[Samba] Repacking database from v1 to v2 / Samba failed to prime database, error code 22

Andrew Bartlett abartlet at samba.org
Wed Oct 5 19:14:20 UTC 2022 

On Wed, 2022-10-05 at 10:21 +0200, Arnaud FLORENT via samba wrote:
> Hi
> 
> Le 04/10/2022 à 22:15, Andrew Bartlett a écrit :
> > Yes.  First try with unpatched Samba 4.13 (or much better a
> > supported
> > version please!), but if that fails then grab Samba 'git master'
> > and
> > build that for testing, as my patch is now merged there.
> > 
> > Backported patches will appear at
> > https://bugzilla.samba.org/show_bug.cgi?id=15189
> > 
> 
> 
> so i ran  samba-tool drs clone-dc-database with debug level 3
> 
> it helped me to find 3 entries with weird (bad encoding?) values on 
> attribute (defined in updated LDAP schema)
> 
> 
> after fixing those values on samba 4.3 AD, samba-tool drs 
> clone-dc-database run successfully

Great.

> and samba-tool dbcheck on targetdir report only 1 error with  SID 
> conflicts with our current RID set in CN=RID Set,

Awesome!

> 
> > > > We can also look into why the in-place upgrade fails.
> > > > 
> > > > Running 'samba-tool dbcheck --reindex' using the modern version
> > > > should
> > > > allow the error to be seen in a more controlled circumstance,
> > > > and
> > > > allow
> > > > raising the debug level etc.
> > > 
> > > samba-tool dbcheck (without --reindex) on 4.13 returns
> > > 
> > > Checked 4287 objects (6449 errors)
> > > 
> > > mainly
> > > 
> > > ERROR: incorrect attributeID values in replPropertyMetaData on
> > > ...
> > > ERROR: unsorted attributeID values in replPropertyMetaData on ...
> > > ERROR: unsorted attributeID values in replPropertyMetaData on ...
> > > 
> > > 
> > > but may be it is because db repacking failed?
> > 
> > No, this is a different thing.   These are real bugs at a higher
> > layer,
> > and while the unsorted attributeIDs are harmless (to samba, will
> > break
> > windows), the incorrect attributeID may impact on the attempted
> > replication.
> > 
> > What happens with the --reindex?  (This opens a transaction, which
> > triggers the re-index, otherwise we just read the old format).
> 
> reindex failed on same attribute as samba-tool drs clone-dc-database
> 
> re-indexed database : (1, "reindexing failed: 
> ../../ldb_key_value/ldb_kv_index.c:3048: Failed to re-index
> kwartzExtID 
> in CN=someuser,CN=Users,DC=my,DC=domaine - Failed to create index
> key 
> for attribute 'kwartzExtID':Unknown error:Entry @ATTRIBUTES already
> exists")
> 
> 
> so i did this:
> 
> - fixed this attribute values values on samba 4.3 server
> 
> - copy private dir backup to samba 4.13 test server
> 
> - samba 4.13 then starts successfully with 5 "ldb: Repacking
> database 
> from v1 to v2 " message in log.samba
> 
> - directory returns all users and groups (via wbinfo or ldap)
> 
> 
> BUT
> 
> samba-tool dbcheck still reports Checked 4204 objects (6365 errors)
> with 
> in log 3 types of errors:
> 
> ERROR: incorrect attributeID values in replPropertyMetaData
> 
> ERROR: unsorted attributeID values in replPropertyMetaData
> 
> ERROR: linked attribute 'member' is present on deleted object
> 
> 
> but samba-tool dbcheck --reindex runs successfully [completed re-
> index OK]
> 

So now run 'samba-tool dbcheck --cross-ncs --fix --yes' to fix those
errors. 

> 
> do you think AD will be fully functionnal with this copied data (as
> for 
> in place upgrade)?

To be clear, this is an in-place upgrade, as far as Samba is concerned,
as you copied over the private directory files.   So yes, it shows that
an in-place upgrade on the original server would work. 

Just make sure you run that 'samba-tool dbcheck --cross-ncs --fix --
yes' to tidy up our historical errors in replPropertyMetaData and avoid
a future duplicate allocation of that rouge SID. 

I wish you all the best with your upgrade and encourage a move to a
fully supported version ASAP, as there are a number of security issues
still in 4.13 (unless someone other than Samba has been backporting). 

Andrew Bartlett

-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions

More information about the samba mailing list