Re: [Samba] restore deleted user (ldbrename) on samba 4.9.1 fails

The output below was on a test environment with only one DC (it is the wiki example domain with dc1 and m1).

So this way might be broken completely.

Did anybody try it the Microsoft way? The "new" Active Directory Administrative Centre seems not to work with Samba AD, right? Is anybody aware of other working methods like ldp.exe or PowerShell?


On 15.10.18 at 16:27, Stefan Kania via samba wrote:
Sorry, it's not working any more, at least if you have more than one DC.
I didn't get an answer to this problem, so that's the reason why it will
not be part of the new samba4 book :-(

On 15.10.2018 at 15:47, Oliver Heinz via samba wrote:
Dear list,

I am trying to restore a deleted user object with samba 4.9.1 (sernet
packages). I am aware that the object will lose some attributes without
the recycle bin enabled (enabling it is still not recommended, right?).
I tried to rename the object in order to make the necessary
modifications afterwards (as documented in Stefan Kania's Samba 4 book).
But ldbrename already fails.

root@dc1:~# samba-tool user create testuser
New Password:
Retype Password:
User 'testuser' created successfully

root@dc1:~# samba-tool user delete testuser
Deleted user testuser

root@dc1:~# ldbsearch -H ldap://localhost -U administrator --password="Passw0rd" --show-deleted "cn=testuser\0ADEL:*"
# record 1
dn: CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=Deleted Objects,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
instanceType: 4
whenCreated: 20181015123644.0Z
uSNCreated: 4038
objectGUID: d4357200-a367-4601-93df-8c769f1d0e4f
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1112
sAMAccountName: testuser
userAccountControl: 512
isDeleted: TRUE
lastKnownParent: CN=Users,DC=samdom,DC=example,DC=com
isRecycled: TRUE
whenChanged: 20181015123702.0Z
uSNChanged: 4041

# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com

# Referral

# Referral

# returned 4 records
# 1 entries
# 3 referrals

root@dc1:~# ldbrename -H ldap://localhost -Uadministrator
rename of
Objects,DC=samdom,DC=example,DC=com' to
'CN=testuser,CN=Users,DC=samdom,DC=example,DC=com' failed - LDAP error
32 LDAP_NO_SUCH_OBJECT -  <00002030: ldb_wait from
../source4/ldap_server/ldap_backend.c:487 with LDB_WAIT_ALL: No such
object (32)> <>

Verbose and trace give no further hint. Any ideas? Seems to have worked in
earlier versions.

With a regular LDAP we can use LDIF dumps to restore objects, not
comfortable but working. But this is not working for AD as it is not
allowed to add objects with an objectSid, right?
Is there another (recommended) way to restore deleted objects
(particularly users and groups)?
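As an added example for readers of this thread (it is not code from Samba or from either poster), the script below parses the `ldbsearch --show-deleted` LDIF for a tombstone, derives the DN the object would have to be renamed back to from the mangled `CN=<name>\0ADEL:<objectGUID>` RDN and `lastKnownParent`, and emits both the `ldbrename` call attempted above and the LDAP "undelete" modify that Active Directory defines (delete `isDeleted`, replace `distinguishedName`), which is what ldp.exe sends. The sample LDIF is constructed from the record quoted in the post; the helper names are mine, and whether Samba 4.9.1 accepts the undelete modify is not something this thread establishes (the rename, as shown above, fails with LDAP_NO_SUCH_OBJECT).

```python
"""Parse `ldbsearch --show-deleted` output for a tombstoned AD object and
derive the DN a restore would have to rename it to.

Added example for this thread, not code from Samba or from the list post.
The sample LDIF below is constructed from the record quoted in the thread;
the parser and the DN derivation are illustrative helpers.
"""
import base64
import re

# Constructed sample: the tombstone as ldbsearch prints it (LDIF, with the
# long dn value folded onto a continuation line that starts with one space),
# followed by one of the referral pseudo-records ldbsearch also prints.
SAMPLE_LDIF = r"""# record 1
dn: CN=testuser\0ADEL:d4357200-a367-4601-93df-8c769f1d0e4f,CN=Deleted Obje
 cts,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: user
objectGUID: d4357200-a367-4601-93df-8c769f1d0e4f
objectSid: S-1-5-21-2104162034-3764151921-3268498227-1112
sAMAccountName: testuser
isDeleted: TRUE
lastKnownParent: CN=Users,DC=samdom,DC=example,DC=com
isRecycled: TRUE

# Referral
ref: ldap://samdom.example.com/CN=Configuration,DC=samdom,DC=example,DC=com

# returned 2 records
"""

# The mangled RDN of a deleted object: original CN, then "\0ADEL:" (the
# escaped newline ldbsearch shows), then the objectGUID.
DELETED_RDN = re.compile(r"^CN=(?P<cn>.+)\\0ADEL:(?P<guid>[0-9a-fA-F-]{36})$")


def parse_ldif(text):
    """Return one dict {attr: [values]} per LDIF record: unfolds continuation
    lines, decodes base64 ('attr:: ...') values and drops '#' comments.
    Referral pseudo-records come back with only a 'ref' key."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # LDIF folding: join to previous
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):             # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.lstrip(" ")
        current.setdefault(attr, []).append(value)
    if current:
        records.append(current)
    return records


def split_first_rdn(dn):
    """Split a DN into (first RDN, remainder) at the first unescaped comma."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2                            # skip the escaped character
            continue
        if dn[i] == ",":
            return dn[:i], dn[i + 1:]
        i += 1
    return dn, ""


def tombstone_restore_target(record):
    """For a tombstone record return (original_cn, guid, restore_dn), or None
    if the record is not a deleted object under CN=Deleted Objects."""
    if record.get("isDeleted", ["FALSE"])[0].upper() != "TRUE":
        return None
    rdn, container = split_first_rdn(record["dn"][0])
    if not container.lower().startswith("cn=deleted objects,"):
        return None
    m = DELETED_RDN.match(rdn)
    if not m:
        return None
    cn, guid = m.group("cn"), m.group("guid").lower()
    if guid != record.get("objectGUID", [""])[0].lower():
        return None                           # RDN and objectGUID must agree
    return cn, guid, f"CN={cn},{record['lastKnownParent'][0]}"


def tombstones(text):
    """All tombstone records in an ldbsearch dump, ignoring referrals."""
    return [r for r in parse_ldif(text) if tombstone_restore_target(r)]


def ldbrename_argv(record, url="ldap://localhost", user="administrator"):
    """The rename attempted in the thread (tombstone DN -> restore DN)."""
    target = tombstone_restore_target(record)
    if target is None:
        raise ValueError("not a tombstone record")
    return ["ldbrename", "-H", url, "-U", user, record["dn"][0], target[2]]


def undelete_ldif(record):
    """The LDAP undelete modify as Active Directory defines it (what ldp.exe
    sends): delete isDeleted and replace distinguishedName in one modify.
    Acceptance by Samba 4.9.1 is not established by the thread."""
    target = tombstone_restore_target(record)
    if target is None:
        raise ValueError("not a tombstone record")
    return (f"dn: {record['dn'][0]}\nchangetype: modify\n"
            "delete: isDeleted\n-\n"
            f"replace: distinguishedName\ndistinguishedName: {target[2]}\n-\n")


if __name__ == "__main__":
    for rec in tombstones(SAMPLE_LDIF):
        cn, guid, restore_dn = tombstone_restore_target(rec)
        print(f"{cn} ({guid}) -> {restore_dn}")
        print(" ".join(ldbrename_argv(rec)))
        print(undelete_ldif(rec))
```

The objectSid is still present on the tombstone, which is why a restore by rename or undelete keeps the SID, whereas re-adding the user from an LDIF dump cannot.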


