD_ORIGINATING_USN=102599>;<RMD_VERSION=1>;CN=jack,OU=Users,OU=Suzhou,DC=adagene,DC=cn
> Change DN to <GUID=c5c33d48-226b-4105-9c69-0506a22d3a15>;<SID=S-1-5-21-570971082-1333357699-3675202899-1007>;CN=jack,OU=Users,OU=Suzhou,DC=adagene,DC=cn? [y/N/all/none] all
>
> Failed to fix incorrect DN SID on attribute member : (68, 'samldb: member CN=jack,OU=Users,OU=Suzhou,DC=adagene,DC=cn already set via primaryGroupID 513')
>
> Checked 4419 objects (1 errors)
>
>  
>
> I checked the user Jack’s SID and GUID in the RSAT tool. His SID is
> S-1-5-21-570971082-1333357699-3675202899-1007 and GUID is
> c5c33d48-226b-4105-9c69-0506a22d3a15. All seems to match expectations.
>
>  
>
> And I use the ldap compare tools:
>
>  
>
> # samba-tool ldapcmp ldap://DC1 ldap://DC2 -Uadministrator
>
> Password for [ADAGENE\administrator]:
>
>  
>
> * Comparing [DOMAIN] context...
>
> * Objects to be compared: 761
>
> * Result for [DOMAIN]: SUCCESS
>
> * Comparing [CONFIGURATION] context...
>
> * Objects to be compared: 1615
>
> * Result for [CONFIGURATION]: SUCCESS
>
> * Comparing [SCHEMA] context...
>
> * Objects to be compared: 1550
>
> * Result for [SCHEMA]: SUCCESS
>
> * Comparing [DNSDOMAIN] context...
>
> * Objects to be compared: 241
>
> * Result for [DNSDOMAIN]: SUCCESS
>
> * Comparing [DNSFOREST] context...
>
> * Objects to be compared: 20
>
> * Result for [DNSFOREST]: SUCCESS
>
>  
>
> See that the LDAP content in the two DCs is the same. But one got an error
> and the other got no error.
>
>  
>
> So how could I fix the error in DC1?
>
>  
>
> Yours Adam.
>
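
Added example (not part of the original thread and not Samba's own code): a Python sketch that parses the dbcheck error line quoted above and reports whether the link it complains about is inactive, which is the case the reply describes as safe to ignore. It assumes that bit 0x1 of RMD_FLAGS marks a deleted (inactive) link and that RMD_CHANGETIME is an NT timestamp; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: bit 0x1 of RMD_FLAGS marks a deleted (inactive) link.
RMD_FLAG_DELETED = 0x1
NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

ERROR_RE = re.compile(
    r"ERROR: incorrect DN SID component for (?P<attr>\S+) in object "
    r"(?P<obj>.+?) - (?P<link><.+)$")
COMPONENT_RE = re.compile(r"<([A-Z_]+)=([^>]*)>;")

def nt_time(value):
    """Convert an NT timestamp (100 ns ticks since 1601-01-01 UTC)."""
    return NT_EPOCH + timedelta(microseconds=int(value) // 10)

def parse_link(link):
    """Split an extended DN into its <KEY=value> components and the plain DN."""
    return dict(COMPONENT_RE.findall(link)), COMPONENT_RE.sub("", link)

def triage(line):
    """Summarise one dbcheck SID-mismatch error, or return None if no match."""
    m = ERROR_RE.search(line)
    if m is None:
        return None
    comp, target = parse_link(m.group("link"))
    changed = comp.get("RMD_CHANGETIME")
    return {
        "object": m.group("obj"),
        "attribute": m.group("attr"),
        "target": target,
        "guid": comp.get("GUID"),
        "inactive": bool(int(comp.get("RMD_FLAGS", "0")) & RMD_FLAG_DELETED),
        "changed": nt_time(changed) if changed else None,
    }

# The error line from the thread, with the e-mail line wrapping undone.
SAMPLE = (
    "ERROR: incorrect DN SID component for member in object "
    "CN=Domain Users,CN=Users,DC=adagene,DC=cn - "
    "<GUID=c5c33d48-226b-4105-9c69-0506a22d3a15>;"
    "<RMD_ADDTIME=131526914300000000>;<RMD_CHANGETIME=131526914750000000>;"
    "<RMD_FLAGS=1>;<RMD_INVOCID=4f720a27-5a19-4fba-8e89-9f59f7c3533e>;"
    "<RMD_LOCAL_USN=102599>;<RMD_ORIGINATING_USN=102599>;<RMD_VERSION=1>;"
    "CN=jack,OU=Users,OU=Suzhou,DC=adagene,DC=cn")

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
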



