[Samba] Domain join issues - 4.9.0

Jonathan Hunter jmhunter1 at gmail.com
Fri Nov 23 15:18:47 UTC 2018


Thanks Rowland.

On Tue, 20 Nov 2018 at 13:56, Rowland Penny via samba
<samba at lists.samba.org> wrote:
> Jonathan Hunter via samba <samba at lists.samba.org> wrote:
> > Does anyone have experience of using ldbedit or similar, to remove the
> > duplicates below? (Is that even the right way for me to go?) Can I
> > perhaps query something using ldbsearch, to find the duplicates,
> > before using ldbedit?
>

Interestingly, I decided to play it safe and create a backup first of
all, using the new samba 4.9.2 backup commands. But (probably as
expected), the online backup reported the exact same errors as a
domain join - i.e. "../lib/ldb/ldb_tdb/ldb_index.c:2352: duplicate
attribute value in XXX".. I am therefore not certain if this backup
would actually be useful for a restore, but it seems that 4.9.2 does
not yet contain support for an offline backup (it just has
online/rename/restore)

> Try this to search for computers:
>
> ldbsearch -k yes -P -H ldap://dc1 -b 'dc=samdom,dc=example,dc=com' \
>     -s sub '(objectclass=computer)' servicePrincipalName > /tmp/computer.ldif

I ended up using the following variant instead (since I am logged in
with a local user and have no Kerberos tickets)
user@dc2:~ $ sudo ldbsearch -H /usr/local/samba/private/sam.ldb \
    '(&(cn=laptop1)(objectclass=computer))' servicePrincipalName | less
(where laptop1 is the computer object that had led to the errors about
duplicate values)

The output of this is as follows:
# record 1
dn: CN=laptop1,OU=Laptops,OU=Computers,OU=MyOwnOU,DC=mydomain,DC=org
servicePrincipalName: HOST/LAPTOP1.mydomain.org
servicePrincipalName: RestrictedKrbHost/LAPTOP1.mydomain.org
servicePrincipalName: HOST/LAPTOP1
servicePrincipalName: RestrictedKrbHost/LAPTOP1
servicePrincipalName: TERMSRV/LAPTOP1.mydomain.org
servicePrincipalName: TERMSRV/LAPTOP1
servicePrincipalName: restrictedkrbhost/laptop1
servicePrincipalName: restrictedkrbhost/laptop1.mydomain.org
servicePrincipalName: termsrv/laptop1
servicePrincipalName: termsrv/laptop1.mydomain.org

Which leads me to think that I should be able to use ldbedit to remove
the duplicate entries.. I think... ? Something like this might work..
I just need to work out which entries I can safely delete..
(UPPERCASE? CamelCase? lowercase? etc.) I think if I leave one of
each, ignoring case, then things should mostly be OK.

I think that the following command should work:
user@dc2:~ $ sudo ldbedit -H /usr/local/samba/private/sam.ldb \
    '(&(cn=laptop1)(objectclass=computer))'

Luckily for me, one of the affected computers (this laptop1 example)
is not actually in existence any longer, so I can use that as my first
test edit before moving onto some of the other duplicate entries which
are still in use..

Thanks

Jonathan

-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein
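
A read-only way to list the servicePrincipalName values that differ only by case, before anything is changed with ldbedit. This is an added example, not part of the original post and not Samba code: the names find_case_duplicates and SAMPLE_LDIF are hypothetical, the sample is constructed from the output quoted above, and it assumes the LDIF text comes from ldbsearch saved to a file or piped in.

```python
import base64
from collections import defaultdict

# Constructed sample, in the shape of the ldbsearch output quoted in the post.
SAMPLE_LDIF = """\
# record 1
dn: CN=laptop1,OU=Laptops,OU=Computers,OU=MyOwnOU,DC=mydomain,DC=org
servicePrincipalName: HOST/LAPTOP1.mydomain.org
servicePrincipalName: RestrictedKrbHost/LAPTOP1.mydomain.org
servicePrincipalName: HOST/LAPTOP1
servicePrincipalName: RestrictedKrbHost/LAPTOP1
servicePrincipalName: TERMSRV/LAPTOP1.mydomain.org
servicePrincipalName: TERMSRV/LAPTOP1
servicePrincipalName: restrictedkrbhost/laptop1
servicePrincipalName: restrictedkrbhost/laptop1.mydomain.org
servicePrincipalName: termsrv/laptop1
servicePrincipalName: termsrv/laptop1.mydomain.org
"""

def find_case_duplicates(ldif_text, attr="servicePrincipalName"):
    """Map each DN to the groups of attr values that are equal ignoring case."""
    groups = defaultdict(lambda: defaultdict(list))
    dn = None
    # LDIF folds long lines: a newline followed by one space continues the value.
    for line in ldif_text.replace("\n ", "").splitlines():
        if not line.strip():
            dn = None  # a blank line ends the current record
        if not line.strip() or line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):  # "attr:: ..." carries a base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        elif dn and name.lower() == attr.lower():
            groups[dn][value.casefold()].append(value)
    dups = {d: [v for v in g.values() if len(v) > 1] for d, g in groups.items()}
    return {d: v for d, v in dups.items() if v}

if __name__ == "__main__":
    for dn, dup_groups in find_case_duplicates(SAMPLE_LDIF).items():
        print(dn)
        for values in dup_groups:
            print("   ", "  ==  ".join(values))
```

The same function works on a whole-directory export, since it groups per DN and only reports records that contain at least one case-insensitive collision.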


