[Samba] `samba-tool dbcheck --cross-ncs --fix` fails: governsID already exists as an attributeId or governsId
Rowland penny
rpenny at samba.org
Thu Jul 4 15:20:09 UTC 2019
On 04/07/2019 15:56, Sven Schwedas via samba wrote:
> On 04.07.19 15:54, Rowland penny via samba wrote:>> Still left are the
> three governsId collisions, which are now identical
>>> across all DCs:
>>>
>>>> Checking 3861 objects
>>>> Error: governsID
>>>> CN=ucsUser,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on
>>>> 1.3.6.1.4.1.19414.3.2.2 already exists as an attributeId or governsId
>>>> Error: governsID
>>>> CN=taoSharedFolder,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on
>>>> 1.3.6.1.4.1.19414.3.2.4 already exists as an attributeId or governsId
>>>> Error: governsID
>>>> CN=taoMailingList,CN=Schema,CN=Configuration,DC=ad,DC=tao,DC=at on
>>>> 1.3.6.1.4.1.19414.3.2.3 already exists as an attributeId or governsId
>>>> Checked 3861 objects (3 errors)
>>> How do I fix those? Can I just edit the old, defunct classes and change
>>> their governsId without breaking something?
>> I do not know, mainly because I have never tried to do something like
>> this on a production server.
> Unsurprisingly, remote ldbedit fails with
> LDAP_INSUFFICIENT_ACCESS_RIGHTS when trying to modify an object's
> governsId.
>
> Is it safe to just leave the defunct objects as they are, or should I
> attempt to directly modify the ldb files on the FSMO role holder?
>
I would ensure that they are all disabled and see how you go on. I get
the feeling you will break your AD if you try to delete them from your
schema, everything I have read says you cannot remove objects from the
AD schema.
Rowland
More information about the samba
mailing list