[Samba] Repacking database from v1 to v2 / Samba failed to prime database, error code 22

Arnaud FLORENT aflorent at iris-tech.fr
Wed Oct 5 08:21:35 UTC 2022


Hi

On 04/10/2022 at 22:15, Andrew Bartlett wrote:
> On Tue, 2022-10-04 at 14:53 +0200, Arnaud FLORENT via samba wrote:
>> Hi Andrew and thanks for your support.
>>
>> On 03/10/2022 at 21:55, Andrew Bartlett via samba wrote:
>>> On Mon, 2022-10-03 at 15:23 +0100, Rowland Penny via samba wrote:
>>>> On 03/10/2022 13:26, Arnaud FLORENT via samba wrote:
>>>>> Hi,
>>>>>
>>>>> i have an issue direct with in place upgrade from samba 4.3 to 4.13
>>>>> running single AD DC on ubuntu based installation
>>>> I think you may live to regret doing that :-(
>>>>
>>>>> samba failed to start after upgrade with this log
>>>> We have a bug that may be relevant:
>>>>
>>>> https://bugzilla.samba.org/show_bug.cgi?id=15189
>>>>
>>> This is actually the reverse, this is hope :-)
>>>
>>> If the server is still working on Samba 4.3 after the failed upgrade
>>> attempt, this is a way forward to upgrade over DRS instead.
>> to be exactly clear,  we returned to server state before upgrade
> Great.
>
>>> Arnaud, I would be very interested if you could attempt to instead
>>> upgrade using a replication based approach, and if that fails, to try
>>> the patch at:
>>> https://gitlab.com/samba-team/samba/-/merge_requests/2728.patch
>>>
>> i have to patch samba 4.13 source and rebuild?
>>> It would be very valuable to me to get real-world feedback.
>>>
>>> To test in a 'no changes' approach, you can attempt replication without
>>> changing the domain by running 'samba-tool drs clone-dc-database
>>> --server $SERVER --targetdir=$SOMEWHERE_SECURE -Uadministrator'
>>
>> so i have to run this command on a new server running 4.13 with $SERVER
>> pointing to my samba 4.3 running server
>>
>> is this correct?
>>
>
> Yes.  First try with unpatched Samba 4.13 (or much better a supported
> version please!), but if that fails then grab Samba 'git master' and
> build that for testing, as my patch is now merged there.
>
> Backported patches will appear at
> https://bugzilla.samba.org/show_bug.cgi?id=15189


so I ran samba-tool drs clone-dc-database with debug level 3

it helped me to find 3 entries with weird (bad encoding?) values on
attribute (defined in updated LDAP schema)


after fixing those values on samba 4.3 AD, samba-tool drs
clone-dc-database ran successfully

and samba-tool dbcheck on targetdir reports only 1 error with SID
conflicts with our current RID set in CN=RID Set,


>
>>> We can also look into why the in-place upgrade fails.
>>>
>>> Running 'samba-tool dbcheck --reindex' using the modern version should
>>> allow the error to be seen in a more controlled circumstance, and allow
>>> raising the debug level etc.
>> samba-tool dbcheck (without --reindex) on 4.13 returns
>>
>> Checked 4287 objects (6449 errors)
>>
>> mainly
>>
>> ERROR: incorrect attributeID values in replPropertyMetaData on ...
>> ERROR: unsorted attributeID values in replPropertyMetaData on ...
>> ERROR: unsorted attributeID values in replPropertyMetaData on ...
>>
>>
>> but maybe it is because db repacking failed?
> No, this is a different thing.   These are real bugs at a higher layer,
> and while the unsorted attributeIDs are harmless (to samba, will break
> windows), the incorrect attributeID may impact on the attempted
> replication.
>
> What happens with the --reindex?  (This opens a transaction, which
> triggers the re-index, otherwise we just read the old format).

reindex failed on same attribute as samba-tool drs clone-dc-database

re-indexed database : (1, "reindexing failed: 
../../ldb_key_value/ldb_kv_index.c:3048: Failed to re-index kwartzExtID 
in CN=someuser,CN=Users,DC=my,DC=domaine - Failed to create index key 
for attribute 'kwartzExtID':Unknown error:Entry @ATTRIBUTES already exists")


so I did this:

- fixed this attribute's values on samba 4.3 server

- copied private dir backup to samba 4.13 test server

- samba 4.13 then starts successfully with 5 "ldb: Repacking database
from v1 to v2 " messages in log.samba

- directory returns all users and groups (via wbinfo or ldap)


BUT

samba-tool dbcheck still reports Checked 4204 objects (6365 errors) with
3 types of errors in the log:

ERROR: incorrect attributeID values in replPropertyMetaData

ERROR: unsorted attributeID values in replPropertyMetaData

ERROR: linked attribute 'member' is present on deleted object


but samba-tool dbcheck --reindex runs successfully [completed re-index OK]



do you think AD will be fully functional with this copied data (as for
in place upgrade)?

>
>> directory is 4 years old and was built with classic upgrade from older
>> samba3 + openldap
>>
>>
>> i will do more tests on db and keep the list informed.
> Thanks,
>
> Andrew Bartlett
>
> =--
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
>
> Samba Development and Support, Catalyst IT - Expert Open Source
> Solutions
>
-- 
Arnaud FLORENT
IRIS Technologies
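
Added example, not part of the original message and not Samba project code: a small Python helper that tallies `samba-tool dbcheck` output by error class, so a total such as the 6365 errors above can be split into the classes the thread describes as harmless to Samba and those that may affect replication. The sample output and DNs are constructed, and the line formats are assumed from the lines quoted in the thread.

```python
import re
from collections import Counter, defaultdict

# Trailing DN (optionally introduced by "on"), stripped to get the error class.
DN_TAIL = re.compile(r"\s+(?:on\s+)?((?:CN|OU|DC)=.*)$", re.IGNORECASE)
TOTALS = re.compile(r"Checked (\d+) objects \((\d+) errors\)")

# Assessments taken from the replies quoted in this thread; anything else is unclassified.
NOTES = {
    "unsorted attributeID values in replPropertyMetaData":
        "thread: harmless to Samba, will break Windows",
    "incorrect attributeID values in replPropertyMetaData":
        "thread: may impact replication",
}

# Constructed sample output (DNs are made up; message text follows the thread).
SAMPLE = """\
ERROR: incorrect attributeID values in replPropertyMetaData on CN=user1,CN=Users,DC=example,DC=com
ERROR: unsorted attributeID values in replPropertyMetaData on CN=user1,CN=Users,DC=example,DC=com
ERROR: unsorted attributeID values in replPropertyMetaData on CN=user2,CN=Users,DC=example,DC=com
ERROR: linked attribute 'member' is present on deleted object CN=gone,CN=Deleted Objects,DC=example,DC=com
Checked 3 objects (4 errors)
"""

def summarize(output):
    """Group ERROR lines by message class and collect the DNs each class touches."""
    counts, dns = Counter(), defaultdict(set)
    checked = reported = None
    for line in output.splitlines():
        line = line.strip()
        totals = TOTALS.search(line)
        if totals:
            checked, reported = int(totals.group(1)), int(totals.group(2))
        elif line.startswith("ERROR:"):
            body = line[len("ERROR:"):].strip()
            dn = DN_TAIL.search(body)
            msg = DN_TAIL.sub("", body)
            counts[msg] += 1
            if dn:
                dns[msg].add(dn.group(1))
    return {"checked": checked, "reported": reported, "counts": counts, "dns": dns}

def report(summary):
    """Render one line per error class, most frequent first."""
    rows = [f"{n:6d} errors on {len(summary['dns'][msg]):5d} objects  {msg}"
            f"  [{NOTES.get(msg, 'not classified in the thread')}]"
            for msg, n in summary["counts"].most_common()]
    rows.append(f"dbcheck totals: checked={summary['checked']} errors={summary['reported']}")
    return "\n".join(rows)

if __name__ == "__main__":
    print(report(summarize(SAMPLE)))
```

To use it on real data, save the dbcheck output to a file and pass its contents to `summarize()` in place of `SAMPLE`.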



