Web lists-archives.com

[Samba] AD object fix (Re: [Announce] Samba 4.7.5 Available for Download)


Firstly thank you to all the Samba team for continued help & support.. and
thank you to those involved in resolving bug 13228, which might well
explain a number of issues I was having recently (I had thought
coincidentally, after upgrading to 4.7.4)

Can I check the expected behaviour of 'samba-tool dbcheck --cross-ncs

On 7 February 2018 at 08:59, Karolin Seeger via samba <samba@xxxxxxxxxxxxxxx
> wrote:

> o  BUG 13228: This is a major issue in Samba's ActiveDirectory domain
>    controller code. It might happen that AD objects have missing or broken
>    linked attributes. This could lead to broken group memberships e.g.
>    All Samba AD domain controllers set up with Samba 4.6 or lower and then
>    upgraded to 4.7 are affected. The corrupt database can be fixed with
>    'samba-tool dbcheck --cross-ncs --fix'.

What is the expected behaviour of this command if run consecutively?

On my DCs, freshly upgraded from 4.7.4 to 4.7.5, I have run the following
two commands in sequence:
$ sudo samba-tool dbcheck --cross-ncs --fix --yes > ~/samba-fix-01 2>&1
$ sudo samba-tool dbcheck --cross-ncs --fix --yes > ~/samba-fix-02 2>&1

The files produced by each run are identical in size.. but I would have
instead expected file 02 to be smaller than file 01, since all the issues
should have been fixed first time round..?

Can I first check that I'm not missing something in syntax etc., before I
spam the list with more details?

I'm seeing output along the following lines, during *both* runs of
samba-tool dbcheck:

WARNING: no target object found for GUID component for DN value
msDS-NC-Replica-Locations in object
WARNING: target DN is deleted for msDS-NC-Replica-Locations in object [....]
Target GUID points at deleted DN [....]
Remove stale DN link? [YES]
Removed deleted DN on attribute msDS-NC-Replica-Locations

plus many more; the output files are 13KB each on this DC, and contain 47
fixes according to
$ cat samba-fix-01 | grep "[YES]" | wc -l

I already know (I think) that I need to run the command on each DC.. but
before going further I just wanted to check I'm at least trying the correct
approach for dbcheck itself.



"If we knew what it was we were doing, it would not be called research,
would it?"
      - Albert Einstein
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba