[Samba] restore deleted user (ldbrename) on samba 4.9.1 fails

Oliver Heinz o.heinz at schunk.net
Mon Oct 15 13:47:27 UTC 2018


Dear list,

I am trying to restore a deleted user object with samba 4.9.1 (sernet
packages). I am aware that the object will lose some attributes without the
recycle bin enabled (enabling it is still not recommended, right?).
I tried to rename the object in order to make the necessary
modifications afterward (as documented in Stefan Kania's Samba 4 book),
but ldbrename already fails.

root at dc1:~# samba-tool user create testuser
New Password:
Retype Password:
User 'testuser' created successfully

root at dc1:~# samba-tool user delete testuser
Deleted user testuser

root at dc1:~# ldbsearch -H ldap://localhost -U administrator 
--password="Passw0rd" --show-deleted "cn=testuser\0ADEL:*"
# record 1
dn: CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=Deleted 
Objects,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
instanceType: 4
whenCreated: 20181015123644.0Z
uSNCreated: 4038
objectGUID: d4357200-a367-4601-93df-8c769f1d0e4f
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1112
sAMAccountName: testuser
userAccountControl: 512
isDeleted: TRUE
lastKnownParent: CN=Users,DC=samdom,DC=example,DC=com
isRecycled: TRUE
cn:: dGVzdHVzZXIKREVMOmQ0MzU3MjAwLWEzNjctNDYwMS05M2RmLThjNzY5ZjFkMGU0Zg==
name:: dGVzdHVzZXIKREVMOmQ0MzU3MjAwLWEzNjctNDYwMS05M2RmLThjNzY5ZjFkMGU0Zg==
whenChanged: 20181015123702.0Z
uSNChanged: 4041
distinguishedName: 
CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=D
  eleted Objects,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# Referral
ref: ldap://samdom.example.com/DC=ForestDnsZones,DC=samdom,DC=example,DC=com

# returned 4 records
# 1 entries
# 3 referrals

root at dc1:~# ldbrename -H ldap://localhost -Uadministrator 
--password="Passw0rd" 
"CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=Deleted 
Objects,DC=samdom,DC=example,DC=com" 
"CN=testuser,CN=Users,DC=samdom,DC=example,DC=com"
rename of 
'CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=Deleted 
Objects,DC=samdom,DC=example,DC=com' to 
'CN=testuser,CN=Users,DC=samdom,DC=example,DC=com' failed - LDAP error 
32 LDAP_NO_SUCH_OBJECT -  <00002030: ldb_wait from 
../source4/ldap_server/ldap_backend.c:487 with LDB_WAIT_ALL: No such 
object (32)> <>

Verbose and trace give no further hint. Any ideas? It seems to have worked in
earlier versions.

With a regular LDAP server we can use LDIF dumps to restore objects, not
comfortable but working. But this is not working for AD as it is not
allowed to create objects with an objectSid, right?
Is there another (recommended) way to restore deleted objects
(particularly users and groups)?



TIA,
Oliver
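For readers of the thread: the `\0ADEL:` in the DN above is the RFC 4514 hex escape of a raw newline byte (0x0A) that Active Directory inserts into the RDN of a deleted object, which is also why ldbsearch prints `cn` and `name` in base64 (`cn::`). The following Python script is an added example, not part of the original post and not Samba's own tooling. It parses a constructed LDIF record modelled on the ldbsearch output above (folded `distinguishedName` line, base64 `cn`), rebuilds the Deleted Objects DN from the decoded `cn` value to confirm it matches what the server reports, derives from `lastKnownParent` the DN the object would return to, and classifies the object from its `isDeleted`/`isRecycled` flags. All function and constant names are the example's own; the DN escaping follows RFC 4514 and the state classification follows AD's deletion model.

```python
import base64

# Constructed sample record, modelled on the ldbsearch --show-deleted output
# in the post above (attribute names and the GUID/SID values come from that
# output; the record is shortened). Note the folded distinguishedName line
# (LDIF continuation = one leading space) and the base64 ('::') form of cn,
# which ldbsearch uses because the value contains a raw 0x0A byte.
SAMPLE_LDIF = r"""dn: CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=Deleted Objects,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: user
objectGUID: d4357200-a367-4601-93df-8c769f1d0e4f
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1112
sAMAccountName: testuser
isDeleted: TRUE
lastKnownParent: CN=Users,DC=samdom,DC=example,DC=com
isRecycled: TRUE
cn:: dGVzdHVzZXIKREVMOmQ0MzU3MjAwLWEzNjctNDYwMS05M2RmLThjNzY5ZjFkMGU0Zg==
distinguishedName: CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=D
 eleted Objects,DC=samdom,DC=example,DC=com
"""

# Deleted Objects container of the sample domain (taken from the post's DNs).
DELETED_OBJECTS = "CN=Deleted Objects,DC=samdom,DC=example,DC=com"


def parse_ldif_record(text):
    """Parse one LDIF record into {attribute: [values]}.

    Handles folded lines (a continuation line starts with a single space),
    the 'attr:: base64' form and '#' comment lines. Base64 values are decoded
    as UTF-8, so the raw 0x0A inside cn becomes a real newline character.
    """
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entry = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entry


def escape_rdn_value(value):
    """Escape an attribute value for use in a DN string (RFC 4514, 2.4).

    Special characters get a backslash; bytes outside printable ASCII, such
    as the 0x0A in a deleted object's name, are written as \\XX hex pairs.
    That is exactly how 'testuser\\0ADEL:...' arises from the raw cn value.
    """
    out = []
    for ch in value:
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("".join("\\%02X" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    s = "".join(out)
    if s.startswith("#") or s.startswith(" "):
        s = "\\" + s          # leading '#' and space must be escaped
    if s.endswith(" "):
        s = s[:-1] + "\\ "    # trailing space must be escaped
    return s


def deleted_object_dn(entry, container):
    """Rebuild the DN AD assigns to a deleted object from its raw cn value."""
    return "CN=%s,%s" % (escape_rdn_value(entry["cn"][0]), container)


def restore_target_dn(entry):
    """DN the object would return to: original CN under lastKnownParent.

    The original CN is the part of the mangled name before the 0x0A 'DEL:' suffix.
    """
    original_cn = entry["cn"][0].split("\n", 1)[0]
    return "CN=%s,%s" % (escape_rdn_value(original_cn), entry["lastKnownParent"][0])


def deletion_state(entry):
    """'live', 'deleted' (reanimatable) or 'recycled' per isDeleted/isRecycled."""
    deleted = entry.get("isDeleted", ["FALSE"])[0].upper() == "TRUE"
    recycled = entry.get("isRecycled", ["FALSE"])[0].upper() == "TRUE"
    if not deleted:
        return "live"
    return "recycled" if recycled else "deleted"


if __name__ == "__main__":
    e = parse_ldif_record(SAMPLE_LDIF)
    print("raw cn bytes :", e["cn"][0].encode("utf-8"))
    print("DN rebuilt ok:", deleted_object_dn(e, DELETED_OBJECTS) == e["dn"][0])
    print("restore to   :", restore_target_dn(e))
    print("state        :", deletion_state(e))
```

The last function is the check worth running before any rename-based restore: in the Active Directory deletion model an object carrying `isRecycled: TRUE` is one the directory will no longer reanimate, and the record in the post shows that flag set on a freshly deleted user. Confirming the state first separates "the DN I typed is wrong" from "the server will not bring this object back", which the LDAP error text alone does not.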
