[Samba] migrating NT-style domain SID-error

Stefan Kania stefan at kania-online.de
Tue May 15 18:37:34 UTC 2018

Hi Rowland,

after we solved the puzzle today, here is what we found:
The Samba PDC with tdbsam backend was installed a loooooong time ago.
Many updates and distributions later, the Samba PDC was still running
with the same databases and the same smb.conf. The only thing that
someone sometime changed was the hostname and the NetBIOS name in
smb.conf. BUT in secrets.tdb was still the old name. Then they used the
iso-8859-15 codepage and there were some "fullname" entries with "ä", "ö"
and "ü". Then there were some local users in the passwd file with the same
ID and name as AD BUILTIN accounts. So with all these funny things it was
hard to get things running. After we saw the error message from
"samba-tool dbcheck" I tried to let samba-tool fix the problem, but it
didn't work. Then I tried to rebuild the index dbs and that was the
point where we found the users with "ä", "ö" and "ü". Because of the
character translation there was a lot of garbage inside the AD database.
So we set up a new Samba PDC with the original name, so we got a new
clean secrets.tdb. Then we copied the backup of all *.tdb files to the
new PDC, so that we had a clean running PDC. Then we changed the
"fullname" entries with "pdbedit", copied all files to the first AD and
did the classicupgrade. Then we found out that the sysvol share had the
wrong group set. I went through all the objects and found out that the
group "BUILTIN\administrators" had an ObjectClass PosixAccount and a
GidNumber. With ldbedit I removed the ObjectClass and the GidNumber, did
a "net cache flush", reset the permissions and everything was fine.
Now we had a nice running first ADDC, then we installed and joined the
second ADDC, and replication is working and we are happy.
And YES we are using Louis 4.7 packages.


Am 15.05.2018 um 09:39 schrieb Rowland Penny via samba:
> On Tue, 15 May 2018 08:07:27 +0200
> Stefan Kania <stefan at kania-online.de> wrote:
>> Good morning,
>> today we started all over with a new machine, we got the same errors
>> but now we have an error message when doing a "samba-tool dbcheck"
>> ---------------
>> root at addc:~# samba-tool dbcheck
>> Checking 664 objects
>> ERROR(runtime): uncaught exception - (31, 'WERR_GENERAL_FAILURE')
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/dbcheck.py", line 157, in run
>>     controls=controls, attrs=attrs)
>>   File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 198, in check_database
>>     error_count += self.check_object(object.dn, attrs=attrs)
>>   File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 1803, in check_object
>>     normalised = self.samdb.dsdb_normalise_attributes(self.samdb_schema, attrname, [val])
>>   File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 677, in dsdb_normalise_attributes
>>     return dsdb._dsdb_normalise_attributes(ldb, ldap_display_name, ldif_elements)
> It looks like it is falling over whilst trying to 'normalise' an entry
> in AD, could this be a 'locale' problem ??
> Rowland
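
A pre-migration check for the codepage problem described in this message, as an added example that is not part of the original post or of Samba: it reads `pdbedit -L -v` output as raw bytes and lists every account whose "Full Name" is not plain ASCII, marking the values that are not valid UTF-8. The sample dump and account names are constructed, and `classify` and `audit` are hypothetical helper names.

```python
import re

# Constructed sample of "pdbedit -L -v" output as raw bytes. The first entry
# carries ISO-8859-15 bytes, the third is already UTF-8. Names are made up.
SAMPLE = (
    b"---------------\n"
    b"Unix username:        jmueller\n"
    b"Full Name:            J\xfcrgen M\xfcller\n"
    b"---------------\n"
    b"Unix username:        asmith\n"
    b"Full Name:            Alice Smith\n"
    b"---------------\n"
    b"Unix username:        bkoehler\n"
    b"Full Name:            Bj\xc3\xb6rn K\xc3\xb6hler\n"
)

FIELD = re.compile(rb"^(Unix username|Full Name):[ \t]*(.*)$")


def classify(raw, legacy="iso-8859-15"):
    """Return (status, text): 'ascii', 'utf8', or 'legacy' for bytes that
    are not valid UTF-8 and are decoded with the assumed old codepage."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "legacy", raw.decode(legacy)
    is_ascii = all(b < 0x80 for b in raw)
    return ("ascii" if is_ascii else "utf8"), text


def audit(dump, legacy="iso-8859-15"):
    """List (user, status, full_name) for every non-ASCII Full Name."""
    findings, user = [], None
    for line in dump.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == b"Unix username":
            user = value.decode("ascii", "replace")
        elif user is not None:
            status, text = classify(value, legacy)
            if status != "ascii":
                findings.append((user, status, text))
    return findings


if __name__ == "__main__":
    for user, status, name in audit(SAMPLE):
        print(f"{user}: {status}: {name}")
```

Entries reported as `legacy` are the ones to re-enter as UTF-8 (the message above did this with pdbedit) before running the classicupgrade.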
