[Samba] Active Directory Domain Corruption.

Andrew Bartlett abartlet at samba.org
Wed Jun 1 10:08:26 UTC 2022


On Wed, 2022-06-01 at 09:51 +0200, Markus Dellermann via samba wrote:
> > Yes, but this is a Database corruption issue, I need DNS worked on,
> > but
> > lets hold off on that until things like this:
> > #samba-tool dbcheck
> > Checking 321 objects
> > ERROR(<class 'ValueError'>): uncaught exception - unable to parse
> > dn string
> >    File "/usr/lib64/python3.6/site-
> > packages/samba/netcmd/__init__.py",
> > line 186, in _run
> >      return self.run(*args, **kwargs)
> >    File "/usr/lib64/python3.6/site-
> > packages/samba/netcmd/dbcheck.py",
> > line 170, in run
> >      controls=controls, attrs=attrs)
> >    File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py",
> > line
> > 255, in check_database
> >      error_count += self.check_object(object.dn,
> > requested_attrs=attrs)
> >    File "/usr/lib64/python3.6/site-packages/samba/dbchecker.py",
> > line
> > 2601, in check_object
> >      expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))

So what is happening here is that the parent_dn, which is a string at
this point, doesn't parse when written as (eg in another syntax)
RDN=RDN,$parent_dn. 

That isn't typical, but we have had some changes in DN escaping stuff
and perhaps the linearised DN is tripping that up.  Or perhaps it
really is corrupt, but I doubt it.

Ideally that would have been written differently, to create a new Dn()
of "RDN=RDN", then done a dn.add_base()

eg (only slightly tested):

diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index 449b0a7d985..077e81b2dcb 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -2596,7 +2596,8 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn),
str(to_base)))
                 controls += ["local_oid:%s:1" %
dsdb.DSDB_CONTROL_DBCHECK_FIX_LINK_DN_NAME]
             if parent_dn is None:
                 parent_dn = obj.dn.parent()
-            expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" %
(parent_dn))
+            expected_dn = ldb.Dn(self.samdb, "RDN=RDN")
+            expected_dn.add_base(parent_dn)
             expected_dn.set_component(0, obj.dn.get_rdn_name(),
name_val)
 
             if obj.dn == deleted_objects_dn:
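
Review bot: parent_dn is not guaranteed to be an ldb.Dn when it reaches the added `expected_dn.add_base(parent_dn)` line. The fallback `parent_dn = obj.dn.parent()` produces a DN object, but when the caller supplies parent_dn (described in this message as a string at this point) a string is still handed over and has to be turned into a DN somewhere. Consider converting parent_dn to an ldb.Dn once, directly after the `if parent_dn is None:` block, and reporting a dbcheck error for that object if the conversion fails, rather than letting the ValueError escape as in the quoted traceback. The outcome of add_base() is also not checked before `expected_dn.set_component(0, ...)` runs, and a short comment on why the placeholder "RDN=RDN" is built separately from the base would help the next reader.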


At least then we wouldn't be dealing with DN escaping stuff.

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
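
The general hazard behind the suggestion above, as an added example that is not part of the original message and not Samba code: building a DN by string formatting forces the parent string to be parsed again, while appending components does not. The toy parser, the helper names and the sample DN are assumptions made for illustration, and this is not a diagnosis of the reported database.

```python
# Added illustration: a toy DN model (RFC 4514 subset), NOT Samba's ldb module.
# Only backslash+character escapes are handled; \XX hex escapes are not.
SPECIAL = ',+"\\<>;'   # characters that must be escaped inside a value

def escape_value(value):
    return "".join("\\" + c if c in SPECIAL else c for c in value)

def linearize(components):
    """Render [(attr, value), ...] as a DN string, escaping each value."""
    return ",".join("%s=%s" % (a, escape_value(v)) for a, v in components)

def parse(dn):
    """Parse a DN string into [(attr, value), ...]; ValueError if malformed."""
    comps, attr, val, in_val, i = [], "", "", False, 0
    text = dn + ","                      # sentinel closes the last component
    while i < len(text):
        c = text[i]
        if c == "\\" and in_val and i + 1 < len(dn):
            val += text[i + 1]           # escaped character is taken literally
            i += 2
            continue
        if c == "=" and not in_val:
            in_val = True
        elif c == ",":
            if not in_val or not attr:
                raise ValueError("unable to parse dn string: %r" % dn)
            comps.append((attr, val))
            attr, val, in_val = "", "", False
        elif c in SPECIAL:
            raise ValueError("unable to parse dn string: %r" % dn)
        elif in_val:
            val += c
        else:
            attr += c
        i += 1
    return comps

def add_base(child, base):
    """Structured composition: append the parent's components, parse nothing."""
    return child + base

# Constructed sample data: a parent whose OU value contains a comma.
PARENT = [("OU", "Sales, EMEA"), ("DC", "example"), ("DC", "com")]
UNESCAPED_PARENT = "OU=Sales, EMEA,DC=example,DC=com"   # comma left raw

if __name__ == "__main__":
    print(linearize(add_base([("RDN", "RDN")], PARENT)))
    try:
        parse("RDN=RDN,%s" % UNESCAPED_PARENT)
    except ValueError as e:
        print("string formatting path:", e)
```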



