Re: [Samba] Make Samba 4 as Additional DC to Windows Server 2003R2

On Sun, 2017-10-29 at 09:11 +0530, Anantha Raghava wrote:
> Hi,
> I did upgrade the server to Windows Server 2008 R2 along with AD.
> However, when I attempt to add Samba-4 as an additional domain controller, it is able to provision the domain and starts to replicate the data. While replicating, though, it throws the error shown below and stops. Samba-4 will then remove itself as additional domain controller.
> I tried this migration using Samba version 4.7 and BIND9_DLZ as the DNS backend.
> Error message:
> -------------------------------------------------------------------------------------------
> /lib/ldb/ldb_tdb/ldb_index.c:1189: unique index violation on objectSid in CN=TDS COMMON\0ADEL:dae6fa1e-21c5-4837-9d8c-a9356794c897,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com, conficts with CN=SUDIKSHA VILAS MHATRE\0ADEL:0b07eb12-99bd-4688-956f-55003920aa8f,CN=Deleted Objects,DC=corp,DC=dtdc,DC=com in @INDEX:OBJECTSID::AQUAAAAAAAUVAAAAu/PHIwO8muhtdxC5k7cDAA==
> Is this error something to do with Windows Domain Controller?

I have a patch for this, developed for a customer who hit the same
thing, remind me if you don't get it from me tomorrow, and given the
additional interest I'll figure a way to get it upstream.

Samba is just stricter than windows in this area, not allowing a SID to
be deleted or be a conflict object and also exist normally.

Until your mail, I didn't think this could happen other than as a
foreignSecurityPrincipal, however, and I don't think the source domain
is entirely healthy if an objectSid can be allocated to two different
users, even if they are now deleted.

I hope this helps,

Andrew Bartlett
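An added example (not from this thread or from Samba's own code) showing the check implied above: decode the base64 key that ldb prints in `@INDEX:OBJECTSID::...` back into S-1-5-... form, and scan a dump of (DN, objectSid) pairs for SIDs held by more than one object, including tombstones under CN=Deleted Objects, which is what Samba's unique index rejects. The entries and DNs below are constructed; only the index key is taken from the error message quoted above.

```python
import base64
import struct
from collections import defaultdict

# Binary SID layout: revision (1 byte), sub-authority count (1 byte),
# identifier authority (6 bytes big-endian), then count x uint32 little-endian.
def sid_from_bytes(blob: bytes) -> str:
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def sid_to_bytes(sid: str) -> bytes:
    parts = [int(p) for p in sid.split("-")[1:]]
    revision, authority, subs = parts[0], parts[1], parts[2:]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

def sid_from_index_key(key: str) -> str:
    """ldb reports the colliding index key as '@INDEX:OBJECTSID::<base64 SID>'."""
    return sid_from_bytes(base64.b64decode(key.rsplit("::", 1)[-1]))

def is_deleted(dn: str) -> bool:
    # Tombstones carry the '\0ADEL:<guid>' RDN suffix (\0A is an escaped newline)
    # and live under CN=Deleted Objects.
    return "\\0ADEL:" in dn

def find_sid_conflicts(entries):
    """entries: iterable of (dn, objectSid bytes). Returns {sid: [dns]} for every
    SID held by more than one object, deleted or not."""
    by_sid = defaultdict(list)
    for dn, blob in entries:
        by_sid[sid_from_bytes(blob)].append(dn)
    return {sid: dns for sid, dns in by_sid.items() if len(dns) > 1}

# Constructed sample dump (not real data): two tombstones sharing a RID, plus two
# live objects. The domain SID is the one decoded from the index key in the error.
DOMAIN = "S-1-5-21-600306619-3902454787-3104864109"
DELETED = ",CN=Deleted Objects,DC=example,DC=test"
SAMPLE_ENTRIES = [
    ("CN=user-a\\0ADEL:11111111-1111-1111-1111-111111111111" + DELETED, sid_to_bytes(DOMAIN + "-243603")),
    ("CN=user-b\\0ADEL:22222222-2222-2222-2222-222222222222" + DELETED, sid_to_bytes(DOMAIN + "-243603")),
    ("CN=user-c,CN=Users,DC=example,DC=test", sid_to_bytes(DOMAIN + "-1105")),
    ("CN=grp-d,CN=Users,DC=example,DC=test", sid_to_bytes(DOMAIN + "-1106")),
]

if __name__ == "__main__":
    for sid, dns in find_sid_conflicts(SAMPLE_ENTRIES).items():
        state = ", ".join("deleted" if is_deleted(d) else "live" for d in dns)
        print("%s held by %d objects (%s)" % (sid, len(dns), state))
```

Run against a real export of objectSid values (including tombstones) before attempting the join, so the conflicting objects can be cleaned up on the Windows side first.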
