Web lists-archives.com

Re: [Samba] DC Upgrade from 4.1.7 to 4.6.7




On Sat, 2017-08-26 at 13:46 +0400, HB via samba wrote:
> > -----Message d'origine-----
> > De : Andrew Bartlett [mailto:abartlet@xxxxxxxxx]
> > Envoyé : samedi 26 août 2017 12:40
> > À : HB; samba@xxxxxxxxxxxxxxx
> > Objet : Re: [Samba] DC Upgrade from 4.1.7 to 4.6.7
> > 
> > On Sat, 2017-08-26 at 12:32 +0400, HB via samba wrote:
> > > > 
> > > 
> > > Here is the output of samba-tool dbcheck :
> > > # samba-tool dbcheck
> > > Checking 1791 objects
> > > ltdb:
> > > 
> > 
> > tdb(/usr/local/samba/private/sam.ldb.d/DC%3DDOMAINDNSZONES,DC%3D
> > CIRAD-
> > > REUNION,DC%3DCIRAD,DC%3DFR.ldb): tdb_rec_read bad magic
> > 
> > 0xd9fee666 at
> > > offset=1115322096
> > > 
> > > ltdb:
> > > 
> > 
> > tdb(/usr/local/samba/private/sam.ldb.d/DC%3DDOMAINDNSZONES,DC%3D
> > CIRAD-
> > > REUNION,DC%3DCIRAD,DC%3DFR.ldb): tdb_rec_read bad magic
> > 
> > 0xd9fee666 at
> > > offset=1115322096
> > > 
> > > Checked 1791 objects (0 errors)
> > > #
> > > 
> > > But, if I run 'samba-tool dbcheck --cross-ncs' (as suggested in
> > 
> > Updating_Samba) :
> > > 
> > > # samba-tool dbcheck --cross-ncs
> > > ltdb:
> > > 
> > 
> > tdb(/usr/local/samba/private/sam.ldb.d/DC%3DDOMAINDNSZONES,DC%3D
> > CIRAD-
> > > REUNION,DC%3DCIRAD,DC%3DFR.ldb): tdb_rec_read bad magic
> > 
> > 0xd9fee666 at
> > > offset=1115322096
> > > 
> > > ERROR(ldb): uncaught exception - Indexed and full searches both failed!
> > > 
> > >   File "/usr/local/samba/lib64/python2.6/site-
> > 
> > packages/samba/netcmd/__init__.py", line 175, in _run
> > >     return self.run(*args, **kwargs)
> > >   File "/usr/local/samba/lib64/python2.6/site-
> > 
> > packages/samba/netcmd/dbcheck.py", line 136, in run
> > >     controls=controls, attrs=attrs)
> > >   File "/usr/local/samba/lib64/python2.6/site-
> > 
> > packages/samba/dbchecker.py", line 123, in check_database
> > >     res = self.samdb.search(base=DN, scope=scope, attrs=['dn'],
> > > controls=controls) #
> > 
> > Your DB is corrupt.  do you have another replica, or a good backup?
> > 
> > Andrew Bartlett
> 
> Hi Andrew, 
> 
> I don't have a replica , this DC is the only one.
> I have backups but as daily VM backups , I have tested the last one with the same errors. 
> I suspect that the DB could be corrupted since a long time, although the AD is running ok. 
> 
> What can I do to either correct the DB or export/import the AD ? 

This is where is gets messy.  You can dump the database with tdbdump
and ldbdump, you can even do an emergency dump with ldbdump.  

However, that doesn't tell you what you are missing, you need to then
compare a re-constructed database (rebuild each ldb file in the
sam.ldb.d/ directory via ldbadd) with an older backup using ldapcmp to
work out which records are missing.  Naturally stop Samba before you
copy the files, and do all this on another VM.

I helped one organisation (a school) do this once before (which is why
ldbdump exists), but in the end they just hobbled along until the end
of the school year and started over. 

How large/critical is this domain?  Also, because it will give a clue,
turn up the debug level on the join (eg -d5) and see if you get a clue
about which record is corrupt there.

Thankfully it is 'just' your DNS partition, and that can be re-created
a little more easily, as most things in there get fixed when the
clients re-register DNS, and when samba_dnsupdate is run on the server.

Also, carefully check your VM infrustructure.  Last time I blamed drdb,
which was being used for a 'hot/cold' spare system, for not preserving
barriers (the thing that makes fsync() and the sync command work) and
so allowing a corrupt DB rather than a safe transaction recovery.  I
never found out if my suspicions were correct.

Finally, this is why we suggest backups with the samba_backup script
and a second DC.  The first will find TDB level corruption, and the
second will generally not replicate a corrupt object, meaning you
notice corruption in real time and have a good backup from before it
all went bad. 

Sadly VM snapshots do none of these things, and will have partial
writes in them, as they don't stop Samba writing to the DB. 

I wish you the best with this, and if this is a large or important
domain suggest you may wish to engage some professional help from our
commercial support page.

Sorry,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba