[Samba] ldbrename does not rename container users CN=Deleted Objects

Stefan Kania stefan at kania-online.de
Wed May 3 08:50:17 UTC 2023


It had been working up to Samba 4.8 and with the recyclebin active you 
could restore every attribute, but since 4.9 it's not working anymore.

On 02.05.23 at 23:57, Anderson Sampaio Mello via samba wrote:
> Hello everybody.
> 
> When a user or group account is deleted, the user or group account is moved
> to CN=Deleted Objects,DC=domain,DC=com
> 
> I can find them with the command:
> 
> ldbsearch -H ldap://localhost --show-deleted "cn=*DEL:*" -U administrator
> 
> Password for [DOMAIN\administrator]:
> # record 1
> dn: CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted
> Objects,DC=domain,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> instanceType: 4
> whenCreated: 20230502211927.0Z
> uSNCreated: 3716
> objectGUID: f53b71f8-a3e8-4997-bd84-5504235d3b31
> objectSid: S-1-5-21-946835178-2883361477-2519564338-1103
> sAMAccountName: user1
> userAccountControl: 512
> isDeleted: TRUE
> lastKnownParent: CN=Users,DC=domain,DC=com
> isRecycled: TRUE
> cn:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ==
> name:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ==
> whenChanged: 20230502211938.0Z
> uSNChanged: 3720
> distinguishedName:
> CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted
> Objects,DC=domain,DC=com
> 
> The user account is inside a container "CN=Deleted Objects", has not been removed.
> 
> But if I try to move it to the original OU or container to have the user or
> group account available again using the ldbrename command, the following
> error occurs, for example:
> 
> ldbrename -H ldap://localhost --show-deleted
> "CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted
> Objects,DC=domain,DC=com" "CN=user1,CN= Users,DC=domain,DC=com" -U
> administrator
> 
> Password for [DOMAIN\administrator]:
> 
> rename of 'CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted
> Objects,DC=domain,DC=com' to 'CN=user1,CN=Users,DC=domain,DC=com' failed -
> LDAP error 32 LDAP_NO_SUCH_OBJECT - <00002030: ldb_wait from
> ../source4/ldap_server/ldap_backend.c:483 with LDB_WAIT_ALL: No such object
> (32)> <>
> 
> It is possible to recover the user account, in the way that I demonstrated,
> I know that the correct thing is to be careful not to remove user accounts
> or groups, but if it happens due to human error, I would like to have a way
> to rescue this account or group, after all, as I understand it, after
> deleting the user account, it is not removed, but moved and renamed.
> 
> The samba version I'm using is 4.17. in the information above I renamed the
> domain name to domain.
> 
> I appreciate everyone's attention
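
Added example, not part of the original thread and not Samba code: a Python sketch that reads `ldbsearch --show-deleted` LDIF output like the record quoted above, decodes the base64 `cn`, and reports the original name, `lastKnownParent` and `isRecycled` flag for each deleted object. The sample record is constructed from the quoted one, and the function names are hypothetical.

```python
import base64
import re

# Constructed sample modelled on the quoted record; folded lines start with a space.
SAMPLE = """\
# record 1
dn: CN=user1\\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Obj
 ects,DC=domain,DC=com
objectGUID: f53b71f8-a3e8-4997-bd84-5504235d3b31
sAMAccountName: user1
isDeleted: TRUE
lastKnownParent: CN=Users,DC=domain,DC=com
isRecycled: TRUE
cn:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ==
"""

def parse_ldif(text):
    """Return a list of records, each a dict of attribute -> list of values."""
    unfolded = re.sub(r"\r?\n ", "", text)       # undo LDIF line folding
    records, current = [], {}
    for line in unfolded.splitlines():
        if not line.strip():                     # a blank line ends a record
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):                 # "# record N" comments
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records

def describe_tombstone(rec):
    """Split the mangled cn into name and GUID and cross-check objectGUID."""
    name, marker, guid = rec["cn"][0].partition("\nDEL:")
    if not marker:
        raise ValueError("cn has no DEL: marker; not a deleted-object record")
    parent = rec.get("lastKnownParent", [None])[0]
    return {
        "original_cn": name,
        "guid_matches": guid.lower() == rec["objectGUID"][0].lower(),
        "is_recycled": rec.get("isRecycled", ["FALSE"])[0] == "TRUE",
        "last_known_parent": parent,
        # Simplification: assumes the name needs no DN escaping (no commas etc.).
        "original_dn": f"CN={name},{parent}" if parent else None,
    }
```

Running `describe_tombstone` over every record returned by `parse_ldif` gives an inventory of what sits in the Deleted Objects container and where each object came from.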



