[Samba] ldbrename does not rename container users CN=Deleted Objects

Anderson Sampaio Mello anderson.sampaio.mello at gmail.com
Tue May 2 21:57:34 UTC 2023


Hello everybody.

When a user or group account is deleted, the user or group account is moved
to CN=Deleted Objects,DC=domain,DC=com.

I can find them with the command:

ldbsearch -H ldap://localhost --show-deleted "cn=*DEL:*" -U administrator

Password for [DOMAIN\administrator]:
# record 1
dn: CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted
Objects,DC=domain,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
instanceType: 4
whenCreated: 20230502211927.0Z
uSNCreated: 3716
objectGUID: f53b71f8-a3e8-4997-bd84-5504235d3b31
objectSid: S-1-5-21-946835178-2883361477-2519564338-1103
sAMAccountName: user1
userAccountControl: 512
isDeleted: TRUE
lastKnownParent: CN=Users,DC=domain,DC=com
isRecycled: TRUE
cn:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ==
name:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ==
whenChanged: 20230502211938.0Z
uSNChanged: 3720
distinguishedName:
CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted
Objects,DC=domain,DC=com

The user account is inside the "CN=Deleted Objects" container; it has not been removed.

But if I try to move it to the original OU or container to have the user or
group account available again using the ldbrename command, the following
error occurs, for example:

ldbrename -H ldap://localhost --show-deleted "CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com" "CN=user1,CN=Users,DC=domain,DC=com" -U administrator

Password for [DOMAIN\administrator]:

rename of 'CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted
Objects,DC=domain,DC=com' to 'CN=user1,CN=Users,DC=domain,DC=com' failed -
LDAP error 32 LDAP_NO_SUCH_OBJECT - <00002030: ldb_wait from
../source4/ldap_server/ldap_backend.c:483 with LDB_WAIT_ALL: No such object
(32)> <>

It is possible to recover the user account in the way that I demonstrated.
I know that the correct thing is to be careful not to remove user accounts
or groups, but if it happens due to human error, I would like to have a way
to rescue this account or group; after all, as I understand it, after
deleting the user account, it is not removed, but moved and renamed.

The Samba version I'm using is 4.17. In the information above I renamed the
domain name to domain.

I appreciate everyone's attention.
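An added example, not from the post or from Samba: a small Python parser for the ldbsearch --show-deleted output quoted above. It decodes the base64 (`::`) cn attribute, recovers the original name from the `\0ADEL:<objectGUID>` tombstone RDN, derives the DN the object would return to from lastKnownParent, and reports the isRecycled flag, which is worth checking before any restore attempt. The embedded record is a constructed copy of the one in the post.

```python
import base64

# Constructed sample: the tombstone record quoted in the post, with the e-mail
# line wrap of the DN joined back into one line (attributes trimmed for brevity).
SAMPLE_LDIF = """\
# record 1
dn: CN=user1\\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com
objectClass: top
objectClass: user
objectGUID: f53b71f8-a3e8-4997-bd84-5504235d3b31
sAMAccountName: user1
isDeleted: TRUE
lastKnownParent: CN=Users,DC=domain,DC=com
isRecycled: TRUE
cn:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ==
name:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ==
"""


def parse_ldif(text):
    """Parse ldbsearch LDIF into a list of {attr: [values]} dicts.

    '#' lines are comments, a blank line ends a record, and 'attr:: value'
    carries a base64-encoded value (used here because cn contains a newline).
    """
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")  # split at the first ':' only; DNs contain ':'
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def restore_info(record):
    """Describe a tombstone: original name, GUID, proposed restore DN, recycled flag."""
    # Decoded cn is "<original name>\nDEL:<objectGUID>"; the DN escapes the newline as \0A.
    name, _, tail = record["cn"][0].partition("\nDEL:")
    return {
        "name": name,
        "guid": tail.strip(),
        "restore_dn": f"CN={name},{record['lastKnownParent'][0]}",
        "recycled": record.get("isRecycled", ["FALSE"])[0].upper() == "TRUE",
    }
```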
