[Samba] samba-tool dbcheck on 4.7.5, after bug 13228

Jonathan Hunter jmhunter1 at gmail.com
Fri Feb 16 11:44:49 UTC 2018


Replying to my own query, for those following along at home (or reading the
archives in the future). Thanks very much to Garming for giving me these

My initial query probably wasn't very clear - apologies - but what it
boiled down to was that "samba-tool dbcheck --cross-ncs" identified a
number of errors, but these were *NOT* fixed when I ran the same command
with "--yes".

The answer was that I needed to run dbcheck *without* the "--yes" argument,
and instead manually specify y / all during the check itself. *These have
slightly different behaviours*, particularly if there is an error in the
middle which might be happening.

This successfully fixed the errors I had in my DB (actually, I still had
some group membership issues with some newer users I had added to Domain
Users / Domain Guests) but the bulk of the problems are now gone. I did
also run the dbcheck on each DC individually; each had a slightly different
set of errors, but most of my DCs are now reporting no errors via dbcheck,
which is good :-)

I'm therefore not sure if the "samba-tool dbcheck --help" wording for
"--yes" should be updated.
Currently the help text for --yes is:
  "don't confirm changes, just do them all as a single transaction".

Should it say something like:
  "don't confirm changes individually, do them all as a single transaction,
this has different behaviour to answering yes each time, and may fail in
case of some errors"

(The other pointer I was given was to raise the debug level (maybe to level
3) using -d3 and seeing if there are any error messages presented in those
logs. I didn't need to use this, but it might help others having similar



On 9 February 2018 at 10:20, Jonathan Hunter <jmhunter1 at gmail.com> wrote:

> On 7 February 2018 at 23:44, Jonathan Hunter <jmhunter1 at gmail.com> wrote:
>> Hi,
>> Firstly thank you to all the Samba team for continued help & support..
>> and thank you to those involved in resolving bug 13228, which might well
>> explain a number of issues I was having recently (I had thought
>> coincidentally, after upgrading to 4.7.4)
>> Can I check the expected behaviour of 'samba-tool dbcheck --cross-ncs
>> --fix'?
>> On 7 February 2018 at 08:59, Karolin Seeger via samba <
>> samba at lists.samba.org> wrote:
>>> o  BUG 13228: This is a major issue in Samba's ActiveDirectory domain
>>>    controller code. It might happen that AD objects have missing or
>>> broken
>>>    linked attributes. This could lead to broken group memberships e.g.
>>>    All Samba AD domain controllers set up with Samba 4.6 or lower and
>>> then
>>>    upgraded to 4.7 are affected. The corrupt database can be fixed with
>>>    'samba-tool dbcheck --cross-ncs --fix'.
>> What is the expected behaviour of this command if run consecutively?

"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein

More information about the samba mailing list