[Samba] Sysvol reset

L.P.H. van Belle belle at bazuin.nl
Wed Sep 11 09:38:44 UTC 2019

Hi Tom, 

A bit late reacting here, but here is what I suggest. 

You're on CentOS, that's fine; the primary goal for you is to get the latest packages. 
And these days, like I do the Debian packages, there is also someone doing CentOS/RHEL packages. 
See subject "[Samba] Samba 4.10.8 and 4.9.13 for rhel7/centos7 rpms" 

> So do I. The problem I have is what is the command line equivalent of ADSI Edit?
> If it is ldb search/edit/delete, how does one figure out the correct
> incantation to add/delete/modify things.
> For instance, I have the following record:
> # record 4009
> dn: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=com
> objectClass: top
> objectClass: site
> cn: Default-First-Site-Name
> instanceType: 4
> whenCreated: 20061005105708.0Z
> whenChanged: 20061005105708.0Z
> uSNCreated: 3742
> showInAdvancedViewOnly: TRUE
> name: Default-First-Site-Name
> objectGUID: 206ddbbb-14cf-4f37-bb66-1f2d07bac717
> systemFlags: 1107296256
> objectCategory: CN=Site,CN=Schema,CN=Configuration,DC=mydomain,DC=com
> uSNChanged: 10210
> msExchServerSiteBL: CN=PHT1,CN=Servers,CN=Exchange Administrative Group (FYDIB
>   OHF23SPDLT),CN=Administrative Groups,CN=MYDOMAIN,CN=Microsoft Exchange,CN=Servi
>   ces,CN=Configuration,DC=mydomain,DC=com
> distinguishedName: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=pht
>   ool,DC=com
> Is there a document that explains all of this in a manner that mere mortals can
> understand? 

Yes, https://docs.microsoft.com/  ( ;-) sorry ... ) 

> The above server no longer exists. It died before I could remove it gracefully
> so I am left with a mess that I think the only way to clean it up is to
> remove the remaining records by hand.
Try running: samba-tool domain tombstones expunge

> I normally would not care that these orphaned records are there except that
> when I run samba-tool dbcheck --cross-ncs --fix I get 316 errors and none of
> them get repaired. Most if not all appear to be related to the dead server.
> For the record adsi edit will only let me look at the records. If I try to
> delete/modify anything, I get an error that says "Operation Failed error code
> 0x202c. the server does not support the requested critical extensions"
> In case it is useful in fixing the problem the following is a sample of the output
> of samba-tool dbcheck --cross-ncs --fix:
> WARNING: no target object found for GUID component for cross-partition link otherWellKnownObjects in object CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=mydomain,DC=com -
> B:32:A7D2016C83F003458132789EEB127B84:<GUID=5dc1e7ca-2cbc-4318-b250-b7d9126e02f6>;<SID=S-1-5-21-619667644-1604242038-736796184-1619>;CN=Exchange Servers,OU=Microsoft Exchange Security
> Groups,DC=mydomain,DC=com
> Not removing dangling one-way cross-partition link (we might be mid-replication)
> ...
> Fix nTSecurityDescriptor on CN=57428d75-bef7-43e1-938b-2e749f5a8d56,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com? [y/N/all/none] y
> Fixed attribute 'nTSecurityDescriptor' of 'CN=57428d75-bef7-43e1-938b-2e749f5a8d56,CN=Operations,CN=DomainUpdates,CN=System,DC=mydomain,DC=com'
> ...
> Fix nTSecurityDescriptor on CN=RpcServices,CN=System,DC=mydomain,DC=com? [YES]
> Fixed attribute 'nTSecurityDescriptor' of 'CN=RpcServices,CN=System,DC=mydomain,DC=com'
> Checked 9880 objects (316 errors)
> As you can see it says that it is fixing things but if I run it again, I get the same results.
> Suggestions?

A few, 

First, I'd say ignore these errors and upgrade to the latest 4.10. 
Then run samba-tool domain tombstones expunge again and samba-tool dbcheck --cross-ncs --fix 
after you have upgraded (use the upgrade steps 4.8 -> 4.9 -> 4.10).

If you don't want to upgrade that far, then you could try to remove the faulty records with the Windows tools. 
Clean up the AD DC data and clean up the AD DNS data. If you use the Windows tools, enable the advanced view.
And it's a pain, but you must go and check every level/folder/record... etcetera. 
And I know, if you repeat this a few times, you know where to look. 
Then stop/start Samba and check again with samba-tool dbcheck.
If there are records you removed and you're getting these back, then mail the list again. 

I see these are links related to MS Exchange servers. 
It might be that your schema is extended and you're not able to remove that extended part. 
But I can't tell; I just don't know.

Last, use for example Apache Directory Studio and search manually through LDAP:
! Do note: remove the wrong things here and you might get more problems.

So make very, very sure you have good backups before you start. 

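As an added example (not code from the original thread, nor from the Samba project), here is the command-line stand-in for the "find it, then delete or modify it" workflow of ADSI Edit that Tom asked about, using Samba's own ldb tools. It assumes (my assumptions, not stated in the thread) that sam.ldb lives at /var/lib/samba/private/sam.ldb, that the dead server's short hostname is passed as the first argument, and that ldbsearch, ldbdel, ldbmodify and samba-tool are on PATH. By default it only prints what it would do; it writes nothing unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not part of the original thread. Locate the leftover objects
# of a dead server in a Samba AD DC and show (or, with APPLY=1, perform) their
# removal with the ldb command-line tools.
# Assumptions (mine): sam.ldb path below, short hostname in $1, ldb tools on PATH.
set -e

SAMDB="${SAMDB:-/var/lib/samba/private/sam.ldb}"

# ldbsearch folds long lines; a continuation line starts with a single space
# (the "DC=pht" / " ool,DC=com" split in the quoted record above is one).
# Join them so later greps and seds see complete DNs.
unfold_ldif() {
  sed -e ':a' -e '$!N;s/\n //;ta' -e 'P;D'
}

# Print just the DNs from (folded or unfolded) LDIF on stdin.
dns_from_ldif() {
  unfold_ldif | sed -n 's/^dn: //p'
}

# LDIF that removes one value of a multi-valued attribute, e.g. a stale
# otherWellKnownObjects entry. Backlink attributes (names ending in BL, such as
# msExchServerSiteBL) are maintained from their forward link and are not meant
# to be edited directly: remove the referring object or its forward link instead.
ldif_remove_value() {   # $1 dn, $2 attribute, $3 exact value to drop
  printf 'dn: %s\nchangetype: modify\ndelete: %s\n%s: %s\n-\n' "$1" "$2" "$2" "$3"
}

# LDIF that deletes a whole object (what "Delete" in ADSI Edit does).
ldif_delete_object() {  # $1 dn
  printf 'dn: %s\nchangetype: delete\n' "$1"
}

# Search every partition (--cross-ncs) for objects still named after the host.
find_server_objects() { # $1 short hostname
  ldbsearch -H "$SAMDB" --cross-ncs "(cn=$1)" dn | dns_from_ldif
}

cleanup_dead_server() { # $1 short hostname
  host="$1"
  if [ "${APPLY:-0}" = 1 ]; then
    # Offline backup first; samba-tool domain backup exists from Samba 4.9 on.
    samba-tool domain backup offline --targetdir=/root/samba-backup
  fi
  # read -r keeps DNs with spaces and parentheses intact (word splitting would not).
  find_server_objects "$host" | while IFS= read -r dn; do
    echo "# leftover object: $dn"
    if [ "${APPLY:-0}" = 1 ]; then
      ldbdel -H "$SAMDB" -r "$dn"      # -r also removes the subtree under it
    else
      ldif_delete_object "$dn"         # dry run: show the LDIF that would apply
    fi
  done
  if [ "${APPLY:-0}" = 1 ]; then
    # The order suggested in the reply above, once the manual removals are done.
    samba-tool domain tombstones expunge
    samba-tool dbcheck --cross-ncs --fix --yes
  fi
}

# Only act when a hostname was given and the ldb tools are actually installed.
if [ "$#" -gt 0 ] && command -v ldbsearch >/dev/null 2>&1; then
  cleanup_dead_server "$1"
fi
```

Run it once without APPLY to read the list of objects that match the dead server's name; anything the dry run prints is what the recursive delete would remove, so check that list against ADSI Edit or Apache Directory Studio before setting APPLY=1. To drop a single stale value instead of a whole object, pipe ldif_remove_value into ldbmodify -H "$SAMDB".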

