[Samba] Domain join issues - 4.9.0

Rowland Penny rpenny at samba.org
Tue Nov 20 13:55:11 UTC 2018

On Tue, 20 Nov 2018 13:17:58 +0000
Jonathan Hunter via samba <samba at lists.samba.org> wrote:

> Hi,
> Does anyone have experience of using ldbedit or similar, to remove the
> duplicates below? (Is that even the right way for me to go?) Can I
> perhaps query something using ldbsearch, to find the duplicates,
> before using ldbedit?
> On Sun, 18 Nov 2018 at 21:37, Jonathan Hunter <jmhunter1 at gmail.com>
> wrote:
> > [...]
> > In my database, as reported by the domain join command above, I have
> > five duplicates 'for index on servicePrincipalName', plus 107
> > duplicates for index on a custom LDAP attribute I am using. If
> > there's a correct way I can step through these one by one, and
> > remove the duplicates, I am happy to try...
> I guess ldbedit does carry some level of risk with it, but I can't
> seem to add any DCs to my domain at the moment which is unfortunate as
> I had a hardware failure that I now can't recover from.
> I note that this was last discussed on the list on 20 March 2018 at
> 03:14 (message ID
> <1113A703-649B-42D5-BDFC-2842767B31E5 at dignitastechnologies.com>) but
> there was no conclusion to that thread other than a comment that
> 4.9.0pre1 seemed to resolve the issue. However, I am now using 4.9.2
> on one of my DCs and on the DC that is being newly joined, and I am
> still having the problem. (My two other DCs are still on 4.9.0)
> For reference, this is the type of error I'm getting when joining my
> DC: ../lib/ldb/ldb_tdb/ldb_index.c:2352: duplicate attribute value in
> CN=somePC,OU=someOU,OU=Computers,OU=mysite,DC=mydomain,DC=org for
> index on servicePrincipalName, duplicate of objectGUID
> 00000000-1111-2222-3333-444444444444 in
> Cheers
> Jonathan

Try this to search for computers:

ldbsearch -k yes -P -H ldap://dc1 -b 'dc=samdom,dc=example,dc=com' \
    -s sub '(objectclass=computer)' servicePrincipalName > /tmp/computer.ldif

Replace 'dc1' with your DC short hostname and
'dc=samdom,dc=example,dc=com' with your LDAP info.

This actually raises an interesting question: when I run it, it lists
all my computers, but the only ones that have a
'RestrictedKrbHost/PC_NAME' SPN are Windows PCs; not one of my Unix
computers has such a line.
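
One way to pick the duplicates out of the LDIF that the ldbsearch command above writes, as an added example that is not part of the original message or of Samba: it unfolds wrapped lines, decodes base64 ("::") values and reports every servicePrincipalName held by more than one DN. The function names and the sample data are constructed for illustration, and the case-insensitive comparison of SPN values is an assumption.

```python
import base64
import re
import sys
from collections import defaultdict

# Constructed sample in the shape ldbsearch writes; not data from the thread.
SAMPLE_LDIF = """\
# record 1
dn: CN=PC1,OU=Computers,DC=samdom,DC=example,DC=com
servicePrincipalName: HOST/pc1.samdom.example.com

# record 2
dn: CN=PC1-OLD,OU=Computers,DC=samdom,DC=example,
 DC=com
servicePrincipalName: host/pc1.samdom.example.com
servicePrincipalName:: SE9TVC9QQzEtT0xE
"""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})]; unfolds lines, decodes base64."""
    entries = []
    unfolded = re.sub(r"\n ", "", text.replace("\r\n", "\n"))
    for block in unfolded.split("\n\n"):       # records end at a blank line
        attrs = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue                       # comment such as "# record 1"
            name, _, rest = line.partition(":")
            if rest.startswith(":"):           # "attr:: <base64>"
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            attrs[name.lower()].append(value)
        if "dn" in attrs:                      # skips referrals and trailers
            entries.append((attrs.pop("dn")[0], dict(attrs)))
    return entries

def duplicate_spns(entries):
    """Map each SPN (lower-cased, assumed case-insensitive) to its DNs if >1."""
    owners = defaultdict(set)
    for dn, attrs in entries:
        for spn in attrs.get("serviceprincipalname", []):
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for spn, dns in sorted(duplicate_spns(parse_ldif(text)).items()):
        print(spn, *dns, sep="\n    ")
```

Pass /tmp/computer.ldif as the only argument to check real output. The search filter above only returns computer objects, so an SPN that is also set on a user account will not show up as a duplicate here.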

