[Samba] `samba-tool dbcheck --cross-ncs --fix` fails: governsID already exists as an attributeId or governsId

Rowland Penny rpenny at samba.org
Wed Jul 3 15:19:43 UTC 2019


On 03/07/2019 15:50, Sven Schwedas via samba wrote:
> It's amazing how long Samba just keeps running even when apparently
> everything's broken.
>
> In preparation of finally upgrading our DCs to 41.0, I ran dbcheck on
> all of them, resulting in:
>
> graz-dc-sem:
>> Checking 3861 objects
>> Error: governsID CN=ucsUser,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on 1.3.6.1.4.1.19414.3.2.2 already exists as an attributeId or governsId
>> Error: governsID CN=taoSharedFolder,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on 1.3.6.1.4.1.19414.3.2.4 already exists as an attributeId or governsId
>> Error: governsID CN=taoMailingList,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on 1.3.6.1.4.1.19414.3.2.3 already exists as an attributeId or governsId
>> Checked 3861 objects (3 errors)
> All other DCs:
>> Checking 3861 objects
>> Error: governsID CN=ucsUser,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on 1.3.6.1.4.1.19414.3.2.2 already exists as an attributeId or governsId
>> Error: governsID CN=taoSharedFolder,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on 1.3.6.1.4.1.19414.3.2.4 already exists as an attributeId or governsId
>> Error: governsID CN=taoMailingList,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on 1.3.6.1.4.1.19414.3.2.3 already exists as an attributeId or governsId
>> ERROR(runtime): uncaught exception - objectclass ucsUser marked as isDefunct objectClass in schema - not valid for new objects
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 176, in _run
>>      return self.run(*args, **kwargs)
>>    File "/usr/lib/python2.7/dist-packages/samba/netcmd/dbcheck.py", line 157, in run
>>      controls=controls, attrs=attrs)
>>    File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 198, in check_database
>>      error_count += self.check_object(object.dn, attrs=attrs)
>>    File "/usr/lib/python2.7/dist-packages/samba/dbchecker.py", line 1708, in check_object
>>      normalised = self.samdb.dsdb_normalise_attributes(self.samdb_schema, attrname, obj[attrname])
>>    File "/usr/lib/python2.7/dist-packages/samba/samdb.py", line 677, in dsdb_normalise_attributes
>>      return dsdb._dsdb_normalise_attributes(ldb, ldap_display_name, ldif_elements)
>
> All these object classes were tests we did… years ago, and which have
> been "deleted" (I don't even remember by what mechanism) for almost as
> long. No object should still be using any of these, and on graz-dc-sem
> that's true.

I would love to know how you deleted something from the schema, it is
normally a bit 'Hotel California', you can add to the schema but never
remove anything from the schema.
>
> There is, however, a new class called taoUser with the same X500 OID as
> ucsUser that's only used in one domain account (mine, of course); on
> graz-dc-sem the object correctly has the taoUser class assigned, on the
> other servers it's still an ucsUser.

That is probably your problem, you cannot have different names for what 
seems to be the same objectclass.

>
> All servers seem to replicate without errors according to samba-tool drs
> showrepl.
>
> How do I get rid of these bogus Schema entries, and how do I fix the
> user account?

I do not think you can remove anything from the schema, but I believe 
you can deactivate schema objects, try reading this:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773309(v=ws.10)

Rowland
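
The following is an added example, not part of the original message and not Samba code: a standalone check that scans an LDIF dump of the schema partition for the condition dbcheck reports, one OID claimed by more than one schema object, and shows which of the colliding objects are marked defunct. The function names and the sample LDIF are constructed for illustration; the values taken from the thread and the assumed ones are marked in the code.

```python
import base64
from collections import defaultdict

# Constructed sample schema dump (LDIF). ucsUser/taoMailingList DNs and OIDs are from
# the thread's dbcheck output; the taoUser DN and taoMailingList isDefunct are assumed.
SAMPLE_LDIF = """\
dn: CN=ucsUser,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at
objectClass: classSchema
governsID: 1.3.6.1.4.1.19414.3.2.2
isDefunct: TRUE

dn: CN=taoUser,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at
objectClass: classSchema
governsID: 1.3.6.1.4.1.19414.3.2.2

dn: CN=taoMailingList,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at
objectClass: classSchema
governsID: 1.3.6.1.4.1.19414.3.2.3
isDefunct: TRUE
"""

def parse_ldif(text):
    """Yield one {attr_lower: [values]} dict per LDIF record."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # undo line folding
    for block in unfolded.split("\n\n"):
        rec = defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            rec[attr.lower()].append(value.strip())
        if "dn" in rec:
            yield rec

def oid_collisions(text):
    """Map each OID claimed by more than one schema object to [(dn, is_defunct)]."""
    by_oid = defaultdict(list)
    for rec in parse_ldif(text):
        defunct = rec.get("isdefunct", ["FALSE"])[0].upper() == "TRUE"
        for oid in rec.get("governsid", []) + rec.get("attributeid", []):
            by_oid[oid].append((rec["dn"][0], defunct))
    return {oid: objs for oid, objs in by_oid.items() if len(objs) > 1}

if __name__ == "__main__":
    for oid, objs in sorted(oid_collisions(SAMPLE_LDIF).items()):
        print(oid)
        for dn, defunct in objs:
            print("   ", "defunct" if defunct else "active ", dn)
```

Running the same check against a dump from each DC and comparing the results shows whether the servers agree on which object owns a given OID.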






