[Samba] [Patches] for dbcheck (Re: [Patches] AD Database corruption after upgrade from <= 4.6 to 4.7 (bug #13228))

Stefan Metzmacher metze at samba.org
Wed Jan 31 13:36:25 UTC 2018 

Hi Harsh,

sorry, but you're problem is not related to my patches.

This may need further investigation.

metze

Am 31.01.2018 um 12:45 schrieb Harsh Kukreja:
> Hi Stefan
> 
> I am also one of the Sernet customer. Can you guide me how to run the patch
> to fix the bug.
> 
> I am running 2 DC's Sernet Samba 4.7.4 with 2 RODC's running Sernet Samba
> 4.7.4. Whenever I run samba-tool drs replicate --fix --yes command on the
> DC it shows the below errors which cannot be fixed:
> 
> Failed to remove deleted DN attribute fromServer : (65, "objectclass_attrs:
> at least one mandatory attribute ('fromServer') on entry
> 'CN=79fbbaa2-a6b5-4dfd-a7f4-26aaa568f74e,CN=LostAndFoundConfig,CN=Configuration,DC=iumnet,DC=edu,DC=na'
> wasn't specified!")
> ERROR: no target object found for GUID component for link lastKnownParent
> in object
> CN=79fbbaa2-a6b5-4dfd-a7f4-26aaa568f74e,CN=LostAndFoundConfig,CN=Configuration,DC=iumnet,DC=edu,DC=na
> - <GUID=fbd5524d-78fb-4313-a62a-96dc802dd9e2>;CN=NTDS
> Settings\0ADEL:fbd5524d-78fb-4313-a62a-96dc802dd9e2,CN=LostAndFoundConfig,CN=Configuration,DC=iumnet,DC=edu,DC=na
> ERROR: target DN is deleted for lastKnownParent in object
> CN=79fbbaa2-a6b5-4dfd-a7f4-26aaa568f74e,CN=LostAndFoundConfig,CN=Configuration,DC=iumnet,DC=edu,DC=na
> - <GUID=fbd5524d-78fb-4313-a62a-96dc802dd9e2>;CN=NTDS
> Settings\0ADEL:fbd5524d-78fb-4313-a62a-96dc802dd9e2,CN=LostAndFoundConfig,CN=Configuration,DC=iumnet,DC=edu,DC=na
> Target GUID points at deleted DN
> '<GUID=fbd5524d-78fb-4313-a62a-96dc802dd9e2>;CN=NTDS
> Settings\\0ADEL:fbd5524d-78fb-4313-a62a-96dc802dd9e2,CN=LostAndFoundConfig,CN=Configuration,DC=iumnet,DC=edu,DC=na'
> Remove DN link? [YES]
> Failed to remove deleted DN attribute lastKnownParent : (65,
> "objectclass_attrs: at least one mandatory attribute ('fromServer') on
> entry
> 'CN=79fbbaa2-a6b5-4dfd-a7f4-26aaa568f74e,CN=LostAndFoundConfig,CN=Configuration,DC=iumnet,DC=edu,DC=na'
> wasn't specified!")
> WARNING: no target object found for GUID component for DN value fromServer
> in object
> CN=6eba8ddc-5f5b-4bf5-8025-772ec80a29e2,CN=LostAndFoundConfig,CN=Configuration,DC=iumnet,DC=edu,DC=na
> - <GUID=3da7e1da-33b5-428b-9313-2ae48ddfee10>;CN=NTDS
> Settings,CN=IUMONGDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=iumnet,DC=edu,DC=na
> WARNING: target DN is deleted for fromServer in object
> CN=6eba8ddc-5f5b-4bf5-8025-772ec80a29e2,CN=LostAndFoundConfig,CN=Configuration,DC=iumnet,DC=edu,DC=na
> - <GUID=3da7e1da-33b5-428b-9313-2ae48ddfee10>;CN=NTDS
> Settings,CN=IUMONGDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=iumnet,DC=edu,DC=na
> Target GUID points at deleted DN
> '<GUID=3da7e1da-33b5-428b-9313-2ae48ddfee10>;CN=NTDS
> Settings,CN=IUMONGDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=iumnet,DC=edu,DC=na'
> Remove stale DN link? [YES]
> Failed to remove deleted DN attribute fromServer : (65, "objectclass_attrs:
> at least one mandatory attribute ('fromServer') on entry
> 'CN=6eba8ddc-5f5b-4bf5-8025-772ec80a29e2,CN=LostAndFoundConfig,CN=Configuration,DC=iumnet,DC=edu,DC=na'
> wasn't specified!")
> ERROR: no target object found for GUID component for link lastKnownParent
> in object
> CN=6eba8ddc-5f5b-4bf5-8025-772ec80a29e2,CN=LostAndFoundConfig,CN=Configuration,DC=iumnet,DC=edu,DC=na
> - <GUID=fbd5524d-78fb-4313-a62a-96dc802dd9e2>;CN=NTDS
> Settings\0ADEL:fbd5524d-78fb-4313-a62a-96dc802dd9e2,CN=LostAndFoundConfig,CN=Configuration,DC=iumnet,DC=edu,DC=na
> ERROR: target DN is deleted for lastKnownParent in object
> CN=6eba8ddc-5f5b-4bf5-8025-772ec80a29e2,CN=LostAndFoundConfig,CN=Configuration,DC=iumnet,DC=edu,DC=na
