[Samba] ldbrename does not rename container users CN=Deleted Objects

Andrew Bartlett abartlet at samba.org
Mon May 22 20:03:58 UTC 2023


Sadly the AD recycle bin isn't known to be reliably working in Samba.

The main effect that was noticed is that for some reason when enabled,
from memory, it caused the object to vanish almost instantly, rather
than remain as a tombstone for a time (eg, it did the opposite).

I've had investigating this properly on my wish-list for some time, but
it is one of those annoying tasks that I know will be tricky enough not
to start without a paying customer (sadly) to cover enough time to both
understand it, but also fix and write the automated tests.

I don't want this to dissuade others of course, the beauty of open
source is that anybody can have a go, and I think this is more likely
'fiddly' than 'difficult', if you get my meaning. 

In the meantime, yes, tombstone reanimation, where you supply almost
all the attributes again, is meant to work, and is essentially about
removing the deleted marker and setting the DN, but in an odd way (not
a rename!).  See restore_deleted_object() in
source4/dsdb/tests/python/tombstone_reanimation.py for some code.

We have a 'samba-tool domain tombstones' command, but with only an
'expunge' subcommand.  A 'reanimate' subcommand would be great - I'm
sure I remember a script in the past, but I can't find it with a quick
glance.

Andrew Bartlett

On Wed, 2023-05-03 at 10:50 +0200, Stefan Kania via samba wrote:
> It had been working up to Samba 4.8 and with the recyclebin active you 
> could restore every attribute, but since 4.9 it's not working anymore.
> 
> Am 02.05.23 um 23:57 schrieb Anderson Sampaio Mello via samba:
> > Hello everybody.
> > 
> > When a user or group account is deleted, the user or group account is moved
> > to CN=Deleted Objects,DC=domain,DC=com
> > 
> > I can find them with the command:
> > 
> > ldbsearch -H ldap://localhost --show-deleted "cn=*DEL:*" -U administrator
> > 
> > Password for [DOMAIN\administrator]:
> > # record 1
> > dn: CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted
> > Objects,DC=domain,DC=com
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: user
> > instanceType: 4
> > whenCreated: 20230502211927.0Z
> > uSNCreated: 3716
> > objectGUID: f53b71f8-a3e8-4997-bd84-5504235d3b31
> > objectSid: S-1-5-21-946835178-2883361477-2519564338-1103
> > sAMAccountName: user1
> > userAccountControl: 512
> > isDeleted: TRUE
> > lastKnownParent: CN=Users,DC=domain,DC=com
> > isRecycled: TRUE
> > cn:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ==
> > name:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ==
> > whenChanged: 20230502211938.0Z
> > uSNChanged: 3720
> > distinguishedName:
> > CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted
> > Objects,DC=domain,DC=com
> > 
> > The user account is inside a container "CN=Deleted Objects", has not been removed.
> > 
> > But if I try to move it to the original OU or container to have the user or
> > group account available again using the ldbrename command, the following
> > error occurs, for example:
> > 
> > ldbrename -H ldap://localhost --show-deleted
> > "CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted
> > Objects,DC=domain,DC=com" "CN=user1,CN= Users,DC=domain,DC=com" -U
> > administrator
> > 
> > Password for [DOMAIN\administrator]:
> > 
> > rename of 'CN=user1\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted
> > Objects,DC=domain,DC=com' to 'CN=user1,CN=Users,DC=domain,DC=com' failed -
> > LDAP error 32 LDAP_NO_SUCH_OBJECT - <00002030: ldb_wait from
> > ../source4/ldap_server/ldap_backend.c:483 with LDB_WAIT_ALL: No such object
> > (32)> <>
> > 
> > It is possible to recover the user account, in the way that I demonstrated,
> > I know that the correct thing is to be careful not to remove user accounts
> > or groups, but if it happens due to human error, I would like to have a way
> > to rescue this account or group, after all, as I understand it, after
> > deleting the user account, it is not removed, but moved and renamed.
> > 
> > The samba version I'm using is 4.17. In the information above I renamed the
> > domain name to domain.
> > 
> > I appreciate everyone's attention
> 

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Developer, Catalyst IT    https://catalyst.net.nz/services/samba
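As an added example, not code from the thread or from Samba itself: a small Python helper that takes the deleted-object record shown in the thread, derives the pre-deletion DN from cn and lastKnownParent, and emits the LDIF modify that tombstone reanimation uses (delete isDeleted, replace distinguishedName with the target DN, re-supply attributes in the same modify), which is the shape of restore_deleted_object() and of the MS-ADTS Undelete operation. The sample record is constructed from the thread's output, the function names are mine, and applying the LDIF with `ldbmodify --show-deleted` assumes ldbmodify accepts the same control option that ldbsearch and ldbrename do above.

```python
import base64
import re

# Constructed sample: the thread's deleted-object record, trimmed and reflowed
# to one line per attribute; cn is base64 ("::") because it contains "\n".
SAMPLE_RECORD = """\
dn: CN=user1\\0ADEL:f53b71f8-a3e8-4997-bd84-5504235d3b31,CN=Deleted Objects,DC=domain,DC=com
isDeleted: TRUE
lastKnownParent: CN=Users,DC=domain,DC=com
isRecycled: TRUE
cn:: dXNlcjEKREVMOmY1M2I3MWY4LWEzZTgtNDk5Ny1iZDg0LTU1MDQyMzVkM2IzMQ==
"""

# AD appends "\nDEL:<objectGUID>" to the RDN value of a deleted object.
DEL_MARKER = re.compile(r"(?P<rdn>.*)\nDEL:[0-9a-f-]{36}")


def parse_ldif_record(text):
    """Parse one LDIF record into {attribute: [values]}; '::' values are base64."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if ":: " in line:
            name, _, value = line.partition(":: ")
            value = base64.b64decode(value).decode("utf-8")
        else:
            name, _, value = line.partition(": ")
        attrs.setdefault(name, []).append(value)
    return attrs


def restore_dn(attrs):
    """Pre-deletion DN: cn without the DEL marker, back under lastKnownParent."""
    m = DEL_MARKER.fullmatch(attrs["cn"][0])
    if not m:
        raise ValueError("cn carries no DEL marker; not a deleted object")
    rdn = re.sub(r'([,+"\\<>;=])', r"\\\1", m.group("rdn"))  # RFC 4514 escaping
    return "CN=%s,%s" % (rdn, attrs["lastKnownParent"][0])


def reanimate_ldif(attrs, new_dn, extra=None):
    """LDIF modify for reanimation: delete isDeleted, replace distinguishedName,
    re-supply `extra` attributes. Not a rename. Returns (ldif, warnings)."""
    warnings = []
    if attrs.get("isRecycled") == ["TRUE"]:
        warnings.append("isRecycled is TRUE: a recycled object is not undeletable on Windows AD")
    lines = ["dn: " + attrs["dn"][0], "changetype: modify", "delete: isDeleted", "-",
             "replace: distinguishedName", "distinguishedName: " + new_dn, "-"]
    for name, values in (extra or {}).items():
        lines.append("replace: " + name)
        lines.extend("%s: %s" % (name, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n", warnings
```

The warning on isRecycled is the caveat behind the thread: the record above carries isRecycled: TRUE alongside its surviving attributes, so the outcome of applying this modify on Samba is exactly the behaviour Andrew describes as not reliably working.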