[Samba] Sysvol reset
L.P.H. van Belle
belle at bazuin.nl
Wed Sep 11 09:38:44 UTC 2019
A bit late in reaction here, but this is what I suggest.
You're on CentOS, that's fine; the primary goal for you is to get the latest packages.
And these days, like I do the Debian packages, there is also someone doing CentOS/RH packages.
See subject "[Samba] Samba 4.10.8 and 4.9.13 for rhel7/centos7 rpms"
> So do I. The problem I have is what is the command line equivalent of adsi edit?
> If it is ldb search/edit/delete, how does one figure out the correct
> incantation to add/delete/modify things?
> For instance, I have the following record:
> # record 4009
> dn: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
> objectClass: top
> objectClass: site
> cn: Default-First-Site-Name
> instanceType: 4
> whenCreated: 20061005105708.0Z
> whenChanged: 20061005105708.0Z
> uSNCreated: 3742
> showInAdvancedViewOnly: TRUE
> name: Default-First-Site-Name
> objectGUID: 206ddbbb-14cf-4f37-bb66-1f2d07bac717
> systemFlags: 1107296256
> objectCategory: CN=Site,CN=Schema,CN=Configuration,DC=mydomain,DC=com
> uSNChanged: 10210
> msExchServerSiteBL: CN=PHT1,CN=Servers,CN=Exchange Administrative Group (FYDIB
> OHF23SPDLT),CN=Administrative Groups,CN=MYDOMAIN,CN=Microsoft Exchange,CN=Servi
> distinguishedName: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pht
> Is there a document that explains all of this in a manner that mere mortals can
Yes, https://docs.microsoft.com/ ( ;-) sorry ... )
> The above server no longer exists. It died before I could remove it gracefully
> so I am left with a mess that I think the only way to clean it up is to
> remove the remaining records by hand.
Try running: samba-tool domain tombstones expunge
> I normally would not care that these orphaned records are there except that
> when I run samba-tool dbcheck --cross-ncs --fix I get 316 errors and none of
> them get repaired. Most if not all appear to be related to the dead server.
> For the record adsi edit will only let me look at the records. If I try to
> delete/modify anything, I get an error that says "Operation Failed error code
> 0x202c. the server does not support the requested critical extensions"
> In case it is useful in fixing the problem the following is a sample of the output
> of samba-tool dbcheck --cross-ncs --fix:
> WARNING: no target object found for GUID component for cross-partition link otherWellKnownObjects in object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com -
> B:32:A7D2016C83F003458132789EEB127B84:<GUID=5dc1e7ca-2cbc-4318-b250-b7d9126e02f6>;<SID=S-1-5-21-619667644-1604242038-736796184-1619>;CN=Exchange Servers,OU=Microsoft Exchange Security
> Not removing dangling one-way cross-partition link (we might be mid-replication)
> Fix nTSecurityDescriptor on CN=57428d75-bef7-43e1-938b-2e749f5a8d56,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com? [y/N/all/none] y
> Fixed attribute 'nTSecurityDescriptor' of 'CN=57428d75-bef7-43e1-938b-2e749f5a8d56,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com'
> Fix nTSecurityDescriptor on CN=RpcServices,CN=System,DC=mydomain,DC=com? [YES]
> Fixed attribute 'nTSecurityDescriptor' of 'CN=RpcServices,CN=System,DC=mydomain,DC=com'
> Checked 9880 objects (316 errors)
> As you can see it says that it is fixing things but if I run it again, I get the same results.
First, I am saying: ignore these errors and upgrade to the latest 4.10.
Then run samba-tool domain tombstones expunge again and samba-tool dbcheck --cross-ncs --fix
after you have upgraded (use upgrade steps, 4.8 -> 4.9 -> 4.10).
If you don't want to upgrade that far, then you could try to remove the faulty records with the Windows tools.
Clean up the AD-DC data and clean up the AD-DNS data. If you use the Windows tools, enable advanced view.
And it's a pain, but you must go and check every level/folder record ... etcetera.
And I know, if you repeat this a few times, you know where to look.
Then stop/start samba and check again with samba-tool dbcheck.
If there are records you removed and you're getting these back, then mail the list again.
I see these are related links to MS Exchange servers.
It might be that your schema is extended and you're not able to remove that extended part.
But I can't tell that, I just don't know.
Last, use for example Apache Studio and search manually through LDAP:
! Do note, here, remove the wrong things and you might get more problems.
So make very very sure you have good backups before you start.
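
The quoted observation that dbcheck claims to fix things yet reports the same results on the next run can be checked by comparing two runs. This is an added example, not part of the original message or of Samba: the patterns are assumed from the output lines quoted above, and both sample runs are constructed.

```python
import re

# Patterns assumed from the dbcheck lines quoted in the message; other
# dbcheck message types are not covered.
SUMMARY = re.compile(r"Checked (\d+) objects \((\d+) errors\)")
DANGLING = re.compile(r"WARNING: no target object found for GUID component "
                      r"for cross-partition link (\S+) in object (.+?) -$")
FIXED = re.compile(r"Fixed attribute '([^']+)' of '([^']+)'")

def parse_dbcheck(text):
    """Return (findings, checked, errors) for one saved dbcheck run."""
    findings, checked, errors = set(), None, None
    for raw in text.splitlines():
        line = raw.lstrip("> ").rstrip()   # tolerate mail quoting
        if m := DANGLING.match(line):
            findings.add(("dangling-link", m.group(1), m.group(2)))
        elif m := FIXED.match(line):
            findings.add(("fixed", m.group(1), m.group(2)))
        elif m := SUMMARY.match(line):
            checked, errors = int(m.group(1)), int(m.group(2))
    return findings, checked, errors

def persistent(before, after):
    """Findings reported in both runs, i.e. fixes that did not stick."""
    return sorted(parse_dbcheck(before)[0] & parse_dbcheck(after)[0])

# Constructed sample: first run, built from the lines quoted in the message.
RUN1 = """\
WARNING: no target object found for GUID component for cross-partition link otherWellKnownObjects in object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com -
Not removing dangling one-way cross-partition link (we might be mid-replication)
Fixed attribute 'nTSecurityDescriptor' of 'CN=57428d75-bef7-43e1-938b-2e749f5a8d56,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com'
Fixed attribute 'nTSecurityDescriptor' of 'CN=RpcServices,CN=System,DC=mydomain,DC=com'
Checked 9880 objects (316 errors)
"""
# Constructed sample: a second run in which only the RpcServices fix stuck.
RUN2 = """\
WARNING: no target object found for GUID component for cross-partition link otherWellKnownObjects in object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com -
Not removing dangling one-way cross-partition link (we might be mid-replication)
Fixed attribute 'nTSecurityDescriptor' of 'CN=57428d75-bef7-43e1-938b-2e749f5a8d56,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com'
Checked 9880 objects (315 errors)
"""

if __name__ == "__main__":
    for kind, attr, dn in persistent(RUN1, RUN2):
        print(f"still reported: {kind} {attr} on {dn}")
```

Saving each run's output to a file and feeding both through `persistent` gives a short list of objects to raise on the list, instead of the full 316-line dump.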