> - <GUID=fbd5524d-78fb-4313-a62a-96dc802dd9e2>;CN=NTDS
> Settings\0ADEL:fbd5524d-78fb-4313-a62a-96dc802dd9e2,CN=LostAndFoundConfig,CN=Configuration,DC=iumnet,DC=edu,DC=na
> Target GUID points at deleted DN
> '<GUID=fbd5524d-78fb-4313-a62a-96dc802dd9e2>;CN=NTDS
> Settings\\0ADEL:fbd5524d-78fb-4313-a62a-96dc802dd9e2,CN=LostAndFoundConfig,CN=Configuration,DC=iumnet,DC=edu,DC=na'
> Remove DN link? [YES]
> Failed to remove deleted DN attribute lastKnownParent : (65,
> "objectclass_attrs: at least one mandatory attribute ('fromServer') on
> entry
> 'CN=6eba8ddc-5f5b-4bf5-8025-772ec80a29e2,CN=LostAndFoundConfig,CN=Configuration,DC=iumnet,DC=edu,DC=na'
> wasn't specified!")
> Checked 5920 objects (13 errors)
> 
> Can you please suggest if this patch is going to fix these errors.
> 
> Thanks n Regards
> 
> Harsh
> 
> *Harsh Kukreja *Systems Administrator
> *International University of Namibia *Tel: 061-4336000 - E-mail: h.kukreja
> @ium.edu.na - Web:
> *http://www.ium.edu.na <http://www.ium.edu.na/>*Private Bag
> 14005,Bachbrech. 21-31 Hercules Street, Dorado Park, Windhoek, NAMIBIA
> 
> 
> 
> 
> 
> 
> On Tue, Jan 30, 2018 at 8:56 PM, Stefan Metzmacher via samba <
> samba at lists.samba.org> wrote:
> 
>> Hi,
>>
>> as a lot of SerNet customers are having trouble with corrupted
>> linked attributes, my colleague Ralph Böhme and I developed
>> patches for 'samba-tool dbcheck' to recover the missing
>> forward links (in most cases missing member attributes).
>>
>> I'm currently running a private autobuild with these patches
>> and my colleague Björn Baumbach is currently testing SAMBA+
>> packages with the patches included, which will be released
>> as soon as possible.
>>
>> As the patches re-add members to groups administrators may want
>> avoid using '--yes' and ack the re-added members explicitly.
>>
>> The patches have enough review tags already, additional
>> review isn't required, we'll wait a bit to collect some feedback
>> from others, before pushing.
>>
>> Once the patches are reviewed for master, we'll also release
>> a new upstream 4.7 release with the fixes included.
>>
>> More technical details:
>>
>> As we lost the replication meta data for the forward link,
>> we create them using a special invocationId
>> ffffffff-4700-4700-4700-000000b13228 and an originating_usn
>> of 1. The add/changetime/local_usn are the one from the last
>> 'objectClass' modification (which typically never changes and therefor
>> matches the object creation time). We also use version = 0
>> in order to match the link creation of 4.7 and older releases.
>>
>> This way we can easily identify recreated forward links
>> and we avoid a new meta data stamp and incrementing of
>> the highestCommitedUSN. So each affected dc will just recover
>> the value in the local database. And any incoming
>> replication should overwrite the value again.
>>
>> See also https://bugzilla.samba.org/show_bug.cgi?id=13228
>>
>> metze
>>
>> Am 22.01.2018 um 10:49 schrieb Stefan Metzmacher via samba-technical:
>>> Hi,
>>>
>>> here're patches to avoid a database corruption with linked attributes,
>>> e.g. member/memberOf.
>>>
>>> See https://bugzilla.samba.org/show_bug.cgi?id=13228
>>>
>>> As a temporary solution admins can add "server services = -kcc" to the
>>> global section of smb.conf.
>>>
>>> Also DO NOT repair the following errors with samba-tool dbcheck!
>>> "Remove duplicate links in attribute"
>>> and
>>> "ERROR: orphaned backlink"
>>> as this removes the ability to repair the database
>>> in the next round of patches!
>>>
>>> Please review and push:-)
>>>
>>> Thanks!
>>> metze
>>>
>>
>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
> 


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20180131/0a4e08a2/signature.sig>

More information about the samba mailing list