[Samba] ldbrename does not rename container users CN=Deleted Objects

Rowland Penny rpenny at samba.org
Sat May 27 10:21:54 UTC 2023



On 22/05/2023 21:03, Andrew Bartlett via samba wrote:
> Sadly the AD recycle bin isn't known to be reliably working in Samba.
> 
> The main effect that was noticed is that for some reason when enabled,
> from memory, it caused the object to vanish almost instantly, rather
> than remain as a tombstone for a time (eg, it did the opposite).
> 
> I've had investigating this properly on my wish-list for some time, but
> it is one of those annoying tasks that I know will be tricky enough not
> to start without a paying customer (sadly) to cover enough time to both
> understand it, but also fix and write the automated tests.
> 
> I don't want this to dissuade others of course, the beauty of open
> source is that anybody can have a go, and I think this is more likely
> 'fiddly' than 'difficult', if you get my meaning.
> 
> In the meantime, yes, tombstone reanimation, where you supply almost
> all the attributes again, is meant to work, and is essentially about
> removing the deleted marker and setting the DN, but in an odd way (not
> a rename!).  See restore_deleted_object() in
> source4/dsdb/tests/python/tombstone_reanimation.py for some code.
> 
> We have a 'samba-tool domain tombstones' command, but with only a
> 'expunge' subcommand.  A 'reanimate' subcommand would be great - I'm
> sure I remember a script in the past, but I can't find it with a quick
> glance.
> 
> Andrew Bartlett
>

After Andrew's post, I did a bit of searching and found this bug:

https://bugzilla.samba.org/show_bug.cgi?id=10371

That, along with Andrew's post, pointed in a direction that I hadn't
considered before: use ldbmodify instead of ldbrename. Using ldbrename
seems logical, but it doesn't work; if you delete a user, though, you can
get it back again with ldbmodify, at least I can.

The recycle bin is not set up in AD

This is all carried out on a Samba AD DC:

create a user (I used the username user2del in testing)
delete the user
search for the user using something like this (modified for your user):

sudo ldbsearch -H ldap://localhost -U administrator --show-deleted cn=user2del\\0ADEL:*

This should produce the deleted object from AD

Now using the info from that create an ldif containing something like this:

dn: CN=user2del\0ADEL:a43d90ad-915d-427a-90e9-c7b3f57e9770,CN=Deleted Objects,DC=samdom,DC=example,DC=com
changetype: modify
delete: isDeleted
-
replace: distinguishedName
distinguishedName: CN=user2del,CN=Users,DC=samdom,DC=example,DC=com
-
add: userPrincipalName
userPrincipalName: user2del@samdom.example.com
-
delete: lastKnownParent
-

Now reanimate the tombstone with:

sudo ldbmodify --show-deleted -H ldap://localhost -Uadministrator /tmp/restore.ldif

If you check with:

sudo ldbsearch -H ldap://localhost -U administrator cn=user2del

You should find that your user is back again.

I do not know about groups, didn't test, but I would imagine that you 
will have to rejoin your user to the required groups. Your user will 
have to set their password at the next logon and the account is set to 
never expire.

Rowland
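The ldbmodify procedure from the post, wrapped into a script so the restore LDIF is generated from the ldbsearch output instead of being typed by hand. This is an added example written for this page; it is not Rowland's script and not part of Samba. It assumes it runs on the DC with the same ldap://localhost URL and administrator account as the post (LDB_URL and LDB_USER override these; prefix the call with sudo as in the post), that the userPrincipalName suffix is the DNS domain spelled by the DC= components of lastKnownParent, and that the attribute changes to apply are exactly the ones in the post's LDIF. The ldbsearch/ldbmodify calls only run when a CN is passed on the command line; the helper functions are exercised against a constructed sample of ldbsearch output, so they can be checked without a DC. The script refuses to proceed when more than one tombstone matches the CN (an account deleted and recreated more than once), since the post's filter would then return several candidates.

```shell
#!/bin/bash
# Added example (hypothetical helper, not from the post and not part of Samba):
# reanimate a deleted user on a Samba AD DC with ldbmodify, following the post's LDIF.
set -eu

LDB_URL="${LDB_URL:-ldap://localhost}"      # assumption: run on the DC, as in the post
LDB_USER="${LDB_USER:-administrator}"       # assumption: same account as in the post

# Rejoin LDIF values that the LDIF writer folds onto continuation lines (leading space).
ldif_unfold() {
  awk '/^ / { buf = buf substr($0, 2); next }
       { if (started) print buf; buf = $0; started = 1 }
       END { if (started) print buf }'
}

# First value of attribute $1 from unfolded LDIF on stdin.
ldif_attr() {
  awk -v a="$1" 'index($0, a ":") == 1 { sub("^" a ": *", ""); print; exit }'
}

# Original CN of a tombstone: its RDN is CN=<name>\0ADEL:<objectGUID>.
deleted_cn() {
  local rdn=${1#CN=}
  printf '%s\n' "${rdn%%"\\0ADEL:"*}"
}

# DNS domain spelled by the DC= components of a DN (assumption: this is the UPN suffix).
# Splits on commas, so it is not meant for DNs containing escaped commas.
dn_to_dns_domain() {
  printf '%s\n' "$1" | awk -F, '{
    out = ""
    for (i = 1; i <= NF; i++)
      if ($i ~ /^[Dd][Cc]=/) { sub(/^[Dd][Cc]=/, "", $i); out = out (out == "" ? "" : ".") $i }
    print out
  }'
}

# The modify LDIF from the post: build_restore_ldif <deleted_dn> <parent_dn> <cn> <upn>
build_restore_ldif() {
  cat <<EOF
dn: $1
changetype: modify
delete: isDeleted
-
replace: distinguishedName
distinguishedName: CN=$3,$2
-
add: userPrincipalName
userPrincipalName: $4
-
delete: lastKnownParent
-
EOF
}

# Constructed sample of what ldbsearch --show-deleted returns for the post's user
# (the GUID is the one in the post); used to exercise the helpers without a DC.
sample_deleted_ldif() {
  printf '%s\n' \
    '# record 1' \
    'dn: CN=user2del\0ADEL:a43d90ad-915d-427a-90e9-c7b3f57e9770,CN=Deleted Objec' \
    ' ts,DC=samdom,DC=example,DC=com' \
    'lastKnownParent: CN=Users,DC=samdom,DC=example,DC=com' \
    '' \
    '# returned 1 records'
}

# reanimate_user <cn>: find the tombstone, refuse on ambiguity, apply the LDIF, verify.
reanimate_user() {
  local name=$1 found deleted_dn parent_dn cn upn ldif
  found=$(ldbsearch -H "$LDB_URL" -U "$LDB_USER" --show-deleted \
            "(cn=$name\\0ADEL:*)" dn lastKnownParent | ldif_unfold)
  case $(printf '%s\n' "$found" | grep -c '^dn: ' || true) in
    0) echo "no tombstone found for CN=$name" >&2; return 1 ;;
    1) ;;
    *) echo "several tombstones match CN=$name; pick one by objectGUID" >&2; return 1 ;;
  esac
  deleted_dn=$(printf '%s\n' "$found" | ldif_attr dn)
  parent_dn=$(printf '%s\n' "$found" | ldif_attr lastKnownParent)
  cn=$(deleted_cn "$deleted_dn")
  upn="$cn@$(dn_to_dns_domain "$parent_dn")"
  ldif=$(mktemp)
  build_restore_ldif "$deleted_dn" "$parent_dn" "$cn" "$upn" >"$ldif"
  ldbmodify --show-deleted -H "$LDB_URL" -U "$LDB_USER" "$ldif"
  rm -f "$ldif"
  ldbsearch -H "$LDB_URL" -U "$LDB_USER" "(cn=$cn)" dn    # the post's final check
}

# Only touch the directory when a CN is given: sudo ./reanimate.sh user2del
if [ "$#" -ge 1 ]; then
  reanimate_user "$1"
fi
```

The restored object still has the properties Rowland observed (no group memberships, password change required at next logon), so after the script reports the user back, re-add group memberships by hand.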
