[Samba] `samba-tool dbcheck --cross-ncs --fix` fails: governsID already exists as an attributeId or governsId

Rowland penny rpenny at samba.org
Wed Jul 3 16:04:47 UTC 2019

On 03/07/2019 16:26, Sven Schwedas via samba wrote:
> On 03.07.19 17:19, Rowland penny via samba wrote:
>>> All these object classes were tests we did… years ago, and which have
>>> been "deleted" (I don't even remember by what mechanism) for almost as
>>> long. No object should still be using any of these, and on graz-dc-sem
>>> that's true.
>> I would love to know how you deleted something from the schema, it is
>> normally a bit 'Hotel California', you can add to the schema but never
>> remove anything from the schema.
> Hence "deleted", they're still around, just disabled. Which caused the
> ID reuse problem in the first place.
>>> There is, however, a new class called taoUser with the same X500 OID as
>>> ucsUser that's only used in one domain account (mine, of course); on
>>> graz-dc-sem the object correctly has the taoUser class assigned, on the
>>> other servers it's still an ucsUser.
>> That is probably your problem, you cannot have different names for what
>> seems to be the same objectclass.
> That's that, but I can't figure out what's supposed to reuse the other
> two IDs.
>>> All servers seem to replicate without errors according to samba-tool drs
>>> showrepl.
>>> How do I get rid of these bogus Schema entries, and how do I fix the
>>> user account?
>> I do not think you can remove anything from the schema, but I believe
>> you can deactivate schema objects, try reading this:
>> https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773309(v=ws.10)
> They already are disabled.

Have you extended the schema to use 'taouser' ?

I ask this because (from what you posted) it uses the same X500 OID as 
'ucsUser', another name for X500 OID is 'governsID', so this may be your 
problem, try deleting 'taouser' from your AD object (this is allowed) 
and see if your problem goes away.


More information about the samba mailing list