[Samba] Repacking database from v1 to v2 / Samba failed to prime database, error code 22

Arnaud FLORENT aflorent at iris-tech.fr
Thu Oct 6 07:58:49 UTC 2022


Hi Andrew

I ran the in-place upgrade test successfully.

Thank you.


I also ran samba-tool dbcheck --cross-ncs --fix successfully after the
upgrade, as you suggested.


It reports a new error type:

ERROR: incorrect instanceType part of Binary DN binary component for msDS-HasInstantiatedNCs

but all errors were fixed.



Could you please explain why those dbcheck errors were not reported when
I ran samba-tool dbcheck with Samba 4.3?

Maybe extra checks were added between 4.3 and 4.13?

Should I be worried about those errors? Could they happen again?

Could those errors impact AD performance on Samba 4.3?


Thanks again for your support.



On 05/10/2022 at 21:14, Andrew Bartlett wrote:
> On Wed, 2022-10-05 at 10:21 +0200, Arnaud FLORENT via samba wrote:
>> Hi
>>
>> On 04/10/2022 at 22:15, Andrew Bartlett wrote:
>>> Yes.  First try with unpatched Samba 4.13 (or much better a supported
>>> version please!), but if that fails then grab Samba 'git master' and
>>> build that for testing, as my patch is now merged there.
>>>
>>> Backported patches will appear at
>>> https://bugzilla.samba.org/show_bug.cgi?id=15189
>>>
>>
>> So I ran samba-tool drs clone-dc-database with debug level 3.
>>
>> It helped me to find 3 entries with weird (bad encoding?) values on
>> an attribute (defined in updated LDAP schema).
>>
>>
>> After fixing those values on the Samba 4.3 AD, samba-tool drs
>> clone-dc-database ran successfully
> Great.
>
>> and samba-tool dbcheck on targetdir reports only 1 error with SID
>> conflicts with our current RID set in CN=RID Set,
> Awesome!
>
>>>>> We can also look into why the in-place upgrade fails.
>>>>>
>>>>> Running 'samba-tool dbcheck --reindex' using the modern version
>>>>> should allow the error to be seen in a more controlled circumstance,
>>>>> and allow raising the debug level etc.
>>>> samba-tool dbcheck (without --reindex) on 4.13 returns
>>>>
>>>> Checked 4287 objects (6449 errors)
>>>>
>>>> mainly
>>>>
>>>> ERROR: incorrect attributeID values in replPropertyMetaData on ...
>>>> ERROR: unsorted attributeID values in replPropertyMetaData on ...
>>>> ERROR: unsorted attributeID values in replPropertyMetaData on ...
>>>>
>>>>
>>>> but maybe it is because db repacking failed?
>>> No, this is a different thing.   These are real bugs at a higher layer,
>>> and while the unsorted attributeIDs are harmless (to samba, will break
>>> windows), the incorrect attributeID may impact on the attempted
>>> replication.
>>>
>>> What happens with the --reindex?  (This opens a transaction, which
>>> triggers the re-index, otherwise we just read the old format).
>> reindex failed on same attribute as samba-tool drs clone-dc-database
>>
>> re-indexed database : (1, "reindexing failed: ../../ldb_key_value/ldb_kv_index.c:3048: Failed to re-index kwartzExtID in CN=someuser,CN=Users,DC=my,DC=domaine - Failed to create index key for attribute 'kwartzExtID':Unknown error:Entry @ATTRIBUTES already exists")
>>
>>
>> So I did this:
>>
>> - fixed this attribute's values on the Samba 4.3 server
>>
>> - copied the private dir backup to the Samba 4.13 test server
>>
>> - Samba 4.13 then starts successfully with 5 "ldb: Repacking database
>> from v1 to v2 " messages in log.samba
>>
>> - the directory returns all users and groups (via wbinfo or ldap)
>>
>>
>> BUT
>>
>> samba-tool dbcheck still reports Checked 4204 objects (6365 errors)
>> with 3 types of errors in the log:
>>
>> ERROR: incorrect attributeID values in replPropertyMetaData
>>
>> ERROR: unsorted attributeID values in replPropertyMetaData
>>
>> ERROR: linked attribute 'member' is present on deleted object
>>
>>
>> but samba-tool dbcheck --reindex runs successfully
>> [completed re-index OK]
>>
> So now run 'samba-tool dbcheck --cross-ncs --fix --yes' to fix those
> errors.
>
>> Do you think AD will be fully functional with this copied data (as
>> for in place upgrade)?
> To be clear, this is an in-place upgrade, as far as Samba is concerned,
> as you copied over the private directory files.   So yes, it shows that
> an in-place upgrade on the original server would work.
>
> Just make sure you run that 'samba-tool dbcheck --cross-ncs --fix --yes'
> to tidy up our historical errors in replPropertyMetaData and avoid
> a future duplicate allocation of that rogue SID.
>
> I wish you all the best with your upgrade and encourage a move to a
> fully supported version ASAP, as there are a number of security issues
> still in 4.13 (unless someone other than Samba has been backporting).
>
> Andrew Bartlett
>
-- 
Arnaud FLORENT
IRIS Technologies
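
The before/after dbcheck comparison discussed in this thread can be scripted. The following is an added example, not part of the original messages or of Samba: it groups saved `samba-tool dbcheck` ERROR lines by type and extracts the final error count. The function names, the sample DNs and the text following "deleted object" are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): summarise saved `samba-tool dbcheck` output.

# Constructed sample shaped like the lines quoted in the thread; DNs are made up,
# and the text after "deleted object" is an assumed format.
sample_dbcheck_output() {
cat <<'EOF'
ERROR: incorrect attributeID values in replPropertyMetaData on CN=user1,CN=Users,DC=example,DC=com
ERROR: unsorted attributeID values in replPropertyMetaData on CN=user1,CN=Users,DC=example,DC=com
ERROR: unsorted attributeID values in replPropertyMetaData on CN=user2,CN=Users,DC=example,DC=com
ERROR: unsorted attributeID values in replPropertyMetaData on CN=RID Set,CN=dc1,DC=example,DC=com
ERROR: linked attribute 'member' is present on deleted object CN=oldgroup,DC=example,DC=com
Checked 5 objects (5 errors)
EOF
}

# Print "count<TAB>error type", most frequent first. Assumes the object DN is the
# first "attr=value" token on the line; everything from there on is dropped so
# that errors group by type rather than by object.
dbcheck_tally() {
    awk '/^ERROR: / {
            msg = $0
            sub(/^ERROR: /, "", msg)
            sub(/ [A-Za-z][A-Za-z0-9-]*=.*$/, "", msg)   # strip trailing DN
            sub(/ on$/, "", msg)                          # and the dangling "on"
            count[msg]++
         }
         END { for (m in count) printf "%d\t%s\n", count[m], m }' | sort -rn
}

# Print the error count from the last "Checked N objects (M errors)" line.
dbcheck_remaining() {
    sed -n 's/^Checked [0-9][0-9]* objects (\([0-9][0-9]*\) errors).*$/\1/p' | tail -n 1
}

# Usage against a saved log, e.g.:  dbcheck_tally < dbcheck-before-fix.log
sample_dbcheck_output | dbcheck_tally
echo "remaining errors: $(sample_dbcheck_output | dbcheck_remaining)"
```

Comparing the tally from a run before `--fix` with one after it shows which error types were cleared and whether any new type appeared.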



