[Samba] dbtool --cross-ncs and undeletable errors..

vincent at cojot.name vincent at cojot.name
Wed Jan 23 23:08:33 UTC 2019


Hi all, Hi Rowland,

No such luck. I temporarily set the tombstonelifetime to just 1 day (I'll 
set it back to 180 days later) but the records still show up:

[root at dc00 ~]#  samba-tool dbcheck --cross-ncs --fix --yes
Checking 3572 objects
ERROR: no target object found for GUID component for link fromServer in 
object 
CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn 
- <GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS 
Settings\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn
ERROR: target DN is deleted for fromServer in object 
CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn 
- <GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS 
Settings\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn
Target GUID points at deleted DN 
'<GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS 
Settings\\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn'
Remove DN link? [YES]
ERROR: Failed to remove deleted DN attribute fromServer : (65, 
"objectclass_attrs: at least one mandatory attribute ('fromServer') on 
entry 
'CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn' 
wasn't specified!")

Any ideas?

Vincent

On Tue, 22 Jan 2019, Rowland Penny via samba wrote:

> On Tue, 22 Jan 2019 15:19:10 -0500 (EST)
> "Vincent S. Cojot via samba" <samba at lists.samba.org> wrote:
>
>> On Tue, 22 Jan 2019, Rowland Penny via samba wrote:
>> 
>> > On Tue, 22 Jan 2019 14:20:21 -0500 (EST)
>> > "Vincent S. Cojot via samba" <samba at lists.samba.org> wrote:
>> >
>> >> 
>> >> Hi All,
>> >> 
>> >> On my two-DC setup (dc00 and dc01 - Used to be a 4-DC setup but 02
>> >> and 03 are gone), I've noticed the following errors which I am
>> >> unable to fix.. Any hints?
>> >> 
>> >> * Basic dbcheck is clean.
>> >> 
>> >> [root at dc00 ~]# samba-tool dbcheck
>> >> Checking 327 objects
>> >> Checked 327 objects (0 errors)
>> >> 
>> >> * Cross-NCS shows two errors related to a decommissioned DC (dc02)
>> >> and cannot auto-fix this.. How do I fix those errors?
>> >> 
>> >> [root at dc00 ~]# samba-tool dbcheck --cross-ncs --fix --yes
>> >> Checking 3574 objects
>> >> ERROR: no target object found for GUID component for link
>> >> fromServer in object 
>> >> CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn 
>> >> - <GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS 
>> >> Settings\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn
>> >> ERROR: target DN is deleted for fromServer in object 
>> >> CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn 
>> >> - <GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS 
>> >> Settings\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn
>> >> Target GUID points at deleted DN 
>> >> '<GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS 
>> >> Settings\\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,CN=DC02\\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,CN=Servers,CN=Krynn,CN=Sites,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn'
>> >> Remove DN link? [YES]
>> >> ERROR: Failed to remove deleted DN attribute fromServer : (65, 
>> >> "objectclass_attrs: at least one mandatory attribute ('fromServer')
>> >> on entry 
>> >> 'CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn' 
>> >> wasn't specified!")
>> >> 
>> >> 
>> >> Thanks for any hints/pointers.
>> >> 
>> >> Vincent
>> >> 
>> >
>> > This isn't an error, if you look very carefully at the 'link' you
>> > will see 'DEL'. This means the record is a 'DELETED' record, you
>> > cannot delete a 'DELETED' record ;-)
>> >
>> > If you wait for 180 days minus the number of days since you
>> > decommissioned the DC, the record will just go away.
>> >
>> > Rowland
>> 
>> Hi Rowland,
>> Thank you for your quick reply. Is there a way to force an expire on
>> those things so I can get past those errors and only consider new
>> errors as 'new'? It's been about 4-5 months since I removed those DCs
>> but an ldbsearch shows more objects in need of purge (Computers that
>> were removed, users too).
>> If I wanted to clean this manually, I guess I could do the following
>> (but I'm sure I'd -want- to do that):
>> 
>> export LDB_MODULES_PATH=/usr/lib64/samba/ldb
>> ldbedit -e nano -H /var/lib/samba/private/sam.ldb --cross-ncs  \
>> --show-deleted --show-deactivated-link --extended-dn
>> (and then light a few candles, I guess)..
>> 
>> Is there a way to do that safely using RSAT?
>> 
>> Thanks,
>> 
>> Vincent
>> 
>
> These are 'Tombstone' records and can be ignored, they will go away of
> their own accord, but if you want them to go away sooner, you are going
> to have to change something in AD.
>
> Run this as root on a DC:
>
> ldbedit -e nano -H /var/lib/samba/private/sam.ldb -s base -b
> "CN=Directory Service,CN=Windows
> NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com"
>
> Alter it to match your ldap domain.
>
> Amongst the output, there will be a line like this:
>
> tombstoneLifetime: 180
>
> Change the '180' to whatever number of days you want.
> Close and save with 'Ctl-x'
>
> Now wait the number of days you set.
>
> Once your deleted records have gone away, I would repeat the process
> and reset the attribute back to 180
>
> Rowland
>
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
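
Added example, not part of the original thread and not Samba code: a small parser for the wrapped `samba-tool dbcheck` output quoted above that separates errors explained by tombstoned link targets (the `\0ADEL:` RDNs, and the code-65 refusal on the same object) from anything else, so only the remainder needs attention. The function names `parse_errors` and `triage`, the sample layout and the last "constructed" error line are assumptions made for illustration.

```python
import re

# Constructed sample: the dbcheck output quoted in the thread (mail wraps kept),
# plus one constructed unrelated error so the triage has something to separate.
BASE = "CN=Configuration,DC=ad,DC=lasthome,DC=solace,DC=krynn"
OBJ = f"CN=4b3f95b1-7774-42cf-8bc0-755c7d29f6cc,CN=LostAndFoundConfig,{BASE}"
TGT = ("<GUID=c8bf60b8-c3b9-442f-a330-d706221bc889>;CN=NTDS \n"
       r"Settings\0ADEL:c8bf60b8-c3b9-442f-a330-d706221bc889,"
       r"CN=DC02\0ADEL:53a02791-a186-4a2f-aef9-6e180b814d8a,"
       f"CN=Servers,CN=Krynn,CN=Sites,{BASE}")
SAMPLE = f"""Checking 3572 objects
ERROR: no target object found for GUID component for link fromServer in
object {OBJ}
- {TGT}
ERROR: target DN is deleted for fromServer in object
{OBJ}
- {TGT}
Remove DN link? [YES]
ERROR: Failed to remove deleted DN attribute fromServer : (65,
"objectclass_attrs: at least one mandatory attribute ('fromServer') on
entry '{OBJ}'
wasn't specified!")
ERROR: constructed unrelated error on CN=example,{BASE}
"""

def parse_errors(text):
    """Rejoin wrapped dbcheck output and return one dict per ERROR record."""
    out = []
    for chunk in re.split(r"(?m)^(?=ERROR: |Check|Target GUID |Remove DN )", text):
        if chunk.startswith("ERROR: "):
            msg = " ".join(chunk.split())  # undo the hard line wraps
            obj = re.search(r"in object (\S+) - <GUID=|on entry '([^']+)'", msg)
            attr = re.search(r"(?:for (?:link )?|attribute )(\w+) (?:in object|:)", msg)
            code = re.search(r": \((\d+), ", msg)
            out.append({
                "object": (obj.group(1) or obj.group(2)) if obj else None,
                "attr": attr.group(1) if attr else None,
                # A deleted object's RDN is "<old RDN>\0ADEL:<objectGUID>" (\0A = newline).
                "tombstones": re.findall(r"(CN=[^,\\]+)\\0ADEL:([0-9a-f-]{36})", msg),
                "ldap_code": int(code.group(1)) if code else None,  # 65 = objectClassViolation
            })
    return out

def triage(errors):
    """Return (known, new): known = tombstone links, or a failed fix (code 65) on such an object."""
    stale = {e["object"] for e in errors if e["tombstones"]}
    known = [e for e in errors
             if e["tombstones"] or (e["ldap_code"] == 65 and e["object"] in stale)]
    return known, [e for e in errors if e not in known]
```

On the output from the thread, all three errors land in `known` because they concern the same `fromServer` link to the tombstoned DC02 objects; only the constructed line is returned as `new`.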


