[Samba] ldbrename does not rename container users CN=Deleted Objects

Rowland Penny rpenny at samba.org
Wed May 3 07:06:22 UTC 2023



On 02/05/2023 22:57, Anderson Sampaio Mello via samba wrote:
> Hello everybody.
> 
> When a user or group account is deleted, the user or group account is moved
> to CN=Deleted Objects,DC=domain,DC=com
> 
> I can find them with the command:
> 
> ldbsearch -H ldap://localhost --show-deleted "cn=*DEL:*" -U administrator
> 
> Password for [DOMAIN\administrator]:
> # record 1
> dn: CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> instanceType: 4
> whenCreated: 20230502211927.0Z
> uSNCreated: 3716
> objectGUID: f53b71f8-a3e8-4997-bd84-5504235d3b31
> objectSid: S-1-5-21-946835178-2883361477-2519564338-1103
> sAMAccountName: user1
> userAccountControl: 512
> isDeleted: TRUE
> lastKnownParent: CN=Users,DC=domain,DC=com
> isRecycled: TRUE
> cn:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ==
> name:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ==
> whenChanged: 20230502211938.0Z
> uSNChanged: 3720
> distinguishedName: CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com
> 
> The user account is inside the container "CN=Deleted Objects"; it has not been removed.
> 
> But if I try to move it to the original OU or container to have the user or
> group account available again using the ldbrename command, the following
> error occurs, for example:
> 
> ldbrename -H ldap://localhost --show-deleted \
>   "CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com" \
>   "CN=user1,CN=Users,DC=domain,DC=com" -U administrator
> 
> Password for [DOMAIN\administrator]:
> 
> rename of 'CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com' to 'CN=user1,CN=Users,DC=domain,DC=com' failed -
> LDAP error 32 LDAP_NO_SUCH_OBJECT - <00002030: ldb_wait from ../source4/ldap_server/ldap_backend.c:483 with LDB_WAIT_ALL: No such object (32)> <>
> 
> Is it possible to recover the user account in the way that I demonstrated?
> I know that the correct thing is to be careful not to remove user accounts
> or groups, but if it happens due to human error, I would like to have a way
> to rescue the account or group; after all, as I understand it, after
> deleting the user account it is not removed, but moved and renamed.
> 
> The Samba version I'm using is 4.17. In the information above I renamed the
> domain name to "domain".
> 
> I appreciate everyone's attention

Sorry, but it just doesn't work; even if you could undelete the user by 
renaming it, most of that user's attributes wouldn't be restored.

Rowland
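As an added example (not code from this thread or from the Samba project), here is a small Python script that parses the LDIF that `ldbsearch --show-deleted` prints, as quoted above, and turns each tombstone into what an operator auditing a deletion actually wants to know: the original RDN, the `lastKnownParent`, the objectGUID and objectSid, and the `isRecycled` flag. It also shows why the record looks the way it does: the `cn` is printed as `cn::` (base64) because Samba has inserted a newline between the original name and the `DEL:<objectGUID>` suffix, and the same newline appears in the DN as the hex escape `\0A`. The sample input is the record from the post, trimmed and embedded as constructed data; the function and class names (`parse_ldif`, `first_rdn_value`, `DeletedObject`, `deleted_objects`) are mine.

```python
import base64
import re
import sys
from dataclasses import dataclass

# Constructed sample: the record quoted in the thread, trimmed, with the
# mail-wrapped DN re-joined. Raw string so "\0A" stays literal: it is the LDAP
# DN hex escape for the newline Samba puts between the original CN and the
# "DEL:<objectGUID>" suffix of a deleted object.
SAMPLE_LDIF = r"""# record 1
dn: CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com
objectClass: user
whenCreated: 20230502211927.0Z
objectGUID: f53b71f8-a3e8-4997-bd84-5504235d3b31
objectSid: S-1-5-21-946835178-2883361477-2519564338-1103
sAMAccountName: user1
isDeleted: TRUE
lastKnownParent: CN=Users,DC=domain,DC=com
isRecycled: TRUE
cn:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ==
whenChanged: 20230502211938.0Z
"""

# "<original name>\nDEL:<objectGUID>": the mangled cn of a deleted object.
DEL_SUFFIX = re.compile(r"^(?P<name>[^\n]+)\nDEL:(?P<guid>[0-9a-fA-F-]{36})$")


def parse_ldif(text):
    """One {attribute: [values]} dict per record. Unfolds continuation lines
    and decodes the "attr:: <base64>" form used for values with control bytes."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF line folding
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes the last record
        if line == "":
            if current:
                records.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            current.setdefault(attr, []).append(value)
    return records


def first_rdn_value(dn):
    """Leading RDN value with LDAP hex escapes such as \\0A decoded. Splits on
    the first comma, which suffices for the DNs shown; "\\," is not handled."""
    value = dn.split(",", 1)[0].split("=", 1)[1]
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


@dataclass
class DeletedObject:
    original_name: str
    object_guid: str
    object_sid: str
    last_known_parent: str
    when_changed: str
    is_recycled: bool
    guid_consistent: bool  # DEL:<guid> in cn matches the objectGUID attribute

    @property
    def original_dn(self):
        """Pre-deletion DN rebuilt from lastKnownParent."""
        return f"CN={self.original_name},{self.last_known_parent}"


def deleted_objects(ldif_text):
    """Every isDeleted record in the LDIF as a DeletedObject."""
    found = []
    for rec in parse_ldif(ldif_text):
        if rec.get("isDeleted", ["FALSE"])[0] != "TRUE":
            continue
        cn = rec.get("cn", [""])[0]
        m = DEL_SUFFIX.match(cn)
        name, cn_guid = (m.group("name"), m.group("guid")) if m else (cn, "")
        guid = rec.get("objectGUID", [""])[0]
        found.append(DeletedObject(
            original_name=name, object_guid=guid,
            object_sid=rec.get("objectSid", [""])[0],
            last_known_parent=rec.get("lastKnownParent", [""])[0],
            when_changed=rec.get("whenChanged", [""])[0],
            is_recycled=rec.get("isRecycled", ["FALSE"])[0] == "TRUE",
            guid_consistent=cn_guid.lower() == guid.lower()))
    return found


if __name__ == "__main__":
    # With no stdin, run on the embedded sample; otherwise parse piped ldbsearch output.
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    for obj in deleted_objects(text):
        print(f"{obj.when_changed} {obj.object_sid} {obj.original_dn} "
              f"recycled={obj.is_recycled} guid_ok={obj.guid_consistent}")
```

To run it against a live domain, pipe the command from the post into it: `ldbsearch -H ldap://localhost --show-deleted "cn=*DEL:*" -U administrator | python3 deleted_objects.py`. The script only reads; it does not attempt the rename. Note that the objectGUID and objectSid survive in the tombstone, which is what makes it possible to match a deleted entry against older log data, whereas the record as shown carries only a handful of attributes, which is consistent with the reply above that a rename alone would not bring the rest of the account back.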
